Security Bulletin: R statistical programming language - deserialization of untrusted data leading to arbitrary code execution
Summary Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS R Data Serialization formatted file or R package to run arbitrary code on an end user's system when...
Security Bulletin: Multiple Vulnerabilities affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition
Summary IBM® Runtime Environment Java™ is used by CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. The fix updates the Java Runtime Environment to resolve the following vulnerabilities. Vulnerability Details CVEID:CVE-2024-21235 DESCRIPTION: Vulnerability ...
Security Bulletin: Security vulnerability found in package openssl shipped with IBM CICS TX Advanced.
Summary Security vulnerability found in package openssl shipped with IBM CICS TX Advanced. The versions of the packages have been updated. Vulnerability Details CVEID:CVE-2024-4741 DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-fr...
Security Bulletin: IBM Support for Hyperledger Fabric is vulnerable to CVE-2024-52798
Summary path-to-regexp-0.1.10.tgz is used by IBM Support for Hyperledger Fabric Console. Vulnerability Details CVEID:CVE-2024-52798 DESCRIPTION: path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to jinja2-3.1.4-py3-none-any.whl (CVE-2024-56326, CVE-2024-56201)
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to jinja2-3.1.4-py3-none-any.whl CVE-2024-56326, CVE-2024-56201. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-56326 DESCRIPTION: Jinja is an extensible...
Security Bulletin: IBM Operational Decision Manager for Jan 2025 - Multiple CVEs addressed
Summary IBM Operational Decision Manager is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2024-51504...
Security Bulletin: Vulnerabilities in IBM Java affect IBM SAN Volume Controller, IBM Storwize, IBM Storage Virtualize and IBM FlashSystem products
Summary Vulnerabilities in IBM® Runtime Environment Java™ Technology Edition affect the product's management GUI. The Command Line Interface is unaffected. CVE-2024-21235 CVE-2024-21217 CVE-2024-21210 CVE-2024-21208 CVE-2024-10917 . Vulnerability Details CVEID:CVE-2024-21235 DESCRIPTION:...
Security Bulletin: SPSS Collaboration and Deployment Services is affected by multiple vulnerabilities in IBM WebSphere Application Server Liberty
Summary SPSS Collaboration and Deployment Services is affected by multiple vulnerabilities in IBM WebSphere Application Server Liberty CVE-2024-40094, CVE-2024-7254, CVE-2023-50314 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and...
Security Bulletin: Multiple Vulnerabilities of IBM Java SDK affect Linux KVM Agent from IBM Tivoli Monitoring for Virtual Environments
Summary IBM Java SDK is used by Linux KVM Agent from IBM Tivoli Monitoring for Virtual Environments. Vulnerability Details CVEID:CVE-2024-21147 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality, high...
Security Bulletin: Multiple Vulnerabilities of IBM Java SDK affect VMware Agent from IBM Tivoli Monitoring for Virtual Environments.
Summary IBM Java SDK is used by VMware Agent from IBM Tivoli Monitoring for Virtual Environments. Vulnerability Details CVEID:CVE-2024-21147 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality, high integrity...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to virtualenv-20.17.1-py3-none-any.whl CVE-2024-53899
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to virtualenv-20.17.1-py3-none-any.whl CVE-2024-53899. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-53899 DESCRIPTION: virtualenv before 20.26.6 allows command...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to bootstrap-4.6.2 CVE-2024-6531
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to bootstrap-4.6.2 CVE-2024-6531. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-6531 DESCRIPTION: Node.js Bootstrap module is vulnerable to cross-site scripting...
Security Bulletin: Denial of Service vulnerability in jackson-core may affect IBM Business Automation Workflow - IBM X-Force ID: 220938
Summary IBM Business Automation Workflow is vulnerable to a Denial of Service attack. Vulnerability Details IBM X-Force ID: 220938 DESCRIPTION: FasterXML Jackson Core is vulnerable to a denial of service, caused by an out of memory error when writing big decimal when the WRITE_BIGDECIMAL_AS_PLAIN...
Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to arbitrary code execution [CVE-2024-21534]
Summary Node.js module jsonpath-plus is used by IBM App Connect Enterprise Certified Container for processing JSON configuration. IBM App Connect Enterprise Certified Container operands are vulnerable to arbitrary code execution. This bulletin provides patch information to address the reported...
Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Automation Workflow - CVE-2024-52365
Summary IBM Business Automation Workflow is vulnerable to a Cross Site Scripting attack. Vulnerability Details CVEID:CVE-2024-52365 DESCRIPTION: IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2...
Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java
Summary IBM Sterling Connect:Direct Web Service uses IBM Java SE. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-21217 DESCRIPTION: Vulnerability in Java SE component: Serialization. Difficult to exploit vulnerability allows...
Security Bulletin: Older Versions of Statistics Include an R Runtime with a Vulnerability in Zlib
Summary The version of zlib contained in the R language runtime that ships with IBM SPSS Statistics version 29 and lower contains a vulnerability related to a heap-based buffer over-read or buffer overflow in inflate. IBM SPSS Statistics is not directly affected, but is offering an upgrade for th...
Security Bulletin: Vulnerabilities in the jquery-1.10.0.js package affect Data Replication on Cloud Pak for Data
Summary Multiple vulnerabilities in the jquery-1.10.0.js package used in Data Replication on Cloud Pak for Data were addressed. Vulnerability Details CVEID:CVE-2020-11023 DESCRIPTION: In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing option elements from...
Security Bulletin: InfoSphere Data Replication is affected by Snappy-Java vulnerabilities
Summary InfoSphere Data Replication uses Snappy-Java. This bulletin identifies the steps to take to address the vulnerability in that package. Vulnerability Details CVEID:CVE-2023-34453 DESCRIPTION: snappy-java is vulnerable to a denial of service, caused by an integer overflow in the shuffle...
Security Bulletin: Multiple vulnerabilities have been identified in IBM Installation Manager shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2021-34428, CVE-2022-2047, CVE-2023-36479)
Summary IBM Installation Manager is shipped as a package manager for IBM Security Guardium Key Lifecycle Manager SKLM/GKLM. Information about multiple security vulnerabilities affecting IBM Installation Manager has been published in a security bulletin. Vulnerability Details Refer to the security...
Security Bulletin: Vulnerabilities in Linux Kernel might affect IBM Storage Copy Data Management
Summary IBM Storage Copy Data Management can be affected by vulnerabilities in Linux Kernel. Vulnerabilities include an authenticated or local authenticated attacker could exploit these vulnerabilities to gain elevated privileges on the system, to cause a denial of service condition, to cause the...
Security Bulletin: IBM Sterling Control Center v6.2.1 and v6.3.1 is vulnerable with IBM Semeru Runtime Quarterly CPU - Jan 2024
Summary IBM Semeru Runtime Quarterly CPU - Jan 2024 - Includes OpenJDK Jan 2024 CPU plus CVE-2024-22361 and affecting Sterling Control Center v6.2.1 and v6.3.1. Vulnerability Details CVEID:CVE-2024-20932 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component could...
Security Bulletin: Vulnerability in Jsonpath-plus affects IBM watsonx Assistant for IBM Cloud Pak for Data
Summary Potential vulnerability in Jsonpath-plus has been identified that affects IBM watsonx Assistant for IBM Cloud Pak for Data. The vulnerability have been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-21534 DESCRIPTION: Jsonpath-plus could allow...
Security Bulletin: IBM QRadar Deployment Intelligence app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
Summary The product includes vulnerable components e.g., framework libraries that could be identified and exploited with automated tools. IBM QRadar Deployment Intelligence app for IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2024-42461 DESCRIPTION: Node.js...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to Werkzeug-2.3.4-py3-none-any.whl CVE-2023-46136
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to Werkzeug-2.3.4-py3-none-any.whl CVE-2023-46136. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2023-46136 DESCRIPTION: Pallets Werkzeug is vulnerable to a denial o...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to nanoid-3.3.7.tgz CVE-2024-55565
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to nanoid-3.3.7.tgz CVE-2024-55565. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-55565 DESCRIPTION: nanoid aka Nano ID before 5.0.9 mishandles non-integer...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to WebSphere Application Server Liberty CVE-2024-7254
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to WebSphere Application Server Liberty CVE-2024-7254. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-7254 DESCRIPTION: Any project that parses untrusted Protoco...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to cross-spawn-7.0.3.tgz CVE-2024-21538
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to cross-spawn-7.0.3.tgz CVE-2024-21538. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-21538 DESCRIPTION: Versions of the package cross-spawn before 7.0.5 are...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to cookie-0.5.0.tgz CVE-2024-47764
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to cookie-0.5.0.tgz CVE-2024-47764. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-47764 DESCRIPTION: jshttp cookie could allow a remote attacker to bypass...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to cryptography-42.0.7-cp37-abi3-manylinux_2_28_x86_64.whl CVE-2024-6119
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to cryptography-42.0.7-cp37-abi3-manylinux_2_28_x86_64.whl CVE-2024-6119. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-6119 DESCRIPTION: OpenSSL is vulnerable to a...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to cookie-0.4.0.tgz CVE-2024-47764
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to cookie-0.4.0.tgz CVE-2024-47764. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-47764 DESCRIPTION: jshttp cookie could allow a remote attacker to bypass...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to setuptools-68.0.0-py3-none-any.whl CVE-2024-6345
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to setuptools-68.0.0-py3-none-any.whl CVE-2024-6345. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-6345 DESCRIPTION: pypa/setuptools could allow a remote attack...
Security Bulletin: Vulnerability in Apache Avro Java SDK affects watsonx.data
Summary Apache Avro Java SDK is vulnerable to a denial of service attack, and this could affect watsonx.data. Vulnerability Details CVEID:CVE-2023-39410 DESCRIPTION: Apache Avro Java SDK is vulnerable to a denial of service, caused by an unsafe deserialization flaw. By sending specially crafted...
Security Bulletin: Vulnerability in Spring Core affects watsonx.data
Summary Spring Core is vulnerable to security restriction bypass attacks, to denial of service attacks, and to arbitrary code execution attacks. These could affect watsonx.data. Vulnerability Details CVEID:CVE-2018-1199 DESCRIPTION: Pivotal Spring Security and Spring Framework could allow a remot...
Security Bulletin: Vulnerability in Apache Zookeeper affects watsonx.data
Summary Apache ZooKeeper is vulnerable to a remote attack bypassing security restrictions which could allow the attacker to bypass authentication. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2024-51504 DESCRIPTION: Apache ZooKeeper could allow a remote attacker to bypass securit...
Security Bulletin: Vulnerability in Pivotal Spring Framework affects watsonx.data
Summary Pivotal Spring Framework could allow a remote attacker to execute arbitrary code on the system. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2016-1000027 DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by...
Security Bulletin: Vulnerabilities in Spring Web affect watsonx.data
Summary Spring Web is vulnerable to open redirect attacks, to phishing attacks, to denial of service attacks, to elevation of privilege attacks, to reflected file download attacks, to security restrictions bypass attacks, to arbitrary code execution attacks, and to security restrictions bypass...
Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to object recycling and reuse vulnerability in Apache Tomcat (CVE-2024-52318)
Summary IBM DevOps Deploy / IBM UrbanCode Deploy UCD is susceptible to incorrect object recycling and reuse vulnerability in Apache Tomcat. This issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96. Vulnerability Details CVEID:CVE-2024-52318 DESCRIPTION: Incorrect object recycling and reuse...
Security Bulletin: Security vulnerabilities are addressed with IBM Business Automation Insights iFix for January 2025.
Summary Security vulnerabilities are addressed with IBM Business Automation Insights 24.0.0-IF002 Vulnerability Details CVEID:CVE-2024-47561 DESCRIPTION: Apache Avro could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in schema parsing in the Java...
Security Bulletin: IBM Db2® Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2®
Summary IBM has released the following fix for IBM Db2® Warehouse in response to multiple vulnerabilities found in IBM Db2®. Vulnerability Details CVEID:CVE-2015-8383 DESCRIPTION: PCRE is vulnerable to a heap-based buffer overflow, caused by the improper handling of certain repeated conditional...
Security Bulletin: Multiple vulnerabilities in spring packaged with CMIS affect IBM Business Automation Workflow - CVE-2024-22262, CVE-2024-38809
Summary IBM Business Automation Workflow repackages FileNet Content Manager's CMIS interface, which in turn repackages parts of a version of the Spring framework. Vulnerabilities have been reported for Spring. Vulnerability Details CVEID:CVE-2024-22262 DESCRIPTION: VMware Tanzu...
Security Bulletin: XML External Entity Injection vulnerability affects IBM Business Automation Workflow - CVE-2024-28168
Summary IBM Business Automation Workflow is vulnerable to an XML External Entity Injection attack. Vulnerability Details CVEID:CVE-2024-28168 DESCRIPTION: Apache XML Graphics FOP is vulnerable to an XML External Entity Injection XXE attack when processing XML data. By sending specially crafted XML...
Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Automation Workflow - CVE-2024-52364
Summary IBM Business Automation Workflow is vulnerable to a Cross-Site Scripting attack. Vulnerability Details CVEID:CVE-2024-52364 DESCRIPTION: IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2...
Security Bulletin: Denial of Service vulnerability affects IBM Business Automation Workflow - CVE-2024-21538
Summary IBM Business Automation Workflow is vulnerable to a Denial of Service attack. Vulnerability Details CVEID:CVE-2024-21538 DESCRIPTION: Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service ReDoS due to improper input sanitization. An attack...
Security Bulletin: Denial of Service in Spring vulnerability affects IBM Business Automation Workflow - CVE-2024-38808
Summary IBM Business Automation Workflow is vulnerable to a Denial of Service attack. Vulnerability Details CVEID:CVE-2024-38808 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted Spring Expression...
Security Bulletin: Weak authorization in IBM Business Automation Workflow - CVE-2024-49348
Summary IBM Business Automation Workflow is vulnerable and may return sensitive information in unexpected scenarios. Vulnerability Details CVEID:CVE-2024-49348 DESCRIPTION: IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2,...
Security Bulletin: Server Side Request Forgery vulnerability affects IBM Business Automation Workflow - CVE-2024-39338
Summary IBM Business Automation Workflow is vulnerable to a Server Side Request Forgery SSRF attack. Vulnerability Details CVEID:CVE-2024-39338 DESCRIPTION: Axios is vulnerable to server-side request forgery, caused by a flaw with requests for path relative URLs get processed as protocol relative...
Security Bulletin: Denial of Service vulnerability in Apache Commons IO affects IBM Business Automation Workflow - CVE-2024-47554
Summary IBM Business Automation Workflow packages a vulnerable version of Apache Commons IO. Vulnerability Details CVEID:CVE-2024-47554 DESCRIPTION: Apache Commons IO is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw in the...
Security Bulletin: Vulnerability in protobuf-java affects watsonx.data
Summary protobuf-java is vulnerable to stack overflow attacks. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-7254 DESCRIPTION: Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by...
Security Bulletin: Due to the use of Apache Commons IO, IBM WebSphere eXtreme Scale Liberty Deployment is vulnerable to an Uncontrolled Resource Consumption vulnerability
Summary The YAJSW service is used for registering XSLD services with the operating system. commons-io-2.11.0.jar bundled in YAJSW is vulnerable to CVE-2024-47554. This is fixed in yajsw-stable-13.13. Applying ifix PH65060 will upgrade YAJSW to version 13.13. Vulnerability Details CVEID:CVE-2024-47554...