35059 matches found

IBM Security Bulletins
added 2024/10/28 4:3 p.m. | 33 views

Security Bulletin: Multiple Vulnerabilities in Db2 affect Cloud Pak System

Summary Vulnerabilities in Db2 affect Cloud Pak System. Vulnerability Details CVEID:CVE-2023-38729 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to sensitive information disclosure when using ADMIN_CMD with IMPORT or EXPORT. IBM...

CVSS 9.8 | AI score 9.2 | EPSS 0.92745
Exploits 10 | Affected Software 1

IBM Security Bulletins
added 2024/10/26 11:28 p.m. | 33 views

Security Bulletin: IBM Master Data Management vulnerable to a denial of service from OpenSSL generate key function (CVE-2023-5678)

Summary IBM Master Data Management v11.6, and v12.0 are vulnerable to a denial of service from OpenSSL and an exploit found in using the DH_generate_key function. OpenSSL is vulnerable to a denial of service, caused by a flaw when using DH_generate_key function to generate an X9.42 DH key. By sending...

CVSS 5.3 | AI score 6.8 | EPSS 0.00436
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/25 10:6 p.m. | 19 views

Security Bulletin: IBM Master Data Management is vulnerable to denial of service from a vulnerability found in OpenSSL (CVE-2022-0778)

Summary IBM Master Data Management v11.6, and v12.0 are vulnerable to a denial of service from a vulnerability found in OpenSSL. OpenSSL is vulnerable to a denial of service, caused by a flaw in the BN_mod_sqrt function when parsing certificates. By using a specially-crafted certificate with invali...

CVSS 7.5 | AI score 7.1 | EPSS 0.07539
Exploits 2 | Affected Software 1

IBM Security Bulletins
added 2024/10/25 10:3 p.m. | 16 views

Security Bulletin: IBM Master Data Management has vulnerabilities from use of vulnerable Dojo 1.3.2 in WebReports (CVE-2010-2276, CVE-2018-15494, CVE-2010-2274, CVE-2010-2275, CVE-2010-2273, CVE-2018-1000665)

Summary IBM Master Data Management v11.6, v12.0, and v14.0 are vulnerable to exploits and vulnerabilities found in Dojo 1.3.2. Dojo has an unspecified vulnerability in the default configuration of the build process and is vulnerable to cross-site scripting, caused by improper validation of...

CVSS 10 | AI score 6.8 | EPSS 0.43247
Exploits 4 | Affected Software 1

IBM Security Bulletins
added 2024/10/25 9:6 p.m. | 41 views

Security Bulletin: IBM Master Data Management is vulnerable to a denial of service from a flaw in DH keys or parameters in OpenSSL (CVE-2023-3446)

Summary IBM Master Data Management v11.6, and v12.0 are vulnerable to a denial of service from a flaw in DH keys or parameters in OpenSSL. OpenSSL is vulnerable to a denial of service, caused by a flaw when using the DH_check, DH_check_ex or EVP_PKEY_param_check functions to check a DH key or DH...

CVSS 5.3 | AI score 6.8 | EPSS 0.00751
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/25 8:59 p.m. | 50 views

Security Bulletin: IBM Master Data Management is vulnerable to a denial of service from a flaw in DH keys or parameters in OpenSSL (CVE-2023-3817)

Summary IBM Master Data Management v11.6, and v12.0 are vulnerable to a denial of service from a flaw in DH keys or parameters in OpenSSL. OpenSSL is vulnerable to a denial of service, caused by a flaw when using the DH_check, DH_check_ex or EVP_PKEY_param_check functions to check a DH key or DH...

CVSS 5.3 | AI score 6.8 | EPSS 0.00187
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/25 8:48 p.m. | 31 views

Security Bulletin: IBM Master Data Management vulnerable to remote attacker due to flaws found in OpenSSL (CVE-2023-0466, CVE-2023-0465)

Summary IBM Master Data Management v11.6, and v12.0 are vulnerable to remote attackers due to flaws found in OpenSSL. OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the X509_VERIFY_PARAM_add0_policy function. By using invalid certificate policies, an attack...

CVSS 5.3 | AI score 6.8 | EPSS 0.00452
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/25 8:40 p.m. | 29 views

Security Bulletin: IBM Master Data Management is vulnerable to specially crafted certificate chains in OpenSSL leading to a denial of service (CVE-2023-0464)

Summary IBM Master Data Management v11.6, and v12.0 are vulnerable to denial of service from specially crafted certificate chains in OpenSSL leading to a denial of service. OpenSSL is vulnerable to a denial of service, caused by an error related to the verification of X.509 certificate chains tha...

CVSS 7.5 | AI score 6.8 | EPSS 0.00714
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/25 3:24 p.m. | 11 views

Security Bulletin: IBM Datapower Operations Dashboard could allow remote attacker to execute arbitrary commands on the system CVE-2017-16100

Summary dns-sync is used by the IBM Datapower Operations Dashboard implementation of networking operations Vulnerability Details CVEID:CVE-2017-16100 DESCRIPTION: Node.js dns-sync module could allow a remote attacker to execute arbitrary commands on the system, caused by the improper validation o...

CVSS 10 | AI score 7.5 | EPSS 0.0534
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2024/10/25 2:45 p.m. | 25 views

Security Bulletin: IBM Master Data Management may provide weaker than expected security due to OpenSSL through a carry propagation flaw (CVE-2021-4160)

Summary IBM Master Data Management v11.6, and v12.0 are vulnerable to a carry propagation flaw found in OpenSSL. OpenSSL could provide weaker than expected security, caused by a carry propagation flaw in the MIPS32 and MIPS64 squaring procedure. An attacker could exploit this vulnerability to...

CVSS 5.9 | AI score 6.2 | EPSS 0.00417
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2024/10/25 2:40 p.m. | 28 views

Security Bulletin: Security vulnerability found in packages shipped with IBM CICS TX Advanced

Summary Security vulnerability found in packages cURL, krb5 and Python shipped with IBM CICS TX Advanced. The versions of the packages have been updated. Vulnerability Details CVEID:CVE-2024-37370 DESCRIPTION: MIT Kerberos 5 aka krb5 could allow a remote attacker to bypass security restrictions,...

CVSS 9.1 | AI score 7.6 | EPSS 0.02606
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2024/10/25 7:7 a.m. | 14 views

Security Bulletin: A security vulnerability has been identified in WebSphere Liberty shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2022-46364)

Summary WebSphere Liberty is shipped as a component of IBM Security Guardium Key Lifecycle Manager SKLM/GKLM. Information about a security vulnerability affecting WebSphere Liberty has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the...

CVSS 9.8 | AI score 6.3 | EPSS 0.00103
Exploits 5 | Affected Software 1

IBM Security Bulletins
added 2024/10/25 6:46 a.m. | 14 views

Security Bulletin: IBM Sterling Connect:Direct Web Services uses xmltooling-1.4.4.jar, which contains a vulnerability

Summary IBM Sterling Connect:Direct Web Services uses Shibboleth Identity Provider, which could allow a remote attacker to bypass security restrictions. It's caused by an error in the PKIX trust component. Vulnerability Details CVEID:CVE-2015-1796 DESCRIPTION: Shibboleth Identity Provider could...

CVSS 4.3 | AI score 6.4 | EPSS 0.00166
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/25 6:42 a.m. | 14 views

Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable by disclosing private IP addresses

Summary IBM Sterling Connect:Direct Web Services could disclose sensitive IP address information to authenticated users in responses that could be used in further attacks against the system. Vulnerability Details CVEID:CVE-2024-45653 DESCRIPTION: IBM Sterling Connect:Direct Web Services could...

CVSS 4.3 | AI score 5.6 | EPSS 0.00152
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/25 6:20 a.m. | 19 views

Security Bulletin: Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2023-50314 used in IBM Maximo Application Suite - Monitor Component

Summary IBM Maximo Application Suite - Monitor Component uses WebSphere Application Server Liberty which is vulnerable to CVE-2023-50314. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2023-50314 DESCRIPTION: IBM WebSphere Application...

CVSS 7.5 | AI score 6.2 | EPSS 0.00149
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/24 10:31 p.m. | 12 views

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in async

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of async. Vulnerability Details CVEID:CVE-2024-39249 DESCRIPTION: Async is vulnerable to a denial of service, caused by the ReDoS (Regular Expression Denial of Service) while parsing function in autoinject functio...

CVSS 7.5 | AI score 6.7 | EPSS 0.00161
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/24 10:29 p.m. | 20 views

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in rexml

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of rexml. Vulnerability Details CVEID:CVE-2024-43398 DESCRIPTION: Ruby REXML is vulnerable to a denial of service, caused by improper input validation. By using a specially crafted XML content, a remote attacker...

CVSS 5.9 | AI score 6.6 | EPSS 0.01135
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/24 10:27 p.m. | 26 views

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in send-0.18.0.tgz

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of send-0.18.0.tgz Vulnerability Details CVEID:CVE-2024-43799 DESCRIPTION: pillarjs send is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could explo...

CVSS 5 | AI score 6.7 | EPSS 0.00175
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/24 10:26 p.m. | 20 views

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in serve-static-1.15.0.tgz

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of serve-static-1.15.0.tgz Vulnerability Details CVEID:CVE-2024-43800 DESCRIPTION: expressjs serve-static is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote...

CVSS 5 | AI score 6.7 | EPSS 0.00919
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/24 6:10 p.m. | 34 views

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in body-parser-1.20.2.tgz

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of body-parser-1.20.2.tgz Vulnerability Details CVEID:CVE-2024-45590 DESCRIPTION: expressjs body-parser is vulnerable to a denial of service, caused by a flaw when url encoding is enabled. By sending a specially...

CVSS 7.5 | AI score 6.6 | EPSS 0.01535
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2024/10/24 6:8 p.m. | 14 views

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in WebSphere Application Server Liberty

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of WebSphere Application Server Liberty Vulnerability Details CVEID:CVE-2024-7254 DESCRIPTION: Google Protocol Buffers a.k.a., protobuf is vulnerable to a denial of service, caused by a stack-based buffer overfl...

CVSS 8.7 | AI score 7.2 | EPSS 0.00134
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/24 4:9 p.m. | 29 views

Security Bulletin: IBM SOAR QRadar Plugin App is vulnerable to using components with known vulnerabilities

Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM SOAR QRadar Plugin App has addressed the applicable CVEs with an update. Vulnerability Details CVEID:CVE-2024-6345 DESCRIPTION: pypa/setuptools could allow a...

CVSS 8.8 | AI score 8.5 | EPSS 0.25805
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2024/10/24 11:46 a.m. | 152 views

Security Bulletin: IBM® Engineering Requirements Management DOORS/DWA vulnerabilities fixed in 9.7.2.7

Summary cURL libcurl, Apache Xerces2 Java, Apache Jena, Spring Framework, json-smart-v1 and json-smart-v2, libxml2, Apache Standard Taglibs, Apache ActiveMQ, Apache Commons Codec are identified as vulnerable components with multiple reported vulnerabilities, CVE-2022-35260, CVE-2022-42915,...

CVSS 9.8 | AI score 10 | EPSS 0.94439
Exploits 128 | Affected Software 1

IBM Security Bulletins
added 2024/10/24 3:1 a.m. | 69 views

Security Bulletin: The IBM SPSS Collaboration and Deployment Services impacted by multiple vulnerabilities disclosed in IBM Semeru Runtime

Summary The IBM SPSS Collaboration and Deployment Services using IBM Semeru Runtime Quarterly CPU - Jan 2023 - Includes OpenJDK January 2023 CPU plus CVE-2022-4304. These vulnerabilities are addressed. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...

CVSS 5.9 | AI score 6.9 | EPSS 0.00218
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/23 9:4 p.m. | 32 views

Security Bulletin: IBM Security Guardium is affected by vulnerabilities in Oracle MySQL

Summary IBM Security Guardium has addressed these vulnerabilities in an update. Vulnerability Details CVEID:CVE-2024-21137 DESCRIPTION: An unspecified vulnerability in Oracle MySQL Server related to the Server: Optimizer component could allow a remote authenticated attacker to cause high...

CVSS 6.5 | AI score 6.4 | EPSS 0.00949
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/23 7:14 p.m. | 25 views

Security Bulletin: IBM WebSphere Application Server is vulnerable to stored cross-site scripting (CVE-2024-45071)

Summary IBM WebSphere Application Server is vulnerable to stored cross-site scripting in the administrative console. Vulnerability Details CVEID:CVE-2024-45071 DESCRIPTION: IBM WebSphere Application Server is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user t...

CVSS 5.5 | AI score 5.8 | EPSS 0.00302
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/23 7:8 p.m. | 25 views

Security Bulletin: IBM WebSphere Application Server is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2024-45072)

Summary IBM WebSphere Application Server is vulnerable to an XML External Entity Injection (XXE) in the administrative console. Vulnerability Details CVEID:CVE-2024-45072 DESCRIPTION: IBM WebSphere Application Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML...

CVSS 5.5 | AI score 6.4 | EPSS 0.0004
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/23 3:56 p.m. | 25 views

Security Bulletin: IBM Observability with Instana using third-party Kubernetes Operators is affected by Multiple Security Vulnerabilities

Summary Multiple vulnerabilities were remediated in IBM Observability with Instana using third-party Kubernetes Operators build 283 Vulnerability Details CVEID:CVE-2024-35195 DESCRIPTION: Psf Requests could allow a local authenticated attacker to bypass security restrictions, caused by an incorre...

CVSS 9.1 | AI score 8.4 | EPSS 0.00413
Exploits 2 | Affected Software 1

IBM Security Bulletins
added 2024/10/23 1:5 p.m. | 26 views

Security Bulletin: IBM Sterling Connect:Express for UNIX is vulnerable to denial of service due to OpenSSL

Summary OpenSSL is used by IBM Sterling Connect:Express for UNIX. IBM Sterling Connect:Express for UNIX has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2024-6119 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error when performing certificate name checks...

CVSS 7.5 | AI score 6.7 | EPSS 0.10778
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/23 10:42 a.m. | 27 views

Security Bulletin: Multiple Vulnerabilities in Java affecting IBM Knowledge Catalog On Cloud Pak for Data

Summary Lineage component is an internal component of IBM Knowledge Catalog On Cloud Pak for Data. Vulnerabilities in Java are affecting Lineage component of IBM Cloud Pak for Data. These vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2024-21145 DESCRIPTION: An unspecified...

CVSS 4.8 | AI score 6.5 | EPSS 0.0045
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/22 8:24 p.m. | 52 views

Security Bulletin: There are multiple vulnerabilities that can affect IBM Storage Scale System that are now included

Summary There are multiple vulnerabilities used by IBM Storage Scale System, which could provide weaker than expected security that are now fixed. Vulnerability Details CVEID:CVE-2024-36005 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error related to netfilter:...

CVSS 8.8 | AI score 8.7 | EPSS 0.00743
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/22 7:13 p.m. | 17 views

Security Bulletin: IBM Watson Query (Data Virtualization) does not govern all of the columns of a published object

Summary IBM Watson Query (Data Virtualization) on Cloud Pak for Data integrates with IBM Knowledge Catalog (IKC, formerly Watson Knowledge Catalog, WKC) to enforce data protection rules on governed objects. When you publish objects from Watson Query to catalogs or projects, only the first n where...

CVSS 6.5 | AI score 6.3 | EPSS 0.00077
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/22 5:29 p.m. | 25 views

Security Bulletin: IBM B2B Advanced Communications is vulnerable to issues due to Data Mapper for Jackson

Summary IBM B2B Advanced Communications has addressed vulnerabilities in Data Mapper for Jackson shipped with product. Vulnerability Details CVEID:CVE-2019-10172 DESCRIPTION: Jackson-mapper-asl could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) err...

CVSS 7.5 | AI score 6.7 | EPSS 0.00563
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/22 11:10 a.m. | 27 views

Security Bulletin: IBM Storage Insights is vulnerable to weaknesses related to IBM® SDK, Java™ Technology Edition

Summary Vulnerabilities in IBM® SDK, Java™ Technology Edition may affect IBM Storage Insights which could allow a remote attacker to cause low integrity impact, low availability impact. Vulnerability Details CVEID:CVE-2024-21094 DESCRIPTION: An unspecified vulnerability in Java SE related to the V...

CVSS 7.5 | AI score 6.5 | EPSS 0.00449
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/22 10:20 a.m. | 14 views

Security Bulletin: Apache Lucene denial of service Vulnerability Affects IBM Jazz Reporting Service

Summary There is a vulnerability in Apache Lucene used by IBM Jazz Reporting Service. This vulnerability has been addressed. 216835 Vulnerability Details IBM X-Force ID: 216835 DESCRIPTION: Apache Lucene is vulnerable to a denial of service. By sending a specific regular expression query, a remot...

AI score 6.8
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/22 10:20 a.m. | 35 views

Security Bulletin: Apache Xerces vulnerability Affects IBM Jazz Reporting Service

Summary Apache Xerces-J XML parser (XML4J) shipped with IBM Jazz Reporting Service is vulnerable to a denial of service attack that can be triggered by malformed XML data. Vulnerability Details CVEID:CVE-2020-14338 DESCRIPTION: Wildfly could allow a remote attacker to bypass security restrictions,...

CVSS 7.8 | AI score 7.2 | EPSS 0.07428
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/22 10:19 a.m. | 23 views

Security Bulletin: Apache Commons Configuration Vulnerability Affects IBM Jazz Reporting Service

Summary There is a vulnerability in Apache Commons used by IBM Jazz Reporting Service. This vulnerability has been addressed. CVE-2024-29131, CVE-2024-29133 Vulnerability Details CVEID:CVE-2024-29131 DESCRIPTION: Apache Commons Configuration could allow a remote attacker to execute arbitrary code...

CVSS 7.3 | AI score 7.5 | EPSS 0.00997
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/21 9:57 p.m. | 44 views

Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-4921, CVE-2023-4622, CVE-2023-4623)

Summary IBM Security Guardium has addressed these vulnerabilities in an update. Vulnerability Details CVEID:CVE-2023-4921 DESCRIPTION: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free flaw in the net/sched: sch_qfq...

CVSS 7.8 | AI score 8.3 | EPSS 0.00048
Exploits 2 | Affected Software 1

IBM Security Bulletins
added 2024/10/21 7:7 p.m. | 25 views

Security Bulletin: There are multiple vulnerabilities in IBM WebSphere Application Server that can affect IBM Elastic Storage System that are now included

Summary There are multiple vulnerabilities in IBM WebSphere Application Server, used by IBM Storage Scale Elastic Storage System, which could provide weaker than expected security that are now fixed. Vulnerability Details CVEID:CVE-2024-25026 DESCRIPTION: IBM WebSphere Application Server 8.5, 9.0...

CVSS 7.5 | AI score 9.6 | EPSS 0.00031
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/21 3:52 p.m. | 41 views

Security Bulletin: IBM Cognos Analytics Mobile (Android) is affected by multiple vulnerabilities

Summary There are vulnerabilities in Open Source Software (OSS) libraries consumed by IBM Cognos Analytics Mobile. These issues have been addressed by upgrading or removing the vulnerable libraries. Additionally, vulnerabilities related to CORS misconfiguration and Certificate Pinning have been...

CVSS 8.1 | AI score 10 | EPSS 0.08335
Exploits 7 | Affected Software 2

IBM Security Bulletins
added 2024/10/21 3:51 p.m. | 25 views

Security Bulletin: IBM Cognos Analytics Mobile (iOS) is affected by multiple vulnerabilities

Summary There are vulnerabilities in Open Source Software (OSS) libraries consumed by IBM Cognos Analytics Mobile. These issues have been addressed by upgrading or removing the vulnerable libraries. Additionally, vulnerabilities related to CORS misconfiguration and Certificate Pinning have been...

CVSS 9.8 | AI score 10 | EPSS 0.8434
Exploits 6 | Affected Software 2

IBM Security Bulletins
added 2024/10/21 3:19 p.m. | 21 views

Security Bulletin: IBM B2B Advanced Communications is vulnerable to issues in Eclipse Paho Client Mqttv3

Summary IBM B2B Advanced Communications has addressed vulnerabilities in Eclipse Paho Client Mqttv3. Vulnerability Details CVEID:CVE-2019-11777 DESCRIPTION: Eclipse Paho Java client could allow a remote attacker to bypass security restrictions, caused by the failure to check the result when...

CVSS 7.5 | AI score 6.7 | EPSS 0.01278
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/21 2:45 p.m. | 19 views

Security Bulletin: IBM Tivoli Application Dependency Discovery Manager is vulnerable to server-side request forgery due to Apache CXF

Summary This security bulletin addresses the vulnerability in Open Source Apache CXF that affects IBM Tivoli Application Dependency Discovery Manager (CVE-2024-32007, CVE-2024-29736). IBM Tivoli Application Dependency Discovery Manager is using Apache CXF for its SOAP API and REST API implementatio...

CVSS 9.1 | AI score 6.8 | EPSS 0.00544
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/21 2:34 p.m. | 17 views

Security Bulletin: IBM Asset Data Dictionary Component uses grpc-protobuf-1.50.2.jar and jettison-1.5.2.jar which is vulnerable to CVE-2023-32731 and CVE-2023-1436

Summary IBM Asset Data Dictionary Component uses grpc-protobuf-1.50.2.jar and jettison-1.5.2.jar which is vulnerable to CVE-2023-32731 and CVE-2023-1436. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2023-32731 DESCRIPTION: gRPC...

CVSS 7.5 | AI score 7 | EPSS 0.00122
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2024/10/21 2:25 p.m. | 17 views

Security Bulletin: IBM® Db2® is vulnerable to denial of service with a specially crafted query (CVE-2024-37529)

Summary If you use IBM® Db2® as your database in your IBM Datacap deployment, please follow the Db2 security bulletin referred in the Title to remedy the vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions...

CVSS 6.5 | AI score 6.4 | EPSS 0.00204
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/21 7:54 a.m. | 10 views

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2024-45071)

Summary IBM WebSphere Application Server is used by IBM Tivoli System Automation Application Manager and is vulnerable to cross-site scripting in the Admin Console. Required fixes for affected WebSphere Application Server has been published in the security bulletin links below. Vulnerability...

CVSS 5.5 | AI score 6.1 | EPSS 0.00302
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/21 7:44 a.m. | 14 views

Security Bulletin: IBM WebSphere Application Server traditional shipped with IBM Tivoli System Automation Application Manager is vulnerable to an XML External Entity Injection (XXE) vulnerability

Summary A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2024-45072) Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affect...

CVSS 5.5 | AI score 7.2 | EPSS 0.0004
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/21 7:24 a.m. | 14 views

Security Bulletin: IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager is vulnerable to a denial of service

Summary A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2024-45085) Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affecte...

CVSS 7.5 | AI score 6.8 | EPSS 0.00115
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/10/21 2:28 a.m. | 13 views

Security Bulletin: IBM SPSS Collaboration and Deployment Services is vulnerable to a denial of service due to jose4j (CVE-2023-51775)

Summary IBM WebSphere Application Server Liberty that is embedded in IBM SPSS Collaboration and Deployment Services is vulnerable to a denial of service due to jose4j Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions...

CVSS 6.5 | AI score 6.3 | EPSS 0.00383
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2024/10/18 3:11 p.m. | 26 views

Security Bulletin: vulnerability in OpenSSL affects IBM Workload Automation.

Summary IBM Workload Automation is potentially affected by a vulnerability in OpenSSL that can cause denial of service CVE-2024-0727 Vulnerability Details CVEID:CVE-2024-0727 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to...

CVSS 5.5 | AI score 7 | EPSS 0.00202
Exploits 0 | Affected Software 1

Total number of security vulnerabilities: 35059