35059 matches found

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 15 views

Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2024-45073)

Summary WebSphere Application Server is shipped as a component of IBM Business Automation Workflow. Information about a security vulnerability affecting IBM WebSphere Application Server Traditional has been published in a security bulletin. Vulnerability Details Refer to the security bulletins...

CVSS: 4.8, AI score: 5.9, EPSS: 0.00241
Exploits: 0, Affected Software: 2

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 18 views

Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2024-45071)

Summary WebSphere Application Server is shipped as a component of WebSphere Service Registry and Repository. Information about a stored cross-site scripting vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security...

CVSS: 5.5, AI score: 5.6, EPSS: 0.00302
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 17 views

Security Bulletin: A vulnerability in Microsoft .NET affects IBM Robotic Process Automation and may lead to a denial of service (CVE-2024-30105).

Summary A vulnerability in Microsoft .NET affects IBM Robotic Process Automation and may lead to a denial of service. Microsoft .NET is used as the development framework for IBM Robotic Process Automation. This bulletin identifies the security fix to apply to address the vulnerability. Vulnerabili...

CVSS: 7.5, AI score: 6.8, EPSS: 0.01793
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 23 views

Security Bulletin: IBM Security SOAR is vulnerable to denial of service (CVE-2024-45296)

Summary IBM Security SOAR was using a UI component which contained a vulnerability that could lead to a client-side regular expression denial of service CVE-2024-45296. The vulnerable component has been removed from the UI. Please upgrade to IBM Security SOAR version 51.0.4.0 or later...

CVSS: 7.5, AI score: 7.1, EPSS: 0.00064
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 16 views

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2024-45086)

Summary IBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Industry Solutions including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities, Maximo Adapter for Primavera,...

CVSS: 5.5, AI score: 6.6, EPSS: 0.00038
Exploits: 0, Affected Software: 11

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 21 views

Security Bulletin: A vulnerability in Nest affects IBM Robotic Process Automation and may result in a denial of service (CVE-2024-45590).

Summary A vulnerability in Nest affects IBM Robotic Process Automation and may result in a denial of service. Nest is used by IBM Robotic Process Automation as part of its server side application framework. This bulletin identifies the security fix to apply to address the vulnerability...

CVSS: 7.5, AI score: 7.4, EPSS: 0.01535
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 19 views

Security Bulletin: IBM Maximo Application Suite uses zipp-3.15.0-py3-none-any.whl which is vulnerable to CVE-2024-5569

Summary IBM Maximo Application Suite uses zipp-3.15.0-py3-none-any.whl which is vulnerable to CVE-2024-5569. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-5569 DESCRIPTION: zipp is vulnerable to a denial of service, caused by ...

CVSS: 6.2, AI score: 6.2, EPSS: 0.00016
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 16 views

Security Bulletin: A vulnerability in Microsoft.BotBuilder affects IBM Robotic Process Automation which may result in elevated privileges (CVE-2024-35255).

Summary A vulnerability in Microsoft.BotBuilder affects IBM Robotic Process Automation which may result in elevated privileges. Microsoft.BotBuilder is used to enable communication between Azure Bot Services and the ChatBot API. This bulletin identifies the security fixes to apply to address the...

CVSS: 5.5, AI score: 6.9, EPSS: 0.00221
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 20 views

Security Bulletin: IBM Maximo Application Suite - IoT Component uses zipp-3.15.0-py3-none-any.whl which is vulnerable to CVE-2024-5569

Summary IBM Maximo Application Suite - IoT Component uses zipp-3.15.0-py3-none-any.whl which is vulnerable to CVE-2024-5569. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-5569 DESCRIPTION: zipp is vulnerable to a denial of...

CVSS: 6.2, AI score: 6.7, EPSS: 0.00016
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 38 views

Security Bulletin: Red Hat OpenShift on IBM Cloud is affected by an OpenSSH security vulnerability (CVE-2024-6387)

Summary Red Hat OpenShift on IBM Cloud is affected by a security vulnerability found in OpenSSH which could allow a remote attacker to execute arbitrary commands on the system with root privileges CVE-2024-6387. Vulnerability Details CVEID: CVE-2024-6387 Description: OpenSSH could allow a remote...

CVSS: 8.1, AI score: 8.1, EPSS: 0.65792
Exploits: 68, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 24 views

Security Bulletin: IBM® Db2® is vulnerable to an information disclosure under specific conditions (CVE-2024-40679)

Summary IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file under specific conditions. Vulnerability Details CVEID:CVE-2024-40679 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server is vulnerable to an...

CVSS: 5.5, AI score: 6, EPSS: 0.00063
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 9 views

Security Bulletin: Vulnerability in Apache Tomcat (CVE-2024-34750) may affect IBM watsonx Assistant for IBM Cloud Pak for Data

Summary A potential denial of service vulnerability CVE-2024-34750 has been identified related to Apache Tomcat that may affect IBM watsonx Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details...

CVSS: 7.5, AI score: 6.8, EPSS: 0.21539
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 20 views

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2024-45086)

Summary IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to an XML External Entity Injection XXE vulnerability in the administrative console. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected...

CVSS: 5.5, AI score: 5.6, EPSS: 0.00038
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 35 views

Security Bulletin: IBM App Connect Enterprise is vulnerable to Regular Expression Denial of Service (ReDoS) due to cross-spawn (CVE-2024-21538)

Summary IBM App Connect Enterprise is vulnerable to Regular Expression Denial of Service ReDoS due to cross-spawn. Vulnerability Details CVEID:CVE-2024-21538 DESCRIPTION: Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service ReDoS due to improper...

CVSS: 8.7, AI score: 6.3, EPSS: 0.00067
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 36 views

Security Bulletin: IBM Match 360 vulnerable to OpenSSH code execution (CVE-2024-6387)

Summary IBM Match 360 is vulnerable to remote OpenSSH code execution. OpenSSH could allow a remote attacker to execute arbitrary code on the system, caused by a signal handler race condition. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary...

CVSS: 8.1, AI score: 8.1, EPSS: 0.65792
Exploits: 68, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 11 views

Security Bulletin: Vulnerability in linux affects IBM Integrated Analytics System [CVE-2024-50243]

Summary Redhat provided linux is used by IBM Integrated Analytics System. IBM Integrated Analytics System has addressed the applicable CVE CVE-2024-50243 Vulnerability Details CVEID:CVE-2024-50243 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by general protection fault i...

CVSS: 5.5, AI score: 6.2, EPSS: 0.00037
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 15 views

Security Bulletin: Vulnerability in GNU glibc affects IBM Integrated Analytics System [CVE-2024-33600]

Summary Redhat provided GNU glibc is used by IBM Integrated Analytics System. IBM Integrated Analytics System has addressed the applicable CVE CVE-2024-33600 Vulnerability Details CVEID:CVE-2024-33600 DESCRIPTION: glibc is vulnerable to a denial of service, caused by a NULL pointer dereference wh...

CVSS: 5.9, AI score: 6.7, EPSS: 0.00667
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 18 views

Security Bulletin: AIX is vulnerable to arbitrary command execution due to invscout (CVE-2024-47115)

Summary A vulnerability in the AIX invscout command could allow a non-privileged local user to execute arbitrary commands CVE-2024-47115. Vulnerability Details CVEID:CVE-2024-47115 DESCRIPTION: IBM AIX could allow a local user to execute arbitrary commands on the system due to improper...

CVSS: 7.8, AI score: 7.2, EPSS: 0.00144
Exploits: 0, Affected Software: 2

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 14 views

Security Bulletin: Vulnerability in GNU glibc affects IBM Integrated Analytics System [CVE-2024-33601]

Summary Redhat provided GNU glibc is used by IBM Integrated Analytics System. IBM Integrated Analytics System has addressed the applicable CVE CVE-2024-33601 Vulnerability Details CVEID:CVE-2024-33601 DESCRIPTION: glibc is vulnerable to a denial of service, caused by a memory allocation failure...

CVSS: 7.3, AI score: 6.3, EPSS: 0.00309
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 40 views

Security Bulletin: Vulnerability in Apache HTTP Server (CVE-2024-38474) affects Power HMC.

Summary The Apache HTTP Server library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2024-38474 DESCRIPTION: Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by a substitution...

CVSS: 9.8, AI score: 7.5, EPSS: 0.00726
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 39 views

Security Bulletin: IBM TXSeries for Multiplatforms is vulnerable to a denial-of-service attack (DoS) (CVE-2024-41742 and CVE-2024-41743).

Summary IBM TXSeries for Multiplatforms is vulnerable to a denial-of-service attack DoS CVE-2024-41742 and CVE-2024-41743. The settings that can be used to secure the IBM WebSphere Liberty profile of IBM TXSeries for Multiplatforms are provided in the following documentation. Vulnerability Detail...

CVSS: 7.5, AI score: 6.7, EPSS: 0.00072
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 10 views

Security Bulletin: Apache Commons IO used by IBM InfoSphere Identity Insight has a potential vulnerability (CVE-2024-47554)

Summary The Apache Commons IO used by Identity Insight is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw in the org.apache.commons.io.input.XmlStreamReader class. By sending a specially crafted input, a remote attacker could exploit this vulnerability to...

CVSS: 4.3, AI score: 7.2, EPSS: 0.00127
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 17 views

Security Bulletin: IBM DataPower Operator vulnerable to DoS due to use of Go (CVE-2024-34155, CVE-2024-34156)

Summary The affected calls are used by DataPower Operator for processing messages exchanged with Kubernetes and IBM DataPower Gateway. Vulnerability Details CVEID:CVE-2024-34156 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a stack exhaustion in Decoder.Decode. By sending...

CVSS: 7.5, AI score: 7.3, EPSS: 0.00298
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 21 views

Security Bulletin: IBM Watson CP4D Data Stores is vulnerable to Elasticsearch denial of service vulnerability (CVE-2024-37280)

Summary Potential Elasticsearch denial of service vulnerability CVE-2024-37280 has been identified that may affect IBM Watson CP4D Data Stores. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-37280 DESCRIPTION: Elasticsearc...

CVSS: 4.9, AI score: 7, EPSS: 0.00349
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 32 views

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2024-45072)

Summary IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to an XML External Entity Injection XXE in the administrative console. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and...

CVSS: 5.5, AI score: 5.6, EPSS: 0.0004
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 22 views

Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities (CVE-2024-52316, CVE-2024-52317, CVE-2024-52318)

Summary IBM Security SOAR uses an older version of Apache Tomcat that can be identified and exploited. An update has been released which addresses these issues. It is recommended upgrading to Version 51.0.4.1 or later of IBM Security SOAR. Vulnerability Details CVEID:CVE-2024-52318 DESCRIPTION:...

CVSS: 9.8, AI score: 6.9, EPSS: 0.21066
Exploits: 3, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 14 views

Security Bulletin: IBM Tivoli Composite Application Manager for Application Diagnostics installed IBM WebSphere Application Server traditional is vulnerable to stored cross-site scripting (CVE-2024-45073).

Summary The security issue described in CVE-2024-45073 has been identified in the WebSphere Application Server included as part of IBM Tivoli Composite Application Manager for Application Diagnostics. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...

CVSS: 4.8, AI score: 6.5, EPSS: 0.00241
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 30 views

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service and server-side request forgery [CVE-2024-45590] [CVE-2024-39338]

Summary Node.js modules expressjs and axios are used by IBM App Connect Enterprise Certified Container for making and responding to HTTP communications. IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service and server-side request forgery. This bulletin...

CVSS: 7.5, AI score: 6.8, EPSS: 0.02141
Exploits: 2, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 17 views

Security Bulletin: Vulnerability in MIT Kerberos krb5 (CVE-2024-37371) affects Power HMC.

Summary The MIT Kerberos krb5 library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2024-37371 DESCRIPTION: MIT Kerberos 5 aka krb5 is vulnerable to a denial of service, caused by invalid memory reads during GSS message...

CVSS: 9.1, AI score: 6.6, EPSS: 0.02606
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 15 views

Security Bulletin: sqlparse Vulnerability Affects IBM Data Observability by Databand Self-Hosted (CVE-2024-4340)

Summary A vulnerability in sqlparse was addressed in IBM Data Observability by Databand Self-Hosted Vulnerability Details CVEID:CVE-2024-4340 DESCRIPTION: sqlparse is vulnerable to a denial of service, caused by a flaw when passing a heavily nested list to the parse function. By sending a special...

CVSS: 7.5, AI score: 6.6, EPSS: 0.10881
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 15 views

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to cross-site scripting (CVE-2024-45087)

Summary IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to cross-site scripting in the administrative console. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected...

CVSS: 4.8, AI score: 4.9, EPSS: 0.00353
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 10 views

Security Bulletin: There is a Denial of Service vulnerability in IBM WebSphere Liberty that is shipped with IBM CICS TX Standard (CVE-2024-7254).

Summary There is a Denial of Service vulnerability in IBM WebSphere Liberty that is shipped with IBM CICS TX Standard CVE-2024-7254. An update to IBM CICS TX Standard has been released to address this vulnerability. Vulnerability Details CVEID:CVE-2024-7254 DESCRIPTION: Google Protocol Buffers...

CVSS: 8.7, AI score: 7.4, EPSS: 0.00134
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 16 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in PyTorch [CVE-2024-31580]

Summary IBM Watson Speech Services Cartridge is vulnerable to a denial of service in PyTorch, caused by a heap-based buffer overflow in the /runtime/varargfunctions.cpp component CVE-2024-31580. PyTorch is used by our Speech Service runtimes. This vulnerability has been addressed. Please read...

CVSS: 4, AI score: 7.1, EPSS: 0.00038
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 17 views

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to stored cross-site scripting (CVE-2024-45071)

Summary IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to stored cross-site scripting in the administrative console. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions...

CVSS: 5.5, AI score: 5.3, EPSS: 0.00302
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 21 views

Security Bulletin: IBM SPSS Collaboration and Deployment Services is vulnerable to a denial of service attack originating in IBM WebSphere Application Server Liberty (CVE-2024-27268)

Summary IBM WebSphere Application Server Liberty that is embedded in IBM SPSS Collaboration and Deployment Services is vulnerable to a denial of service. This vulnerability is addressed. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Product...

CVSS: 7.5, AI score: 5.6, EPSS: 0.00191
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 28 views

Security Bulletin: IBM Watson CP4D Data Stores is vulnerable to Elastic Elasticsearch denial of service vulnerability (CVE-2024-23450)

Summary Potential Elastic Elasticsearch denial of service vulnerability CVE-2024-23450 has been identified that may affect IBM Watson CP4D Data Stores. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-23450 DESCRIPTION:...

CVSS: 7.5, AI score: 6.4, EPSS: 0.01035
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 28 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service due to Google Protocol Buffers (CVE-2024-7254)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, contains a vulnerability in the Google Protocol Buffers protobuf library with the grpc-1.0 or grpcClient-1.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the...

CVSS: 8.7, AI score: 6.1, EPSS: 0.00134
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 13 views

Security Bulletin: A vulnerability in messagepack affects IBM Robotic Process Automation and may result in excessive CPU consumption (CVE-2024-48924).

Summary A vulnerability in messagepack affects IBM Robotic Process Automation and may result in excessive CPU consumption. Messagepack is used by IBM Robotic Process Automation to serialize and deserialize data. This bulletin identifies the fixes required to resolve the vulnerability. Vulnerabilit...

CVSS: 8.7, AI score: 6.9, EPSS: 0.00107
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 12 views

Security Bulletin: Vulnerability in GNU glibc affects IBM Integrated Analytics System [CVE-2024-33602]

Summary Redhat provided GNU glibc is used by IBM Integrated Analytics System. IBM Integrated Analytics System has addressed the applicable CVE CVE-2024-33602 Vulnerability Details CVEID:CVE-2024-33602 DESCRIPTION: glibc is vulnerable to a denial of service, caused by a memory corruption by the Na...

CVSS: 7.4, AI score: 6.5, EPSS: 0.00725
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 24 views

Security Bulletin: IBM SPSS Collaboration and Deployment Services is vulnerable to server-side request forgery (CVE-2024-22329)

Summary IBM WebSphere Application Server Liberty that is embedded in IBM SPSS Collaboration and Deployment Services is vulnerable to server-side request forgery Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected...

CVSS: 4.3, AI score: 6.3, EPSS: 0.00031
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 16 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in PyTorch [CVE-2024-31583]

Summary IBM Watson Speech Services Cartridge is vulnerable to a denial of service in PyTorch, caused by a use-after-free flaw in the torch/csrc/jit/mobile/interpreter.cpp component. CVE-2024-31583. PyTorch is used by our Speech Service runtimes. This vulnerability has been addressed. Please re...

CVSS: 7.8, AI score: 6.6, EPSS: 0.00049
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 27 views

Security Bulletin: IBM MQ for HPE NonStop Server is vulnerable to a denial of service attack (CVE-2024-51470)

Summary IBM MQ for HPE NonStop Server has addressed a denial of service vulnerability CVE-2024-51470. Vulnerability Details CVEID:CVE-2024-51470 DESCRIPTION: IBM MQ could allow an authenticated user to cause a denial-of-service due to messages with improperly set values. CWE:CWE-754: Improper Che...

CVSS: 6.5, AI score: 6.8, EPSS: 0.00113
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 8 views

Security Bulletin: There is a Denial of Service vulnerability in IBM WebSphere Liberty that is shipped with IBM CICS TX Advanced (CVE-2024-7254).

Summary There is a Denial of Service vulnerability in IBM WebSphere Liberty that is shipped with IBM CICS TX Advanced CVE-2024-7254. An update to IBM CICS TX Advanced has been released to address this vulnerability. Vulnerability Details CVEID:CVE-2024-7254 DESCRIPTION: Google Protocol Buffers...

CVSS: 8.7, AI score: 7.4, EPSS: 0.00134
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 11 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an arbitrary code execution in libexpat [CVE-2024-45492]

Summary IBM Watson Speech Services Cartridge is vulnerable to an arbitrary code execution in libexpat, caused by an integer overflow in the nextScaffoldPart function in xmlparse.c. CVE-2024-45492. libexpat is used by our Speech Service runtimes. This vulnerability has been addressed. Please read...

CVSS: 9.8, AI score: 7.4, EPSS: 0.02269
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 16 views

Security Bulletin: Vulnerabilities in Apache Commons IO library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2024-47554)

Summary Apache Commons IO library is used by Tivoli Netcool/OMNIbus WebGUI as part of Apache POI dependency for Seasonal Event Graphs export feature. Vulnerability Details CVEID:CVE-2024-47554 DESCRIPTION: Apache Commons IO is vulnerable to a denial of service, caused by an uncontrolled resource...

CVSS: 4.3, AI score: 7, EPSS: 0.00127
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 20 views

Security Bulletin: Vulnerability in nghttp2 (CVE-2024-28182) affects Power HMC.

Summary The nghttp2 library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2024-28182 DESCRIPTION: nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0...

CVSS: 5.3, AI score: 6.7, EPSS: 0.24971
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 26 views

Security Bulletin: Vulnerability in libxml2 (CVE-2024-25062) affects Power HMC.

Summary The libxml2 library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2024-25062 DESCRIPTION: An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD...

CVSS: 7.5, AI score: 6.7, EPSS: 0.00165
Exploits: 3, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 19 views

Security Bulletin: IBM Security QRadar EDR Software contains a vulnerability (CVE-2024-6345)

Summary IBM Security QRadar EDR Software includes a vulnerable component e.g., framework libraries that could be identified and exploited with automated tools. This has been addressed in the update. Vulnerability Details CVEID:CVE-2024-6345 DESCRIPTION: pypa/setuptools could allow a remote attack...

CVSS: 8.8, AI score: 7.3, EPSS: 0.09639
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 60 views

Security Bulletin: Vulnerability in Apache HTTP Server (CVE-2024-38475) affects Power HMC.

Summary The Apache HTTP Server library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2024-38475 DESCRIPTION: Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs ...

CVSS: 9.1, AI score: 6.8, EPSS: 0.93858
Exploits: 1, Affected Software: 1

IBM Security Bulletins
added 2025/01/28 10:8 p.m., 30 views

Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to requests-2.31.0-py3-none-any.whl CVE-2024-35195

Summary IBM Maximo Application Suite - Monitor Component is vulnerable to requests-2.31.0-py3-none-any.whl CVE-2024-35195. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-35195 DESCRIPTION: Psf Requests could allow a local...

CVSS: 5.6, AI score: 6.2, EPSS: 0.00074
Exploits: 0, Affected Software: 1

Total number of security vulnerabilities: 35059