Security Bulletin: Multiple Vulnerabilities in CloudPak for Watson AIOPs
Summary Multiple vulnerabilities were fixed in IBM Cloud Pak for Watson AIOps. Vulnerability Details CVEID:CVE-2022-42004 DESCRIPTION: FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in the BeanDeserializer.deserializeFromArray function. By sending a...
Security Bulletin: IBM Technical Support Appliance - possible security flaws or denial of service
Summary Numerous fixes to the Linux kernel for reported issues related to various security vulnerabilities such as denial of service, unauthorized access, or leakage of sensitive data. Vulnerability Details CVEID:CVE-2019-13631 DESCRIPTION: Linux Kernel could allow a physical attacker to execute...
Security Bulletin: IBM Security Directory Suite is vulnerable to multiple issues
Summary Multiple Security Vulnerabilities in the IBM Security Directory Suite have been addressed by code updates and updating the relevant components. Vulnerability Details CVEID:CVE-2022-22475 DESCRIPTION: IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 are...
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.7 is vulnerable to multiple Operator package issues
Summary IBM Watson Speech Services Cartridge v4.8.7 is vulnerable to multiple Operator package issues. We have performed updates to the Operators used by our Speech Services. The following vulnerabilities have been addressed in this update. Please read the details for remediation below...
Security Bulletin: Multiple vulnerabilities found in third-party libraries used by IBM® MobileFirst Platform
Summary There are multiple vulnerabilities in open source libraries used by IBM MobileFirst Platform Foundation. They are addressed in this update. Vulnerability Details CVEID:CVE-2023-24998 DESCRIPTION: Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by not lim...
Security Bulletin: IBM QRadar SIEM includes components with known vulnerabilities
Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2021-25220 DESCRIPTION: ISC BIND could allow a remote attacker to bypass...
Security Bulletin: Multiple vulnerabilities in DITA, Apache Batik, Apache FOP may affect IBM Business Automation Workflow and IBM Case Manager
Summary IBM Business Automation Workflow and IBM Case Manager packages DITA for documentation generation in Case Management. Multiple CVEs have been reported for open source libraries repackaged in DITA. A few of the same open source libraries, such as Apache Batik and Apache FOP, are also used f...
Security Bulletin: IBM Cloud Pak for Network Automation 2.4.7 fixes multiple security vulnerabilities
Summary IBM Cloud Pak for Network Automation 2.4.7 fixes multiple security vulnerabilities, listed in the CVEs below. Vulnerability Details CVEID:CVE-2023-24538 DESCRIPTION: Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by the failure to properly consider...
Security Bulletin: Multiple Vulnerabilities in CloudPak for Watson AIOPs
Summary Multiple vulnerabilities were fixed in IBM Cloud Pak for Watson AIOps version 3.7. Vulnerability Details CVEID:CVE-2023-0044 DESCRIPTION: Quarkus could allow a remote attacker to obtain sensitive information, caused by a flaw when the Form Authentication session cookie Path attribute is se...
Security Bulletin: Vulnerabilities in Pypa Setuptools, Golang Go, OpenSSH, Minio and Certifi may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift
Summary IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift can be affected by vulnerabilities in Pypa Setuptools, Golang Go, OpenSSH, Minio and Certifi. Vulnerabilities include denial of service, bypass security restrictions, HTTP request smuggling, spyware,...
Security Bulletin: Multiple Vulnerabilities in IBM Security Guardium Key Lifecycle Manager
Summary There are multiple vulnerabilities identified in IBM Security Guardium Key Lifecycle Manager. These vulnerabilities have been fixed in IBM Security Guardium Key Lifecycle Manager v4.2. Please upgrade to GKLM v4.2 for the fixes. Vulnerability Details CVEID:CVE-2023-25689 DESCRIPTION: IBM...
Security Bulletin: Financial Transaction Manager for Digital Payments, High Value Payments and Corporate Payment Services are impacted by multiple vulnerabilities.
Summary The vulnerabilities addressed include access control, sensitive information disclosure, cross site scripting and directory traversal. Vulnerability Details CVEID:CVE-2020-5002 DESCRIPTION: IBM Financial Transaction Manager could allow an authenticated user to perform unauthorized actions...
Security Bulletin: IBM FTM for ACH Services and Check Services (v3.0.2.1 - v3.0.5) is impacted by a directory traversal vulnerability.
Summary The vulnerability addressed allowed a remote attacker to traverse server directories. Vulnerability Details CVEID:CVE-2020-5001 DESCRIPTION: IBM Financial Transaction Manager 3.2.0 through 3.2.7 could allow a remote attacker to traverse directories on the system. An attacker could send a...
Security Bulletin: Multiple Vulnerabilities in Multicloud Management Security Services
Summary Multiple vulnerabilities were fixed in IBM Cloud Pak for Multicloud Management Security Services. Vulnerability Details CVEID:CVE-2022-1705 DESCRIPTION: Golang Go is vulnerable to HTTP request smuggling, caused by a flaw in accepting some invalid Transfer-Encoding headers in the HTTP/...
Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities
Summary IBM Security Guardium has addressed these vulnerabilities. Vulnerability Details CVEID:CVE-2022-22307 DESCRIPTION: IBM Security Guardium could allow a local user to obtain elevated privileges due to incorrect authorization checks. CVSS Base score: 4.4 CVSS Temporal Score: See:...
Security Bulletin: IBM InfoSphere Information Server is affected by a path traversal vulnerability (CVE-2023-24960)
Summary A path traversal vulnerability in InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2023-24960 DESCRIPTION: IBM InfoSphere Information Server could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL...
Security Bulletin: TADDM affected by multiple vulnerabilities due to Apache Tomcat libraries
Summary IBM Tivoli Application Dependency Discovery Manager is vulnerable to denial of service due to use of Apache Tomcat libraries: CVE-2005-3164, CVE-2005-4836, CVE-2005-4838, CVE-2007-2449, CVE-2007-5461, CVE-2008-0128, CVE-2007-5333, CVE-2008-1232, CVE-2008-2370, CVE-2008-4308, CVE-2009-0781,...
Security Bulletin: Multiple Vulnerabilities in CloudPak for Watson AIOPs
Summary Multiple vulnerabilities were fixed in IBM Cloud Pak for Watson AIOps version 3.6.1. Vulnerability Details CVEID:CVE-2021-25220 DESCRIPTION: ISC BIND could allow a remote attacker to bypass security restrictions, caused by an error when using DNS forwarders. An attacker could exploit this...
Security Bulletin: Multiple Vulnerabilities in Apache Ivy affect IBM Cloud Pak System
Summary Vulnerabilities found in Apache Ivy affect IBM Cloud Pak System: CVE-2022-46751, CVE-2022-2765, CVE-2022-37866. Vulnerability Details CVEID:CVE-2022-46751 DESCRIPTION: Apache Ivy could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity...
Security Bulletin: Path traversal vulnerability affects IBM Business Monitor - CVE-2022-43864
Summary IBM Business Monitor is vulnerable to a Path Traversal attack in the Business Space component. Vulnerability Details CVEID:CVE-2022-43864 DESCRIPTION: IBM Business Automation Workflow could allow a remote attacker to traverse directories on the system. An attacker could send a specially...
Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.
Summary Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. Red Hat is used by IBM Robotic Process Automation for Cloud Pak as part of base container images. CVE-2016-4074. getaddrinfo is used by IBM Robotic Process Automation for Cloud Pak as part of the ba...
Security Bulletin: IBM Security Verify Governance stores user credentials in plain clear text which can be read by a local user (CVE-2022-22470)
Summary IBM Security Verify Governance is vulnerable to exposure of user credentials to local users due to storage of credentials in cleartext CVE-2022-22470. This vulnerability has been removed by a code fix. Vulnerability Details CVEID:CVE-2022-22470 DESCRIPTION: IBM Security Verify Governance...
Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to CSV injection (CVE-2022-35281)
Summary IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to CSV injection. Vulnerability Details CVEID:CVE-2022-35281 DESCRIPTION: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are...
Security Bulletin: IBM Robotic Process Automation for Cloud Pak is vulnerable to broken access control. A user is not correctly redirected to the platform log out screen when logging out of IBM RPA for Cloud Pak (CVE-2022-43844)
Summary IBM Robotic Process Automation for Cloud Pak is vulnerable to broken access control. A user is not correctly redirected to the platform log out screen when logging out of IBM RPA for Cloud Pak. This bulletin identifies the security fixes to apply to address this vulnerability. Vulnerabili...
Security Bulletin: A vulnerability in IBM Robotic Process Automation may result in sensitive information disclosure (CVE-2022-41740)
Summary There is a vulnerability in IBM Robotic Process Automation. Sensitive information may be disclosed if an attacker has physical access to system memory. This bulletin identifies the security fixes to apply to address this vulnerability. Vulnerability Details CVEID:CVE-2022-41740 DESCRIPTIO...
Security Bulletin: A vulnerability in IBM Robotic Process Automation may result in exposure of the name and email for the creator/modifier of platform level objects (CVE-2022-43573)
Summary There is a vulnerability in IBM Robotic Process Automation. Accessing specific platform level objects created in RPA may expose the creator's or modifier's email address. This bulletin identifies the security fixes to apply to address this vulnerability. Vulnerability Details...
Security Bulletin: A vulnerability exists in Google Web Toolkit (GWT) framework used by ITNM (CVE-2007-2378)
Summary Vulnerability CVE-2007-2378 was found in gwt-maps, which is present in IBM Tivoli Network Manager ITNM IP Edition. The fix consists of removing this library from ITNM. Vulnerability Details CVEID:CVE-2007-2378 DESCRIPTION: The Google Web Toolkit GWT framework exchanges data using JavaScript...
Security Bulletin: IBM Sterling B2B Integrator is vulnerable to Cross-Site Scripting (CVE-2022-34330)
Summary IBM Sterling B2B Integrator has addressed the cross-site scripting vulnerability. Vulnerability Details CVEID:CVE-2022-34330 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code i...
Security Bulletin: B2B API of IBM Sterling B2B Integrator is vulnerable to Cross Origin Resource Sharing (CORS) (CVE-2021-38928)
Summary IBM Sterling B2B Integrator has addressed the Cross-Origin Resource Sharing vulnerability in the B2B API. Vulnerability Details CVEID:CVE-2021-38928 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition uses Cross-Origin Resource Sharing CORS which could allow an attacker to carry out privileged...
Security Bulletin: IBM Sterling B2B Integrator is vulnerable to access control issue (CVE-2022-43920)
Summary IBM Sterling B2B Integrator has addressed the access control security vulnerability. Vulnerability Details CVEID:CVE-2022-43920 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition could allow an authenticated user to gain privileges in a different group due to an access control...
Security Bulletin: Dashboard of IBM Sterling B2B Integrator is vulnerable to session mismanagement (CVE-2022-22371)
Summary IBM Sterling B2B Integrator has addressed the session mismanagement vulnerability in Dashboard. Vulnerability Details CVEID:CVE-2022-22371 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition does not invalidate session after a password change which could allow an authenticated user t...
Security Bulletin: B2B API of IBM Sterling B2B Integrator is vulnerable to information disclosure (CVE-2022-22337)
Summary IBM Sterling B2B Integrator has addressed the information disclosure vulnerability in the B2B API. Vulnerability Details CVEID:CVE-2022-22337 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition could disclose sensitive information to an authenticated user. CVSS Base score: 4.3 CVSS...
Security Bulletin: EBICS Client of IBM Sterling B2B Integrator is vulnerable to SQL Injection (CVE-2022-22338)
Summary IBM Sterling B2B Integrator has addressed the SQL injection vulnerability in EBICS client. Vulnerability Details CVEID:CVE-2022-22338 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements,...
Security Bulletin: Dashboard of IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-22352)
Summary IBM Sterling B2B Integrator has addressed the cross-site scripting vulnerability in Dashboard. Vulnerability Details CVEID:CVE-2022-22352 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary...
Security Bulletin: Security vulnerability has been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component
Summary IBM Security Verify Governance, Identity Manager virtual appliance component has addressed the following vulnerability. Vulnerability Details CVEID:CVE-2022-22461 DESCRIPTION: IBM Security Verify Governance uses weaker than expected cryptographic algorithms that could allow an attacker to...
Security Bulletin: Security vulnerability has been fixed in IBM Security Verify Governance, Identity Manager Software component (CVE-2022-35646)
Summary IBM Security Verify Governance, Identity Manager Software component has addressed the following vulnerability: An authenticated user may be able to modify or cancel any other user's access request. Vulnerability Details CVEID:CVE-2022-35646 DESCRIPTION: IBM Security Verify Governance, Identi...
Security Bulletin: Security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component
Summary IBM Security Verify Governance, Identity Manager virtual appliance component has addressed the following vulnerabilities. Vulnerability Details CVEID:CVE-2022-22457 DESCRIPTION: IBM Security Verify Governance stores sensitive information including user credentials in plain clear text which...
Security Bulletin: Multiple Vulnerabilities Affect IBM Financial Transaction Manager for SWIFT Services (CVE-2022-4387, CVE-2022-43875)
Summary Multiple vulnerabilities affect IBM Financial Transaction Manager for SWIFT Services. These are addressed. Vulnerability Details CVEID:CVE-2022-43872 DESCRIPTION: IBM Financial Transaction Manager authorization checks are done incorrectly for some HTTP requests which allows getting...
Security Bulletin: A vulnerability in IBM Spectrum Scale CSI could allow unauthorized access (CVE-2022-40607)
Summary A security vulnerability has been identified in IBM Spectrum Scale CSI that could allow unauthorized access. A fix for this vulnerability is available. Vulnerability Details CVEID:CVE-2022-40607 DESCRIPTION: IBM Spectrum Scale could allow users with permissions to create pod, persistent...
Security Bulletin: Watson Machine Learning Accelerator on Cloud Pak for Data is affected by multiple vulnerabilities in Grafana
Summary Watson Machine Learning Accelerator on Cloud Pak for Data had an internal dependency on Grafana. Grafana dependency is now removed. Grafana component is no longer used or shipped with Watson Machine Learning Accelerator on Cloud Pak for Data. This bulletin identifies the steps to take to...
Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related IBM WebSphere Application Server Liberty and FasterXML jackson-databind
Summary Vulnerabilities in IBM WebSphere Application Server Liberty and FasterXML jackson-databind such as HTTP header injection, identity spoofing, denial of service may affect IBM Spectrum Control. Vulnerability Details CVEID:CVE-2022-34165 DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0...
Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities
Summary IBM Cloud Transformation Advisor has addressed multiple security vulnerabilities including those in Node.js, IBM WebSphere Application Server Liberty and various other libraries. Vulnerability Details CVEID:CVE-2022-24839 DESCRIPTION: Sparkle Motion Nokogiri is vulnerable to a denial of...
Security Bulletin: This Power System update is being released to address CVE-2022-2809
Summary POWER10: In response to a security issue with the BMC HTTPS server, a new Power System firmware update is being released to address Common Vulnerabilities and Exposures issue number CVE-2022-2809. Vulnerability Details CVEID:CVE-2022-2809 DESCRIPTION: In IBM OPENBMC, when using a...
Security Bulletin: A vulnerability in IBM Spectrum Scale could allow a local attacker to execute arbitrary commands (CVE-2022-43867)
Summary A security vulnerability has been identified in IBM Spectrum Scale Container Native Access Storage that could allow a local attacker to execute arbitrary commands. A fix for this vulnerability is available. Vulnerability Details CVEID:CVE-2022-43867 DESCRIPTION: IBM Spectrum Scale could...
Security Bulletin: Multiple vulnerabilities affect IBM Sterling Secure Proxy (CVE-2021-2163, CVE-2022-34361)
Summary A Java vulnerability and an exposure of weak TLS ciphers affect IBM Sterling Secure Proxy. Vulnerability Details CVEID:CVE-2021-2163 DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality...
Security Bulletin: IBM API Connect is impacted by host header injection vulnerability (CVE-2021-38997)
Summary IBM API Connect is impacted by host header injection vulnerability. The fix addresses the host header injection CVE-2021-38997. Vulnerability Details CVEID:CVE-2021-38997 DESCRIPTION: IBM API Connect is vulnerable to HTTP header injection, caused by improper validation of input by the HOS...
Security Bulletin: IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps is vulnerable to information disclosure and weaker security (CVE-2022-43901, CVE-2022-43900)
Summary IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps could disclose sensitive information and contain weaker than expected security. This has been addressed. Vulnerability Details CVEID:CVE-2022-43901 DESCRIPTION: IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps could...
Security Bulletin: IBM Maximo Mobile is vulnerable to Information Disclosure (CVE-2022-41732)
Summary IBM Maximo Mobile stores user credentials in plain clear text which can be read by a local user. Vulnerability Details CVEID:CVE-2022-41732 DESCRIPTION: IBM Maximo Mobile stores user credentials in plain clear text which can be read by a local user. CVSS Base score: 6.2 CVSS Temporal Scor...
Security Bulletin: IBM DataPower Gateway does not invalidate active sessions on a password change (CVE-2022-40228)
Summary If a user password is changed, IBM DataPower Gateway does not immediately invalidate existing active sessions that were created with the old password. This means that a session created using a compromised password could continue to operate after the password has been changed until the...
Security Bulletin: IBM i Access Client Solutions is vulnerable to DLL hijacking when run on a Windows operating system (CVE-2022-40746)
Summary IBM i Access Client Solutions is vulnerable to DLL hijacking when certain features are run on a Windows operating system that leverage native code. IBM has addressed this CVE by providing a fix to IBM i Access Client Solutions as described in the remediation/fixes section. Vulnerability...