Security Bulletin: Vulnerability in the Linux kernel affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
Summary A vulnerability in the Linux kernel affects IBM Storage Virtualize products and could cause side-channel leakage. CVE-2023-6240. Vulnerability Details CVEID:CVE-2023-6240 DESCRIPTION: Linux Kernel could allow a remote attacker to obtain sensitive information, caused by a Marvin...
Security Bulletin: Vulnerability in python3 affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
Summary A flaw was found in Python. The ipaddress module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as "globally reachable" or "private". Due to this issue, it is possible that values will not be returned in accordance with the latest information...
Security Bulletin: Vulnerability in requests affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0)[CVE-2023-32681]
Summary The requests package is used by IBM Cloud Pak for Data System 2.0. IBM Cloud Pak for Data System 2.0 has addressed the applicable CVE CVE-2023-32681. Vulnerability Details CVEID:CVE-2023-32681 DESCRIPTION: Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking...
Security Bulletin: Security vulnerability due to a vulnerability in the Apache Derby package shipped with IBM TXSeries for Multiplatforms
Summary Security vulnerability due to a vulnerability in the Apache Derby package shipped with IBM TXSeries for Multiplatforms. The Apache Derby package version has been updated. Vulnerability Details CVEID:CVE-2022-46337 DESCRIPTION: Apache Derby could allow a remote attacker to bypass security...
Security Bulletin: Vulnerability in urllib3 affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0)[CVE-2023-43804]
Summary The urllib3 package is used by IBM Cloud Pak for Data System 2.0. IBM Cloud Pak for Data System 2.0 has addressed the applicable CVEs CVE-2023-43804. Vulnerability Details CVEID:CVE-2023-43804 DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information,...
Security Bulletin: Vulnerability in idna affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2024-3651]
Summary The idna package is used by IBM Cloud Pak for Data System 2.0 . IBM Cloud Pak for Data System 2.0 has addressed the applicable CVEs CVE-2024-3651. Vulnerability Details CVEID:CVE-2024-3651 DESCRIPTION: idna could allow a local user to cause a denial of service using a specially crafted...
Security Bulletin: Vulnerability in zipp affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2024-5569]
Summary The zipp package is used by IBM Cloud Pak for Data System 2.0 . IBM Cloud Pak for Data System 2.0 has addressed the applicable CVEs CVE-2024-5569. Vulnerability Details CVEID:CVE-2024-5569 DESCRIPTION: zipp is vulnerable to a denial of service, caused by an infinite loop flaw in the Path...
Security Bulletin: Multiple Vulnerabilities in containers of IBM Workload Scheduler component of IBM Workload Automation
Summary Multiple vulnerabilities that impact containers only were addressed in the IBM Workload Scheduler component of IBM Workload Automation 10.1.0.5 and 10.2.3. Vulnerability Details CVEID:CVE-2022-48564 DESCRIPTION: Python is vulnerable to a denial of service, caused by a flaw in the readints...
Security Bulletin: There is a vulnerability in IBM Maximo Manage application that could allow an unauthenticated path-traversal leading to an arbitrary file disclosure (CVE-2024-22328)
Summary There is a vulnerability in IBM Maximo Manage application that could allow an unauthenticated path-traversal leading to an arbitrary file disclosure. Vulnerability Details CVEID:CVE-2024-22328 DESCRIPTION: IBM Maximo Application Suite 8.10 and 8.11 could allow a remote attacker to travers...
Security Bulletin: Rational Service Tester contains vulnerabilities which could affect Eclipse Jetty
Summary Due to the use of Eclipse Jetty, Rational Service Tester contains vulnerabilities around request processing that could lead to a potential denial of service attack. Vulnerability Details CVEID:CVE-2024-9823 DESCRIPTION: Eclipse Jetty is vulnerable to a denial of service, caused by a flaw ...
Security Bulletin: Rational Performance Tester contains vulnerabilities which could affect Eclipse Jetty
Summary Due to the use of Eclipse Jetty, Rational Performance Tester contains vulnerabilities around request processing that could lead to a potential denial of service attack. Vulnerability Details CVEID:CVE-2024-9823 DESCRIPTION: Eclipse Jetty is vulnerable to a denial of service, caused by a...
Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to improper privilege management due to Apache Kafka Client(CVE-2024-31141)
Summary IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to improper privilege management, allowing external parties access to files or directories due to Apache Kafka Client. Vulnerability Details CVEID:CVE-2024-31141 DESCRIPTION: Files or Directories Accessible to...
Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service due to Netty (CVE-2024-47535)
Summary There is a vulnerability in the Netty library used by IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, with the grpc-1.0 or grpcClient-1.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes...
Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a denial of service due to Netty (CVE-2024-47535)
Summary There is a vulnerability in the Netty library used by IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, with the grpc-1.0 or grpcClient-1.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes...
Security Bulletin: Vulnerability in gunicorn affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2024-1135]
Summary The gunicorn package is used by IBM Cloud Pak for Data System 2.0 . IBM Cloud Pak for Data System 2.0 has addressed the applicable CVEs CVE-2024-1135. Vulnerability Details CVEID:CVE-2024-1135 DESCRIPTION: Gunicorn is vulnerable to HTTP request smuggling, caused by improper parsing of the...
Security Bulletin: IBM JRS (Jazz Reporting Service) uses a web link with untrusted references to an external site.
Summary IBM JRS (Jazz Reporting Service) uses a web link with untrusted references to an external site. A remote attacker could exploit this vulnerability to expose sensitive information or perform unauthorized actions in the victim's web browser. The web application produces links to untrusted...
Security Bulletin: Potential Improper Privilege Management vulnerability in Logstash affects IBM Operations Analytics - Log Analysis (CVE-2024-31141)
Summary Apache Kafka Client bundle in Logstash is vulnerable to improper privilege management. Vulnerability Details CVEID:CVE-2024-31141 DESCRIPTION: Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients...
Security Bulletin: IBM Maximo Application Suite, IBM Maximo Application Suite - IoT Component and IBM Truststore Manager uses jinja2-3.1.4-py3-none-any.whl which is vulnerable to CVE-2024-56326, CVE-2024-56201
Summary IBM Maximo Application Suite, IBM Maximo Application Suite - IoT Component and IBM Truststore Manager uses jinja2-3.1.4-py3-none-any.whl which is vulnerable to CVE-2024-56326, CVE-2024-56201. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability...
Security Bulletin: IBM Maximo Application Suite - IoT Component uses netty-common-4.1.114.Final.jar which is vulnerable to CVE-2024-47535
Summary IBM Maximo Application Suite - IoT Component uses netty-common-4.1.114.Final.jar which is vulnerable to CVE-2024-47535 This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-47535 DESCRIPTION: Netty is an asynchronous...
Security Bulletin: IBM Sterling Connect:Direct for Unix is vulnerable to denial of service and unauthorized data access attacks due to IBM Runtime Environment Java Technology Edition Version 8
Summary IBM Java 8 is used by IBM Sterling Connect:Direct for Unix in product configuration and management. IBM Sterling Connect:Direct for Unix is impacted by denial of service and unauthorized data access attacks due to IBM Java 8. IBM Sterling Connect:Direct for Unix has upgraded IBM Java 8 to...
Security Bulletin: Denial of service, SQL injection, and other vulnerabilities might affect IBM Storage Defender – Resiliency Service
Summary IBM Storage Defender – Resiliency Service is vulnerable to denial of service, SQL injection, and others. The vulnerabilities have been addressed. CVE-2023-52425, CVE-2024-53908, CVE-2024-53907, CVE-2023-52426, CVE-2022-29162, CVE-2023-25809, CVE-2023-27561, CVE-2023-28642, CVE-2024-21626,...
Security Bulletin: IBM Sterling Connect:Direct for Unix is vulnerable to denial of service and arbitrary code execution attacks due to IBM Runtime Environment Java Technology Edition Version 17
Summary IBM Java 17 is used by IBM Sterling Connect:Direct for Unix in product configuration and management. IBM Sterling Connect:Direct for Unix is impacted by denial of service and arbitrary code execution attacks due to IBM Java 17. IBM Sterling Connect:Direct for Unix has upgraded IBM Java 17...
Security Bulletin: IBM i is vulnerable to a user gaining elevated privileges due to an unqualified library call [CVE-2024-55898].
Summary IBM i is vulnerable to a user with the capability to compile or restore a program gaining elevated privileges due to an unqualified library call, as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerability as described in the...
Security Bulletin: This Power System update is being released to address CVE-2023-52881
Summary This affects the BMC's network transmission control protocol TCP interface which affects aspects of interfaces that use TCP including the BMC's secure shell SSH, HTTPS interfaces including the BMC's webserver, REST APIs, and ASMi web application, and event and subscriptions services. An...
Security Bulletin: Vulnerability in IBM Cloud Pak for Multicloud Management
Summary A fix for a vulnerability in IBM Cloud Pak for Multicloud Management has been delivered in a HotFix for 2.3 FP9. Vulnerability Details CVEID:CVE-2024-21534 DESCRIPTION: Jsonpath-plus could allow a remote attacker to execute arbitrary code on the system, caused by improper input sanitization and unsa...
Security Bulletin: IBM Maximo Application Suite Predict Component uses IBM WebSphere Application Server Liberty, which is vulnerable to a denial of service due to GraphQL Java (CVE-2024-40094)
Summary IBM Maximo Application Suite Predict Component uses IBM WebSphere Application Server Liberty, which is vulnerable to a denial of service due to GraphQL Java (CVE-2024-40094). This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details...
Security Bulletin: IBM Maximo Application Suite Predict Component uses CVE-2024-52304 (Low) detected in aiohttp-3.9.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl which is vulnerable to CVE-2024-52304
Summary IBM Maximo Application Suite Predict Component uses CVE-2024-52304 (Low) detected in aiohttp-3.9.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl which is vulnerable to CVE-2024-52304. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details...
Security Bulletin: IBM Maximo Application Suite Ai-Broker Component uses CVE-2024-12798, CVE-2024-12801 logback-core-1.5.12.jar (Publicly disclosed vulnerability found by Mend) CVE-2024-12798, CVE-2024-12801
Summary Security Bulletin: IBM Maximo Application Suite Ai-Broker Component uses CVE-2024-12798, CVE-2024-12801 logback-core-1.5.12.jar Publicly disclosed vulnerability found by Mend CVE-2024-12798, CVE-2024-12801. This bulletin contains information regarding the vulnerability and its fixture...
Security Bulletin: IBM Maximo Application Suite Ai-Broker Component uses CVE-2024-47874 starlette-0.27.0-py3-none-any.whl (Publicly disclosed vulnerability found by Mend) CVE-2024-47874
Summary Security Bulletin: IBM Maximo Application Suite Ai-Broker Component uses CVE-2024-47874 starlette-0.27.0-py3-none-any.whl Publicly disclosed vulnerability found by Mend CVE-2024-47874. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details...
Security Bulletin: IBM Maximo Application Suite Ai-Broker Component uses CVE-2024-12798 logback-classic-1.5.12.jar (Publicly disclosed vulnerability found by Mend) CVE-2024-12798
Summary Security Bulletin: IBM Maximo Application Suite Ai-Broker Component uses CVE-2024-12798 logback-classic-1.5.12.jar (Publicly disclosed vulnerability found by Mend) CVE-2024-12798. This bulletin contains information regarding the vulnerability and its fixture. Vulnerabilit...
Security Bulletin: IBM Maximo Application Suite Ai-Broker Component uses CVE-2024-52798 path-to-regexp-0.1.10.tgz (Publicly disclosed vulnerability found by Mend) CVE-2024-52798
Summary Security Bulletin: IBM Maximo Application Suite Ai-Broker Component uses CVE-2024-52798 path-to-regexp-0.1.10.tgz Publicly disclosed vulnerability found by Mend CVE-2024-52798. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details...
Security Bulletin: IBM Maximo Application Suite Ai-Broker Component uses CVE-2024-56337 tomcat-embed-core-10.1.33.jar (Publicly disclosed vulnerability found by Mend) CVE-2024-56337
Summary Security Bulletin: IBM Maximo Application Suite Ai-Broker Component uses CVE-2024-56337 tomcat-embed-core-10.1.33.jar Publicly disclosed vulnerability found by Mend CVE-2024-56337. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details...
Security Bulletin: IBM Maximo Application Suite Ai-Broker Component uses CVE-2024-38827 spring-boot-starter-security-3.3.5.jar: 1 vulnerabilities CVE-2024-38827
Summary Security Bulletin: IBM Maximo Application Suite Ai-Broker Component uses CVE-2024-38827 spring-boot-starter-security-3.3.5.jar: 1 vulnerabilities CVE-2024-38827. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-38827...
Security Bulletin: IBM Maximo Application Suite Ai-Broker Component uses CVE-2024-53981 python_multipart-0.0.17-py3-none-any.whl (Publicly disclosed vulnerability found by Mend) CVE-2024-53981
Summary Security Bulletin: IBM Maximo Application Suite Ai-Broker Component uses CVE-2024-53981 python_multipart-0.0.17-py3-none-any.whl (Publicly disclosed vulnerability found by Mend) CVE-2024-53981. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability...
Security Bulletin: Execution Engine for Apache Hadoop is vulnerable to heap-based buffer overflow and remote attacker to bypass security restrictions
Summary bash, curl are used by Execution Engine for Apache Hadoop in all the components. CVE-2022-3715, CVE-2022-32221, CVE-2022-32207, CVE-2023-38545, CVE-2022-22576, CVE-2022-27781, CVE-2021-22926, CVE-2021-22946, CVE-2022-27782, CVE-2023-28319, CVE-2022-32206, CVE-2021-22922, CVE-2023-23916,...
Security Bulletin: z/Transaction Processing Facility is affected by a vulnerability in the Apache Mina SSHD package (CVE-2023-48795)
Summary The Apache Mina SSHD package is used by the z/TPF system as part of the z/TPF secure file transfer support. Vulnerability Details CVEID:CVE-2023-48795 DESCRIPTION: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote...
Security Bulletin: z/Transaction Processing Facility is affected by an OpenSSL vulnerability
Summary The z/TPF version of OpenSSL was updated to address the vulnerability described by CVE-2024-13176. Vulnerability Details CVEID:CVE-2024-13176 DESCRIPTION: Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computatio...
Security Bulletin: Vulnerability in the Linux kernel affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
Summary A vulnerability in the Linux kernel affects IBM Storage Virtualize products and could cause denial of service. CVE-2023-52881. Vulnerability Details CVEID:CVE-2023-52881 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: tcp: do not accept ACK of bytes we nev...
Security Bulletin: Vulnerability in python-dns affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
Summary A vulnerability in python-dns affects IBM Storage Virtualize products and could cause denial of service. CVE-2023-29483. Vulnerability Details CVEID:CVE-2023-29483 DESCRIPTION: Dnspython is vulnerable to a denial of service, caused by a flaw in stub resolver when a bad-in-some-way respons...
Security Bulletin: Vulnerabilities in bind affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
Summary Vulnerabilities in bind affect IBM Storage Virtualize products and could cause denial of service. CVE-2024-1737 CVE-2024-1975. Vulnerability Details CVEID:CVE-2024-1737 DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by an error when content is being added or updated in...
Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that use Kafka nodes are vulnerable to privilege escalation [CVE-2024-31141]
Summary The Apache Kafka client is used by IBM App Connect Enterprise Certified Container for the Kafka client nodes. IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that run toolkit flows containing Kafka nodes are vulnerable to privilege...
Security Bulletin: A Security Vulnerability was discovered in IBM Security Verify Directory (CVE-2024-45650)
Summary A Security Vulnerability was addressed in IBM Security Verify Directory. Vulnerability Details CVEID:CVE-2024-45650 DESCRIPTION: IBM Security Verify Directory 10.0 is vulnerable to a denial of service when sending an LDAP extended operation. CWE:CWE-754: Improper Check for Unusual or...
Security Bulletin: A Security Vulnerability discovered in IBM Security Verify Directory (CVE-2022-2068) has been addressed.
Summary A Security Vulnerability discovered in IBM Security Verify Directory Server containers has been addressed. Vulnerability Details CVEID:CVE-2022-2068 DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplie...
Security Bulletin: Vulnerability in openssl library (CVE-2024-5535) affects Power HMC.
Summary The openssl library is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2024-5535 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a buffer over-read flaw in the SSL_select_next_proto API function when...
Security Bulletin: Vulnerability in bzip library (CVE-2019-12900) affects Power HMC.
Summary The bzip library is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2019-12900 DESCRIPTION: bzip2 is vulnerable to a denial of service, caused by an out-of-bounds write flaw when there are many selectors in the...
Security Bulletin: Vulnerability in expat library (CVE-2024-50602) affects Power HMC.
Summary The expat library is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2024-50602 DESCRIPTION: An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser ca...
Security Bulletin: Vulnerability in Apache Tomcat Server (CVE-2024-52317) affects Power HMC.
Summary The Apache Tomcat Server is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2024-52317 DESCRIPTION: Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response...
Security Bulletin: Vulnerability in Apache Tomcat Server (CVE-2024-52318) affects Power HMC.
Summary The Apache Tomcat Server is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2024-52318 DESCRIPTION: Incorrect object recycling and reuse vulnerability in Apache Tomcat. This issue affects Apache Tomcat: 11.0.0, 10.1.31,...
Security Bulletin: Vulnerabilities in IBM Java SDK (CVE-2024-21217, CVE-2024-21208, CVE-2024-10917) affect Power HMC.
Summary The IBM Java SDK library is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2024-21217 DESCRIPTION: Vulnerability in Java SE component: Serialization. Difficult to exploit vulnerability allows unauthenticated attacker...
Security Bulletin: IBM Db2 used by IBM Security Verify Governance - Container has multiple vulnerabilities
Summary IBM Security Verify Governance (ISVG) - Container uses IBM Db2. Information about security vulnerabilities affecting IBM Db2 has been published in security bulletins. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section. Affected Products and Versions...