35005 matches found

IBM Security Bulletins
•added 2025/04/15 3:42 a.m.•10 views

Security Bulletin: IBM App Connect Enterprise Certified Container operands have unnecessary external access [CVE-2022-43916]

Summary Some of the IBM App Connect Enterprise Certified Container Pods in a deployed environment have unnecessary external network access. This bulletin provides patch information to address the network access. CVE-2022-43916 Vulnerability Details CVEID:CVE-2022-43916 DESCRIPTION: IBM App Connec...

CVSS 9.1 | AI score 6.4 | EPSS 0.00078
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:41 a.m.•43 views

Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities

Summary IBM QRadar SIEM includes vulnerable components e.g., framework libraries that could be identified and exploited with automated tools. These have been addressed in the update. Vulnerability Details CVEID:CVE-2024-46695 DESCRIPTION: In the Linux kernel, the following vulnerability has been...

CVSS 7.8 | AI score 7.3 | EPSS 0.02912
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:40 a.m.•22 views

Security Bulletin: IBM Aspera Faspex 5 has addressed multiple vulnerabilities (CVE-2023-37412, CVE-2023-37398, CVE-2023-37413, CVE-2023-35907)

Summary This Security Bulletin addresses multiple vulnerabilities that have been remediated in IBM Aspera Faspex 5.0.11. Vulnerability Details CVEID:CVE-2023-37412 DESCRIPTION: IBM Aspera Faspex could allow a privileged user to make system changes without proper access controls. CWE:CWE-284:...

CVSS 9.8 | AI score 5.5 | EPSS 0.00114
Exploits: 0 | Affected Software: 6

IBM Security Bulletins
•added 2025/04/15 3:40 a.m.•17 views

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to remote code execution due to Apache Subversion (CVE-2024-45720)

Summary Apache Subversion is shipped with IBM Tivoli Netcool Impact as part of its version control for files. Information about a security vulnerability affecting Apache Subversion has been published in a security bulletin. Vulnerability Details CVEID:CVE-2024-45720 DESCRIPTION: Apache Subversion...

CVSS 8.2 | AI score 8.6 | EPSS 0.00073
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:39 a.m.•20 views

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in logback-core

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of logback-core. Vulnerability Details CVEID:CVE-2024-12801 DESCRIPTION: Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allo...

CVSS 5.9 | AI score 7.2 | EPSS 0.00169
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:39 a.m.•19 views

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in logback-classic

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of logback-classic. Vulnerability Details CVEID:CVE-2024-12798 DESCRIPTION: ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java...

CVSS 5.9 | AI score 7.8 | EPSS 0.00169
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:39 a.m.•15 views

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in LibTIFF

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of LibTIFF Vulnerability Details CVEID:CVE-2024-6716 DESCRIPTION: libtiff is vulnerable to a denial of service, caused by an out-of-memory flaw in the TIFFReadEncodedStrip function. By persuading a victim to ope...

AI score 6.1
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:38 a.m.•45 views

Security Bulletin: IBM Cognos Analytics is affected by multiple vulnerabilities

Summary There are vulnerabilities in IBM WebSphere Application Server Liberty and Open Source Software (OSS) components used by IBM Cognos Analytics. Additionally, Cognos Analytics is vulnerable to an XML External Entity Injection (XXE). For more information about the vulnerability impact, refer to t...

CVSS 9.8 | AI score 9.3 | EPSS 0.06248
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:38 a.m.•23 views

Security Bulletin: A Security Vulnerability was discovered in IBM Security Verify Bridge (CVE-2024-45672)

Summary A Security Vulnerability has been addressed in IBM Security Verify Bridge. Vulnerability Details CVEID:CVE-2024-45672 DESCRIPTION: IBM Security Verify Bridge could allow a local privileged user to overwrite files due to excessive privileges granted to the agent, which could also cause a...

CVSS 6 | AI score 5.8 | EPSS 0.00036
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:37 a.m.•12 views

Security Bulletin: A vulnerability in DotNetZip affects IBM Robotic Process Automation and could allow an attacker to execute arbitrary code (CVE-2024-48510).

Summary A vulnerability in DotNetZip affects IBM Robotic Process Automation and could allow an attacker to execute arbitrary code. DotNetZip was used by IBM Robotic Process Automation for compression. This library has been replaced. This bulletin identifies the fixes required to resolve the...

CVSS 9.8 | AI score 9.9 | EPSS 0.02276
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:37 a.m.•11 views

Security Bulletin: IBM Robotic Process Automation for Cloud Pak is vulnerable to cross-site scripting (CVE-2024-51457).

Summary IBM Robotic Process Automation for Cloud Pak is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...

CVSS 5.4 | AI score 4.9 | EPSS 0.00098
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:37 a.m.•35 views

Security Bulletin: IBM Observability with Instana (OnPrem) is affected by multiple security vulnerabilities

Summary Multiple vulnerabilities were remediated in IBM Observability with Instana OnPrem build 1.0.287 Vulnerability Details CVEID:CVE-2024-47561 DESCRIPTION: Apache Avro could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in schema parsing in th...

CVSS 9.2 | AI score 8.9 | EPSS 0.00674
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:36 a.m.•14 views

Security Bulletin: IBM Watson CP4D Data Stores is vulnerable to Renwoxing Enterprise Intelligent Management System SQL injection vulnerability (CVE-2024-43040)

Summary A potential SQL injection vulnerability (CVE-2024-43040) has been identified related to Renwoxing Enterprise Intelligent Management System that affects IBM Watson CP4D Data Stores. This vulnerability has been addressed. Refer to details for additional information. Vulnerability Details...

CVSS 9.1 | AI score 9.7 | EPSS 0.00146
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:36 a.m.•35 views

Security Bulletin: IBM Watson CP4D Data Stores is vulnerable to java_shop arbitrary code execution vulnerability (CVE-2024-50652)

Summary A potential arbitrary code execution vulnerability (CVE-2024-50652) has been identified related to javashop that affects IBM Watson CP4D Data Stores. This vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-50652 DESCRIPTION:...

CVSS 6.3 | AI score 5.8 | EPSS 0.00087
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:35 a.m.•21 views

Security Bulletin: IBM watsonx.ai (for IBM Cloud Pak for Data) is vulnerable to cross-site scripting

Summary IBM watsonx.ai for IBM Cloud Pak for Data is vulnerable to cross-site scripting when using unauthored, 3rd party LLM prompts in the Web UI interface of the application. IBM watsonx.ai for IBM Cloud Pak for Data has addressed the applicable vulnerability. Vulnerability Details...

CVSS 5.4 | AI score 5.3 | EPSS 0.00392
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:34 a.m.•23 views

Security Bulletin: A vulnerability in IBM Robotic Process Automation could allow a remote attacker to obtain sensitive data that may be exposed through certain crypto-analytic attacks (CVE-2024-51456).

Summary A vulnerability in IBM Robotic Process Automation could allow a remote attacker to obtain sensitive data that may be exposed through certain crypto-analytic attacks. This bulletin identifies the fixes or remediations available to resolve this vulnerability. Vulnerability Details...

CVSS 5.9 | AI score 5.9 | EPSS 0.00068
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:34 a.m.•18 views

Security Bulletin: IBM Engineering Requirements Management DOORS Next is vulnerable to Race Condition Format Flaw (CVE-2024-41779) and Race Condition Servlet (CVE-2024-41787)

Summary IBM Engineering Requirements Management DOORS Next is vulnerable to CVE-2024-41779 Race Condition Format Flaw and CVE-2024-41787 Race Condition Servlet. Vulnerability Details CVEID:CVE-2024-41787 DESCRIPTION: IBM Engineering Requirements Management DOORS Next could allow a remote attacker...

CVSS 9.8 | AI score 9.7 | EPSS 0.00032
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:34 a.m.•18 views

Security Bulletin: IBM Watson CP4D Data Stores is vulnerable to Envoy denial of service vulnerability (CVE-2024-32475).

Summary Potential Envoy denial of service vulnerability CVE-2024-32475 has been identified that affects IBM Watson CP4D Data Stores. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-32475 DESCRIPTION: Envoy is vulnerable to a...

CVSS 7.5 | AI score 7.6 | EPSS 0.00139
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:33 a.m.•22 views

Security Bulletin: IBM Watson CP4D Data Stores is vulnerable to Elasticsearch denial of service vulnerability (CVE-2024-23449)

Summary A potential denial of service vulnerability (CVE-2024-23449) has been identified related to Elasticsearch that affects IBM Watson CP4D Data Stores. This vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-23449 DESCRIPTION:...

CVSS 5.3 | AI score 5 | EPSS 0.00047
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:33 a.m.•14 views

Security Bulletin: IBM Watson CP4D Data Stores is vulnerable to Envoy denial of service vulnerability (CVE-2024-39305).

Summary Potential Envoy denial of service vulnerability CVE-2024-39305 has been identified that affects IBM Watson CP4D Data Stores. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-39305 DESCRIPTION: Envoy is vulnerable to a...

CVSS 9.1 | AI score 7.1 | EPSS 0.00046
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:32 a.m.•34 views

Security Bulletin: Vulnerability in HAProxy (CVE-2023-45539) affects IBM Watson CP4D Data Stores

Summary A potential sensitive information disclosure vulnerability (CVE-2023-45539) has been identified related to HAProxy that may affect IBM Watson CP4D Data Stores. This vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2023-45539...

CVSS 8.2 | AI score 6.7 | EPSS 0.00027
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:32 a.m.•19 views

Security Bulletin: IBM Watson CP4D Data Stores is vulnerable to Validate.js Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2020-26310)

Summary A potential Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2020-26310) has been identified related to Validate.js that affects IBM Watson CP4D Data Stores. This vulnerability has been addressed. Refer to details for additional information. Vulnerability Details...

CVSS 8.7 | AI score 6.3 | EPSS 0.00193
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:31 a.m.•24 views

Security Bulletin: IBM Watson CP4D Data Stores is vulnerable to Envoy denial of service vulnerability (CVE-2024-45810).

Summary Potential Envoy denial of service vulnerability CVE-2024-45810 has been identified that affects IBM Watson CP4D Data Stores. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-45810 DESCRIPTION: Envoy is vulnerable to ...

CVSS 7.5 | AI score 7 | EPSS 0.00023
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:31 a.m.•11 views

Security Bulletin: Vulnerability in Elasticsearch (CVE-2023-49921) affects IBM Watson CP4D Data Stores

Summary A potential vulnerability (CVE-2023-49921) has been identified related to Elasticsearch that may affect IBM Watson CP4D Data Stores. This vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2023-49921 DESCRIPTION: An issue was...

CVSS 6.5 | AI score 5.7 | EPSS 0.00701
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:31 a.m.•18 views

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service [CVE-2022-22491]

Summary IBM App Connect Enterprise Certified Container operands running in Red Hat OpenShift do not restrict writing to the local filesystem, which may result in exhausting the available storage in a Pod, resulting in that Pod being restarted. CVE-2022-22491 Vulnerability Details...

CVSS 5.5 | AI score 5.3 | EPSS 0.00036
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:30 a.m.•20 views

Security Bulletin: IBM Security QRadar EDR Software has multiple vulnerabilities (CVE-2024-45640, CVE-2024-45100)

Summary IBM Security ReaQta is vulnerable to exposing sensitive information and denial of service. These vulnerabilities have been addressed in the latest update. Vulnerability Details CVEID:CVE-2024-45640 DESCRIPTION: IBM Security ReaQta returns sensitive information in an HTTP response that coul...

CVSS 5.3 | AI score 5.8 | EPSS 0.00136
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:30 a.m.•10 views

Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted

Summary Software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a...

CVSS 6.5 | AI score 6.8 | EPSS 0.001
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:29 a.m.•18 views

Security Bulletin: The IBM® Engineering Lifecycle Management is impacted by vulnerability which can allow remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser

Summary A vulnerability has been identified under which sensitive application information might be leaked to a remote attacker when a detailed technical error message is returned in the browser which is being used in IBM Engineering Lifecycle Management - IBM Jazz. This bulletin contains...

CVSS 4.3 | AI score 4.6 | EPSS 0.00098
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:29 a.m.•17 views

Security Bulletin: The IBM® Engineering Lifecycle Management is impacted by plaintext password fields which can leak sensitive information

Summary A vulnerability has been identified under which some password fields were used as plaintext causing un-intentional info leakage, which is being used in IBM Engineering Lifecycle Management - IBM Jazz. This bulletin contains information regarding vulnerabilities and remediation actions...

CVSS 4.6 | AI score 4.6 | EPSS 0.00064
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:28 a.m.•23 views

Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to Log Forging CVE-2024-35150

Summary IBM Maximo Application Suite - Monitor Component is vulnerable to Log Forging CVE-2024-35150. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-35150 DESCRIPTION: IBM Maximo Application Suite - Monitor Component does not...

CVSS 5.3 | AI score 5.2 | EPSS 0.0009
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:28 a.m.•20 views

Security Bulletin: IBM PowerHA SystemMirror for IBM i is vulnerable to multiple vulnerabilities in the PowerHA Web Interface [CVE-2024-55897, CVE-2024-55896]

Summary The IBM PowerHA SystemMirror for IBM i Web Interface is vulnerable to obtaining cookie values (CVE-2024-55897) and hijacking the clicking action of users (CVE-2024-55896) as described in the vulnerability details section. The PowerHA Web Interface allows easy management of PowerHA operations...

CVSS 5.4 | AI score 5.1 | EPSS 0.00132
Exploits: 0 | Affected Software: 2

IBM Security Bulletins
•added 2025/04/15 3:27 a.m.•18 views

Security Bulletin: IBM WebSphere Automation is vulnerable to an unauthorized code or commands execution weakness (CVE-2024-54181)

Summary IBM WebSphere Automation is vulnerable to an unauthorized code or commands execution weakness. Vulnerability Details CVEID:CVE-2024-54181 DESCRIPTION: IBM WebSphere Automation could allow a remote privileged user, who has authorized access to the swagger UI, to execute arbitrary code. Usi...

CVSS 7.2 | AI score 7.5 | EPSS 0.00392
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:27 a.m.•26 views

Security Bulletin: AIX is vulnerable to denial of service (CVE-2024-47102, CVE-2024-52906)

Summary Vulnerabilities in the AIX TCP/IP and perfstat kernel extensions may lead to a denial of service (CVE-2024-47102, CVE-2024-52906). Vulnerability Details CVEID:CVE-2024-47102 DESCRIPTION: IBM AIX could allow a non-privileged local user to exploit a vulnerability in the AIX perfstat kernel...

CVSS 5.5 | AI score 5.7 | EPSS 0.00044
Exploits: 0 | Affected Software: 2

IBM Security Bulletins
•added 2025/04/15 3:27 a.m.•25 views

Security Bulletin: IBM Security QRadar Log Management AQL Plugin contains multiple vulnerabilities (CVE-2024-45296, CVE-2024-8986, CVE-2024-21489)

Summary IBM Security QRadar Log Management AQL Plugin for Grafana contains multiple vulnerabilities. These vulnerabilities have been addressed in the update. Vulnerability Details CVEID:CVE-2024-45296 DESCRIPTION: pillarjs Path-to-RegExp is vulnerable to a denial of service, caused by a regular...

CVSS 9.1 | AI score 8.4 | EPSS 0.00159
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:26 a.m.•15 views

Security Bulletin: A Security Vulnerability was discovered in IBM Security Directory Integrator (CVE-2024-28767)

Summary A Security Vulnerability was addressed in IBM Security Directory Integrator. Vulnerability Details CVEID:CVE-2024-28767 DESCRIPTION: IBM Security Directory Integrator could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted...

CVSS 8.8 | AI score 7.1 | EPSS 0.00197
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:26 a.m.•31 views

Security Bulletin: Multiple Vulnerabilities in IBM Edge Application Manager.

Summary Multiple vulnerabilities were addressed in IBM Edge Application Manager 4.5.9. Vulnerability Details CVEID:CVE-2024-51744 DESCRIPTION: golang-jwt jwt-go could allow a remote attacker to obtain sensitive information, caused by improper error handling in ParseWithClaims. By sending a...

CVSS 8.7 | AI score 7.1 | EPSS 0.00354
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:25 a.m.•19 views

Security Bulletin: IBM Security Guardium is affected by a SSRF vulnerability (CVE-2024-49336)

Summary IBM Security Guardium has addressed this vulnerability in an update. Vulnerability Details CVEID:CVE-2024-49336 DESCRIPTION: IBM Security Guardium is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system,...

CVSS 6.5 | AI score 5.9 | EPSS 0.00115
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:25 a.m.•20 views

Security Bulletin: Vulnerability in JsonToBinaryStream() function (CVE-2024-2410) may affect IBM watsonx Assistant for IBM Cloud Pak for Data

Summary A potential vulnerability (CVE-2024-2410) has been identified related to JsonToBinaryStream function that may affect IBM watsonx Assistant for IBM Cloud Pak for Data. This vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-24...

CVSS 9.8 | AI score 7.1 | EPSS 0.0005
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:24 a.m.•25 views

Security Bulletin: IBM Fusion HCI and IBM Fusion are vulnerable to denial of service due to Node.js, isaacs node-tar, ShowdownJS

Summary IBM Fusion HCI and IBM Fusion's graphical user interface are vulnerable to a denial of service due to Node.js, isaacs node-tar, and ShowdownJS. CVE-2024-4068, CVE-2024-28863, CVE-2024-1899. Vulnerability Details CVEID:CVE-2024-4068 DESCRIPTION: Node.js braces module is vulnerable to a...

CVSS 7.5 | AI score 6.8 | EPSS 0.00663
Exploits: 3 | Affected Software: 3

IBM Security Bulletins
•added 2025/04/15 3:24 a.m.•28 views

Security Bulletin: IBM Fusion HCI and IBM Fusion are vulnerable to exposure of sensitive information, SSRF and gaining elevated privileges

Summary IBM Fusion HCI and IBM Fusion user interfaces are affected by vulnerabilities in Node.js packages follow-redirects, axios, webpack, and Go package Beego. Vulnerabilities include remote authenticated exposure of sensitive information, server-side request forgery, and cross-site scripting...

CVSS 8.8 | AI score 8.4 | EPSS 0.02141
Exploits: 4 | Affected Software: 3

IBM Security Bulletins
•added 2025/04/15 3:23 a.m.•28 views

Security Bulletin: IBM Fusion and IBM Fusion HCI are vulnerable to lack of egress restriction

Summary IBM Fusion and IBM Fusion HCI are vulnerable to allowing data to be sent to the external network due to the lack of egress restriction. CVE-2024-22315. Vulnerability Details CVEID:CVE-2024-22315 DESCRIPTION: IBM Storage Fusion is vulnerable to insecure network connection by allowing an...

CVSS 6.5 | AI score 4.1 | EPSS 0.00021
Exploits: 0 | Affected Software: 3

IBM Security Bulletins
•added 2025/04/15 3:23 a.m.•31 views

Security Bulletin: IBM Sterling Secure Proxy is vulnerable to several issues (CVE-2024-38337, CVE-2024-25016)

Summary IBM Sterling Secure Proxy is affected by an improper input validation vulnerability that is exploitable by authenticated, privileged users. IBM Sterling Secure Proxy (SSP) also uses IBM MQ, which is vulnerable to improper input validation. Vulnerability Details CVEID:CVE-2024-38337...

CVSS 9.1 | AI score 7.5 | EPSS 0.00227
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:23 a.m.•27 views

Security Bulletin: IBM Controller is affected by vulnerabilities

Summary There are vulnerabilities in Open-Source Software (OSS) components used by IBM Controller. Additionally, IBM Controller is vulnerable to cross-site scripting (XSS) and server-side request forgery (SSRF) vulnerabilities. Please refer to the table in the Related Information section for...

CVSS 8.2 | AI score 8.3 | EPSS 0.02141
Exploits: 1 | Affected Software: 2

IBM Security Bulletins
•added 2025/04/15 3:22 a.m.•39 views

Security Bulletin: Multiple Linux Kernel vulnerabilities may affect IBM Storage Scale System

Summary There are multiple vulnerabilities in the Linux kernel, used by IBM Storage Scale System, which could allow a denial of service. Fixes for these vulnerabilities are available. Vulnerability Details CVEID:CVE-2024-40998 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused...

CVSS 7.8 | AI score 7.6 | EPSS 0.00018
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:22 a.m.•40 views

Security Bulletin: IBM Security Guardium is affected by kernel vulnerabilities

Summary IBM Security Guardium has addressed these vulnerabilities in an update. Vulnerability Details CVEID:CVE-2024-26837 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a race condition between generation of the list of MDB events to replay with the creation of new grou...

CVSS 7.8 | AI score 8.6 | EPSS 0.00022
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:21 a.m.•21 views

Security Bulletin: Vulnerability in Linux affects IBM Integrated Analytics System [CVE-2024-27399, CVE-2024-36972]

Summary Red Hat provided Linux is used by IBM Integrated Analytics System. IBM Integrated Analytics System has addressed the applicable CVEs (CVE-2024-27399, CVE-2024-36972). Vulnerability Details CVEID:CVE-2024-27399 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL...

CVSS 7.5 | AI score 7.2 | EPSS 0.00096
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:21 a.m.•24 views

Security Bulletin: IBM Storage Protect Server is susceptible to denial of service due to CoreDNS (CVE-2023-28452).

Summary The IBM Storage Protect Server is susceptible to denial of service caused by improper input validation linked to CoreDNS. Vulnerability Details CVEID:CVE-2023-28452 DESCRIPTION: CoreDNS is vulnerable to a denial of service, caused by improper input validation. By sending a specially...

CVSS 7.5 | AI score 7.4 | EPSS 0.00042
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:20 a.m.•32 views

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining 2.0

Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Process Mining 2.0 Vulnerability Details CVEID:CVE-2024-52317 DESCRIPTION: Apache Tomcat could provide weaker than expected security, caused by an incorrect...

CVSS 9.8 | AI score 9.9 | EPSS 0.42304
Exploits: 7 | Affected Software: 2

IBM Security Bulletins
•added 2025/04/15 3:20 a.m.•31 views

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v5.0.3 is vulnerable to multiple Base OS issues

Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v5.0.3 is vulnerable to multiple Base OS issues. We have updated the base image used by our Speech Services and the following vulnerabilities have been addressed. Please read the details for remediation below. Vulnerability...

CVSS 9.8 | AI score 9.2 | EPSS 0.03331
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
•added 2025/04/15 3:19 a.m.•26 views

Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to a denial of service

Summary IBM i Modernization Engine for Lifecycle Integration keycloak component is vulnerable to a denial of service (CVE-2023-6841) as described in the Vulnerability Details section. These components are used in IBM i Modernization Engine for Lifecycle Integration for infrastructure support in the...

CVSS 7.5 | AI score 7.5 | EPSS 0.00613
Exploits: 0 | Affected Software: 1

Total number of security vulnerabilities: 35005