
35059 matches found

IBM Security Bulletins
added 2024/09/20 8:51 a.m. | 15 views

Security Bulletin: IBM Transformation Extender Advanced v10.0.x is affected by a IBM WebSphere Application Server Liberty vulnerability

Summary IBM Transformation Extender Advanced, also known as IBM Standards Processing Engine, is vulnerable to IBM WebSphere Application Server Liberty's server-side request forgery vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affecte...

CVSS 4.3 | AI score 5.5 | EPSS 0.00031
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/20 8:9 a.m. | 17 views

Security Bulletin: IBM SPSS Collaboration and Deployment Services is vulnerable to a denial of service (CVE-2024-22353)

Summary IBM WebSphere Application Server Liberty that is embedded in IBM SPSS Collaboration and Deployment Services is vulnerable to a denial of service with the openidConnectClient-1.0 or socialLogin-1.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the...

CVSS 7.5 | AI score 7.3 | EPSS 0.00031
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/20 7:32 a.m. | 19 views

Security Bulletin: SPSS Collaboration and Deployment Services is affected by IBM WebSphere Application Server Liberty cross-site scripting (CVE-2024-27270)

Summary IBM WebSphere Application Server Liberty is vulnerable to cross-site scripting CVE-2024-27270 may affect SPSS Collaboration and Deployment Services Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Product...

CVSS 6.1 | AI score 5 | EPSS 0.00088
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/19 4:26 p.m. | 15 views

Security Bulletin: IBM Transformation Extender Advanced v10.0.x is affected by a IBM WebSphere Application Server Liberty vulnerability

Summary IBM Transformation Extender Advanced, also known as IBM Standards Processing Engine, is vulnerable to IBM WebSphere Application Server Liberty's denial of service vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products...

CVSS 7.5 | AI score 6.1 | EPSS 0.00021
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/19 3:55 p.m. | 21 views

Security Bulletin: Multiple Vulnerabilities have been identified in IBM MQ shipped with IBM WebSphere Remote Server

Summary IBM MQ is shipped with IBM WebSphere Remote Server. Information about security vulnerabilities affecting IBM MQ have been published in a security bulletin CVE-2024-40681, CVE-2024-40680, CVE-2024-2511, CVE-2024-21085 Vulnerability Details Refer to the security bulletins listed in the...

CVSS 8.8 | AI score 6.2 | EPSS 0.08833
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/19 3:48 p.m. | 19 views

Security Bulletin: IBM Asset Data Dictionary Component uses aircompressor-0.21.jar which is vulnerable to CVE-2024-36114

Summary IBM Asset Data Dictionary Component uses aircompressor-0.21.jar which is vulnerable to CVE-2024-36114. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-36114 DESCRIPTION: airlift aircompressor could allow a local attacker...

CVSS 8.6 | AI score 8.1 | EPSS 0.00195
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/19 3:48 p.m. | 22 views

Security Bulletin: IBM Maximo Application Suite uses certifi-2024.6.2-py3-none-any.whl which is vulnerable to CVE-2024-39689.

Summary IBM Maximo Application Suite uses certifi-2024.6.2-py3-none-any.whl which is vulnerable to CVE-2024-39689. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-39689 DESCRIPTION: Certifi python-certifi could provide weaker th...

CVSS 7.5 | AI score 7.2 | EPSS 0.25805
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/19 3:47 p.m. | 20 views

Security Bulletin: IBM Truststore Manager uses Jinja2-3.1.3-py3-none-any.whl which is vulnerable to CVE-2024-34064

Summary IBM Truststore Manager uses Jinja2-3.1.3-py3-none-any.whl which is vulnerable to CVE-2024-34064. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-34064 DESCRIPTION: Jinja is vulnerable to cross-site scripting, caused by t...

CVSS 5.4 | AI score 5.9 | EPSS 0.0123
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/19 3:46 p.m. | 9 views

Security Bulletin: IBM Maximo Application Suite uses tinymce-6.8.3.tgz which is vulnerable to CVE-2024-38357, CVE-2024-38356

Summary IBM Maximo Application Suite uses tinymce-6.8.3.tgz which is vulnerable to CVE-2024-38357, CVE-2024-38356. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-38357 DESCRIPTION: TinyMCE is vulnerable to cross-site scripting,...

CVSS 6.1 | AI score 6 | EPSS 0.01148
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/19 11:9 a.m. | 24 views

Security Bulletin: IBM Transformation Extender Advanced v10.0.x is affected by a IBM WebSphere Application Server Liberty vulnerability

Summary IBM Transformation Extender Advanced, also known as IBM Standards Processing Engine, is vulnerable to IBM WebSphere Application Server Liberty's XML External Entity XXE injection vulnerability Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...

CVSS 7 | AI score 7 | EPSS 0.00019
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/19 10:16 a.m. | 27 views

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects App Connect Professional

Summary There are multiple vulnerabilities in the IBM SDK Java Technology used by App Connect Professional. These issues were disclosed as part of the IBM Java SDK updates in July 2024, App Connect Professional has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2024-21147...

CVSS 7.4 | AI score 5.8 | EPSS 0.00977
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/19 3:45 a.m. | 45 views

Security Bulletin: Vulnerability with Apache HTTP, OpenJDK, python3 and spring-web affect IBM Cloud Object Storage Systems (Sept 2024v1)

Summary Vulnerability with Apache HTTP CVE-2024-38474, CVE-2024-39573,CVE-2024-38477,CVE-2024-38473,CVE-2024-38476,CVE-2024-38475, OpenJDK CVE-2024-21131, CVE-2024-21147, CVE-2024-21138, CVE-2024-21140, CVE-2024-21145, python3 CVE-2024-37891,CVE-2024-39689,CVE-2024-6345,CVE-2024-3651 and SpringWe...

CVSS 9.8 | AI score 9 | EPSS 0.93858
Exploits: 3 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 8:14 p.m. | 34 views

Security Bulletin: Vulnerability in Spring Framework affects IBM watsonx.data

Summary Spring Framework running on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. This may affect IB...

CVSS 9.8 | AI score 8.7 | EPSS 0.94439
Exploits: 100 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 8:7 p.m. | 25 views

Security Bulletin: Vulnerability in jackson-databind affects IBM watsonx.data

Summary FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization. This could affect IBM watsonx.data. Vulnerability Details CVEID:CVE-2020-36188 DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to...

CVSS 8.1 | AI score 9.2 | EPSS 0.0944
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 8:3 p.m. | 24 views

Security Bulletin: Vulnerabilities in Moby BuildKit affect IBM watsonx.data

Summary Moby BuildKit could allow a remote attacker to bypass security restrictions, allow a remote attacker to traverse directories on the system, or allow a remote attacker to gain elevated privileges on the system. These can affect IBM watsonx.data. Vulnerability Details CVEID:CVE-2024-23651...

CVSS 10 | AI score 8.9 | EPSS 0.10301
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 7:59 p.m. | 28 views

Security Bulletin: Vulnerabilities in Apache Hadoop affect IBM watsonx.data

Summary Apache Hadoop has multiple vulnerabilities that can affect IBM watsonx.data. Vulnerability Details CVEID:CVE-2022-26612 DESCRIPTION: Apache Hadoop for Windows could allow a remote attacker to bypass security restrictions, caused by the use of an unTarUsingJava function on Windows and the...

CVSS 9.8 | AI score 9.1 | EPSS 0.03008
Exploits: 3 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 7:55 p.m. | 33 views

Security Bulletin: Vulnerability in Perl affects IBM watsonx.data

Summary Perl could allow a remote attacker to bypass security restrictions, caused by improper handling of property name by the Sparseunipropstring function in regcomp.c. This can affect IBM watsonx.data. Vulnerability Details CVEID:CVE-2023-47100 DESCRIPTION: Perl could allow a remote attacker t...

AI score 9.6
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 7:42 p.m. | 23 views

Security Bulletin: Vulnerabilities in Maven affect IBM watsonx.data

Summary Apache Maven could allow a remote attacker to either bypass security restrictions or to execute arbitrary commands on the system. These can affect IBM watsonx.data. Vulnerability Details CVEID:CVE-2021-26291 DESCRIPTION: Apache Maven could allow a remote attacker to bypass security...

CVSS 9.8 | AI score 9.9 | EPSS 0.46101
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 7:32 p.m. | 47 views

Security Bulletin: Vulnerability in jackson-databind affects IBM watsonx.data

Summary There are multiple CVEs fixed for this Security Bulletin. For the FasterXML jackson-databind CVEs, jackson-databind could allow a remote attacker to execute arbitrary code on the system. For CVE-2017-7525, Apache Struts could also allow a remote attacker to execute arbitrary code on the...

CVSS 9.8 | AI score 9.4 | EPSS 0.84949
Exploits: 10 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 4:58 p.m. | 26 views

Security Bulletin: Vulnerability in Perl affects IBM watsonx.data

Summary For CVE-2020-10878, if a user submits a specially-crafted regular expression and it is used in a regex by watsonx.data, this may cause an instruction injection. Currently, IBM watsonx.data is not vulnerable to the vulnerabilities described in CVE-2020-10543, CVE-2020-12723 and...

CVSS 8.6 | AI score 8.5 | EPSS 0.04289
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 4:56 p.m. | 24 views

Security Bulletin: Vulnerability in jackson-databind affects IBM watsonx.data

Summary FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system and could allow a remote attacker to obtain sensitive information. This can affect watsonx.data. This can affect IBM watsonx.data Vulnerability Details CVEID:CVE-2019-12384 DESCRIPTION:...

CVSS 5.9 | AI score 8.3 | EPSS 0.51266
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 4:52 p.m. | 23 views

Security Bulletin: Vulnerability in Hibernate Validator affects IBM watsonx.data

Summary Hibernate Validator allows a remote attacker to bypass security restrictions, such as escaping or stripping, that may be in place when handling user-controlled data in error messages in IBM watsonx.data. Vulnerability Details CVEID:CVE-2021-23463 DESCRIPTION: h2database com.h2database:h2...

CVSS 10 | AI score 8.8 | EPSS 0.26568
Exploits: 5 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 4:44 p.m. | 24 views

Security Bulletin: Vulnerability in Perl affects IBM watsonx.data

Summary Perl is vulnerable to buffer overflow issues. CVE-2020-10543: This vulnerability is identified in 32 bit, but watsonx.data is deployed in 64 bit platform. Hence watsonx.data is not affected. CVE-2020-10878, CVE-2020-12723: If user supplied string and it is used in a regex in our code, this...

CVSS 8.6 | AI score 8.9 | EPSS 0.04289
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 4:36 p.m. | 25 views

Security Bulletin: Vulnerabilities in jackson-databind affect IBM watsonx.data

Summary FasterXML jackson-databind has multiple vulnerabilities including the possibility of remote attackers executing arbitrary code on the system. These can affect IBM watsonx.data. Vulnerability Details CVEID:CVE-2017-15095 DESCRIPTION: Jackson Library could allow a remote attacker to execute...

CVSS 10 | AI score 9 | EPSS 0.84949
Exploits: 7 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 4:33 p.m. | 22 views

Security Bulletin: Vulnerabilities in Golang Go affect IBM watsonx.data

Summary Golang Go could allow a remote attacker to execute arbitrary code on the system and is vulnerable to HTML injection. These can affect watsonx.data. Vulnerability Details CVEID:CVE-2023-24538 DESCRIPTION: Golang Go could allow a remote attacker to execute arbitrary code on the system, caus...

CVSS 9.8 | AI score 9.9 | EPSS 0.00759
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 4:20 p.m. | 30 views

Security Bulletin: Vulnerabilities in Go affects IBM watsonx.data

Summary Vulnerabilities in the Go package could allow a remote attacker to either inject malicious HTML code into a template causing an HTML injection or execute arbitrary code on the system. These vulnerabilities may impact watsonx.data. Vulnerability Details CVEID:CVE-2023-24540 DESCRIPTION: Go...

CVSS 9.8 | AI score 10 | EPSS 0.00759
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 4:17 p.m. | 20 views

Security Bulletin: Vulnerabilities in GoLang Go and Kubernetes affect IBM watsonx.data

Summary Kubernetes vulnerabilities could allow a local authenticated attack to obtain sensitive information and could allow a denial of service attack. GoLang Go could allow denial of service attacks, HTTP request smuggling, HTML injections, local attacks to execute arbitrary code execution, and...

CVSS 9.8 | AI score 9.3 | EPSS 0.00795
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 12:44 p.m. | 19 views

Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors

Summary OpenSSL is used by IBM Tivoli Netcool System Service Monitors/Application Service Monitors for Network Transport. CVE-2024-2511 is identified as a potential risk for products using older versions of OpenSSL. These potential risks are resolved by updating IBM Tivoli Netcool System Service...

CVSS 5.9 | AI score 6.1 | EPSS 0.08833
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 10:34 a.m. | 21 views

Security Bulletin: Multiple Vulnerabilities in Rational Asset Manager

Summary Multiple vulnerabilities were addressed in Rational Asset Manager version 7.5.4.15 Vulnerability Details CVEID:CVE-2015-5262 DESCRIPTION: Apache Commons is vulnerable to a denial of service, caused by the failure to apply a configured connection during the initial handshake of an HTTPS...

CVSS 7.5 | AI score 7.2 | EPSS 0.37165
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 10:14 a.m. | 47 views

Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities

Summary IBM QRadar SIEM includes vulnerable components e.g., framework libraries that could be identified and exploited with automated tools. These have been addressed in the update. Vulnerability Details CVEID:CVE-2024-25629 DESCRIPTION: C-ares is vulnerable to a denial of service, caused by an...

CVSS 10 | AI score 9.3 | EPSS 0.09639
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 9:28 a.m. | 36 views

Security Bulletin: IBM Operational Decision Manager for Aug 2024 - Multiple CVEs addressed

Summary IBM Operational Decision Manager is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2023-44487...

CVSS 7.5 | AI score 8.4 | EPSS 0.9439
Exploits: 19 | Affected Software: 1

IBM Security Bulletins
added 2024/09/18 8:45 a.m. | 19 views

Security Bulletin: Maximo Application Suite - IBM WebSphere Application Server is vulnerable to CVE-2024-25026 used in IBM Maximo Application Suite - Monitor Component

Summary IBM Maximo Application Suite - Monitor Component uses WebSphere Application Server which is vulnerable to CVE-2024-25026. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-25026 DESCRIPTION: IBM WebSphere Application Server 8.5...

CVSS 7.5 | AI score 6.6 | EPSS 0.00021
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/17 11:9 p.m. | 27 views

Security Bulletin: AIX is affected by a denial of service (CVE-2024-0397) and information disclosure (CVE-2024-4032, CVE-2024-37891) due to Python

Summary Vulnerabilities in Python could allow a remote attacker to cause a denial of service CVE-2024-0397 or obtain sensitive information CVE-2024-4032, CVE-2024-37891. Python is used by AIX as part of Ansible node management automation. Vulnerability Details CVEID:CVE-2024-4032 DESCRIPTION: An...

CVSS 7.5 | AI score 7.2 | EPSS 0.01127
Exploits: 1 | Affected Software: 2

IBM Security Bulletins
added 2024/09/17 10:4 p.m. | 14 views

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in LibTIFF

Summary Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in LibTIFF Vulnerability Details CVEID:CVE-2023-41175 DESCRIPTION: LibTIFF is vulnerable to a denial of service, caused by an integer overflow in raw2tiff.c. By persuading a victim to open a...

CVSS 6.5 | AI score 7 | EPSS 0.00282
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/17 10:3 p.m. | 17 views

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Node.js Vulnerability Details CVEID:CVE-2024-30261 DESCRIPTION: Node.js undici module could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw with fetch with integrity...

CVSS 3.5 | AI score 4.8 | EPSS 0.00066
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2024/09/17 9:51 p.m. | 25 views

Security Bulletin: Vulnerabilities in Node.js and packages affect IBM Voice Gateway

Summary Security Vulnerabilities in node.js and package affects IBM Voice Gateway. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2024-39338 DESCRIPTION: Axios is vulnerable to server-side request forgery, caused by a flaw with requests for path relative URLs get process...

CVSS 7.5 | AI score 8.1 | EPSS 0.02141
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2024/09/17 9:36 p.m. | 23 views

Security Bulletin: IBM DataPower Gateway vulnerable to physical attacks and DoS.

Summary CVE-2023-1073, CVE-2023-1079, CVE-2023-4132 require physical access to the appliance with malicious USB device. CVE-2023-1206 can allow an attacker with a high bandwidth connection to consume excessive CPU resources. Vulnerability Details CVEID:CVE-2023-1073 DESCRIPTION: Linux Kernel coul...

CVSS 6.8 | AI score 7.1 | EPSS 0.0004
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/17 8:49 p.m. | 12 views

Security Bulletin: Insufficient input validation in IBM Business Automation Workflow Center - CVE-2024-43188

Summary IBM Business Automation Workflow Center is vulnerable because of insufficient user input validation. Vulnerability Details CVEID:CVE-2024-43188 DESCRIPTION: IBM Business Automation Workflow could allow a privileged user to perform unauthorized activities due to improper client side...

CVSS 4.9 | AI score 4.9 | EPSS 0.00085
Exploits: 0 | Affected Software: 2

IBM Security Bulletins
added 2024/09/17 8:35 p.m. | 34 views

Security Bulletin: Multiple vulnerabilities in Bouncy Castle Crypto Package For Java may affect IBM Storage Scale GUI (CVE-2024-30171, CVE-2024-29857)

Summary There are vulnerabilities in Bouncy Castle Crypto Package For Java, used by IBM Storage Scale GUI, which could allow a remote attacker to exploit and obtain sensitive information. Vulnerability Details CVEID:CVE-2018-20676 DESCRIPTION: Bootstrap is vulnerable to cross-site scripting, caus...

CVSS 7.5 | AI score 6.8 | EPSS 0.09805
Exploits: 5 | Affected Software: 1

IBM Security Bulletins
added 2024/09/17 8:19 p.m. | 20 views

Security Bulletin: PrototypeJS shipped with IBM Tivoli Business Service Manager is vulnerable to cross-site request forgery (CVE-2008-7220)

Summary PrototypeJS is shipped as part of front-end component for IBM Tivoli Business Service Manager. Information about security vulnerabilities affecting PrototypeJS has been published in a security bulletin. Vulnerability Details CVEID:CVE-2008-7220 DESCRIPTION: An unspecified error in the...

CVSS 7.5 | AI score 9 | EPSS 0.10024
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2024/09/17 8:19 p.m. | 27 views

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Business Service Manager

Summary IBM® SDK, Java™ Technology Edition is shipped as a component of IBM Tivoli Business Service Manager. Information about security vulnerabilities affecting IBM® SDK, Java™ Technology Edition has been published in a security bulletin. Vulnerability Details CVEID:CVE-2024-21147 DESCRIPTION: A...

CVSS 7.4 | AI score 5.9 | EPSS 0.00977
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/17 7:14 p.m. | 24 views

Security Bulletin: This Power System update is being released to address CVE-2023-45871

Summary The Linux kernel is used by the Virtualization Management Interface in PowerVM to support network communication with the Hardware Management Console. This bulletin provides a remediation for the impacted vulnerability, CVE-2023-45871, by upgrading PowerVM and thus addressing the exposure ...

CVSS 7.5 | AI score 8.5 | EPSS 0.00025
Exploits: 0

IBM Security Bulletins
added 2024/09/17 7:9 p.m. | 20 views

Security Bulletin: This Power System update is being released to address CVE-2023-1206

Summary The Linux kernel is used by the Virtualization Management Interface in PowerVM to support network communication with the Hardware Management Console. This bulletin provides a remediation for the impacted vulnerability, CVE-2023-1206, by upgrading PowerVM and thus addressing the exposure t...

CVSS 5.7 | AI score 6.7 | EPSS 0.0004
Exploits: 0

IBM Security Bulletins
added 2024/09/17 5:39 p.m. | 24 views

Security Bulletin: IBM Security QRadar Analyst Workflow for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. The update addresses these issues. Vulnerability Details CVEID:CVE-2023-45857 DESCRIPTION: Axios is vulnerable to cross-site request forgery, caused by improper...

CVSS 8.1 | AI score 8.6 | EPSS 0.8434
Exploits: 5 | Affected Software: 1

IBM Security Bulletins
added 2024/09/17 3:31 p.m. | 45 views

Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities (CVE-2024-5569, CVE-2024-39689)

Summary IBM Security Guardium Insights has addressed these vulnerabilities with an update. Vulnerability Details CVEID:CVE-2024-5569 DESCRIPTION: zipp is vulnerable to a denial of service, caused by an infinite loop flaw in the Path module. By using a specially crafted zip file, a local attacker...

CVSS 7.5 | AI score 7 | EPSS 0.25805
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/17 9:2 a.m. | 19 views

Security Bulletin: Security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool.

Summary There is security vulnerability in IBM WebSphere Application Server Liberty used by IBM License Metric Tool. Vulnerability Details CVEID:CVE-2023-50314 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could allow an attacker with access to the network to...

CVSS 7.5 | AI score 7.4 | EPSS 0.00149
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/17 9:0 a.m. | 20 views

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9.

Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 used by IBM License Metric Tool. These issues were disclosed as part of the IBM Java SDK updates in Jul 2024. Vulnerability Details CVEID:CVE-2024-21147 DESCRIPTION: An unspecified vulnerability in Java SE...

CVSS 7.4 | AI score 6 | EPSS 0.00977
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/17 8:58 a.m. | 21 views

Security Bulletin: A vulnerability in JavaScript affects IBM License Metric Tool v9 (CVE-2024-39338).

Summary There is a vulnerability in JavaScript library Axios that is used by IBM License Metric Tool. Vulnerability Details CVEID:CVE-2024-39338 DESCRIPTION: Axios is vulnerable to server-side request forgery, caused by a flaw with requests for path relative URLs get processed as protocol relativ...

CVSS 7.5 | AI score 7.3 | EPSS 0.02141
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2024/09/17 8:56 a.m. | 24 views

Security Bulletin: A vulnerability in XML toolkit for Ruby affects IBM License Metric Tool.

Summary There is a vulnerability in the XML toolkit for Ruby component used by IBM License Metric Tool. Vulnerability Details CVEID:CVE-2024-43398 DESCRIPTION: Ruby REXML is vulnerable to a denial of service, caused by improper input validation. By using a specially crafted XML content, a remote...

CVSS 7.5 | AI score 6.2 | EPSS 0.08335
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/09/17 8:55 a.m. | 20 views

Security Bulletin: A vulnerability in fugit gem affects IBM License Metric Tool (CVE-2024-43380).

Summary There is a vulnerability in one of the Ruby gems used by IBM License Metric Tool. Vulnerability Details CVEID:CVE-2024-43380 DESCRIPTION: floraison fugit is vulnerable to a denial of service, caused by improper input validation by the natural parser. By sending a specially crafted request...

CVSS 7.5 | AI score 7.5 | EPSS 0.00237
Exploits: 0 | Affected Software: 1

Total number of security vulnerabilities: 35059