Security Bulletin: IBM Sterling Control Center is vulnerable to IBM Semeru Runtime Quarterly CPU - Apr 2024 - Includes OpenJDK Apr 2024 CPU
Summary IBM Semeru Runtime Quarterly CPU - Apr 2024 is affecting Sterling Control Center v6.2.1 and v6.3.1. Vulnerability Details CVEID:CVE-2024-21085 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impacts...
Security Bulletin: IBM Sterling Control Center is vulnerable to IBM SDK, Java Technology Edition Quarterly CPU - Jul 2024 - Includes Oracle July 2024 CPU
Summary IBM SDK, Java Technology Edition Quarterly CPU - Jul 2024 is affecting Sterling Control Center v6.2.1 and v6.3.1. Vulnerability Details CVEID:CVE-2024-21147 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high...
Security Bulletin: IBM Sterling Control Center is vulnerable to IBM Semeru Runtime Quarterly CPU - Jul 2024 - Includes OpenJDK July 2024 CPU
Summary IBM Semeru Runtime Quarterly CPU - Jul 2024 is affecting Sterling Control Center v6.2.1 and v6.3.1. Vulnerability Details CVEID:CVE-2024-21145 DESCRIPTION: An unspecified vulnerability in Java SE related to the 2D component could allow a remote attacker to cause low confidentiality, low...
Security Bulletin: IBM Sterling Control Center is vulnerable due to Apache Commons issue
Summary Apache Commons is affecting IBM Sterling Control Center v6.2.1 and v6.3.1. Vulnerability Details CVEID:CVE-2024-29131 DESCRIPTION: Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write vulnerability. By sending...
Security Bulletin: IBM Sterling Control Center is vulnerable to Directory Listing
Summary Directory Listing is affecting v6.2.1 and v6.3.1. Vulnerability Details CVEID:CVE-2024-35113 DESCRIPTION: IBM Sterling Control Center could allow an authenticated user to obtain sensitive information exposed through a directory listing. CWE:CWE-548: Exposure of Information Through Directo...
Security Bulletin: IBM Sterling Control Center is vulnerable to Improper Error Handling
Summary Improper Error Handling is affecting v6.2.1 and v6.3.1. Vulnerability Details CVEID:CVE-2024-35112 DESCRIPTION: IBM Sterling Control Center could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in PyTorch [CVE-2024-31583]
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in PyTorch, caused by a use-after-free flaw in the torch/csrc/jit/mobile/interpreter.cpp component (CVE-2024-31583). PyTorch is used by our Speech Service runtimes. This vulnerability has...
Security Bulletin: IBM PowerVM Novalink is vulnerable because VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation.
Summary IBM PowerVM Novalink is vulnerable because VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted Spring Expression Language (SpEL) expression, a remote attacker could exploit this vulnerability to cause a deni...
Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty could allow an attacker with access to the network to conduct spoofing attacks. (CVE-2023-50314)
Summary IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could allow an attacker with access to the network to conduct spoofing attacks. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to...
Security Bulletin: IBM DataPower Gateway potentially vulnerable to RCE vulnerability
Summary IBM DataPower Gateway does not support the affected character-set. Out of an abundance of caution, IBM has applied the remediation for this CVE. Vulnerability Details CVEID:CVE-2024-2961 DESCRIPTION: GNU C Library could allow a remote attacker to execute arbitrary code on the system, caus...
Security Bulletin: IBM CICS TX Advanced web pages are vulnerable to cross-site scripting and cross-site request forgery attacks.
Summary Webpages that are shipped as part of IBM CICS TX Advanced are vulnerable to cross-site scripting and cross-site request forgery attacks. Updates to IBM CICS TX Advanced have been released to address these vulnerabilities. Vulnerability Details CVEID:CVE-2024-41745 DESCRIPTION: IBM CICS TX...
Security Bulletin: Multiple vulnerabilities within WebSphere Application and IBM HTTP Server, affect IBM Tivoli Monitoring.
Summary Multiple vulnerabilities within WebSphere Application Server and IBM HTTP Server, which are included as part of the IBM Tivoli Monitoring (ITM) portal server, have been remediated. Vulnerability Details CVEID:CVE-2024-45071 DESCRIPTION: IBM WebSphere Application Server is vulnerable to stored cross-site...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.8.6 is vulnerable to multiple Operator package issues
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.8.6 is vulnerable to multiple Operator package issues. We have performed updates to the Operators used by our Speech Services. The following vulnerabilities have been addressed in this update. Please read the details for...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.8.6 is vulnerable to multiple Base OS issues
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.8.6 is vulnerable to multiple Base OS issues. We have updated the base image used by our Speech Services and the following vulnerabilities have been addressed. Please read the details for remediation below. Vulnerability...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in TensorFlow [CVE-2023-33976]
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in TensorFlow, caused by a segfault when not given a rank 2 tensor in the array_ops.upper_bound function (CVE-2023-33976). TensorFlow is used by our Speech Service runtimes. This...
Security Bulletin: IBM Aspera Console has improved security for user input validation (CVE-2011-4969)
Summary This Security Bulletin addresses a vulnerability that has been remediated in IBM Aspera Console 3.4.5 PL1. Vulnerability Details CVEID:CVE-2011-4969 DESCRIPTION: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when handling the...
Security Bulletin: A vulnerability has been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2023-50315)
Summary WebSphere Application Server is shipped as a component of WebSphere Service Registry and Repository. Information about an information disclosure vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security...
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Golang Go
Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Golang Go. Vulnerability Details CVEID:CVE-2024-24787 DESCRIPTION: Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by a flaw during build on darwin. By building a Go...
Security Bulletin: IBM MQ Explorer is affected by a vulnerability in the IBM Semeru Runtime (CVE-2024-21085)
Summary An issue was identified with IBM Semeru Runtime, Version 17, which is used in IBM MQ Explorer. Vulnerability Details CVEID:CVE-2024-21085 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impacts. CVSS...
Security Bulletin: IBM CICS TX Standard is vulnerable to Cross-site Scripting (Reflected) and Cross-Site Request Forgery (CSRF).
Summary Webpages that are shipped as part of IBM CICS TX Standard are vulnerable to Cross-site Scripting (Reflected) and Cross-Site Request Forgery (CSRF). Updates to IBM CICS TX Standard have been released to address this vulnerability. Vulnerability Details CVEID:CVE-2024-41745 DESCRIPTION: IBM CIC...
Security Bulletin: Denial of service, DNS poisoning, and information disclosure might affect IBM Storage Defender – Resiliency Service
Summary IBM Storage Defender – Resiliency Service is vulnerable and can result in denial of service, DNS poisoning, and information disclosure. The vulnerabilities have been addressed. CVE-2024-34447, CVE-2024-30172, CVE-2024-30171, CVE-2024-29857, CVE-2024-45296, CVE-2023-44487, CVE-2024-29857...
Security Bulletin: IBM TXSeries for Multiplatforms is vulnerable to attacks attempting to obtain sensitive information or determine valid usernames.
Summary Webpages that are shipped as part of IBM TXSeries for Multiplatforms are vulnerable to attacks attempting to obtain sensitive information or determine valid usernames. Updates to IBM TXSeries for Multiplatforms have been released to address this vulnerability. Vulnerability Details...
Security Bulletin: IBM Db2 and IBM WebSphere Application Server traditional used by IBM Security Verify Governance have multiple vulnerabilities
Summary IBM Security Verify Governance (ISVG) ships with IBM Db2 and IBM WebSphere Application Server traditional. Information about security vulnerabilities affecting these dependencies has been published in security bulletins. Vulnerability Details Refer to the security bulletins listed in the...
Security Bulletin: A Security Vulnerability was fixed in IBM Security Verify Access. (CVE-2024-35133)
Summary An issue found in the IBM Security Verify Access OIDC code could allow a remote attacker to cause a Redirect URL vulnerability. Vulnerability Details CVEID:CVE-2024-35133 DESCRIPTION: IBM Security Verify Access OIDC Provider could allow a remote attacker to conduct phishing attacks, using a...
Security Bulletin: Multiple vulnerabilities in Java affect IBM Business Automation Workflow - July 2024 CPU
Summary IBM Business Automation Workflow containers package IBM® Java SDK 8 V21.0.3 or IBM® Semeru Runtime 17 V24.0.0. Information about security vulnerabilities in these Java runtimes has been published. IBM Business Automation Workflow includes IBM Java 8. Vulnerability Details...
Security Bulletin: IBM QRadar App SDK for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
Summary The product includes vulnerable components e.g., framework libraries that might be identified and exploited with automated tools. IBM has addressed the vulnerabilities. This product is only used by IBM QRadar SIEM app developers and external business partners and is not relevant for users...
Security Bulletin: Vulnerability in dojo affects IBM Business Automation Workflow - CVE-2021-23450
Summary IBM Business Automation Workflow packages an outdated version of dojo. A security fix addressing CVE-2021-23450 has been backported to this version. Vulnerability Details CVEID:CVE-2021-23450 DESCRIPTION: Dojo could allow a remote attacker to execute arbitrary code on the system, caused by a...
Security Bulletin: Unspecified Vulnerability in IBM Java SDK affects Cloud Pak System [CVE-2023-22045, CVE-2023-22049]
Summary Unspecified Vulnerability in IBM Java SDK affects WebSphere Application Server Patterns shipped with Cloud Pak System. Vulnerability Details CVEID:CVE-2023-22045 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low...
Security Bulletin: IBM MQ is affected by a vulnerability in IBM WebSphere Application Server Liberty (CVE-2023-50314)
Summary An issue was identified with IBM WebSphere Application Server Liberty, which IBM MQ ships and uses to supply IBM MQ Console and IBM MQ REST API functionality. Vulnerability Details CVEID:CVE-2023-50314 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could...
Security Bulletin: IBM MQ is affected by multiple vulnerabilities in the IBM Runtime Environment, Java Technology Edition
Summary Multiple issues were identified with IBM Runtime Environment, Java Technology Edition, version 8 which is shipped with IBM MQ. Vulnerability Details CVEID:CVE-2024-21147 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause...
Security Bulletin: IBM Sterling External Authentication Server is vulnerable to multiple issues
Summary Multiple vulnerabilities affect IBM Sterling External Authentication Server and are addressed in the latest iFixes. Vulnerability Details CVEID:CVE-2024-21094 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause no...
Security Bulletin: IBM Master Data Management is vulnerable to denial of service through OpenSSL by a specially crafted request (CVE-2023-2650)
Summary IBM Master Data Management v11.6 and v12.0 are vulnerable to denial of service through OpenSSL by a specially crafted request, due to the absence of a message size limit. OpenSSL is vulnerable to a denial of service, caused by a flaw when using OBJ_obj2txt directly, or using any of the OpenSSL subsystems...
Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to OpenSSL and libexpat
Summary OpenSSL and Libexpat used by IBM MQ Operator and Queue Manager container images are vulnerable to denial of service due to improper memory allocation, and providing weaker than expected security which might allow an attacker to execute arbitrary code on the system. This bulletin identifie...
Security Bulletin: security vulnerabilities are addressed with IBM Business Automation Insights iFix for September 2024.
Summary Security vulnerabilities are addressed with IBM Business Automation Insights 24.0.0-IF001. Vulnerability Details CVEID:CVE-2024-43799 DESCRIPTION: pillarjs send is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this...
Security Bulletin: Multiple Vulnerabilities in http-server affect Cloud Pak System
Summary Multiple Vulnerabilities in http-server affect Cloud Pak System. Vulnerability Details CVEID:CVE-2024-38474 DESCRIPTION: Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by a substitution encoding issue in mod_rewrite. By sending a specially...
Security Bulletin: IBM Storage Protect Server is susceptible to multiple vulnerabilities due to key-value store "etcd". (CVE-2018-1098, CVE-2018-1099, CVE-2022-34038, CVE-2021-2823).
Summary The distributed key-value store, etcd, used by IBM Storage Protect Server is vulnerable to cross-site scripting, denial of service, or unauthorized access to the host system. This bulletin outlines the steps to address these vulnerabilities. Vulnerability Details CVEID:CVE-2018-1098...
Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer
Summary There are multiple vulnerabilities in IBM® SDK Java™ used by Rational Business Developer. Rational Business Developer has provided fixes for the applicable CVEs. These issues were disclosed as part of the IBM Java SDK and Runtime Environment updates in the Oracle July 2024 Critical Patch...
Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer
Summary There are multiple vulnerabilities in IBM® SDK Java™ used by Rational Business Developer. Rational Business Developer has provided fixes for the applicable CVEs. These issues were disclosed as part of the IBM Java SDK and Runtime Environment updates in the Oracle April 2024 Critical Patch...
Security Bulletin: IBM Concert is vulnerable to sensitive data disclosure (CVE-2024-49354)
Summary IBM Concert is vulnerable to sensitive information disclosure through specially crafted API Calls. Vulnerability Details CVEID:CVE-2024-49354 DESCRIPTION: IBM Concert is vulnerable to sensitive information disclosure through specially crafted API Calls. CWE:CWE-213: Exposure of Sensitive...
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in axios
Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of axios. Vulnerability Details CVEID:CVE-2024-39338 DESCRIPTION: Axios is vulnerable to server-side request forgery, caused by a flaw where requests for path-relative URLs get processed as protocol-relative URLs...
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Nginx
Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Nginx. Vulnerability Details CVEID:CVE-2024-7646 DESCRIPTION: Kubernetes ingress-nginx could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by an annotation validatio...
Security Bulletin: Vulnerabilities in Broadcom VMware ESXi affect IBM Cloud Pak System.
Summary Vulnerabilities in Broadcom VMware ESXi affect IBM Cloud Pak System. Vulnerability Details CVEID:CVE-2024-22254 DESCRIPTION: VMware ESXi could allow a local authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the VMX sandbox process. An...
Security Bulletin: Multiple vulnerabilities in XCC affect Cloud Pak System
Summary Multiple Vulnerabilities in XClarity Controller (XCC) affect IBM Cloud Pak System. XCC is used by Cloud Pak System. IBM Cloud Pak System has addressed these vulnerabilities. Vulnerability Details CVEID:CVE-2024-38510 DESCRIPTION: Lenovo XClarity Controller (XCC) could allow a remote...
Security Bulletin: Multiple Vulnerabilities in components for Cloud Pak System
Summary Vulnerabilities found in components packaged with Cloud Pak System: Node.js, Express, Axios. Vulnerability Details CVEID:CVE-2024-4068 DESCRIPTION: Node.js braces module is vulnerable to a denial of service, caused by the failure to limit the number of characters it can handle, leading to...
Security Bulletin: Multiple Vulnerabilities in VMware vCenter affect Cloud Pak System [CVE-2024-22274, CVE-2024-22275, CVE-2024-37087]
Summary Vulnerabilities in Broadcom VMware vCenter affect IBM Cloud Pak System. Vulnerability Details CVEID:CVE-2024-22274 DESCRIPTION: Broadcom VMware vCenter Server and Cloud Foundation could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by an...
Security Bulletin: Multiple Vulnerabilities in Open Source affect Cloud Pak System
Summary Vulnerabilities in Open Source openssl, glibc, expat affect Cloud Pak System. Vulnerability Details CVEID:CVE-2024-28757 DESCRIPTION: libexpat could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the...
Security Bulletin: IBM Master Data Management vulnerable to remote attack and denial of service from vulnerabilities in OpenSSL (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286)
Summary IBM Master Data Management v11.6 and v12.0 are vulnerable to remote attack and denial of service from vulnerabilities found in OpenSSL. OpenSSL could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By...
Security Bulletin: IBM Master Data Management vulnerable to denial of service from Apache Commons FileUpload (CVE-2023-24998)
Summary IBM Master Data Management v11.6, v12.0, and v14.0 are vulnerable to a denial of service caused by not limiting the number of requests processed in the file upload function in Apache Commons FileUpload. Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by...
Security Bulletin: Vulnerabilities in OpenSSL affect Cloud Pak System
Summary Vulnerabilities identified in OpenSSL affect Cloud Pak System. Vulnerability Details CVEID:CVE-2023-2650 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a flaw when using OBJ_obj2txt directly, or using any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS...