Security Bulletin: Vulnerability in RabbitMQ Java Client affects IBM watsonx.data
Summary RabbitMQ Java Client is vulnerable to a denial of service, caused by no message size limit in maxBodyLebgth. By sending a specially crafted message, a remote attacker could exploit this vulnerability to cause a memory overflow, resulting in a denial of service condition. This can affect...
Security Bulletin: Vulnerability in Async Http Client affects IBM watsonx.data
Summary Async Http Client aka async-http-client could allow a remote attacker to bypass security restrictions, caused by the failure to parse the fragment identifier of the URL when handling '?' character. By using a specially-crafted URL with '?' character, an attacker could exploit this...
Security Bulletin: Vulnerabilities in netplex JSON Smart affect watsonx.data
Summary Netplex JSON Smart is vulnerable to a denial of service, caused by either a flaw in the indexOf function of JSONParserByteArray or by not limiting the nesting of arrays or objects. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2021-31684 DESCRIPTION: netplex JSON Smart is...
Security Bulletin: Vulnerability in Guava affects IBM watsonx.data
Summary Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access...
Security Bulletin: Vulnerability in Okio GzipSource affects watsonx.data
Summary Okio GzipSource is vulnerable to a denial of service, caused by unhandled exception. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2023-3635 DESCRIPTION: Okio GzipSource is vulnerable to a denial of service, caused by unhandled exception. By sending a specially crafted gzi...
Security Bulletin: Vulnerability in pytest-dev py affects IBM watsonx.data
Summary pytest-dev py is vulnerable to a denial of service, caused by a regular expression denial of service ReDoS flaw by the InfoSvnCommand argument. By sending a specially-crafted regex info data, a remote attacker could exploit this vulnerability to cause a denial of service condition. This c...
Security Bulletin: Vulnerability in Apache Solr affects IBM watsonx.data
Summary Apache Solr could allow a remote attacker to bypass security restrictions, caused by improper access control by the Configsets API. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions. This vulnerability can be exploited when...
Security Bulletin: Vulnerability in Google Guava affects IBM watsonx.data
Summary Google Guava could allow a local authenticated attacker to obtain sensitive information, caused by a flaw with using Java's default temporary directory for file creation in FileBackedOutputStream. By sending a specially crafted request, an attacker could exploit this vulnerability to acce...
Security Bulletin: Vulnerabilities in Protobuf-java affect IBM watsonx.data
Summary Protobuf-java core and lite are vulnerable to denial of service attacks which can affect watsonx.data. Vulnerability Details CVEID:CVE-2022-3171 DESCRIPTION: protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing procedure for binary and text...
Security Bulletin: Vulnerability in Protobuf-core affects IBM watsonx.data
Summary Protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing procedure for Message-Type Extensions. By sending non-repeated embedded messages with repeated or unknown fields, a remote authenticated attacker could exploit this vulnerability to cause lo...
Security Bulletin: Vulnerabilities in Netty affect watsonx.data
Summary Netty has multiple vulnerabilities such as HTTP request smuggling, weaker than expected security, and denial of service attacks. These can affect watsonx.data. Vulnerability Details CVEID:CVE-2019-20444 DESCRIPTION: Netty is vulnerable to HTTP request smuggling, caused by a flaw in the...
Security Bulletin: Vulnerability in Async Http Client affects IBM watsonx.data
Summary Async Http Client aka async-http-client could allow a remote attacker to bypass security restrictions, caused by the failure to parse the fragment identifier of the URL when handling '?' character. By using a specially-crafted URL with '?' character, an attacker could exploit this...
Security Bulletin: Vulnerability in Node.js affects IBM watsonx.data
Summary Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information, caused by the leakage of credentials when clearing authorization header during cross-domain redirect, but keeping the proxy-authentication header. An attacker could exploit this...
Security Bulletin: Vulnerabilities in Jettison affect IBM watsonx.data
Summary Jettison is vulnerable to denial of service attacks. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2022-40150 DESCRIPTION: jettison-json Jettison is vulnerable to a denial of service, caused by an out of memory flaw. By sending a specially-crafted XML or JSON data, a remote...
Security Bulletin: Vulnerability in PyArrow Affects IBM watsonx.data
Summary PyArrow could allow a remote authenticated attacker to execute arbitrary code on the system. This can affect IBM watsonx.data Vulnerability Details CVEID:CVE-2023-47248 DESCRIPTION: PyArrow could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an...
Security Bulletin: Vulnerability in Oracle MySQL Connectors Affects IBM watsonx.data
Summary An unspecified vulnerability in Oracle MySQL Connectors related to the Connector/J component could allow a remote attacker to cause high confidentiality, integrity and availability impacts. This can affect IBM watsonx.data. Vulnerability Details CVEID:CVE-2023-22102 DESCRIPTION: An...
Security Bulletin: Vulnerabilities in Google Guava affect IBM watsonx.data
Summary Google Guava has vulnerabilities that could allow a local authenticated attacker to obtain sensitive information, allow a remote authenticated attacker to bypass security restrictions, and make it vulnerable to denial of service attacks. This can affect watsonx.data. Vulnerability Details...
Security Bulletin: Vulnerabilities in Netty affect IBM watsonx.data
Summary Netty is vulnerable to denial of service attacks and could allow a local authenticated attacker to obtain sensitive information. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2023-34462 DESCRIPTION: Netty is vulnerable to a denial of service, caused by a flaw with...
Security Bulletin: Vulnerabilities in Apache ZooKeeper affect IBM watsonx.data
Summary Apache ZooKeeper could allow a remote authenticated attacker to obtain sensitive information or allow a remote attacker to bypass security restrictions. These can affect IBM watsonx.data. Vulnerability Details CVEID:CVE-2024-23944 DESCRIPTION: Apache ZooKeeper could allow a remote...
Security Bulletin: Vulnerability in Apache Tomcat affects IBM watsonx.data
Summary Apache Tomcat is vulnerable to a denial of service, caused by a flaw when processing an HTTP/2 stream. By sending specially crafted HTTP headers, a remote attacker could exploit this vulnerability to cause a denial of service condition. This can affect watsonx.data. Vulnerability Details...
Security Bulletin: Vulnerability in dnsjava affects IBM watsonx.data
Summary dnsjava could allow a remote attacker to bypass security restrictions, caused by improper response validation. By sending a specially crafted request, an attacker could exploit this vulnerability to perform DNSSEC bypass. This may affect watsonx.data. Vulnerability Details...
Security Bulletin: Vulnerability in Gorilla Web Toolkit affects IBM watsonx.data
Summary Gorilla web toolkit schema is vulnerable to a denial of service, caused by a memory exhaustion flaw due to sparse slice deserialization. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. This can affect...
Security Bulletin: Vulnerability in Axios affects IBM watsonx.data
Summary Axios is vulnerable to server-side request forgery, caused by a flaw in which requests for path relative URLs get processed as protocol relative URLs. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct an SSRF attack. This can affect watsonx.data...
Security Bulletin: Multiple Vulnerabilities in IBM Cloud Pak for Multicloud Management
Summary Multiple vulnerabilities were addressed in IBM Cloud Pak for Multicloud Management version 2.3 Fix Pack 9 Vulnerability Details CVEID:CVE-2024-1135 DESCRIPTION: Gunicorn is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP transfer-encoding headers. By sending a...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining Interim Fix for Sept 2024
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Process Mining 1.15.0 IF002 Vulnerability Details CVEID:CVE-2024-22262 DESCRIPTION: VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing...
Security Bulletin: IBM Cognos Analytics Reports mobile client application (iOS) is vulnerable to unauthorized attacks due to an exposed API key (CVE-2024-40703)
Summary An exposed API key in IBM Cognos Analytics could allow an unauthorized attacker to send unsolicited push notification alerts to IBM Cognos Analytics Reports mobile client applications. IBM Cognos Analytics has addressed the applicable CVE by revoking the exposed API key. Revocation of thi...
Security Bulletin: IBM Instana Observability is affected by multiple vulnerabilities within Instana Agent container image
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana within Instana Agent container image build 282 Vulnerability Details CVEID:CVE-2024-24790 DESCRIPTION: An unspecified error related to various Is methods IsPrivate, IsLoopback, etc did not work as expected for...
Security Bulletin: The IBM® Engineering Lifecycle Engineering product using IBM SDK, Java Technology Edition Quarterly CPU - Apr 2024 - Includes Oracle April 2024 CPU plus CVE-2023-38264
Summary IBM SDK, Java Technology Edition is vulnerable to CVE-2023-38264. The following IBM® Engineering Lifecycle Engineering product is vulnerable to this attack, and it has been addressed in this bulletin: IBM Engineering Workflow Management Vulnerability Details Refer to the security bulletins listed...
Security Bulletin: Vulnerabilities in IBM WebSphere Application Server and WebSphere Application Server Liberty affect IBM Watson Explorer (CVE-2024-22354)
Summary IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are used by IBM Watson Explorer. IBM Watson Explorer has addressed the applicable CVE CVE-2024-22354. Vulnerability Details CVEID:CVE-2024-22354 DESCRIPTION: IBM WebSphere Application Server 8.5, 9.0 and IBM...
Security Bulletin: A vulnerability in glibc affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
Summary A vulnerability in glibc affects IBM Storage Virtualize products and could cause impacts to integrity, confidentiality and availability. CVE-2024-2961. Vulnerability Details CVEID:CVE-2024-2961 DESCRIPTION: GNU C Library could allow a remote attacker to execute arbitrary code on the syste...
Security Bulletin: Vulnerabilities in libmaxminddb, dnsmasq and bind affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem product
Summary Vulnerabilities in libmaxminddb, dnsmasq and bind affect IBM Storage Virtualize products and could cause impacts to integrity and availability. CVE-2023-50387 CVE-2023-50868 CVE-2020-28241 CVE-2023-4408. Vulnerability Details CVEID:CVE-2023-50387 DESCRIPTION: ISC BIND is vulnerable to a...
Security Bulletin: Vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
Summary Vulnerabilities in the Linux kernel affect IBM Storage Virtualize products and could cause various impacts. CVE-2023-1073 CVE-2023-45871 CVE-2023-6356 CVE-2023-6535 CVE-2023-6536 CVE-2023-1206 CVE-2023-5178. Vulnerability Details CVEID:CVE-2023-1073 DESCRIPTION: Linux Kernel could allow a...
Security Bulletin: Vulnerability in IBM Java affects IBM SAN Volume Controller, IBM Storwize, IBM Storage Virtualize and IBM FlashSystem products
Summary Vulnerability in IBM® Runtime Environment Java™ Technology Edition affects the product's management GUI. The Command Line Interface is unaffected. CVE-2024-21131. Vulnerability Details CVEID:CVE-2024-21131 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component...
Security Bulletin: Vulnerabilities in Node.js, AngularJS, Golang Go, libcURL, PostgreSQL, Linux kernel might affect IBM Spectrum Protect Plus
Summary IBM Spectrum Protect Plus can be affected by vulnerabilities in Node.js, AngularJS, Golang Go, libcURL, PostgreSQL, and Linux. Vulnerabilities include obtaining sensitive information, causing denial of service condition, heap-based buffer overflow, bypassing of security restrictions,...
Security Bulletin: Vulnerability in Node.js affects IBM Rational Developer for i RPG and COBOL + Modernization Tools, Java Edition (CVE-2024-36138)
Summary Node.js is used as runtime and SDK for Apache Cordova applications within IBM Rational Developer for i RPG and COBOL + Modernization Tools, Java Edition. Information about security vulnerabilities affecting Node.js has been published in a security bulletin. This bulletin identifies the...
Security Bulletin: Denial of service and SQL injection might affect IBM Storage Defender – Resiliency Service
Summary IBM Storage Defender – Resiliency Service is vulnerable and can result in data confidentiality and service availability issues. The vulnerabilities have been addressed. CVE-2024-38325, CVE-2024-41990, CVE-2024-41989, CVE-2024-42005, CVE-2024-42005, CVE-2024-41991, CVE-2024-38324...
Security Bulletin: IBM DevOps Release addresses denial of service vulnerability caused by a flaw in processing HTTP/2 stream.
Summary IBM DevOps Release 7.0.0.3 addresses denial of service vulnerability caused by a flaw in processing HTTP/2 stream. Vulnerability Details CVEID:CVE-2024-34750 DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by a flaw when processing an HTTP/2 stream. By sending...
Security Bulletin: IBM Decision Optimization for Cloud Pak for Data is vulnerable to a denial of service (CVE-2024-39249)
Summary There is a vulnerability in Async used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2024-39249 DESCRIPTION: Async is vulnerable to a denial of service, caused...
Security Bulletin: IBM Cognos Analytics is vulnerable to unauthorized attacks due to an exposed API key (CVE-2024-40703)
Summary An exposed API key in IBM Cognos Analytics could allow an unauthorized attacker to send unsolicited push notification alerts to IBM Cognos Analytics Mobile client applications. IBM Cognos Analytics has addressed the applicable CVE by revoking the exposed API key. Revocation of this API ke...
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in es5-ext-0.10.53.tgz
Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of es5-ext-0.10.53.tgz Vulnerability Details CVEID:CVE-2024-27088 DESCRIPTION: medikoo es5-ext is vulnerable to a denial of service, caused by a regular expression denial of service ReDoS flaw. By providing...
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in urllib3-1.26.18-py2.py3-none-any.whl
Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of urllib3-1.26.18-py2.py3-none-any.whl Vulnerability Details CVEID:CVE-2024-37891 DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by the failure to strip...
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Certifi python-certifi
Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Certifi python-certifi Vulnerability Details CVEID:CVE-2024-39689 DESCRIPTION: Certifi python-certifi could provide weaker than expected security, caused by the use of GLOBALTRUST root certificate. An attacke...
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in setuptools
Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of setuptools Vulnerability Details CVEID:CVE-2024-6345 DESCRIPTION: pypa/setuptools could allow a remote attacker to execute arbitrary code on the system, caused by an error in the packageindex module. By...
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in IBM WebSphere Application Server Liberty
Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of IBM WebSphere Application Server Liberty Vulnerability Details CVEID:CVE-2023-50314 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could allow an attacker with access to the...
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Tensorflow
Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Tensorflow Vulnerability Details CVEID:CVE-2023-30767 DESCRIPTION: Intel Optimization for TensorFlow could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper...
Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2019-4505)
Summary WebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the...
Security Bulletin: IBM App Connect Enterprise has multiple vulnerabilities due to IBM Semeru Runtime (CVE-2024-21131, CVE-2024-21144, CVE-2024-21145)
Summary IBM App Connect Enterprise has multiple vulnerabilities due to IBM Semeru Runtime CVE-2024-21131, CVE-2024-21144, CVE-2024-21145. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-21145 DESCRIPTION: An unspecified vulnerability...
Security Bulletin: IBM App Connect Enterprise is vulnerable to a denial of service due to OpenSSL (CVE-2024-2511)
Summary IBM App Connect Enterprise is vulnerable to a denial of service due to OpenSSL CVE-2024-2511. This bulletin identifies the steps to take to address these vulnerabilities. Vulnerability Details CVEID:CVE-2024-2511 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by imprope...
Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to Node.js modules (CVE-2024-39338, CVE-2024-43800, CVE-2024-43799, CVE-2024-43796).
Summary IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to Node.js modules axios CVE-2024-39338, expressjs serve-static CVE-2024-43800, pillarjs send CVE-2024-43799 and expressjs express CVE-2024-43796. This bulletin identifies the steps to take to address the...
Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to multiple vulnerabilities in IBM Java SDK, Java Technology Edition
Summary There are multiple vulnerabilities in IBM Java SDK, Java Technology Edition used by IBM App Connect Enterprise and IBM Integration Bus for z/OS. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-21147 DESCRIPTION: An unspecifie...