Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to Improper and Incorrect Authorization and SQL Injection in Vault (CVE-2023-0665, CVE-2023-24999, CVE-2023-0620)
Summary Vault is used by IBM Storage Fusion Data Foundation as part of user authentication. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Data Foundation. CVE-2023-0665, CVE-2023-24999, CVE-2023-0620. Vulnerability Details CVEID:CVE-2023-0665...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to Path Traversal in Moment.js (CVE-2022-24785)
Summary Moment.js is used by IBM Storage Fusion Data Foundation in noobaa-core-container and Ceph as part of Storage. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Data Foundation. CVE-2022-24785. Vulnerability Details CVEID:CVE-2022-24785...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to an uncontrolled resource consumption in the RHEL UBI (CVE-2023-44487)
Summary HTTP/2 is used by IBM Storage Fusion Data Foundation as part of the RHEL UBI and in assorted other locations. CVE-2023-44487. Vulnerability Details CVEID:CVE-2023-44487 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to allocation of resources without limits or throttling (rapid reset) in HTTP/2 (CVE-2023-39325)
Summary HTTP/2 is used by IBM Storage Fusion Data Foundation in Golang as part of the intrinsic operator. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Data Foundation. CVE-2023-39325. Vulnerability Details CVEID:CVE-2023-39325 DESCRIPTION: Golang G...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to Uncontrolled Resource Consumption in HTTP/2 via golang (CVE-2022-41723)
Summary HTTP/2 is used by IBM Storage Fusion Data Foundation in golang as a fundamental part of all operators. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Data Foundation. CVE-2022-41723. Vulnerability Details CVEID:CVE-2022-41723 DESCRIPTION:...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to uncontrolled recursion in golang (CVE-2022-30631)
Summary Golang is used by IBM Storage Fusion Data Foundation in mcg and cephcsi as part of the operator. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Data Foundation. CVE-2022-30631. Vulnerability Details CVEID:CVE-2022-30631 DESCRIPTION: Golang G...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to the use of insufficiently random values in Golang (CVE-2022-30629)
Summary Golang is used by IBM Storage Fusion Data Foundation as part of the operator's intrinsic functionality. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Data Foundation. CVE-2022-30629. Vulnerability Details CVEID:CVE-2022-30629 DESCRIPTION:...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to Uncontrolled Recursion in golang (CVE-2022-30632)
Summary Golang is used by IBM Storage Fusion Data Foundation in mcg and cephcsi as part of the operator. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Data Foundation. CVE-2022-30632. Vulnerability Details CVEID:CVE-2022-30632 DESCRIPTION: Golang G...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to multiple software weaknesses due to Golang
Summary Golang Go is vulnerable to a denial of service, which could allow a remote attacker to conduct query parameter smuggling and could allow a local attacker to execute arbitrary code on the system. Golang is used by IBM Storage Fusion Data Foundation as a core part of operators. This bulleti...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to inconsistent interpretation of HTTP requests in Golang (CVE-2022-1705)
Summary Golang is used by IBM Storage Fusion Data Foundation as a core part of operators. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Data Foundation. CVE-2022-1705. Vulnerability Details CVEID:CVE-2022-1705 DESCRIPTION: Golang Go is vulnerable to...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to Uncontrolled Recursion in Golang (CVE-2022-30635)
Summary Golang is used by IBM Storage Fusion Data Foundation as part of the operator's intrinsic functionality. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Data Foundation. CVE-2022-30635. Vulnerability Details CVEID:CVE-2022-30635 DESCRIPTION:...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to improper removal of sensitive information before storage or transfer in the console (CVE-2022-1650)
Summary EventSource is used by IBM Storage Fusion Data Foundation in the console as part of data metrics. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Data Foundation. CVE-2022-1650. Vulnerability Details CVEID:CVE-2022-1650 DESCRIPTION: EventSourc...
Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to improper input validation in Ceph (CVE-2023-46159)
Summary Ceph is used by IBM Storage Fusion Data Foundation as storage. This bulletin identifies the steps to take to address the vulnerability in IBM Storage Fusion Data Foundation. CVE-2023-46159. Vulnerability Details CVEID:CVE-2023-46159 DESCRIPTION: IBM Storage Ceph 5.3z1, 5.3z5, and 6.1z1...
Security Bulletin: Vulnerabilities in Apache Commons IO library affect IBM SPSS Collaboration and Deployment Services
Summary Vulnerabilities in Apache Commons IO library affect IBM SPSS Collaboration and Deployment Services CVE-2024-47554. These have been addressed in the remediation section. Vulnerability Details CVEID:CVE-2024-47554 DESCRIPTION: Uncontrolled Resource Consumption vulnerability in Apache Common...
Security Bulletin: There is a vulnerability in netty-handler-4.1.115.Final.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-24970)
Summary There is a vulnerability in netty-handler-4.1.115.Final.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2025-24970 DESCRIPTION: Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in...
Security Bulletin: There is a vulnerability in CPython used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2024-7592,CVE-2024-6232,CVE-2024-8775)
Summary There is a vulnerability in CPython used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2024-7592 DESCRIPTION: There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing...
Security Bulletin: Multiple vulnerabilities affect IBM Data Virtualization on Cloud Pak for Data (January 2025)
Summary Multiple vulnerabilities have been addressed in IBM Data Virtualization on Cloud Pak for Data. Note that IBM Data Virtualization was named Watson Query in IBM Cloud Pak for Data versions 4.6, 4.7, and 4.8. Vulnerability Details CVEID:CVE-2022-46363 DESCRIPTION: Apache CXF could allow a...
Security Bulletin: IBM Maximo Application Suite - Predict Component vulnerable to a denial of service due to Netty
Summary Security Bulletin: IBM Maximo Application Suite - Predict Component vulnerable to a denial of service due to Netty. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2024-47535 DESCRIPTION: Netty is an asynchrono...
Security Bulletin: IBM Maximo Application Suite - Predict Component vulnerable to a flaw in Jinja, an extensible templating engine
Summary Security Bulletin: IBM Maximo Application Suite - Predict Component vulnerable to a flaw in Jinja, an extensible templating engine. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2025-27516 DESCRIPTION: Jinja is an extensible...
Security Bulletin: IBM Maximo Application Suite - Predict Component vulnerable to a flaw where clients that authenticate a server may fail to notice that the server was not authenticated
Summary Security Bulletin: IBM Maximo Application Suite - Predict Component vulnerable to a flaw where clients that enable server-side raw public keys can still find out that raw public key verification... This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details...
Security Bulletin: IBM DataPower Gateway vulnerable to denial of service and remote code execution through use of Redis
Summary IBM DataPower Gateway uses Redis internally for gateway peering. Vulnerability Details CVEID:CVE-2024-46981 DESCRIPTION: Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and...
Security Bulletin: Multiple vulnerabilities in Spring and XStream affect IBM Tivoli Network Configuration Manager
Summary Multiple vulnerabilities in Spring and XStream affect IBM Tivoli Network Configuration Manager ITNCM IP Edition v6.4.2. Vulnerability Details CVEID:CVE-2024-38819 DESCRIPTION: Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are...
Security Bulletin: Multiple vulnerabilities in the IBM® SDK, Java™ Technology Edition affect IBM Tivoli Network Configuration Manager.
Summary Multiple vulnerabilities exist in IBM® SDK Java™ Technology Edition, Version 8, which is used by IBM Tivoli Network Configuration Manager ITNCM IP Edition v6.4.2. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions...
Security Bulletin: Multiple Vulnerabilities in IBM® Runtime Environment Java™ Technology Edition affect WebSphere eXtreme Scale
Summary There are multiple vulnerabilities in IBM Runtime Environment Java Version 8 used by WebSphere eXtreme Scale. Vulnerability Details CVEID:CVE-2024-21235 DESCRIPTION: Vulnerability in Java SE component: Hotspot. Difficult to exploit vulnerability allows unauthenticated attacker with networ...
Security Bulletin: IBM Cloud Kubernetes Service is affected by Kubernetes Ingress Controller security vulnerabilities (CVE-2025-24514, CVE-2025-1097, CVE-2025-1098)
Summary IBM Cloud Kubernetes Service is affected by Kubernetes Ingress Controller security vulnerabilities where a user that can create or update Ingress objects can use the nginx.ingress.kubernetes.io/auth-url annotation CVE-2025-24514 or the nginx.ingress.kubernetes.io/auth-tls-match-cn...
Security Bulletin: Multiple Java Vulnerabilities in IBM Event Streams
Summary Multiple Java SE vulnerabilities were addressed in IBM Event Streams version 11.5.1. Vulnerability Details CVEID:CVE-2024-21235 DESCRIPTION: Vulnerability in Java SE component: Hotspot. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple...
Security Bulletin: IBM Security QRadar Analyst Workflow for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
Summary The product includes vulnerable components, e.g., framework libraries, that may be identified and exploited with automated tools. The update addresses these issues. Vulnerability Details CVEID:CVE-2024-52798 DESCRIPTION: path-to-regexp turns path strings into regular expressions. In certa...
Security Bulletin: Vulnerable Version Of Software In Use for watsonx Code Assistant On Prem product
Summary Watsonx Code Assistant On Prem product uses a version of Python that has a known vulnerability. Vulnerability Details CVEID:CVE-2024-0450 DESCRIPTION: Python CPython is vulnerable to a denial of service, caused by improper input validation by the zipfile module. By persuading a victim to op...
Security Bulletin: Multiple vulnerabilities in IBM Tivoli Network Manager IP Edition (ITNM) version 4.2 Fix Pack 21 (4.2.0.21)
Summary IBM Tivoli Network Manager IP Edition version 4.2 Fix Pack 21 4.2.0.21 Core components carry a JRE version which is affected by multiple vulnerabilities. Vulnerability Details CVEID:CVE-2024-21235 DESCRIPTION: Vulnerability in Java SE component: Hotspot. Difficult to exploit vulnerabili...
Security Bulletin: IBM Content Navigator is vulnerable to cross-site scripting
Summary IBM Content Navigator has addressed the following vulnerability. Vulnerability Details CVEID:CVE-2024-56341 DESCRIPTION: IBM Content Navigator is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus...
Security Bulletin: IBM DataPower Gateway vulnerable to denial of service due to rustls
Summary Rustls is used in gateway peering. Vulnerability Details CVEID:CVE-2024-11738 DESCRIPTION: A flaw was found in Rustls 0.23.13 and related APIs. This vulnerability allows denial of service panic via a fragmented TLS ClientHello message. CWE:CWE-248: Uncaught Exception CVSS Source:...
Security Bulletin: IBM DataPower Gateway vulnerable to naming confusion (CVE-2024-12224)
Summary idna is used in the GitOps feature. Vulnerability Details CVEID:CVE-2024-12224 DESCRIPTION: idna 0.5.0 and earlier accepts Punycode labels that do not produce any non-ASCII output, which means that either ASCII labels or the empty root label can be masked such that they appear unequal...
Security Bulletin: IBM Watson Speech Services Cartridge v5.1.1 is vulnerable to multiple Operator package issues
Summary IBM Watson Speech Services Cartridge v5.1.1 is vulnerable to multiple Operator package issues. We have performed updates to the Operators used by our Speech Services. The following vulnerabilities have been addressed in this update. Please read the details for remediation below...
Security Bulletin: IBM Watson Speech Services Cartridge v5.1.1 is vulnerable to multiple Base OS issues
Summary IBM Watson Speech Services Cartridge is vulnerable to multiple Base OS issues. We have updated the base image used by our Speech Services and the following vulnerabilities have been addressed. Please read the details for remediation below. Vulnerability Details CVEID:CVE-2019-12900...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a man-in-the-middle attack in OpenSSL [CVE-2024-12797]
Summary IBM Watson Speech Services Cartridge is vulnerable to a man-in-the-middle attack in OpenSSL, caused by a failure to abort TLS/DTLS handshakes in RFC7250 Raw Public Key RPK authentication CVE-2024-12797. OpenSSL is used by our Speech runtimes. This vulnerability has been addressed. Please...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in isaacs node-tar [CVE-2024-28863]
Summary IBM Watson Speech Services Cartridge is vulnerable to a denial of service in isaacs node-tar, caused by the lack of folders count validation CVE-2024-28863. Isaacs node-tar is used by our Speech utilities. This vulnerability has been addressed. Please read the details for remediation...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in isaacs node-tar [CVE-2024-28863]
Summary IBM Watson Speech Services Cartridge is vulnerable to a denial of service in isaacs node-tar, caused by the lack of folders count validation CVE-2024-28863. Isaacs node-tar is used by our Speech microservices. This vulnerability has been addressed. Please read the details for remediation...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in Golang Go [CVE-2024-34155]
Summary IBM Watson Speech Services Cartridge is vulnerable to a denial of service in Golang Go, caused by a stack exhaustion in all Parse functions CVE-2024-34155. Golang Go is used by our Speech utilities. This vulnerability has been addressed. Please read the details for remediation below...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an information disclosure in Golang crypto [CVE-2025-22866]
Summary IBM Watson Speech Services Cartridge is vulnerable to an information disclosure in the Golang crypto/internal/nistec package, due to the usage of a variable time instruction in the assembly implementation of an internal function CVE-2025-22866. Golang crypto is used by our Speech utilitie...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a security bypass in Golang crypto [CVE-2024-45341]
Summary IBM Watson Speech Services Cartridge is vulnerable to a security bypass in the crypto/x509 package of the Golang standard library, caused by a faulty certificate URI CVE-2024-45341. Golang is used by our Speech utilities. This vulnerability has been addressed. Please read the details for...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to arbitrary code execution in Hugging Face Transformers [CVE-2024-11392, CVE-2024-11393, CVE-2024-11394]
Summary IBM Watson Speech Services Cartridge is vulnerable to arbitrary code execution in Hugging Face Transformers, caused by a flaw in the parsing of model files CVE-2024-11392, CVE-2024-11393, CVE-2024-11394. Hugging Face Transformers is used by our Speech runtimes. This vulnerability has bee...
Security Bulletin: Multiple vulnerabilities disclosed in Netty affect IBM SPSS Analytic Server
Summary Multiple vulnerabilities disclosed in Netty affect IBM SPSS Analytic Server CVE-2025-24970, CVE-2025-25193. These have been addressed in the remediation section. Vulnerability Details CVEID:CVE-2025-24970 DESCRIPTION: Netty, an asynchronous, event-driven network application framework, has...
Security Bulletin: IBM CloudPak for Data Scheduling Service is vulnerable to CVE-2023-45288.
Summary Golang's net/http is used by the CP4D Scheduling Service for HTTP communication. CVE-2023-45288. Vulnerability Details CVEID:CVE-2023-45288 DESCRIPTION: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames...
Security Bulletin: IBM CloudPak for Data Scheduling Service is vulnerable to CVE-2024-36129.
Summary OpenTelemetry Collector is used by the CP4D Scheduling Service for telemetry collection. CVE-2024-36129. Vulnerability Details CVEID:CVE-2024-36129 DESCRIPTION: OpenTelemetry OpenTelemetry Collector is vulnerable to a denial of service, caused by an unsafe decompression vulnerability. By...
Security Bulletin: IBM CloudPak for Data Scheduling Service is vulnerable to CVE-2024-45506.
Summary HAProxy is used by the CP4D Scheduling Service for multicluster scheduling. CVE-2024-45506. Vulnerability Details CVEID:CVE-2024-45506 DESCRIPTION: HAProxy 2.9.x before 2.9.10, 3.0.x before 3.0.4, and 3.1.x through 3.1-dev6 allows a remote denial of service for HTTP/2 zero-copy forwarding...
Security Bulletin: IBM CloudPak for Data Scheduling Service is vulnerable to IBM X-Force ID: 350626.
Summary GRPC-Go is used by the CP4D Scheduling Service for inter-process communication. IBM X-Force ID: 350626. Vulnerability Details IBM X-Force ID: 350626 DESCRIPTION: gRPC-Go is vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sendi...
Security Bulletin: Multiple vulnerabilities found in IBM TXSeries for Multiplatforms.
Summary IBM TXSeries for Multiplatforms has been updated in order to address multiple vulnerabilities. Vulnerability Details CVEID:CVE-2024-56475 DESCRIPTION: IBM TXSeries for Multiplatforms is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary...
Security Bulletin: There is a vulnerability in org.eclipse.core.runtime-3.14.0.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-4218)
Summary There is a vulnerability in org.eclipse.core.runtime-3.14.0.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2023-4218 DESCRIPTION: Eclipse IDE could allow a local authenticated attacker to obtain sensitive information, caused by...
Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to leaking sensitive information due to the ClassGraph package ( CVE-2021-47621 )
Summary ClassGraph is used by DataStage on Cloud Pak for Data as part of the path and module scanning functionality. Vulnerability Details CVEID:CVE-2021-47621 DESCRIPTION: ClassGraph could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity...
Security Bulletin: IBM Copy Services Manager may be affected by multiple vulnerabilities due to IBM SDK which are addressed in the Java Technology Edition quarterly updates
Summary Multiple vulnerabilities were disclosed as part of the Java SE March 2025 Patch Update. Although the likelihood of these issues being exploited is very low, IBM Copy Services Manager frequently updates its product stack to ensure the utmost security is maintained. Vulnerability Details Refer to t...