Security Bulletin: IBM Instana Observability is vulnerable to AuthZ Plugin Bypass and Privilege Escalation
Summary Vulnerability in Docker Engine that could allow attackers to bypass authorization plugins AuthZ was remediated in IBM Observability with Instana Build 279. CVE-2024-41110 Vulnerability Details CVEID:CVE-2024-41110 DESCRIPTION: Moby is an open-source project created by Docker for software...
Security Bulletin: IBM App Connect Enterprise is vulnerable to an attacker with deploy privilege (CVE-2025-0799)
Summary Malicious bar files could allow an attacker with deploy privilege to write arbitrary files on the file system for a running IBM App Connect Enterprise installation. Vulnerability Details CVEID:CVE-2025-0799 DESCRIPTION: IBM App Connect enterprise could allow an authenticated user to write...
Security Bulletin: IBM Storage Insights is vulnerable to weaknesses related to IBM® SDK, Java™ Technology Edition
Summary Vulnerabilities in IBM® SDK, Java™ Technology Edition may affect IBM Storage Insights, which could allow a remote attacker to cause high integrity impact and low confidentiality impact. Vulnerability Details CVEID:CVE-2024-21147 DESCRIPTION: An unspecified vulnerability in Java SE related to t...
Security Bulletin: The IBM® Engineering Lifecycle Engineering products using IBM SDK, Java Technology Edition Quarterly CPU - Oct 2024 - Includes Oracle October 2024 CPU plus CVE-2024-10917 are affected by multiple vulnerabilities
Summary This bulletin for IBM SDK, Java Technology Edition covers all applicable Java SE CVEs published by Oracle as part of their October 2024 Critical Patch Update, plus CVE-2024-10917. The following IBM® Engineering Lifecycle Engineering products are vulnerable to this attack; it has been addresse...
Security Bulletin: Vulnerability with Eclipse Jetty, e2fsprogs, dnsjava , Apache Commons IO, Apache HTTP Server and Java SE affect IBM Cloud Object Storage Systems (Dec 2024)
Summary Vulnerabilities in Eclipse Jetty (CVE-2024-9823, CVE-2024-6763, CVE-2024-8184), e2fsprogs (CVE-2022-1304), dnsjava (CVE-2024-25638), Apache Commons IO (CVE-2024-47554), Apache HTTP Server (CVE-2024-40725) and Java SE (CVE-2024-21217, CVE-2024-21235, CVE-2024-21210). This vulnerability has been address...
Security Bulletin: IBM Cloud Pak for Network Automation 2.7.5 addresses multiple security vulnerabilities.
Summary IBM Cloud Pak for Network Automation 2.7.5 addresses multiple security vulnerabilities. Vulnerability Details CVEID:CVE-2024-32879 DESCRIPTION: Python Social Auth Django could allow a remote authenticated attacker to bypass security restrictions, caused by improper handling of case...
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Mozilla Firefox arbitrary code execution vulnerability [CVE-2024-4367]
Summary A potential Mozilla Firefox arbitrary code execution vulnerability, CVE-2024-4367, has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-436...
Security Bulletin: IBM Cloud Pak for Data has a vulnerable base OS image due to kernel-headers ( CVE-2022-1012, CVE-2022-32250 )
Summary Kernel-headers are used by IBM Cloud Pak for Data as part of the base OS image. CVE-2022-1012, CVE-2022-32250. Vulnerability Details CVEID:CVE-2022-1012 DESCRIPTION: A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb...
Security Bulletin: IBM Cloud Pak System is vulnerable to multiple vulnerabilities in Golang Go and Apache OpenSSH.
Summary IBM Cloud Pak System is vulnerable to multiple vulnerabilities in Golang Go and Apache OpenSSH. Vulnerability Details CVEID:CVE-2024-24785 DESCRIPTION: Golang Go could allow a remote attacker to bypass security restrictions, caused by a flaw in the MarshalJSON methods in the html/template...
Security Bulletin: Multiple vulnerabilities in Java affect IBM Robotic Process Automation.
Summary Multiple vulnerabilities in Java affect IBM Robotic Process Automation. Java is used by IBM Robotic Process Automation as part of metrics and licensing, and UMS. This bulletin identifies the security fixes to apply to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-21094...
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in IBM SDK, Java Technology Edition Quarterly CPU - Apr 2024
Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of IBM SDK, Java Technology Edition Quarterly CPU - Apr 2024 Vulnerability Details CVEID:CVE-2024-21094 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote...
Security Bulletin: Multiple vulnerabilities in IBM® SDK Java™ affect Cloud Pak System
Summary Vulnerabilities in IBM® SDK Java™ Technology Edition affect IBM Cloud Pak System . These issues were disclosed as part of the IBM Java SDK updates in January 2024. Vulnerability Details CVEID:CVE-2024-20952 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security...
Security Bulletin: Vulnerabilities in Java SE affect watsonx.data
Summary Unspecified vulnerabilities in Java SE related to the Security component could allow a remote attacker to cause high confidentiality impact and high integrity impact. These can impact watsonx.data. Vulnerability Details CVEID:CVE-2024-20952 DESCRIPTION: An unspecified vulnerability in Jav...
Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from kerberos 5, libxml2, go-jose, runc
Summary IBM MQ Operator and Queue manager container images are vulnerable to kerberos 5, libxml2, go-jose, runc. This bulletin identifies the steps required to address these vulnerabilities Vulnerability Details CVEID:CVE-2024-26461 DESCRIPTION: Kerberos 5 is vulnerable to a denial of service,...
Security Bulletin: Operations Dashboard in IBM Cloud Pak for Integration is vulnerable to denial of service due to Netty vulnerability CVE-2024-29025
Summary Operations Dashboard in IBM Cloud Pak for Integration is vulnerable to denial of service due to Netty vulnerability CVE-2024-29025. This has been remediated. Vulnerability Details CVEID:CVE-2024-29025 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rap...
Security Bulletin: Multiple vulnerabilities fixed in IBM Security Verify Governance - Containerized Identity Manager
Summary Multiple security vulnerabilities have been addressed in the update to IBM Security Verify Governance - Containerized Identity Manager component. Vulnerability Details CVEID:CVE-2019-11358 DESCRIPTION: jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improp...
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Netty
Summary IBM Cloud Pak for Data contains a vulnerable version of Netty. Vulnerability Details CVEID:CVE-2024-29025 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The...
Security Bulletin: Due to the use of VMWare Tanzu Spring Framework, IBM DevOps Build is vulnerable to a remote attacker conducting phishing attacks
Summary IBM DevOps Build 7.0.0.2 addresses CVE-2024-22259 by updating the spring-web jar. Vulnerability Details CVEID:CVE-2024-22259 DESCRIPTION: Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL e.g. through a query parameter AND perform validation...
Security Bulletin: Multiple Vulnerabilities in IBM Event Streams
Summary Multiple vulnerabilities were addressed in IBM Event Streams version 11.5.1. Vulnerability Details CVEID:CVE-2023-0466 DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the X509_VERIFY_PARAM_add0_policy function. By using invalid certifica...
Security Bulletin: IBM Cloud Pak for Data is vulnerable due to github.com/golang/net ( CVE-2023-3978, CVE-2023-45288 )
Summary github.com/golang/net is used by IBM Cloud Pak for Data as part of the platform. CVE-2023-3978, CVE-2023-45288. Vulnerability Details CVEID:CVE-2023-3978 DESCRIPTION: Golang html package is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote...
Security Bulletin: Information disclosure vulnerability affects IBM Business Automation Workflow - CVE-2024-38321
Summary IBM Business Automation Workflow is vulnerable to an information disclosure attack. Vulnerability Details CVEID:CVE-2024-38321 DESCRIPTION: IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 stores potentially sensitive information in log files under certain situations th...
Security Bulletin: IBM Planning Analytics Cartridge for IBM Cloud Pak for Data is affected but not considered vulnerable to CVE-2023-45288
Summary IBM Planning Analytics Cartridge for IBM Cloud Pak for Data is affected but not considered vulnerable, based on current information, to CVE-2023-45288 in Golang Go used by the IBM Planning Analytics Engine. This has been resolved by upgrading Golang Go to a non-vulnerable version. This...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service, in Golang Go [CVE-2023-45288]
Summary Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Golang Go, caused by a memory exhaustion flaw due to a flood of CONTINUATION frames in the HTTP/2 protocol stack in the net/http and x/net/http2 packages (CVE-2023-45288)...
Security Bulletin: IBM InfoSphere Information Server is vulnerable due to improper error handling (CVE-2024-39751)
Summary A vulnerability related to improper error handling in InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2024-39751 DESCRIPTION: IBM InfoSphere Information Server could allow a remote attacker to obtain sensitive information when a detailed technical error messag...
Security Bulletin: IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library is affected by vulnerability in Netty (CVE-2024-29025)
Summary Netty is used by IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library. CVE-2024-29025 The below vulnerability has been addressed. Vulnerability Details CVEID:CVE-2024-29025 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid...
Security Bulletin: IBM Event Streams is vulnerable to a denial of service attack due to the Eclipse Vert.x component (CVE-2024-1023,CVE-2024-1300).
Summary IBM Event Streams is vulnerable to a denial of service attack due to the Vert.x component. It is a toolkit for writing reactive, non-blocking, asynchronous applications that run on the JVM (Java Virtual Machine) and it provides a non-prescriptive and flexible way to write efficient,...
Security Bulletin: Recommended mitigation for SSH "Terrapin" vulnerability in IBM SAN Volume Controller, IBM Storwize, IBM Storage Virtualize and IBM FlashSystem products
Summary The SSH "Terrapin" vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Storage Virtualize and IBM FlashSystem products when using the [email protected] cipher. This cipher can be disabled with a chsecurity command to fix the vulnerability. Vulnerability Details...
Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps
Summary Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.6.1. Vulnerability Details CVEID:CVE-2024-32465 DESCRIPTION: Git could allow a physical attacker to bypass security restrictions, caused by a directory traversal flaw. By sending a specially crafted request, an...
Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that run Designer Flows containing event nodes are vulnerable to loss of confidentiality [CVE-2024-38372]
Summary Node.js undici module is used by IBM App Connect Enterprise Certified Container for HTTP calls. IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that run Designer flows that contain event nodes are vulnerable to loss of confidentiality. This...
Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty versions 17.0.0.3 - 24.0.0.5 affect Watson Machine Learning Accelerator on Cloud Pak for Data
Summary Vulnerabilities in IBM WebSphere Application Server Liberty versions 17.0.0.3 - 24.0.0.5 affect several releases of Watson Machine Learning Accelerator on Cloud Pak for Data. They have been fixed in the Watson Machine Learning Accelerator on Cloud Pak for Data 5.0.1 release. Vulnerability Details...
Security Bulletin: Business Automation Manager Open Editions 8.0.5 - jgit vulnerability
Summary Business Automation Manager Open Editions in version 8.0.5 contains a vulnerability in the jgit library, which is used as part of the release. For more information, please see the vulnerability description in the Vulnerability Details section. Vulnerability Details CVEID:CVE-2023-4759...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Apache Maven (CVE-2021-26291)
Summary A vulnerability in Apache Maven that is used by InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2021-26291 DESCRIPTION: Apache Maven could allow a remote attacker to bypass security restrictions, caused by the use of http non-SSL repository references by...
Security Bulletin: IBM i is vulnerable to bypassing Navigator for i interface restrictions and a server-side request forgery [CVE-2024-51463, CVE-2024-51464].
Summary IBM i is vulnerable to bypassing IBM Navigator for i interface restrictions and a server-side request forgery (SSRF) as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerabilities as described in the remediation/fixes section...
Security Bulletin: IBM i is vulnerable to an authenticated user gaining elevated privilege to a physical file [CVE-2024-47104].
Summary IBM i is vulnerable to an authenticated user gaining elevated privilege to a physical file by altering based-on file attributes as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerability as described in the remediation/fixes...
Security Bulletin: IBM i is vulnerable to a file level denial of service due to an insufficient authority requirement [CVE-2024-35122]
Summary IBM i is vulnerable to a file level local denial of service caused by an insufficient authority requirement as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerability as described in the remediation/fixes section below...
Security Bulletin: A Security Vulnerability was discovered in IBM Semeru Runtime Certified Edition provided with IBM Security Verify Directory (CVE-2023-33850)
Summary A Security Vulnerability was addressed in IBM Semeru Runtime Certified Edition provided with IBM Security Verify Directory. Vulnerability Details CVEID:CVE-2023-33850 DESCRIPTION: IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side...
Security Bulletin: A Security Vulnerability was discovered in IBM Runtime Environment, Java Technology Edition provided with IBM Security Directory Suite (CVE-2023-33850)
Summary A Security Vulnerability was addressed in IBM Semeru Runtime Certified Edition provided with IBM Security Verify Directory and IBM Runtime Environment, Java Technology Edition provided with IBM Security Directory Suite. Vulnerability Details CVEID:CVE-2023-33850 DESCRIPTION: IBM...
Security Bulletin: IBM Financial Transaction Manager for SWIFT Services for Multiplatforms is vulnerable to cross-site scripting.
Summary IBM Financial Transaction Manager for SWIFT Services for Multiplatforms is vulnerable to cross-site scripting CVE-2024-49349. Vulnerability Details CVEID:CVE-2024-49349 DESCRIPTION: IBM Financial Transaction Manager for SWIFT Services is vulnerable to cross-site scripting. This...
Security Bulletin: Cross-site scripting vulnerability in IBM Financial Transaction Manager for SWIFT Services
Summary Cross-site scripting vulnerability in IBM Financial Transaction Manager for SWIFT Services Vulnerability Details CVEID:CVE-2024-49339 DESCRIPTION: IBM Financial Transaction Manager is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitra...
Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java
Summary IBM Sterling Connect:Direct Web Service uses IBM Java SE. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-21235 DESCRIPTION: Vulnerability in Java SE component: Hotspot. Difficult to exploit vulnerability allows unauthenticat...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a security restrictions bypass in Golang Go [CVE-2024-24789]
Summary IBM Watson Speech Services Cartridge is vulnerable to a security restrictions bypass in Golang Go, caused by EOCDR comment length handling in the archive/zip package that is inconsistent with other ZIP implementations (CVE-2024-24789). Golang Go is included as part of the speech...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a security restrictions bypass in Kubernetes kubelet [CVE-2024-5321]
Summary IBM Watson Speech Services Cartridge is vulnerable to a security restrictions bypass in Kubernetes kubelet, caused by incorrect permissions on Windows container logs (CVE-2024-5321). Kubernetes is included as part of the speech utilities used in our product. This vulnerability has been...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an arbitrary code execution in libexpat [CVE-2024-45492]
Summary IBM Watson Speech Services Cartridge is vulnerable to an arbitrary code execution in libexpat, caused by an integer overflow in the nextScaffoldPart function in xmlparse.c (CVE-2024-45492). libexpat is used by our Speech Service runtimes. This vulnerability has been addressed. Please read...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in OpenSSL [CVE-2024-6119]
Summary IBM Watson Speech Services Cartridge is vulnerable to a denial of service in OpenSSL, caused by an error when performing certificate name checks (CVE-2024-6119). OpenSSL is used by our Speech Service runtimes. This vulnerability has been addressed. Please read the details for remediation...
Security Bulletin: Security Vulnerability in protobuf-java Affects the B2B API of IBM Sterling B2B Integrator (CVE-2024-7254)
Summary IBM Sterling B2B Integrator has addressed the security vulnerability in protobuf-java. Vulnerability Details CVEID:CVE-2024-7254 DESCRIPTION: Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by...
Security Bulletin: The Dashboard of IBM Sterling B2B Integrator is Vulnerable to Denial of Service Due to Prototype (CVE-2020-27511)
Summary IBM Sterling B2B Integrator has addressed the denial of service security vulnerability. Vulnerability Details CVEID:CVE-2020-27511 DESCRIPTION: Prototype is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the stripTags and unescapeHTML...
Security Bulletin: IBM Sterling B2B Integrator is Vulnerable to Denial of Service due to Apache Kafka (CVE-2022-34917)
Summary IBM Sterling B2B Integrator has addressed the denial of service vulnerability from Apache Kafka. Vulnerability Details CVEID:CVE-2022-34917 DESCRIPTION: Apache Kafka is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted request, a remote...
Security Bulletin: The B2B API of IBM Sterling B2B Integrator is Vulnerable to Denial of Service due to Snappy (CVE-2024-36124)
Summary IBM Sterling B2B Integrator has addressed the denial of service vulnerability from Snappy. Vulnerability Details CVEID:CVE-2024-36124 DESCRIPTION: Snappy is vulnerable to a denial of service, caused by an out-of-bounds read flaw when uncompressing data. By sending a specially crafted reques...
Security Bulletin: Vulnerability in FasterXML Jackson Core affects watsonx.data
Summary FasterXML Jackson Core is vulnerable to a denial of service attack which could impact watsonx.data. Vulnerability Details IBM X-Force ID: 256137 DESCRIPTION: FasterXML Jackson Core is vulnerable to a denial of service, caused by improper input validation by the StreamReadConstraints value...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining Interim Fix for Jan 2025
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Process Mining 2.0.0 IF001. Vulnerability Details CVEID:CVE-2024-43796 DESCRIPTION: expressjs express is vulnerable to cross-site scripting, caused by improper...