
35059 matches found

IBM Security Bulletins
•added 2024/12/09 9:46 a.m.•39 views

Security Bulletin: QRadar Suite Software includes components with multiple known vulnerabilities

Summary: QRadar Suite Software includes components with known vulnerabilities. These have been updated in the latest release and the vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version. Vulnerability Details...

CVSS 9.1 • AI score 9.8 • EPSS 0.10778
Exploits 5 • Affected software 1
IBM Security Bulletins
•added 2024/12/09 7:06 a.m.•6 views

Security Bulletin: The IBM® Engineering Lifecycle Management is impacted by vulnerabilities in Apache Commons-Codec version less than 1.13

Summary: A vulnerability has been identified in Apache Commons-Codec version less than 1.13, which is used in IBM Engineering Lifecycle Management - IBM Jazz. This bulletin contains information regarding vulnerabilities and remediation actions. Vulnerability Details IBM X-Force ID: 177835...

AI score 6.6 (no CVE assigned, so no CVSS or EPSS)
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/12/09 6:59 a.m.•14 views

Security Bulletin: The IBM® Engineering Lifecycle Management is impacted by vulnerabilities in Jdom-1.0

Summary: A vulnerability has been identified in Jdom version 1.0, which is used in IBM Engineering Lifecycle Management - IBM Jazz. This bulletin contains information regarding vulnerabilities and remediation actions. Vulnerability Details CVEID: CVE-2021-33813 DESCRIPTION: JDOM is vulnerable to a...

CVSS 7.5 • AI score 6.9 • EPSS 0.01393
Exploits 1 • Affected software 1
IBM Security Bulletins
•added 2024/12/08 2:16 p.m.•42 views

Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to a remote attacker obtaining sensitive information, bypassing security restrictions, and a server-side request forgery due to multiple vulnerabilities.

Summary: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to a remote attacker obtaining sensitive information due to ignoring legacy content-type based configuration of handlers (CVE-2024-39884) and improper validation of input (CVE-2024-38476), a bypass of security restrictions due to a fla...

CVSS 9.8 • AI score 7.4 • EPSS 0.89144
Exploits 1 • Affected software 5
IBM Security Bulletins
•added 2024/12/06 5:13 p.m.•21 views

Security Bulletin: Vulnerability in certifi-2024.2.2-py3-none-any.whl can affect IBM Storage Scale

Summary: There is a vulnerability in certifi-2024.2.2-py3-none-any.whl, used by IBM Storage Scale, which could provide weaker than expected security (CVE-2024-39689). Vulnerability Details CVEID: CVE-2024-39689 DESCRIPTION: Certifi python-certifi could provide weaker than expected security, caused by...

CVSS 7.5 • AI score 7.2 • EPSS 0.25805
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/12/06 4:39 p.m.•15 views

Security Bulletin: IBM SDK Java Technology Edition is vulnerable to CVEs (set out in the link below), affecting WebSphere Service Registry and Repository due to October 2024 CPU

Summary: IBM SDK Java Technology Edition, used by WebSphere Service Registry and Repository, is vulnerable to CVE-2024-10917. These issues were disclosed as part of the IBM Java SDK updates in December 2024. These issues are also addressed by WebSphere Application Server shipped with WebSphere...

CVSS 5.3 • AI score 6.8 • EPSS 0.00303
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/12/06 3:40 p.m.•16 views

Security Bulletin: Security vulnerabilities were discovered in IBM Java SE as shipped with IBM Security Directory Integrator.

Summary: Multiple security vulnerabilities were addressed in IBM Java SE as shipped with IBM Security Directory Integrator. Vulnerability Details CVEID: CVE-2024-21235 DESCRIPTION: Vulnerability in Java SE component: Hotspot. Difficult to exploit vulnerability allows unauthenticated attacker with...

CVSS 5.3 • AI score 6.3 • EPSS 0.00303
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/12/06 12:00 p.m.•37 views

Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to Kerberos 5, OpenSSL, libexpat, golang-jwt, and GnuPG Libgcrypt

Summary: Kerberos 5, OpenSSL, libexpat, golang-jwt, GnuPG Libgcrypt and IBM MQ used by IBM MQ Operator and Queue Manager container images are vulnerable to denial of service due to improper memory allocation and server configuration validation, spoofing attacks, and providing weaker than expected...

CVSS 9.1 • AI score 8.9 • EPSS 0.22162
Exploits 6 • Affected software 1
IBM Security Bulletins
•added 2024/12/06 5:42 a.m.•12 views

Security Bulletin: IBM Observability with Instana is vulnerable to Improper Validation of Specified Type of Input

Summary: Golang Go is used by IBM Instana Observability as part of the elasticsearch-operator (CVE-2024-24790). This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID: CVE-2024-24790 DESCRIPTION: An unspecified error related to various Is methods...

CVSS 9.8 • AI score 7.1 • EPSS 0.00172
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/12/06 5:38 a.m.•14 views

Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to a denial of service vulnerability in the snakeYAML library

Summary: IBM Sterling Partner Engagement Manager is vulnerable to denial of service attacks due to the snakeYAML library. Vulnerability Details CVEID: CVE-2022-41854 DESCRIPTION: snakeYAML is vulnerable to a denial of service, caused by improper input validation. By...

CVSS 6.5 • AI score 6.5 • EPSS 0.00123
Exploits 1 • Affected software 1
IBM Security Bulletins
•added 2024/12/06 5:37 a.m.•18 views

Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to cross-site scripting (CVE-2023-38722)

Summary: IBM Sterling Partner Engagement Manager has addressed a reflected cross-site scripting vulnerability. Vulnerability Details CVEID: CVE-2022-38749 DESCRIPTION: SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a...

CVSS 6.5 • AI score 6.2 • EPSS 0.00533
Exploits 0 • Affected software 2
IBM Security Bulletins
•added 2024/12/06 5:35 a.m.•14 views

Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable due to SnakeYAML issue

Summary: IBM Sterling Partner Engagement Manager uses SnakeYAML, which is subject to stack overflow when parsing YAML files. Vulnerability Details CVEID: CVE-2022-38750 DESCRIPTION: SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a...

CVSS 6.5 • AI score 6.9 • EPSS 0.00693
Exploits 1 • Affected software 1
IBM Security Bulletins
•added 2024/12/06 5:31 a.m.•14 views

Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to org.yaml:snakeyaml Denial of Service (DoS)

Summary: IBM Sterling Partner Engagement Manager uses org.yaml:snakeyaml, which is affected by a denial of service vulnerability (CVE-2022-25857). Vulnerability Details CVEID: CVE-2022-25857 DESCRIPTION: Java package org.yaml:snakeyaml is vulnerable to a denial of service, caused by a missing nested depth limitation...

CVSS 7.5 • AI score 6.7 • EPSS 0.02005
Exploits 2 • Affected software 1
IBM Security Bulletins
•added 2024/12/05 11:38 p.m.•23 views

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Eclipse Jetty

Summary: Multiple vulnerabilities in Eclipse Jetty that is used by InfoSphere Information Server were addressed. Vulnerability Details CVEID: CVE-2024-9823 DESCRIPTION: Eclipse Jetty is vulnerable to a denial of service, caused by a flaw in the DosFilter feature. By sending specially crafted...

CVSS 7.5 • AI score 7.1 • EPSS 0.01189
Exploits 1 • Affected software 1
IBM Security Bulletins
•added 2024/12/05 4:33 p.m.•49 views

Security Bulletin: Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to October 2024 CPU

Summary: There are multiple vulnerabilities in the IBM® SDK, Java™ Technology Edition that is shipped with IBM WebSphere Application Server and IBM WebSphere Application Server Liberty. The CVEs listed in this document might affect some configurations of IBM WebSphere Application Server traditiona...

CVSS 4.8 • AI score 5.9 • EPSS 0.00171
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/12/05 12:14 p.m.•35 views

Security Bulletin: IBM Sterling Secure Proxy is vulnerable to improper input validation

Summary: IBM Sterling Secure Proxy is affected by an improper input validation vulnerability that is exploitable by authenticated, privileged users. Vulnerability Details CVEID: CVE-2024-41783 DESCRIPTION: IBM Sterling Secure Proxy could allow a privileged user to inject commands into the underlyin...

CVSS 9.1 • AI score 6.3 • EPSS 0.00298
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/12/04 11:11 p.m.•51 views

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in OpenSSL

Summary: Multiple vulnerabilities in OpenSSL used by IBM InfoSphere Information Server were addressed. Vulnerability Details CVEID: CVE-2023-3817 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a flaw when using the DH_check, DH_check_ex or EVP_PKEY_param_check functions to check a D...

CVSS 7.5 • AI score 6.8 • EPSS 0.06308
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/12/04 10:17 p.m.•21 views

Security Bulletin: PowerSC is vulnerable to information disclosure, denial of service, and security restrictions bypass due to Curl

Summary: Vulnerabilities in Curl could allow a local attacker to obtain sensitive information (CVE-2024-7264) or a remote attacker to cause a denial of service (CVE-2024-6197, CVE-2024-37371) or bypass security restrictions (CVE-2024-37370). PowerSC uses Curl as part of PowerSC Trusted Network Connect...

CVSS 9.1 • AI score 7.5 • EPSS 0.02606
Exploits 2 • Affected software 1
IBM Security Bulletins
•added 2024/12/04 9:59 p.m.•18 views

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Werkzeug

Summary: Multiple vulnerabilities in Werkzeug used by InfoSphere Information Server were addressed. Vulnerability Details CVEID: CVE-2024-49766 DESCRIPTION: Werkzeug is a Web Server Gateway Interface web application library. Deployments on Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug versi...

CVSS 7.5 • AI score 6.4 • EPSS 0.01392
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/12/04 3:19 p.m.•25 views

Security Bulletin: IBM Sterling B2B Integrator is affected by multiple vulnerabilities in CKEditor

Summary: IBM Sterling B2B Integrator is affected by multiple vulnerabilities in CKEditor. Vulnerability Details CVEID: CVE-2021-32808 DESCRIPTION: CKEditor is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the clipboard Widget plugin if used alongside the...

CVSS 8.2 • AI score 7.4 • EPSS 0.3983
Exploits 1 • Affected software 1
IBM Security Bulletins
•added 2024/12/04 3:17 p.m.•7 views

Security Bulletin: IBM Sterling B2B Integrator is vulnerable to information disclosure due to Apache Commons Codec (177835)

Summary: IBM Sterling B2B Integrator uses Apache Commons Codec. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details IBM X-Force ID: 177835 DESCRIPTION: Apache Commons Codec could allow a remote attacker to obtain sensitive information, caused by the...

AI score 6.6 (no CVE assigned, so no CVSS or EPSS)
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/12/04 3:14 p.m.•19 views

Security Bulletin: IBM Sterling B2B Integrator is affected by multiple security vulnerabilities in IBM WebSphere Application Server

Summary: IBM Sterling B2B Integrator is affected by multiple security vulnerabilities in IBM WebSphere Application Server. Vulnerability Details CVEID: CVE-2023-31582 DESCRIPTION: Jose4J could allow a remote attacker to obtain sensitive information, caused by allowing a low iteration count of 100...

CVSS 7.5 • AI score 8.1 • EPSS 0.00383
Exploits 1 • Affected software 1
IBM Security Bulletins
•added 2024/12/04 12:46 p.m.•20 views

Security Bulletin: Multiple vulnerabilities affect IBM® SDK, Java™ Technology Edition

Summary: This bulletin for IBM SDK, Java Technology Edition covers all applicable Java SE CVEs published by Oracle as part of their October 2024 Critical Patch Update, plus CVE-2024-10917. For more information please refer to Oracle's October 2024 CPU Advisory and the X-Force database entries...

CVSS 5.3 • AI score 6.1 • EPSS 0.00303
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/12/04 10:17 a.m.•64 views

Security Bulletin: IBM App Connect Enterprise Certified Container UBI updates

Summary: IBM App Connect Enterprise Certified Container (ACEcc) is built on the Red Hat Universal Base Images. ACEcc operator versions 5.0.22 LTS, 12.0.6 LTS and 12.6.0 contain fixes to the listed CVEs found in the base images. This bulletin provides patch information to address the reported...

CVSS 9.8 • AI score 9.3 • EPSS 0.10778
Exploits 6 • Affected software 1
IBM Security Bulletins
•added 2024/12/04 6:52 a.m.•45 views

Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager is vulnerable to multiple vulnerabilities.

Summary: There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition used by IBM Tivoli Application Dependency Discovery Manager (TADDM). Vulnerability Details CVEID: CVE-2024-21094 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote...

CVSS 7.5 • AI score 7.3 • EPSS 0.00977
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/12/04 5:50 a.m.•21 views

Security Bulletin: Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager

Summary: IBM Db2 is shipped as a component of IBM Security Key Lifecycle Manager (SKLM/GKLM). Information about multiple security vulnerabilities affecting IBM Db2 has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...

CVSS 7.5 • AI score 7 • EPSS 0.0024
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/12/02 10:37 p.m.•24 views

Security Bulletin: A security vulnerability in WebSphere Application Server Liberty affects IBM Robotic Process Automation which may result in spoofing attacks (CVE-2023-50314)

Summary: A security vulnerability in WebSphere Application Server Liberty affects IBM Robotic Process Automation which may result in spoofing attacks. WebSphere Application Server Liberty is used by IBM Robotic Process Automation as part of the Antivirus and Abbyy containers as well as UMS. This bulletin...

CVSS 7.5 • AI score 6.4 • EPSS 0.00149
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/12/02 10:36 p.m.•77 views

Security Bulletin: Multiple vulnerabilities in IBM WebSphere Liberty Profile affect IBM Robotic Process Automation.

Summary: Multiple vulnerabilities in IBM WebSphere Liberty Profile affect IBM Robotic Process Automation. IBM WebSphere Liberty Profile is used by IBM Robotic Process Automation as part of UMS and as an application server for container deployments. This bulletin identifies the security fixes to...

CVSS 7.5 • AI score 8.6 • EPSS 0.9439
Exploits 20 • Affected software 1
IBM Security Bulletins
•added 2024/12/02 4:25 p.m.•25 views

Security Bulletin: Multiple security vulnerabilities in IBM MQ affect IBM Robotic Process Automation

Summary: Multiple security vulnerabilities in IBM MQ affect IBM Robotic Process Automation. IBM MQ is used by IBM Robotic Process Automation as a system queue. This bulletin identifies the fixes to address the vulnerabilities. Vulnerability Details CVEID: CVE-2024-40681 DESCRIPTION: IBM MQ Operator...

CVSS 8.8 • AI score 7.6 • EPSS 0.08833
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/12/02 4:09 p.m.•18 views

Security Bulletin: Multiple vulnerabilities in Red Hat UBI affect IBM Robotic Process Automation for Cloud Pak

Summary: Multiple vulnerabilities in Red Hat UBI affect IBM Robotic Process Automation for Cloud Pak. Red Hat UBI is used as the base image for IBM Robotic Process Automation for Cloud Pak images. This bulletin identifies the fixes required to address the vulnerabilities. Vulnerability Details...

CVSS 9.1 • AI score 9.4 • EPSS 0.02606
Exploits 1 • Affected software 1
IBM Security Bulletins
•added 2024/12/02 4:08 p.m.•24 views

Security Bulletin: Multiple vulnerabilities in Python affect IBM Robotic Process Automation

Summary: Multiple vulnerabilities in Python affect IBM Robotic Process Automation. Python is used by IBM Robotic Process Automation as part of Watson NLP. This bulletin identifies the fixes required to resolve the vulnerabilities. Vulnerability Details CVEID: CVE-2019-11236 DESCRIPTION: Python urllib...

CVSS 6.5 • AI score 6.7 • EPSS 0.00609
Exploits 2 • Affected software 1
IBM Security Bulletins
•added 2024/12/02 3:58 p.m.•27 views

Security Bulletin: A vulnerability in Microsoft .NET Core may affect IBM Robotic Process Automation and result in a remote attacker obtaining sensitive information (CVE-2018-8292).

Summary: Microsoft .NET Core is used by IBM Robotic Process Automation as part of the development platform (CVE-2018-8292). Vulnerability Details CVEID: CVE-2018-8292 DESCRIPTION: Microsoft .NET Core could allow a remote attacker to obtain sensitive information, caused by an open redirect...

CVSS 7.5 • AI score 7.4 • EPSS 0.08142
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/12/02 3:56 p.m.•23 views

Security Bulletin: Multiple security vulnerabilities in Python affect IBM Robotic Process Automation

Summary: Multiple security vulnerabilities in Python affect IBM Robotic Process Automation. Python is used by IBM Robotic Process Automation as part of Watson NLP. This bulletin identifies the fixes to resolve the vulnerabilities. Vulnerability Details CVEID: CVE-2019-20916 DESCRIPTION: pypa pip...

CVSS 8.8 • AI score 8.4 • EPSS 0.09639
Exploits 6 • Affected software 1
IBM Security Bulletins
•added 2024/12/02 3:55 p.m.•24 views

Security Bulletin: A vulnerability in Python affects IBM Robotic Process Automation and could allow a remote authenticated attacker to obtain sensitive information (CVE-2023-43804).

Summary: A vulnerability in Python affects IBM Robotic Process Automation and could allow a remote authenticated attacker to obtain sensitive information (CVE-2023-43804). IBM Robotic Process Automation uses Python as part of NLP and Abbyy. This security bulletin identifies the fixes that are requir...

CVSS 8.1 • AI score 8.8 • EPSS 0.0095
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/12/02 3:46 p.m.•17 views

Security Bulletin: Multiple vulnerabilities in Go affect IBM Robotic Process Automation for Cloud Pak.

Summary: Multiple vulnerabilities in Go affect IBM Robotic Process Automation for Cloud Pak. Go is used by IBM Robotic Process Automation as part of its operators. This bulletin identifies the fixes to resolve the vulnerabilities. Vulnerability Details CVEID: CVE-2024-21626 DESCRIPTION: Open Contain...

CVSS 8.6 • AI score 7.4 • EPSS 0.04591
Exploits 18 • Affected software 1
IBM Security Bulletins
•added 2024/12/02 8:30 a.m.•25 views

Security Bulletin: IBM Instana Observability is affected by multiple vulnerabilities within Instana Agent container image

Summary: Multiple vulnerabilities were remediated in IBM Observability with Instana within Instana Agent container image build 286. Vulnerability Details CVEID: CVE-2024-43382 DESCRIPTION: Snowflake JDBC driver could provide weaker than expected security, caused by an incorrect security setting. A...

CVSS 6.5 • AI score 7 • EPSS 0.00205
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/11/28 3:48 p.m.•44 views

Security Bulletin: IBM Observability with Instana for Synthetic PoP is affected by Multiple Security Vulnerabilities

Summary: Multiple vulnerabilities were addressed in IBM Observability with Instana for Synthetic PoP build 284. Vulnerability Details CVEID: CVE-2024-2398 DESCRIPTION: cURL libcurl is vulnerable to a denial of service, caused by a memory leak when allowing HTTP/2 server push. By sending a specially...

CVSS 9.8 • AI score 9.4 • EPSS 0.09639
Exploits 3 • Affected software 1
IBM Security Bulletins
•added 2024/11/28 9:05 a.m.•19 views

Security Bulletin: Security vulnerabilities may affect IBM Java shipped with IBM TXSeries for Multiplatforms.

Summary: Security vulnerabilities may affect IBM Java shipped with IBM TXSeries for Multiplatforms. Updates to IBM TXSeries for Multiplatforms have been released to address these vulnerabilities. Vulnerability Details CVEID: CVE-2024-21147 DESCRIPTION: An unspecified vulnerability in Java SE relate...

CVSS 7.4 • AI score 6.8 • EPSS 0.00977
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/11/27 5:00 p.m.•42 views

Security Bulletin: Financial Transaction Manager v4 is impacted by multiple vulnerabilities in IBM Java SE

Summary: Multiple vulnerabilities were addressed in Financial Transaction Manager v4.0.6.0 iFix4. Vulnerability Details CVEID: CVE-2024-21147 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality, high integrity...

CVSS 7.5 • AI score 6.3 • EPSS 0.00977
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/11/27 4:34 p.m.•22 views

Security Bulletin: Multiple vulnerabilities in Open JDK affecting Rational Functional Tester / DevOps Test UI

Summary: There are multiple vulnerabilities in Open JDK used by Rational Functional Tester (RFT) / DevOps Test UI (Test UI). RFT/Test UI has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2024-21208 DESCRIPTION: An unspecified vulnerability in Oracle Java SE, Oracle GraalVM for JDK,...

CVSS 3.7 • AI score 6.9 • EPSS 0.00096
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/11/27 4:29 p.m.•26 views

Security Bulletin: Financial Transaction Manager v4 is impacted by multiple vulnerabilities in WebSphere Liberty

Summary: Multiple vulnerabilities were addressed in Financial Transaction Manager 4.0.6.0 iFix4. Vulnerability Details CVEID: CVE-2024-22354 DESCRIPTION: IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5 are vulnerable to an XML External...

CVSS 7.5 • AI score 7.4 • EPSS 0.00383
Exploits 1 • Affected software 1
IBM Security Bulletins
•added 2024/11/27 2:26 p.m.•31 views

Security Bulletin: IBM Analytics Content Hub is affected by security vulnerabilities

Summary: There are vulnerabilities in multiple Open Source Software (OSS) components consumed by IBM Analytics Content Hub. Additionally, IBM Analytics Content Hub is vulnerable to Buffer Overflow, Server Side Request Forgery (SSRF) and Improper Error Handling vulnerabilities. Please refer to the tabl...

CVSS 8.8 • AI score 10 • EPSS 0.23757
Exploits 5 • Affected software 1
IBM Security Bulletins
•added 2024/11/26 9:12 p.m.•13 views

Security Bulletin: The IBM® Engineering Lifecycle Management is vulnerable to cross-site scripting

Summary: A cross-site scripting vulnerability has been identified on the URL "/jts/auth/authrequired". The endpoint does not properly sanitise and escape the user-supplied 'layout' parameter before outputting it into the response body, leading to a cross-site scripting attack. This bulleti...

CVSS 6.1 • AI score 5.4 • EPSS 0.00071
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/11/26 9:10 p.m.•16 views

Security Bulletin: Insufficient verification of data authenticity might affect IBM Storage Defender – Resiliency Service

Summary: IBM Storage Defender – Resiliency Service is vulnerable to insufficient verification of data authenticity. The vulnerability has been addressed (CVE-2023-37920). Vulnerability Details CVEID: CVE-2023-37920 DESCRIPTION: An unspecified error with the removal of e-Tugra root certificate in...

CVSS 9.8 • AI score 6.7 • EPSS 0.00119
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/11/26 5:37 p.m.•17 views

Security Bulletin: IBM Data Virtualization Manager for z/OS has a remote code execution (RCE) vulnerability

Summary: IBM Data Virtualization Manager for z/OS has a remote code execution (RCE) vulnerability. Vulnerability Details CVEID: CVE-2024-52899 DESCRIPTION: IBM Data Virtualization Manager for z/OS could allow an authenticated user to inject malicious JDBC URL parameters and execute code on the server...

CVSS 8.8 • AI score 7.4 • EPSS 0.00195
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/11/26 9:40 a.m.•57 views

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining Interim Fix for Nov 2024

Summary: In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Process Mining 1.15.0 IF004. Vulnerability Details CVEID: CVE-2024-38821 DESCRIPTION: VMware Tanzu Spring Security could allow a remote attacker to bypass security...

CVSS 9.8 • AI score 9.1 • EPSS 0.93507
Exploits 15 • Affected software 1
IBM Security Bulletins
•added 2024/11/25 1:57 p.m.•20 views

Security Bulletin: IBM Workload Scheduler stores user credentials in plain text.

Summary: IBM Workload Scheduler stores user credentials in plain text which can be read by a local user (CVE-2024-49351). Vulnerability Details CVEID: CVE-2024-49351 DESCRIPTION: IBM Workload Scheduler stores user credentials in plain text which can be read by a local user. CWE-256: Plaintext...

CVSS 5.5 • AI score 6.2 • EPSS 0.00021
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/11/25 5:03 a.m.•12 views

Security Bulletin: The IBM® Engineering Lifecycle Management is impacted by vulnerabilities in Repodebug

Summary: Repodebug shows the Oracle password in plain text. This only occurs with Oracle DB. A customer observed that repodebug shows the database username and password for Oracle JDBC connections, which is a vulnerability. This bulletin contains information regarding the remediation actions...

CVSS 7.5 • AI score 6.7 • EPSS 0.0033
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/11/25 5:00 a.m.•14 views

Security Bulletin: The IBM® Engineering Lifecycle Management is impacted by vulnerabilities in User Dashboards

Summary: A vulnerability was reported in the dashboard during pen testing. A user's dashboard could be changed with a PUT request which did not check the user's identity, and this request enabled a user to change any dashboard the user has read access to. This bulletin contains information regarding the...

CVSS 5.3 • AI score 6 • EPSS 0.00051
Exploits 0 • Affected software 1
IBM Security Bulletins
•added 2024/11/22 8:17 p.m.•14 views

Security Bulletin: Apache uimaj-core.jar security vulnerability CVE-2017-15691

Summary: Apache uimaj-core.jar security vulnerability CVE-2017-15691 in FileNet Content Manager (FNCM) Content Search Services (CSS) / Enterprise Content Management Text Search (ECMTS). CSS/ECMTS is affected and is potentially vulnerable. Vulnerability Details CVEID: CVE-2017-15691 DESCRIPTION: Apache uima...

CVSS 6.5 • AI score 5.8 • EPSS 0.01321
Exploits 0 • Affected software 1
Total number of security vulnerabilities: 35059
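Each entry above carries the same handful of triage signals (CVSS, vulners' AI score, EPSS, number of published exploits, number of affected products), flattened by the page into strings such as `9.1CVSS9.8AI score0.10778EPSS` and `Exploits5Affected Software1`; entries that only have an IBM X-Force ID and no CVE (the two Apache Commons Codec bulletins) carry an AI score but no CVSS or EPSS. The following Python is an added example and is not vulners.com's or IBM's code: it parses entries in that flattened form, collects the CVE IDs mentioned in each title and summary, orders the entries for triage (published exploits first, then EPSS, then CVSS) and flags the ones with no CVSS/EPSS so they are not silently sorted to the bottom. The sample input is constructed from three entries on this page with their summaries shortened; the `Bulletin` record and the ranking rule are this example's own choices, not anything the page defines.

```python
"""Parse flattened bulletin-listing entries and order them for triage.

Added example (not vulners.com's or IBM's code). It assumes the flattened
text form of the listing above: a title line starting with
"Security Bulletin:", a "Summary ..." line, a score line such as
"9.1CVSS9.8AI score0.10778EPSS" (or only "6.6AI score" when no CVE, and
therefore no CVSS/EPSS, exists) and a counts line "Exploits5Affected Software1".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SCORE_RE = re.compile(
    r"^(?:(?P<cvss>\d+(?:\.\d+)?)CVSS)?"   # CVSS is absent for X-Force-ID-only entries
    r"(?P<ai>\d+(?:\.\d+)?)AI score"
    r"(?:(?P<epss>\d+(?:\.\d+)?)EPSS)?$"   # EPSS needs a CVE id, so it is absent too
)
COUNTS_RE = re.compile(r"^Exploits(?P<exploits>\d+)Affected Software(?P<affected>\d+)$")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample: three entries from the listing above, summaries shortened.
SAMPLE_LISTING = """\
Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to multiple vulnerabilities.
Summary IBM HTTP Server (powered by Apache) for IBM i ... handlers (CVE-2024-39884) and improper validation of input (CVE-2024-38476) ...
9.8CVSS7.4AI score0.89144EPSS
Exploits1Affected Software5
Security Bulletin: IBM Sterling B2B Integrator is vulnerable to information disclosure due to Apache Commons Codec (177835)
Summary IBM Sterling B2B Integrator uses Apache Commons Codec. Vulnerability Details IBM X-Force ID: 177835 ...
6.6AI score
Exploits0Affected Software1
Security Bulletin: The IBM Engineering Lifecycle Management is impacted by vulnerabilities in Jdom-1.0
Summary A vulnerability has been identified in Jdom version 1.0 ... CVEID: CVE-2021-33813 DESCRIPTION: JDOM is vulnerable to a...
7.5CVSS6.9AI score0.01393EPSS
Exploits1Affected Software1
"""


@dataclass
class Bulletin:
    title: str
    cves: List[str] = field(default_factory=list)
    cvss: Optional[float] = None
    ai_score: Optional[float] = None
    epss: Optional[float] = None
    exploits: int = 0
    affected: int = 0


def parse_listing(text: str) -> List[Bulletin]:
    """One Bulletin per "Security Bulletin:" title line. CVE ids are collected
    from the title and summary lines, de-duplicated in order of appearance."""
    bulletins: List[Bulletin] = []
    current: Optional[Bulletin] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Security Bulletin:"):
            current = Bulletin(title=line[len("Security Bulletin:"):].strip())
            bulletins.append(current)
        if current is None:
            continue  # page chrome before the first entry
        m = SCORE_RE.match(line)
        if m:
            current.cvss = float(m["cvss"]) if m["cvss"] else None
            current.ai_score = float(m["ai"])
            current.epss = float(m["epss"]) if m["epss"] else None
            continue
        m = COUNTS_RE.match(line)
        if m:
            current.exploits = int(m["exploits"])
            current.affected = int(m["affected"])
            continue
        for cve in CVE_RE.findall(line):
            if cve not in current.cves:
                current.cves.append(cve)
    return bulletins


def triage_order(bulletins: List[Bulletin]) -> List[Bulletin]:
    """Most urgent first: entries with published exploits, then by EPSS
    (probability of exploitation in the wild), then by CVSS. Missing EPSS/CVSS
    count as 0.0, which is why unscored() exists as a separate check."""
    return sorted(
        bulletins,
        key=lambda b: (b.exploits > 0, b.epss or 0.0, b.cvss or 0.0),
        reverse=True,
    )


def unscored(bulletins: List[Bulletin]) -> List[Bulletin]:
    """Entries with no CVSS or EPSS (typically X-Force-ID-only issues with no CVE);
    these need a manual severity call instead of automatic sorting."""
    return [b for b in bulletins if b.cvss is None or b.epss is None]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for b in triage_order(parsed):
        print(f"exploits={b.exploits} epss={b.epss} cvss={b.cvss} cves={b.cves} :: {b.title[:60]}")
    print("needs manual scoring:", [b.title[:40] for b in unscored(parsed)])
```

On the sample the IBM HTTP Server entry (one published exploit, EPSS 0.89144) sorts first, the Jdom entry second, and the Commons Codec entry last while also being reported by `unscored()`; the same parser runs unchanged over the full listing text, which is the realistic use.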