Security Bulletin: There is an Information Disclosure vulnerability in IBM WebSphere Application Server Liberty that is shipped with CICS Transaction Gateway Desktop Edition and CICS Transaction Gateway for Multiplatforms (CVE-2023-50314).
Summary There is an Information Disclosure vulnerability in IBM WebSphere Application Server Liberty that is shipped with CICS Transaction Gateway Desktop Edition and CICS Transaction Gateway for Multiplatforms CVE-2023-50314. An update to CICS Transaction Gateway Desktop Edition and CICS...
Security Bulletin: IBM Security Guardium is affected by an http2-common-9.4.44.v20210927.jar vulnerability (CVE-2023-44487)
Summary IBM Security Guardium has addressed this vulnerability in an update. Vulnerability Details CVEID:CVE-2023-44487 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sending numerous HTTP/2 requests...
Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities found in Java and IBM WebSphere Application Server Liberty
Summary There are multiple vulnerabilities in Java and IBM WebSphere Application Server Liberty used by IBM Cloud Transformation Advisor CVE-2024-7254, CVE-2022-46363, CVE-2015-2156, CVE-2020-11612. Vulnerability Details CVEID:CVE-2024-7254 DESCRIPTION: Any project that parses untrusted Protocol...
Security Bulletin: Due to use of IBM WebSphere Application Server Liberty, IBM Tivoli Application Dependency Discovery Manager is vulnerable to disclosure of information.
Summary IBM WebSphere Application Server Liberty is used by IBM Tivoli Application Dependency Discovery Manager CVE-2023-50314 Vulnerability Details CVEID:CVE-2023-50314 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could allow an attacker with access to the...
Security Bulletin: IBM Cognos Transformer is affected by vulnerabilities in IBM® Java™ and Bouncy Castle Crypto Package For Java
Summary There are vulnerabilities in IBM® Java™ and Bouncy Castle Crypto Package For Java consumed by IBM Cognos Transformer. For more information about the vulnerability impact, refer to the table in the "Related Information" section. This Security Bulletin relates only to third-party components...
Security Bulletin: Vulnerabilities in Node.js Elliptic module may affect IBM watsonx Assistant for IBM Cloud Pak for Data
Summary Potential information disclosure vulnerabilities have been identified in the Node.js Elliptic module that may affect IBM watsonx Assistant for IBM Cloud Pak for Data. These vulnerabilities have been addressed. Refer to details for additional information. Vulnerability Details...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Informix 14.10.xC10W2
Summary In addition to various updates, the security vulnerabilities mentioned in the Remediation/Fixes section have been addressed with IBM Informix 14.10.xC10W2. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected...
Security Bulletin: Multiple vulnerabilities which can affect IBM Storage Scale are now fixed.
Summary There are several vulnerabilities in IBM Storage Scale which could provide weaker than expected security that are now fixed. Vulnerability Details CVEID:CVE-2023-50314 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could allow an attacker with access to th...
Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2015-7450)
Summary WebSphere Application Server is shipped with WebSphere Remote Server. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes Affected...
Security Bulletin: IBM Fusion HCI Installer is vulnerable to arbitrary code execution, gaining of elevated privileges, obtaining sensitive information, and denial of service due to various Python packages
Summary The IBM Fusion Installer is affected by vulnerabilities in Ansible and Python packages dnspython, requests, certifi and idna. Vulnerabilities include arbitrary code execution, gaining of elevated privileges, obtaining sensitive information, and denial of service. CVE-2023-5764,...
Security Bulletin: Security Vulnerabilities have been identified in IBM Java Runtime as shipped with Tivoli Federated Identity Manager
Summary IBM Java Runtime as shipped with Tivoli Federated Identity Manager. Information about security vulnerabilities affecting IBM Java Runtime have been published in a security bulletin. Vulnerability Details CVEID:CVE-2019-2766 DESCRIPTION: Vulnerability in the Java SE, Java SE Embedded...
Security Bulletin: IBM Fusion HCI and IBM Fusion are vulnerable to a denial of service
Summary The IBM Fusion HCI and IBM Fusion Backup and Restore services are affected by a vulnerability in the Go package protobuf. The vulnerability allows for a denial of service if processing certain forms of invalid JSON. CVE-2024-24786. Vulnerability Details CVEID:CVE-2024-24786 DESCRIPTION:...
Security Bulletin: IBM Fusion HCI and IBM Fusion are vulnerable to a denial of service
Summary IBM Fusion HCI and IBM Fusion are affected by a vulnerability in the Kubernetes package k8s.io/Apimachinery. The HTTP/2 protocol allows for a denial of service. CVE-2023-44487. Vulnerability Details CVEID:CVE-2023-44487 DESCRIPTION: Multiple vendors are vulnerable to a denial of service,...
Security Bulletin: IBM Fusion and IBM Fusion HCI are vulnerable to retrieval of sensitive information, arbitrary code execution, denial of service, and security restrictions bypass
Summary IBM Fusion and IBM Fusion HCI's backup and restore service, due to the use of the Python packages urllib3, setuptools, Werkzeug, zipp, Requests and Dnspython, are vulnerable to the retrieval of sensitive information, arbitrary code execution, denial of service, and the bypass of security...
Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to python - setuptools
Summary IBM Sterling Connect:Direct Web Service uses python - setuptools. pypa/setuptools could allow a remote attacker to execute arbitrary code on the system, caused by an error in the package_index module. Vulnerability Details CVEID:CVE-2024-6345 DESCRIPTION: pypa/setuptools could allow a...
Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to os - glib2
Summary IBM Sterling Connect:Direct Web Service uses os - glib2. GNOME GLib could allow a remote attacker to conduct spoofing attacks, caused by a flaw when a GDBus-based client subscribes to signals from a trusted system service. Vulnerability Details CVEID:CVE-2024-34397 DESCRIPTION: GNOME GLib...
Security Bulletin: IBM Operational Decision Manager for Nov 2024 - Multiple CVEs addressed
Summary IBM Operational Decision Manager is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2024-47554...
Security Bulletin: IBM WebSphere Application Server is vulnerable to a denial of service (CVE-2024-45085)
Summary IBM WebSphere Application Server is vulnerable to a denial of service when a JSF application configured with Sun Reference Implementation 1.2 is deployed. Vulnerability Details CVEID:CVE-2024-45085 DESCRIPTION: IBM WebSphere Application Server is vulnerable to a denial of service, under...
Security Bulletin: IBM Storage Scale System may be affected by vulnerabilities in OpenSSL
Summary Security vulnerabilities have been discovered in OpenSSL that are now fixed. Vulnerability Details CVEID:CVE-2023-3446 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a flaw when using the DH_check, DH_check_ex or EVP_PKEY_param_check functions to check a DH key or DH...
Security Bulletin: Vulnerability in linux-firmware (CVE-2023-31346) affects Power HMC.
Summary The linux-firmware library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2023-31346 DESCRIPTION: AMD SEV-SNP Firmware could allow a local authenticated attacker to obtain sensitive information, caused by the failure...
Security Bulletin: Vulnerabilities in libssh (CVE-2023-6004, CVE-2023-6918) affect Power HMC.
Summary The libssh library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2023-6004 DESCRIPTION: libssh could allow a local authenticated attacker to execute arbitrary commands on the system, caused by a flaw in the...
Security Bulletin: Vulnerability in openssh (CVE-2020-15778) affects Power HMC.
Summary The openssh library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2020-15778 DESCRIPTION: OpenSSH could allow a remote attacker to execute arbitrary commands on the system, caused by improper input validation in the...
Security Bulletin: Vulnerability in Apache HTTP Server (CVE-2023-38709) affects Power HMC.
Summary The Apache HTTP Server library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2023-38709 DESCRIPTION: Apache HTTP Server is vulnerable to HTTP response splitting attacks, caused by improper input validation in the...
Security Bulletin: Vulnerability in Apache HTTP Server (CVE-2023-45802) affects Power HMC.
Summary The Apache HTTP Server library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2023-45802 DESCRIPTION: When an HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources...
Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Node.js.
Summary Multiple vulnerabilities in Node.js that is used by InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2024-27980 DESCRIPTION: Node.js could allow a remote attacker to execute arbitrary commands on the system, caused by the improper handling of batch files in...
Security Bulletin: Platform UI and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Node.js vulnerability 351136
Summary Platform UI and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Node.js vulnerability 351136 with details below. The vulnerabilities have been addressed. Vulnerability Details IBM X-Force ID: 351136 DESCRIPTION: Node.js npm inflight module is...
Security Bulletin: Multiple vulnerabilities in IBM Db2 may affect IBM Storage Protect Server.
Summary IBM Storage Protect Server, which uses IBM Db2, may be affected by multiple vulnerabilities that could result in denial of service or the loss of confidentiality, integrity. These vulnerabilities include CVE-2024-31882, CVE-2024-29857, CVE-2024-30172, CVE-2024-30171, CVE-2024-35136,...
Security Bulletin: Loss of confidentiality in IBM WebSphere Application Server Liberty may affect IBM Storage Protect Operations Center (CVE-2023-50314).
Summary IBM Storage Protect Operations Center may be affected by loss of confidentiality caused by the use of a certificate issued by a trusted authority in IBM WebSphere Application Server Liberty. Vulnerability Details CVEID:CVE-2023-50314 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3...
Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is vulnerable to a spoofing attack [CVE-2023-50314].
Summary IBM WebSphere Application Server Liberty for IBM i is vulnerable to an attacker with access to the network to conduct spoofing attacks as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerability as described in the...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v5.0.3 is vulnerable to multiple Operator package issues
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v5.0.3 is vulnerable to multiple Operator package issues. We have performed updates to the Operators used by our Speech Services. The following vulnerabilities have been addressed in this update. Please read the details for...
Security Bulletin: IBM DataPower Gateway vulnerable to Denial of Service (CVE-2023-52881)
Summary This issue can affect TCP networking Vulnerability Details CVEID:CVE-2023-52881 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: tcp: do not accept ACK of bytes we never sent This patch is based on a detailed report and ideas from Yepeng Pan and Christian...
Security Bulletin: IBM Operational Decision Manager for Oct 2024 - Multiple CVEs addressed
Summary IBM Operational Decision Manager is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2023-5236...
Security Bulletin: IBM Cognos Dashboards on Cloud Pak for Data has addressed security vulnerabilities
Summary There are vulnerabilities in Open-Source Software (OSS) components consumed by IBM Cognos Dashboards on Cloud Pak for Data. Please refer to the Related Information section below for vulnerability impact. This Security Bulletin relates only to the direct usage of third-party components by IB...
Security Bulletin: IBM Data Product Hub is affected by several vulnerabilities
Summary IBM Data Product Hub has dependencies on IBM WebSphere Application Server Liberty, IBM Semeru Runtime, and the Node.js elliptic and path-to-regexp modules, which are vulnerable. This bulletin contains information regarding the vulnerabilities and their fixes. Vulnerability Details...
Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities
Summary IBM QRadar SIEM includes vulnerable components e.g., framework libraries that could be identified and exploited with automated tools. These have been addressed in the update. Vulnerability Details CVEID:CVE-2024-23454 DESCRIPTION: Apache Hadoop could allow a local authenticated attacker t...
Security Bulletin: IBM Cloud Pak System is vulnerable to multiple vulnerabilities in IBM Java SDK.
Summary IBM Cloud Pak System is vulnerable to multiple vulnerabilities in IBM SDK. The fix removes these vulnerabilities as per IBM SDK, Java Technology Apr 2024. Vulnerability Details CVEID:CVE-2024-21085 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allo...
Security Bulletin: Multiple vulnerabilities affect IBM® Semeru Runtime
Summary This bulletin for IBM Semeru Runtime covers all applicable Java SE CVEs published by OpenJDK as part of their October 2024 Vulnerability Advisory, plus CVE-2024-10917 and CVE-2024-9143. For more information please refer to OpenJDK's October 2024 Vulnerability Advisory and the X-Force...
Security Bulletin: There is a vulnerability in the Flask library impacting IBM watsonx Code Assistant for Ansible
Summary There is a vulnerability in the Flask library impacting IBM watsonx Code Assistant for Ansible. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2023-30861 DESCRIPTION: Pallets Flask could allow a remote attacker to obtain sensitiv...
Security Bulletin: IBM® Db2® is vulnerable to denial of service under specific conditions (CVE-2024-45663)
Summary IBM® Db2® is vulnerable to denial of service as the server may crash under certain conditions with a specially crafted query. Vulnerability Details CVEID:CVE-2024-45663 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to a denial of service as the...
Security Bulletin: IBM® Db2® is vulnerable to denial of service under specific conditions (CVE-2024-37071)
Summary IBM® Db2® is vulnerable to denial of service under certain conditions with a specially crafted query by an authenticated user. Vulnerability Details CVEID:CVE-2024-37071 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause...
Security Bulletin: IBM® Db2® is vulnerable to denial of service under specific conditions (CVE-2024-41761)
Summary IBM® Db2® is vulnerable to denial of service as the server may crash under certain conditions with a specially crafted query. Vulnerability Details CVEID:CVE-2024-41761 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to a denial of service as the...
Security Bulletin: IBM® Db2® is vulnerable to denial of service under specific conditions (CVE-2024-41762)
Summary IBM® Db2® is vulnerable to denial of service as the server may crash under certain conditions with a specially crafted query. Vulnerability Details CVEID:CVE-2024-41762 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to a denial of service as the...
Security Bulletin: There are multiple vulnerabilities in IBM App Connect Enterprise due to IBM Semeru Runtime
Summary There are multiple vulnerabilities in IBM App Connect Enterprise due to IBM Semeru Runtime. Vulnerability Details CVEID:CVE-2024-21217 DESCRIPTION: An unspecified vulnerability in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition related to the Serialization...
Security Bulletin: A vulnerability in XML toolkit for Ruby affects IBM License Metric Tool.
Summary There is a vulnerability in the XML toolkit for Ruby component used by IBM License Metric Tool. Vulnerability Details CVEID:CVE-2024-49761 DESCRIPTION: Ruby REXML is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By sending a specially...
Security Bulletin: Promise based HTTP client for the browser and node.js
Summary Axios is vulnerable to Regular Expression Denial of Service (ReDoS). When a manipulated string is provided as input to the format method, the regular expression exhibits a time complexity of O(n^2). The server becomes unable to provide normal service due to the excessive cost and time wasted in...
Security Bulletin: User can inject the suspected code via URL passed
Summary A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to cod...
Security Bulletin: IBM QRadar SIEM is vulnerable to cross-site scripting (CVE-2024-47107)
Summary IBM QRadar SIEM is vulnerable to cross-site scripting. This vulnerability has been addressed in the update. Vulnerability Details CVEID:CVE-2024-47107 DESCRIPTION: IBM QRadar is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary...
Security Bulletin: IBM Business Automation Navigator is affected by a vulnerability in path-to-regexp (CVE-2024-45296)
Summary IBM Business Automation Navigator has addressed the following vulnerability. This does not impact IBM Content Navigator on-prem. Vulnerability Details CVEID:CVE-2024-45296 DESCRIPTION: pillarjs Path-to-RegExp is vulnerable to a denial of service, caused by a regular expression denial of...
Security Bulletin: "Carbon Charts" is vulnerable to Cross-site Scripting due to Improper Neutralization of Input During Web Page Generation (CWE-79)
Summary The issue arises from the library not sanitizing custom HTML provided by developers, allowing potentially harmful scripts to be executed in the user's browser when interacting with the chart. Vulnerability Details CVEID:CVE-2024-47117 DESCRIPTION: IBM Carbon Design System is vulnerable to...
Security Bulletin: Multiple vulnerabilities which can affect IBM Storage Scale are now fixed.
Summary There are several vulnerabilities in IBM Storage Scale which could provide weaker than expected security that are now fixed. Vulnerability Details CVEID:CVE-2024-39249 DESCRIPTION: Async is vulnerable to a denial of service, caused by a ReDoS (Regular Expression Denial of Service) flaw while...