35059 matches found

IBM Security Bulletins
•added 2025/01/08 7:10 a.m.•23 views

Security Bulletin: Multiple Vulnerabilities in moment.js used by IBM Jazz Reporting Service (JRS) (CVE-2022-24785, CVE-2017-18214, CVE-2016-4055, CVE-2022-31129)

Summary There are multiple vulnerabilities identified in IBM Jazz Reporting Service JRS. These vulnerabilities have been fixed. Please apply the latest version to obtain the fixes. Vulnerability Details CVEID:CVE-2022-24785 DESCRIPTION: Moment.js could allow a remote attacker to traverse...

CVSS 7.8 | AI score 7.5 | EPSS 0.03173 | Exploits 2 | Affected Software 1
IBM Security Bulletins
•added 2025/01/08 4:15 a.m.•11 views

Security Bulletin: Vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI - October 2024 CPU

Summary Websphere Application Server WAS is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about security vulnerabilities affecting WAS has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...

AI score 6.8 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/07 9:0 p.m.•22 views

Security Bulletin: Multiple vulnerabilities affect IBM Db2 Big SQL on Cloud Pak for Data

Summary Multiple vulnerabilities affect IBM Db2 Big SQL 7.6 and earlier on Cloud Pak for Data 4.8 and earlier Vulnerability Details CVEID:CVE-2023-35116 DESCRIPTION: Fasterxml jackson-databind is vulnerable to a denial of service, caused by a stack-based overflow. By persuading a victim to open a...

CVSS 6.8 | AI score 8.9 | EPSS 0.00821 | Exploits 2 | Affected Software 1
IBM Security Bulletins
•added 2025/01/07 8:55 p.m.•18 views

Security Bulletin: A vulnerability in the follow-redirect module affects IBM Db2 Big SQL on Cloud Pak for Data

Summary A vulnerability in the node.js follow-redirect module affects IBM Db2 Big SQL 7.6 on Cloud Pak for Data 4.8 Vulnerability Details CVEID:CVE-2024-28849 DESCRIPTION: Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information, caused by the...

CVSS 6.5 | AI score 6.6 | EPSS 0.01077 | Exploits 1 | Affected Software 1
IBM Security Bulletins
•added 2025/01/07 10:22 a.m.•32 views

Security Bulletin: Vulnerabilities exist in IBM Netezza Performance Server for Cloud Pak for Data

Summary Vulnerabilities exist in IBM Netezza Performance Server for Cloud Pak for Data and are fixed in 11.2.3.3 Vulnerability Details CVEID:CVE-2023-37920 DESCRIPTION: An unspecified error with the removal of e-Tugra root certificate in Certifi has an unknown impact and attack vector. CWE:CWE-345:...

CVSS 9.8 | AI score 10 | EPSS 0.09639 | Exploits 1 | Affected Software 1
IBM Security Bulletins
•added 2025/01/07 6:15 a.m.•13 views

Security Bulletin: IBM Maximo Application Suite uses IBM WebSphere Application Server Liberty 24.0.0.x which is vulnerable to information disclosure

Summary IBM Maximo Application Suite uses IBM WebSphere Application Server Liberty 24.0.0.x which is vulnerable to information disclosure. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2023-50314 DESCRIPTION: IBM WebSphere Application...

CVSS 7.5 | AI score 5.6 | EPSS 0.00149 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/06 8:45 p.m.•14 views

Security Bulletin: IBM WebSphere Application Server Liberty shipped with IBM OpenPages affected by information disclosure vulnerability (CVE-2023-50314)

Summary IBM WebSphere Application Server Liberty is shipped as a supporting program of IBM OpenPages. Information about an information disclosure security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. These products have addressed the...

CVSS 7.5 | AI score 6.1 | EPSS 0.00149 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/06 2:34 p.m.•16 views

Security Bulletin: Multiple IBM® Db2® security vulnerability fixes

Summary If you use IBM® Db2® as your database in your IBM Datacap deployment, please follow the Db2 security bulletins referred here to remedy the vulnerabilities. IBM® Db2® is vulnerable to denial of service under specific conditions CVE-2024-45663, CVE-2024-41761, CVE-2024-41762, CVE-2024-37071...

CVSS 7.5 | AI score 6.4 | EPSS 0.0024 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/06 2:32 p.m.•20 views

Security Bulletin: IBM Security QRadar EDR Software contains multiple vulnerabilities

Summary IBM Security QRadar EDR Software includes vulnerable components e.g., framework libraries that could be identified and exploited with automated tools. These have been addressed in the update. Vulnerability Details CVEID:CVE-2024-21538 DESCRIPTION: Versions of the package cross-spawn befor...

CVSS 8.7 | AI score 7.1 | EPSS 0.10778 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/06 2:23 p.m.•13 views

Security Bulletin: Security Vulnerabilities in node.js packages affect IBM Voice Gateway

Summary Security Vulnerabilities in node.js packages affect IBM Voice Gateway. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2024-21538 DESCRIPTION: Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service ReDoS due to...

CVSS 8.7 | AI score 6.8 | EPSS 0.00067 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/04 12:32 p.m.•27 views

Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM® Db2® Big SQL.

Summary There are multiple vulnerabilities in OpenSSL used by IBM® Db2® Big SQL 7 on IBM Cloud Pak for Data 4.6.0 and earlier. Vulnerability Details CVEID:CVE-2022-3602 DESCRIPTION: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note...

CVSS 7.5 | AI score 8.7 | EPSS 0.83506 | Exploits 6 | Affected Software 1
IBM Security Bulletins
•added 2025/01/04 12:30 p.m.•19 views

Security Bulletin: Multiple vulnerabilities in IBM® Db2® affect IBM® Db2® Big SQL.

Summary There are multiple vulnerabilities in IBM® Db2® 11.5 used by IBM® Db2® Big SQL 7 on IBM Cloud Pak for Data 4.8 and earlier. These issues were disclosed in an IBM® Db2® Security Bulletin in January 2024. Vulnerability Details CVEID:CVE-2023-47158 DESCRIPTION: IBM DB2 for Linux, UNIX and...

CVSS 7.5 | AI score 8.5 | EPSS 0.00109 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/04 12:28 p.m.•14 views

Security Bulletin: Multiple security vulnerabilities are affecting IBM Db2 Big SQL on Cloud Pak for Data

Summary Multiple security vulnerabilities are affecting IBM Db2 Big SQL 7.4 and earlier on Cloud Pak for Data 4.6 and earlier Vulnerability Details CVEID:CVE-2022-43929 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows 11.1 and 11.5 may be vulnerable to a Denial of Service when executing a speciall...

CVSS 7.5 | AI score 6.8 | EPSS 0.01368 | Exploits 1 | Affected Software 1
IBM Security Bulletins
•added 2025/01/04 12:27 p.m.•16 views

Security Bulletin: A vulnerability affects IBM Db2 Big SQL on Cloud Pak for Data

Summary A vulnerability in the node.js ejs module affects IBM Db2 Big SQL 7.4 and earlier on Cloud Pak for Data 4.6 and earlier Vulnerability Details CVEID:CVE-2023-29827 DESCRIPTION: Node.js ejs module could allow a remote authenticated attacker to execute arbitrary code on the system, caused by...

CVSS 9.8 | AI score 7.9 | EPSS 0.76163 | Exploits 1 | Affected Software 1
IBM Security Bulletins
•added 2025/01/03 4:44 p.m.•23 views

Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to issues in IBM Semeru Runtime version 17

Summary There are vulnerabilities in IBM Semeru Runtime version 17 used by IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling Connect:Direct for Microsoft Windows has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2024-21217 DESCRIPTION: Vulnerability in Java SE...

CVSS 5.3 | AI score 7.9 | EPSS 0.00883 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/03 11:30 a.m.•11 views

Security Bulletin: IBM Engineering Lifecycle Optimization - Engineering Publishing uses a web link with untrusted references to an external site.

Summary When a user clicks a link to an external site, and that link has the target="_blank" attribute, then the new site will be opened into a new tab or window, but will share its process with the original tab or window. The window.opener object stores information from the original window, so i...

CVSS 9.8 | AI score 6.6 | EPSS 0.00208 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/03 11:28 a.m.•9 views

Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

Summary Weak cryptographic hashes cannot guarantee data integrity and should not be used in security-critical contexts. MD5 and SHA-1 are popular cryptographic hash algorithms often used to verify the integrity of messages and other data. Recent advances in cryptanalysis have discovered weaknesse...

CVSS 7.5 | AI score 6.4 | EPSS 0.00064 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/03 11:11 a.m.•17 views

Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing could allow a remote attacker to cause a denial of service using a complex regular expression.

Summary Regular expressions are a formal language for identifying strings of text, parsing, and matching them. Most regular expressions engines are built over a non-deterministic Finite Automaton NFA. They use backtracking and, while these regular expression engines can quickly confirm a positive...

CVSS 7.5 | AI score 6.5 | EPSS 0.00119 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/03 11:9 a.m.•11 views

Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing could allow a remote attacker to cause an unhandled SSL exception which could leave the connection in an unexpected or insecure state.

Summary TLS/SSL error handling in Java typically throws a java.net.ssl.SSLException or subtypes SSLHandshakeException, SSLKeyException, SSLPeerUnverifiedException or SSLProtocolException when there is a protocol or security problem detected by the SSL subsystem, particularly during SSL handshake ...

CVSS 6.5 | AI score 6.6 | EPSS 0.00169 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/03 11:7 a.m.•12 views

Security Bulletin: IBM Engineering Lifecycle Optimization - Engineering Publishing could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

Summary When an error message is generated, care should be taken to ensure that it does not contain sensitive information about the environment, users or any other information that may be considered sensitive. Such information may be valuable itself or may be useful for further attacks with a...

CVSS 5.3 | AI score 6.3 | EPSS 0.00088 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/03 11:5 a.m.•18 views

Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow

Summary The software constructs all or part of an SQL command using externally-controlled input, but it does not neutralize properly that input that could modify the intended SQL command when it is sent to a database interaction method e.g. JDBC. Commonly a database table contains information tha...

CVSS 7.3 | AI score 7.3 | EPSS 0.00151 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/03 11:4 a.m.•16 views

Security Bulletin: IBM Engineering Lifecycle Optimization - Engineering Publishing Apache Commons IO is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw in the org.apache.commons.io.input.XmlStreamReader class.

Summary Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper input validation by the FileNameUtils.normalize method. An attacker could send a specially-crafted URL request containing dot dot sequences /../ to view arbitrary files on the system...

CVSS 4.3 | AI score 5 | EPSS 0.00127 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/03 6:38 a.m.•14 views

Security Bulletin: Multiple Vulnerabilities in Java Runtime affecting IBM Knowledge Catalog On Cloud Pak for Data

Summary Lineage component is an internal component of IBM Knowledge Catalog On Cloud Pak for Data. Vulnerabilities in Java Runtime are affecting Lineage component of IBM Cloud Pak for Data. These vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2024-21217 DESCRIPTION:...

CVSS 3.7 | AI score 6.3 | EPSS 0.00096 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/02 4:14 p.m.•25 views

Security Bulletin: Vulnerability in follow-redirects-1.15.3.tgz affects IBM Db2 Big SQL

Summary A vulnerability in node.js follow-redirects-1.15.3.tgz package affects IBM Db2 Big SQL 7.6 and earlier on Cloud Pak for Data 4.8 and earlier. Vulnerability Details CVEID:CVE-2023-26159 DESCRIPTION: follow-redirects could allow a remote attacker to conduct phishing attacks, caused by an...

CVSS 7.3 | AI score 7.5 | EPSS 0.00101 | Exploits 1 | Affected Software 1
IBM Security Bulletins
•added 2025/01/02 4:13 p.m.•24 views

Security Bulletin: Vulnerability in Golang affects IBM Db2 Big SQL

Summary A vulnerability in Golang golang.org/x/net-v0.2.0 package affects IBM Db2 Big SQL 7.6 and earlier on Cloud Pak for Data 4.8 and earlier. Vulnerability Details CVEID:CVE-2022-41723 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a flaw in the HPACK decoder. By sendi...

CVSS 7.5 | AI score 7.5 | EPSS 0.00264 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/02 4:12 p.m.•28 views

Security Bulletin: A vulnerability in body-parser-1.20.2.tgz affects IBM Db2 Big SQL on Cloud Pak for Data

Summary A vulnerability in open source package expressjs body-parser-1.20.2.tgz affects IBM Db2 Big SQL 7.x on Cloud Pak for Data 5.x Vulnerability Details CVEID:CVE-2024-45590 DESCRIPTION: expressjs body-parser is vulnerable to a denial of service, caused by a flaw when url encoding is enabled. ...

CVSS 7.5 | AI score 7.5 | EPSS 0.01535 | Exploits 1 | Affected Software 1
IBM Security Bulletins
•added 2025/01/02 4:9 p.m.•24 views

Security Bulletin: A vulnerability in python certifi package affects IBM Db2 Big SQL

Summary There is a vulnerability in python package certifi-2024.6.2-py3-none-any.whl affecting IBM Db2 Big SQL 7.7.0 on CP4D 5.0 Vulnerability Details CVEID:CVE-2024-39689 DESCRIPTION: Certifi python-certifi could provide weaker than expected security, caused by the use of GLOBALTRUST root...

CVSS 7.5 | AI score 7.2 | EPSS 0.25805 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/02 3:59 p.m.•34 views

Security Bulletin: Multiple vulnerabilities in IBM® Db2® affect IBM® Db2® Big SQL.

Summary There are multiple vulnerabilities in IBM® Db2® 11.5 used by IBM® Db2® Big SQL 7 on IBM Cloud Pak for Data 4.7 and earlier. Vulnerability Details CVEID:CVE-2023-39976 DESCRIPTION: ClusterLabs libqb is vulnerable to a buffer overflow, caused by improper bounds checking by the...

CVSS 9.8 | AI score 9.4 | EPSS 0.00189 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/02 1:52 p.m.•19 views

Security Bulletin: Multiple Vulnerabilities of IBM Java SDK have affected Linux KVM Agent from IBM Tivoli Monitoring for Virtual Environments product

Summary Linux KVM Agent is from IBM Tivoli Monitoring for Virtual Environments product vulnerable to IBM java SDK. The fix includes IBM Java SDK upgraded to 8.0.8.25. Vulnerability Details CVEID:CVE-2024-20952 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component...

CVSS 9.8 | AI score 8.2 | EPSS 0.00449 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2025/01/02 1:37 p.m.•16 views

Security Bulletin: Multiple Vulnerabilities of IBM Java SDK have affected VMware Agent from IBM Tivoli Monitoring for Virtual Environments product

Summary VMware Agent from IBM Tivoli Monitoring for Virtual Environments product is vulnerable to IBM java SDK. The fix includes IBM Java SDK upgraded to 08.08.25.00 version. Vulnerability Details CVEID:CVE-2023-22081 DESCRIPTION: An unspecified vulnerability in Java SE related to the JSSE...

CVSS 7.5 | AI score 8.9 | EPSS 0.00449 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2024/12/31 5:52 p.m.•41 views

Security Bulletin: Vulnerabilities in VMware vCenter affect Cloud Pak System [CVE-2024-38812, CVE-2024-38813]

Summary Vulnerabilities in VMware vCenter affect Cloud Pak System. Vulnerability Details CVEID:CVE-2024-38812 DESCRIPTION: Broadcom VMware vCenter Server is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the implementation of the DCERPC protocol. By sending a...

CVSS 9.8 | AI score 9.6 | EPSS 0.77869 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2024/12/30 1:58 p.m.•13 views

Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to tensorflow-2.12.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl CVE-2023-33976

Summary IBM Maximo Application Suite - Monitor Component is vulnerable to tensorflow-2.12.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl CVE-2023-33976. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2023-33976 DESCRIPTION:...

CVSS 7.5 | AI score 6.8 | EPSS 0.00036 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2024/12/30 12:12 p.m.•16 views

Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. CVE-2023-27043

Summary IBM Maximo Application Suite - Monitor Component is vulnerable to The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. CVE-2023-27043. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Detail...

CVSS 5.3 | AI score 6.7 | EPSS 0.00161 | Exploits 1 | Affected Software 1
IBM Security Bulletins
•added 2024/12/27 12:22 a.m.•27 views

Security Bulletin: IBM SPSS Analytic Server is affected by netty vulnerability (CVE-2024-29025)

Summary IBM SPSS Analytic Server uses netty-codec-http-4.1.100.Final.jar which is vulnerable to CVE-2024-29025. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-29025 DESCRIPTION: Netty is an asynchronous event-driven network...

CVSS 5.3 | AI score 6.2 | EPSS 0.00343 | Exploits 1 | Affected Software 1
IBM Security Bulletins
•added 2024/12/24 5:52 p.m.•20 views

Security Bulletin: IBM Engineering Lifecycle Optimization - Engineering Insights uses a web link with untrusted references to an external site.

Summary IBM Engineering Lifecycle Optimization - Engineering Insights uses a web link with untrusted references to an external site. A remote attacker could exploit this vulnerability to expose sensitive information or perform unauthorized actions on the victims' web browser. The web application...

CVSS 9.8 | AI score 6.3 | EPSS 0.00208 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2024/12/24 5:51 p.m.•19 views

Security Bulletin: IBM Engineering Lifecycle Optimization - Engineering Insights could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

Summary IBM Engineering Lifecycle Optimization - Engineering Insights could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. When an error message is...

CVSS 5.3 | AI score 6.2 | EPSS 0.00088 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2024/12/23 6:34 a.m.•23 views

Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition for IBM Content Collector for SAP Applications

Summary Multiple Vulnerabilities were disclosed as part of the Oracle July 2024 Critical Patch Update Vulnerability Details CVEID:CVE-2024-21147 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality, high...

CVSS 7.4 | AI score 6 | EPSS 0.00977 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2024/12/20 6:1 a.m.•12 views

Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server Liberty may affect IBM Storage Protect Backup-Archive Client

Summary IBM Storage Protect Backup-Archive Client can be affected by security flaws in IBM WebSphere Application Server Liberty. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information, as described in the "Vulnerability...

CVSS 7.5 | AI score 6 | EPSS 0.00149 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2024/12/20 5:55 a.m.•10 views

Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty may affect IBM Storage Protect for Virtual Environments: Data Protection for VMware

Summary IBM Storage Protect for Virtual Environments: Data Protection for VMware can be affected by a security flaw in IBM WebSphere Application Server Liberty. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information, as...

CVSS 7.5 | AI score 5.8 | EPSS 0.00149 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2024/12/20 5:52 a.m.•12 views

Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty may affect IBM Storage Protect for Virtual Environments: Data Protection for Hyper-V

Summary IBM Storage Protect for Virtual Environments: Data Protection for Hyper-V can be affected by a security flaw in IBM WebSphere Application Server Liberty. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information, as...

CVSS 7.5 | AI score 5.8 | EPSS 0.00149 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2024/12/20 5:36 a.m.•9 views

Security Bulletin: Vulnerability in IBM WebSphere Application Server Liberty may affect IBM Storage Protect for Space Management

Summary IBM Storage Protect for Space Management can be affected by security flaws in IBM WebSphere Application Server. Network to conduct spoofing attacks, as described in the "Vulnerability Details" section. CVE-2023-50314. Vulnerability Details CVEID:CVE-2023-50314 DESCRIPTION: IBM WebSphere...

CVSS 7.5 | AI score 6 | EPSS 0.00149 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2024/12/19 9:48 p.m.•28 views

Security Bulletin: There are multiple vulnerabilities that can affect IBM Storage Scale System that are now included

Summary There are multiple vulnerabilities that can affect IBM Storage Scale System, which could provide weaker than expected security that are now fixed. Vulnerability Details CVEID:CVE-2023-52451 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error related to acces...

CVSS 7.8 | AI score 6.8 | EPSS 0.00029 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2024/12/19 7:9 p.m.•18 views

Security Bulletin: Multiple Security Vulnerabilities were discovered in IBM Security Directory Integrator (CVE-2023-32328, CVE-2023-43017, CVE-2022-2068)

Summary Multiple Security Vulnerabilities have been addressed in the IBM Security Directory Integrator Container affecting other products. Vulnerability Details CVEID:CVE-2023-32328 DESCRIPTION: IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure protocols in some instances that...

CVSS 10 | AI score 7.9 | EPSS 0.20216 | Exploits 6 | Affected Software 1
IBM Security Bulletins
•added 2024/12/19 4:32 p.m.•59 views

Security Bulletin: Multiple Vulnerabilities in IBM API Connect

Summary Multiple vulnerabilities were addressed in IBM API Connect v10.0.9.0 Vulnerability Details CVEID:CVE-2024-5535 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a buffer over-read flaw in the SSL_select_next_proto API function when calling with an empty supported client...

CVSS 9.8 | AI score 9.6 | EPSS 0.92707 | Exploits 11 | Affected Software 1
IBM Security Bulletins
•added 2024/12/19 3:29 p.m.•19 views

Security Bulletin: IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities

Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. This update addresses these CVEs. Vulnerability Details CVEID:CVE-2020-15250 DESCRIPTION: JUnit4 could allow a local attacker to obtain sensitive information,...

CVSS 9.2 | AI score 8.8 | EPSS 0.00747 | Exploits 1 | Affected Software 1
IBM Security Bulletins
•added 2024/12/19 2:47 p.m.•19 views

Security Bulletin: This Power System update is being released to address CVE-2023-52881

Summary The Linux kernel is used by the Virtualization Management Interface in PowerVM to support network communication with the Hardware Management Console. This bulletin provides a remediation for the impacted vulnerability, CVE-2023-52881, by upgrading PowerVM and thus addressing the exposure ...

CVSS 5.5 | AI score 6.3 | EPSS 0.00012 | Exploits 0
IBM Security Bulletins
•added 2024/12/19 10:55 a.m.•26 views

Security Bulletin: Due to the use of Apache HttpClient, IBM EntireX is vulnerable to security restrictions being bypassed (CVE-2020-13956).

Summary Due to the use of Apache HttpClient, IBM EntireX is vulnerable to security restrictions being bypassed CVE-2020-13956. Apache HttpClient has been removed from IBM EntireX in order to address the vulnerability. Vulnerability Details CVEID:CVE-2020-13956 DESCRIPTION: Apache HttpClient could...

CVSS 5.3 | AI score 6.8 | EPSS 0.00505 | Exploits 1 | Affected Software 1
IBM Security Bulletins
•added 2024/12/19 9:34 a.m.•30 views

Security Bulletin: TADDM is vulnerable to a denial of service due to vulnerability in SBLIM and Apache Commons Library

Summary SBLIM and Apache Commons used by IBM Tivoli Application Dependency Discovery Manager and is vulnerable to CVE-2008-7230, CVE-2010-1937 and CVE-2012-2328 Vulnerability Details CVEID:CVE-2008-7230 DESCRIPTION: An unspecified vulnerability in SBLIM-SFCB Small Footprint CIM Broker has an...

CVSS 10 | AI score 7.8 | EPSS 0.06311 | Exploits 0 | Affected Software 1
IBM Security Bulletins
•added 2024/12/19 6:14 a.m.•14 views

Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to python - requests

Summary IBM Sterling Connect:Direct Web Service uses python - requests , python-requests could allow a remote attacker to obtain sensitive information, caused by the leaking of Proxy-Authorization headers to destination servers during redirects to an HTTPS origin. Vulnerability Details...

CVSS 6.1 | AI score 6.3 | EPSS 0.06809 | Exploits 1 | Affected Software 1
IBM Security Bulletins
•added 2024/12/19 6:11 a.m.•24 views

Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to python - urllib3

Summary IBM Sterling Connect:Direct Web Service uses python - urllib3 ,urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by the failure to strip the Proxy-Authorization header during cross-origin redirects. Vulnerability Details CVEID:CVE-2024-37891...

CVSS 8.1 | AI score 6.1 | EPSS 0.0095 | Exploits 1 | Affected Software 1

Total number of security vulnerabilities: 35059