Security Bulletin: Vulnerability in Netty affects IBM watsonx Assistant for IBM Cloud Pak for Data
Summary A potential vulnerability in Netty has been identified that affects IBM watsonx Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-29025 DESCRIPTION: Netty is an asynchronous...
Security Bulletin: Vulnerability in MIT Kerberos 5 (aka krb5) affects IBM watsonx Assistant for IBM Cloud Pak for Data
Summary Potential vulnerabilities in MIT Kerberos 5 (aka krb5) have been identified that affect IBM watsonx Assistant for IBM Cloud Pak for Data. These vulnerabilities have been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-37370 DESCRIPTION: MIT...
Security Bulletin: Vulnerability in cURL libcurl affects IBM watsonx Assistant for IBM Cloud Pak for Data
Summary A potential vulnerability in cURL libcurl has been identified that affects IBM watsonx Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-2398 DESCRIPTION: cURL libcurl is vulnerabl...
Security Bulletin: Vulnerabilities in GStreamer affects IBM watsonx Assistant for IBM Cloud Pak for Data
Summary Potential vulnerabilities in GStreamer have been identified that affect IBM watsonx Assistant for IBM Cloud Pak for Data. The vulnerabilities have been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-47538 DESCRIPTION: GStreamer is a library fo...
Security Bulletin: Vulnerability in Eclipse Jetty affects IBM watsonx Assistant for IBM Cloud Pak for Data
Summary A potential vulnerability in Eclipse Jetty has been identified that affects IBM watsonx Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-8184 DESCRIPTION: Eclipse Jetty is...
Security Bulletin: Vulnerability in http-proxy-middleware affects IBM watsonx Assistant for IBM Cloud Pak for Data
Summary A potential vulnerability in http-proxy-middleware has been identified that affects IBM watsonx Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-21536 DESCRIPTION:...
Security Bulletin: Vulnerabilities in Java SE affects IBM watsonx Assistant for IBM Cloud Pak for Data
Summary Potential vulnerabilities in Java SE have been identified that affect IBM watsonx Assistant for IBM Cloud Pak for Data. The vulnerabilities have been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-21208 DESCRIPTION: Vulnerability in Java SE...
Security Bulletin: IBM Maximo Application Suite uses werkzeug-3.0.4-py3-none-any.whl, cookie-0.4.1.tgz and cross-spawn-7.0.3.tgz which is vulnerable to CVE-2024-49767, CVE-2024-49766, CVE-2024-47764 and CVE-2024-21538
Summary IBM Maximo Application Suite uses werkzeug-3.0.4-py3-none-any.whl, cookie-0.4.1.tgz and cross-spawn-7.0.3.tgz, which are vulnerable to CVE-2024-49767, CVE-2024-49766, CVE-2024-47764 and CVE-2024-21538. This bulletin contains information regarding the vulnerability and its fixture...
Security Bulletin: IBM Instana Observability is vulnerable to Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip
Summary A vulnerability that could cause unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip (CVE-2024-24790) was remediated in IBM Observability with Instana Build 289. The various Is methods (IsPrivate, IsLoopback, etc.) did not work as expected for IPv4-mapped IPv6...
Security Bulletin: IBM B2B Advanced Communications is vulnerable to issues due to Java SDK (CVE-2022-40609)
Summary IBM B2B Advanced Communications has addressed vulnerabilities in the Java SDK shipped with the product. Vulnerability Details CVEID:CVE-2022-40609 DESCRIPTION: IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an...
Security Bulletin: The IBM® Engineering Lifecycle Engineering products using IBM WebSphere Application Server traditional is vulnerable to cross-site scripting
Summary IBM WebSphere Application Server is vulnerable to cross-site scripting in the administrative console. The following IBM® Engineering Lifecycle Engineering products are vulnerable to this attack, which has been addressed in this bulletin: IBM Engineering Test Management Vulnerability Details Refer...
Security Bulletin: The IBM® Engineering Lifecycle Engineering products using WebSphere Application Server traditional is vulnerable to a XML External Entity (XXE) injection vulnerability in the administrative console
Summary IBM WebSphere Application Server is vulnerable to an XML External Entity Injection (XXE) vulnerability in the administrative console. The following IBM® Engineering Lifecycle Engineering products are vulnerable to this attack, which has been addressed in this bulletin: IBM Engineering Test Manageme...
Security Bulletin: IBM B2B Advanced Communications is vulnerable to multiple issues due to Java SDK (CVE-2023-21930, CVE-2023-21967, CVE-2023-21954, CVE-2023-21939, CVE-2023-21968, CVE-2023-21937, CVE-2023-21938, CVE-2023-2597)
Summary IBM B2B Advanced Communications has addressed vulnerabilities in the Java SDK shipped with the product. Vulnerability Details CVEID:CVE-2023-21930 DESCRIPTION: An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an...
Security Bulletin: The IBM® Engineering Lifecycle Engineering products using IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to GraphQL Java
Summary There is a vulnerability in the GraphQL Java library used by IBM WebSphere Application Server Liberty with the mpGraphQL-1.0 or mpGraphQL-2.0 feature enabled. The following IBM® Engineering Lifecycle Engineering products are vulnerable to this attack, which has been addressed in this bulletin:...
Security Bulletin: IBM Engineering Lifecycle Optimization - Apache Derby: LDAP Injection Vulnerability In Authenticator
Summary A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware...
Security Bulletin: Multiple Vulnerabilities in IBM Application Performance Management Core Framework.
Summary Multiple vulnerabilities were addressed in IBM Application Performance Management 8.1.4.0 Core Framework IF28 patch. Vulnerability Details CVEID:CVE-2024-21147 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high...
Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities
Summary There are multiple vulnerabilities in components of IBM i Modernization Engine for Lifecycle Integration as described in the Vulnerability Details section. Golang html package is vulnerable to cross-site scripting CVE-2023-3978. Golang Go is vulnerable to a denial of service CVE-2023-4528...
Security Bulletin: spring-web-5.3.30.jar may affect SPSS Collaboration and Deployment Services (CVE-2024-22259)
Summary spring-web-5.3.30.jar may affect SPSS Collaboration and Deployment Services CVE-2024-22259 Vulnerability Details CVEID:CVE-2024-22262 DESCRIPTION: VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in...
Security Bulletin: Multiple security vulnerabilities have been identified in DB2 JDBC driver shipped with IBM Tivoli Business Service Manager
Summary DB2 JDBC driver is shipped as part of the XMLToolkit component for IBM Tivoli Business Service Manager. Information about security vulnerabilities affecting DB2 JDBC driver has been published in a security bulletin. Vulnerability Details CVEID:CVE-2023-45853 DESCRIPTION: MiniZip in zlib...
Security Bulletin: Vulnerabilities in Linux Kernel might affect IBM Storage Copy Data Management
Summary IBM Storage Copy Data Management can be affected by vulnerabilities in Linux Kernel. An authenticated or local authenticated attacker could exploit these vulnerabilities to cause a kernel panic or a denial of service condition, as described by the CVEs in the...
Security Bulletin: IBM Watson Query (Data Virtualization) on Cloud Pak for Data Vulnerable to Insufficient Session Expiration (CVE-2024-35160)
Summary IBM Watson Query, also known as Data Virtualization, is affected by insufficient session expiration when handling authorizations. Vulnerability Details CVEID:CVE-2024-35160 DESCRIPTION: IBM Watson Query on Cloud Pak for Data 1.8, 2.0, 2.1, 2.2 and IBM Db2 Big SQL on Cloud Pak for Data 7.3...
Security Bulletin: IBM Security Guardium is affected by Kernel vulnerabilities
Summary IBM Security Guardium has addressed these vulnerabilities in an update. Vulnerability Details CVEID:CVE-2024-26930 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by double free of the ha-vpmap pointer. By sending a specially crafted request, a local authenticated...
Security Bulletin: Vulnerabilities in OpenPrinting affects IBM watsonx Assistant for IBM Cloud Pak for Data
Summary Potential vulnerabilities in OpenPrinting have been identified that affect IBM watsonx Assistant for IBM Cloud Pak for Data. These vulnerabilities have been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-35235 DESCRIPTION: OpenPrinting CUPS coul...
Security Bulletin: IBM Technical Support Appliance - possible security flaws or denial of service
Summary Numerous fixes to the Linux kernel for reported issues related to various security vulnerabilities such as denial of service, unauthorized access, or leakage of sensitive data. Vulnerability Details CVEID:CVE-2021-46939 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caus...
Security Bulletin: IBM Technical Support Appliance - possible security flaws or denial of service
Summary Numerous fixes to the Linux kernel for reported issues related to various security vulnerabilities such as denial of service, unauthorized access, or leakage of sensitive data. Vulnerability Details CVEID:CVE-2020-26555 DESCRIPTION: Bluetooth Core and Mesh Specifications could allow a...
Security Bulletin: Financial Transaction Manager for Digital Payments is impacted by multiple vulnerabilities in IBM Java SE
Summary Multiple vulnerabilities were addressed in Financial Transaction Manager 3.2.13 for Digital Payments, Corporate Payment Services and High Value Payments. Vulnerability Details CVEID:CVE-2024-21094 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow...
Security Bulletin: TSSC/IMC is vulnerable to 6 unspecified vulnerabilities in Java SE
Summary TSSC/IMC is vulnerable to 6 unspecified vulnerabilities in Java SE. The latest code level has an upgrade to the relevant libraries to fix CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20932, CVE-2024-20945, CVE-2024-20952. Vulnerability Details CVEID:CVE-2024-20918 DESCRIPTION: A...
Security Bulletin: IBM DataPower Gateway vulnerable to DoS (CVE-2024-25062)
Summary libxml2 is used in the DataPower Gateway's DB2 connector. Vulnerability Details CVEID:CVE-2024-25062 DESCRIPTION: An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing...
Security Bulletin: IBM Sterling Secure Proxy is vulnerable to multiple issues
Summary Multiple vulnerabilities affect IBM Sterling Secure Proxy and are addressed in the latest release and iFix. Vulnerability Details CVEID:CVE-2024-20952 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high...
Security Bulletin: IBM Sterling External Authentication Server is vulnerable to multiple issues
Summary Multiple vulnerabilities affect IBM Sterling External Authentication Server and are addressed in the latest iFixes. Vulnerability Details CVEID:CVE-2024-20952 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high...
Security Bulletin: Multiple vulnerabilities in Go affect IBM Robotic Process Automation for Cloud Pak
Summary Multiple vulnerabilities in Go affect IBM Robotic Process Automation for Cloud Pak. This bulletin identifies fixes required to resolve the vulnerabilities. Vulnerability Details CVEID:CVE-2023-39325 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by an uncontrolled...
Security Bulletin: Multiple security vulnerabilities in RedHat UBI affect IBM Robotic Process Automation for Cloud Pak.
Summary Multiple security vulnerabilities in RedHat UBI affect IBM Robotic Process Automation for Cloud Pak. RedHat UBI images are used by IBM Robotic Process Automation base containers. This bulletin identifies the security fixes to apply to address the vulnerabilities. Vulnerability Details...
Security Bulletin: IBM QRadar Network Packet Capture includes components with multiple known vulnerabilities
Summary The product includes multiple vulnerable components e.g., framework libraries that could be identified and exploited with automated tools. IBM has addressed the relevant CVEs. Vulnerability Details CVEID:CVE-2024-37891 DESCRIPTION: urllib3 could allow a remote authenticated attacker to...
Security Bulletin: IBM Sterling B2B Integrator is Vulnerable to Remote Code Execution
Summary IBM Sterling B2B Integrator has addressed the remote code execution vulnerability. Vulnerability Details CVEID:CVE-2024-31903 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition allows an attacker on the local network to execute arbitrary code on the system, caused by the deserializati...
Security Bulletin: Multiple vulnerabilities in IBM Db2 may affect IBM Storage Protect Server.
Summary IBM Storage Protect Server, which uses IBM Db2, may be affected by multiple vulnerabilities that could result in denial of service or the loss of confidentiality, integrity, or availability. These vulnerabilities include CVE-2023-45853, CVE-2023-29267, CVE-2024-25710, CVE-2024-26308,...
Security Bulletin: IBM Storage Protect Server is susceptible to vulnerability in Golang Go (CVE-2023-45288).
Summary Golang Go is used by the IBM Storage Protect Server OSSM component. Golang Go is vulnerable to loss of availability of host system. This bulletin identifies the steps to address the vulnerability. Vulnerability Details CVEID:CVE-2023-45288 DESCRIPTION: An attacker may cause an HTTP/2...
Security Bulletin: There are multiple vulnerabilities that can affect IBM Storage Scale System that are now included
Summary There are multiple vulnerabilities, used by IBM Storage Scale System, which could provide weaker than expected security that are now fixed. Vulnerability Details CVEID:CVE-2024-26643 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error related to page fault...
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js vulnerabilities [ CVE-2024-27982, CVE-2024-27983]
Summary Potential vulnerabilities in Node.js (CVE-2024-27982, CVE-2024-27983) have been identified that could affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerabilities have been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-27982...
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in pdfjs-dist
Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of pdfjs-dist. Vulnerability Details CVEID:CVE-2024-4367 DESCRIPTION: A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This...
Security Bulletin: IBM Sterling Control Center v6.2.1 and v6.3.1 is vulnerable with IBM Semeru Runtime Quarterly CPU - Apr 2023
Summary IBM Semeru Runtime Quarterly CPU - Apr 2023 - Includes OpenJDK April 2023 CPU plus CVE-2023-25193 and CVE-2023-2597 and affecting Sterling Control Center v6.2.1 and v6.3.1. Vulnerability Details CVEID:CVE-2023-21930 DESCRIPTION: An unspecified vulnerability in Oracle Java SE, Oracle Graal...
Security Bulletin: vulnerability in Netty affects IBM Workload Scheduler.
Summary IBM Workload Scheduler is affected by a vulnerability in Netty that can cause denial of service (CVE-2024-29025). Vulnerability Details CVEID:CVE-2024-29025 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance...
Security Bulletin: Vulnerabilities in Node.js, Golang Go, HTTP/2, NGINX, OpenSSH, Linux kernel might affect IBM Spectrum Protect Plus
Summary IBM Spectrum Protect Plus can be affected by vulnerabilities in Node.js, Golang Go, HTTP/2, NGINX, OpenSSH and Linux. Vulnerabilities include causing a denial-of-service condition, the elevation of privileges, remote execution of arbitrary code, HTTP header injection, HTML injection,...
Security Bulletin: Multiple Vulnerabilities in Golang Affect IBM Cloud Pak System
Summary Vulnerabilities in Golang affect IBM Cloud Pak System. Vulnerability Details CVEID:CVE-2024-24789 DESCRIPTION: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an...
Security Bulletin: TSSC/IMC is vulnerable to a Prefix truncation attack on Binary Packet Protocol
Summary TSSC/IMC is vulnerable to a Prefix truncation attack on Binary Packet Protocol. A patch has been provided that updates the systemd library. CVE-2023-48795, CVE-2023-51385 Vulnerability Details CVEID:CVE-2023-48795 DESCRIPTION: The SSH transport protocol with certain OpenSSH extensions,...
Security Bulletin: Vulnerabilities in jackson-databind affect IBM watsonx.data
Summary FasterXML jackson-databind has multiple vulnerabilities including the possibility of remote attackers executing arbitrary code on the system. These can affect IBM watsonx.data. Vulnerability Details CVEID:CVE-2017-15095 DESCRIPTION: Jackson Library could allow a remote attacker to execute...
Security Bulletin: TSSC/IMC is vulnerable to a Prefix truncation attack on Binary Packet Protocol
Summary TSSC/IMC is vulnerable to a Prefix truncation attack on Binary Packet Protocol. A patch has been provided that updates the libssh library. CVE-2023-48795. Vulnerability Details CVEID:CVE-2023-48795 DESCRIPTION: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH...
Security Bulletin: Multiple Security Vulnerabilities were found in IBM Security Verify Access Appliance. (CVE-2024-49803, CVE-2024-49804, CVE-2024-49805, CVE-2024-49806)
Summary Multiple Security Vulnerabilities were addressed in the IBM Security Verify Access Appliance management interface. Vulnerability Details CVEID:CVE-2024-49803 DESCRIPTION: IBM Security Verify Access Appliance 10.0.0 through 10.0.8 could allow a remote authenticated attacker to execute...
Security Bulletin: IBM Cloud Pak for Network Automation 2.7.7 addresses multiple security vulnerabilities
Summary IBM Cloud Pak for Network Automation 2.7.7 addresses multiple security vulnerabilities, listed in the CVEs below. Vulnerability Details CVEID:CVE-2021-46984 DESCRIPTION: Linux Kernel could allow a local attacker to obtain sensitive information, caused by an out-of-bounds read flaw when...
Security Bulletin: QRadar Suite Software includes components with multiple known vulnerabilities
Summary QRadar Suite Software includes components with known vulnerabilities. These have been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version. Vulnerability Details...