35702 matches found
Security Bulletin: IBM DataPower Gateway vulnerable to Denial of Service (CVE-2023-52881)
Summary This issue can affect TCP networking Vulnerability Details CVEID:CVE-2023-52881 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: tcp: do not accept ACK of bytes we never sent This patch is based on a detailed report and ideas from Yepeng Pan and Christian...
Security Bulletin: IBM Operational Decision Manager for Oct 2024 - Multiple CVEs addressed
Summary IBM Operational Decision Manager is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2023-5236...
Security Bulletin: IBM Cognos Dashboards on Cloud Pak for Data has addressed security vulnerabilities
Summary There are vulnerabilities in Open-Source Software OSS components consumed by IBM Cognos Dashboards on Cloud Pak for Data. Please refer to the Related Information section below for vulnerability impact. This Security Bulletin relates only to the direct usage of third-party components by IB...
Security Bulletin: IBM Data Product Hub is affected by several vulnerabilities
Summary IBM Data Product Hub has a dependencies on IBM WebSphere Application Server Liberty, IBM Semeru Runtime, and Node.js elliptic & path-to-regexp modules, which are vulnerable. This bulletin contains information regarding the vulnerabilities and their fixture. Vulnerability Details...
Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities
Summary IBM QRadar SIEM includes vulnerable components e.g., framework libraries that could be identified and exploited with automated tools. These have been addressed in the update. Vulnerability Details CVEID:CVE-2024-23454 DESCRIPTION: Apache Hadoop could allow a local authenticated attacker t...
Security Bulletin: IBM Cloud Pak System is vulnerable to multiple vulnerabilities in IBM Java SDK.
Summary IBM Cloud Pak System is vulnerable to multiple vulnerabilities in IBM SDK. The fix removes these vulnerabilities as per IBM SDK, Java Technology Apr 2024. Vulnerability Details CVEID:CVE-2024-21085 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allo...
Security Bulletin: Multiple vulnerabilities affect IBM® Semeru Runtime
Summary This bulletin for IBM Semeru Runtime covers all applicable Java SE CVEs published by OpenJDK as part of their October 2024 Vulnerability Advisory, plus CVE-2024-10917 and CVE-2024-9143. For more information please refer to OpenJDK's October 2024 Vulnerability Advisory and the X-Force...
Security Bulletin: There is a vulnerability in the Flask library impacting IBM watsonx Code Assistant for Ansible
Summary There is a vulnerability in the Flask library impacting IBM watsonx Code Assistant for Ansible. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2023-30861 DESCRIPTION: Pallets Flask could allow a remote attacker to obtain sensitiv...
Security Bulletin: IBM® Db2® is vulnerable to denial of service under specific conditions (CVE-2024-45663)
Summary IBM® Db2® is vulnerable to denial of service as the server may crash under certain conditions with a specially crafted query. Vulnerability Details CVEID:CVE-2024-45663 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server is vulnerable to a denial of service as the...
Security Bulletin: IBM® Db2® is vulnerable to denial of service under specific conditions (CVE-2024-37071)
Summary IBM® Db2® is vulnerable to denial of service under certain conditions with a specially crafted query by an authenticated user. Vulnerability Details CVEID:CVE-2024-37071 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server could allow an authenticated user to cause...
Security Bulletin: IBM® Db2® is vulnerable to denial of service under specific conditions (CVE-2024-41761)
Summary IBM® Db2® is vulnerable to denial of service as the server may crash under certain conditions with a specially crafted query. Vulnerability Details CVEID:CVE-2024-41761 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server is vulnerable to a denial of service as the...
Security Bulletin: IBM® Db2® is vulnerable to denial of service under specific conditions (CVE-2024-41762)
Summary IBM® Db2® is vulnerable to denial of service as the server may crash under certain conditions with a specially crafted query. Vulnerability Details CVEID:CVE-2024-41762 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server is vulnerable to a denial of service as the...
Security Bulletin: There are multiple vulnerabilities in IBM App Connect Enterprise due to IBM Semeru Runtime
Summary There are multiple vulnerabilities in IBM App Connect Enterprise due to IBM Semeru Runtime. Vulnerability Details CVEID:CVE-2024-21217 DESCRIPTION: An unspecified vulnerability in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition related to the Serialization...
Security Bulletin: A vulnerability in XML toolkit for Ruby affects IBM License Metric Tool.
Summary There is a vulnerability in the XML toolkit for Ruby component used by IBM License Metric Tool. Vulnerability Details CVEID:CVE-2024-49761 DESCRIPTION: Ruby REXML is vulnerable to a denial of service, caused by a regular expression denial of service ReDoS flaw. By sending a specially...
Security Bulletin: Promise based HTTP client for the browser and node.js
Summary Axios is vulnerable to Regular Expression Denial of Service ReDoS. When a manipulated string is provided as input to the format method, the regular expression exhibits a time complexity of On^2. Server becomes unable to provide normal service due to the excessive cost and time wasted in...
Security Bulletin: User can inject the suspected code via URL passed
Summary A vulnerability in the packageindex module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to cod...
Security Bulletin: IBM QRadar SIEM is vulnerable to cross-site scripting (CVE-2024-47107)
Summary IBM QRadar SIEM is vulnerable to cross-site scripting. This vulnerability has been addressed in the update. Vulnerability Details CVEID:CVE-2024-47107 DESCRIPTION: IBM QRadar is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary...
Security Bulletin: IBM Business Automation Navigator is affected by a vulnerability in path-to-regexp (CVE-2024-45296)
Summary IBM Business Automation Navigator has addressed the following vulnerability. This does not impact IBM Content Navigator on-prem. Vulnerability Details CVEID:CVE-2024-45296 DESCRIPTION: pillarjs Path-to-RegExp is vulnerable to a denial of service, caused by a regular expression denial of...
Security Bulletin: "Carbon Charts" is vulnerable to Cross-site Scripting due to Improper Neutralization of Input During Web Page Generation (CWE-79)
Summary The issue arises from the library not sanitizing custom HTML provided by developers, allowing potentially harmful scripts to be executed in the user's browser when interacting with the chart. Vulnerability Details CVEID:CVE-2024-47117 DESCRIPTION: IBM Carbon Design System is vulnerable to...
Security Bulletin: Multiple vulnerabilities which can affect IBM Storage Scale are now fixed.
Summary There are several vulnerabilities in IBM Storage Scale which could provide weaker than expected security that are now fixed. Vulnerability Details CVEID:CVE-2024-39249 DESCRIPTION: Async is vulnerable to a denial of service, caused by the ReDoS Regular Expression Denial of Service while...
Security Bulletin: QRadar Suite Software includes components with multiple known vulnerabilities
Summary QRadar Suite Software includes components with known vulnerabilities. These have been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version. Vulnerability Details...
Security Bulletin: The IBM® Engineering Lifecycle Management is impacted by vulnerabilties in Apache Commons-Codec version less than 1.13
Summary A vulnerability has been identified in Apache Commons-Codec version less than 1.13, which is used in IBM Engineering Lifecycle Management - IBM Jazz. This bulletin contains information regarding vulnerabilities and remediation actions. Vulnerability Details IBM X-Force ID: 177835...
Security Bulletin: The IBM® Engineering Lifecycle Management is impacted by vulnerabilties in Jdom-1.0
Summary A vulnerability has been identified in Jdom version 1.0, which is used in IBM Engineering Lifecycle Management - IBM Jazz. This bulletin contains information regarding vulnerabilities and remediation actions. Vulnerability Details CVEID:CVE-2021-33813 DESCRIPTION: JDOM is vulnerable to a...
Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to a remote attacker obtaining sensitive information, bypassing security restrictions, and a server-side request forgery due to multiple vulnerabilities.
Summary IBM HTTP Server powered by Apache for IBM i is vulnerable to a remote attacker obtaining sensitive information due to ignoring legacy content-type based configuration of handlers CVE-2024-39884 and improper validation of input CVE-2024-38476, a bypass of security restrictions due to a fla...
Security Bulletin: Vulnerability in certifi-2024.2.2-py3-none-any.whl can affect IBM Storage Scale
Summary There is a vulnerability in certifi-2024.2.2-py3-none-any.whl, used by IBM Storage Scale, which could provide weaker than expected security. CVE-2024-39689 Vulnerability Details CVEID:CVE-2024-39689 DESCRIPTION: Certifi python-certifi could provide weaker than expected security, caused by...
Security Bulletin: IBM SDK Java Technology Edition is vulnerable to CVEs (set out in the link below), affecting WebSphere Service Registry and Repository due to October 2024 CPU
Summary IBM SDK Java Technology Edition is vulnerable to CVE-2024-10917, used by WebSphere Service Registry and Repository. These issues were disclosed as part of the IBM Java SDK updates in December 2024. These issues are also addressed by WebSphere Application Server shipped with WebSphere...
Security Bulletin: Security vulnerabilities were discovered in IBM Java SE as shipped with IBM Security Directory Integrator.
Summary Multilple Security Vulnerabilities were addressed in IBM Java SE as shipped with IBM Security Directory Integrator Vulnerability Details CVEID:CVE-2024-21235 DESCRIPTION: Vulnerability in Java SE component: Hotspot. Difficult to exploit vulnerability allows unauthenticated attacker with...
Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to Kerberos 5, OpenSSL, libexpat, golang-jwt, and GnuPG Libgcrypt
Summary Kerberos 5, OpenSSL, libexpat, golang-jwt, GnuPG Libgcrypt and IBM MQ used by IBM MQ Operator and Queue Manager container images are vulnerable to denial of service due to improper memory allocation and server configuration validation, spoofing attacks, and providing weaker than expected...
Security Bulletin: IBM Observability with Instana is vulnerable to Improper Validation of Specified Type of Input
Summary Golang Go is used by IBM Instana Observability as part of the elasticsearch-operator CVE-2024-24790 . This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2024-24790 DESCRIPTION: An unspecified error related to various Is methods...
Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to Denial of Service attacks vulnerability with snakeYaml library
Summary Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to Denial of Service attacks vulnerability due to snakeYaml library. Vulnerability Details CVEID:CVE-2022-41854 DESCRIPTION: snakeYAML is vulnerable to a denial of service, caused by improper input validation. By...
Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to cross-site scripting (CVE-2023-38722)
Summary IBM Sterling Partner Engagement Manager has addressed a reflected cross-site scripting vulnerability. Vulnerability Details CVEID:CVE-2022-38749 DESCRIPTION: SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a...
Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable due to SnakeYAML issue
Summary IBM Sterling Partner Engagement Manager uses SnakeYAML, which is subject to stack overflow when parsing YAML files. Vulnerability Details CVEID:CVE-2022-38750 DESCRIPTION: SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a...
Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to org.yaml:snakeyaml Denial of Service (DoS)
Summary IBM Sterling Partner Engagement Manager uses org.yaml:snakeyaml Denial of Service , affected for the CVE CVE-2022-25857 Vulnerability Details CVEID:CVE-2022-25857 DESCRIPTION: Java package org.yaml:snakeyam is vulnerable to a denial of service, caused by missing to nested depth limitation...
Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Eclipse Jetty
Summary Multiple vulnerabilities in Eclipse Jetty that is used by InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2024-9823 DESCRIPTION: Eclipse Jetty is vulnerable to a denial of service, caused by a flaw in the DosFilter feature. By sending specially crafted...
Security Bulletin: Vulnerability in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to October 2024 CPU
Summary There are multiple vulnerabilities in the IBM® SDK, Java™ Technology Edition that is shipped with IBM WebSphere Application Server and IBM WebSphere Application Server Liberty. The CVEs listed in this document might affect some configurations of IBM WebSphere Application Server traditiona...
Security Bulletin: IBM Sterling Secure Proxy is vulnerable to improper input validation
Summary IBM Sterling Secure Proxy is affected by an improper input validation vulnerability that is exploitable by authenticated, privileged users. Vulnerability Details CVEID:CVE-2024-41783 DESCRIPTION: IBM Sterling Secure Proxy could allow a privileged user to inject commands into the underlyin...
Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in OpenSSL
Summary Multiple vulnerabilities in OpenSSL used by IBM InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2023-3817 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a flaw when using the DHcheck, DHcheckex or EVPPKEYparamcheck functions to check a D...
Security Bulletin: PowerSC is vulnerable to information disclosure, denial of service, and security restrictions bypass due to Curl
Summary Vulnerabilities in Curl could allow a local attacker to obtain sensitive information CVE-2024-7264 or a remote attacker to cause a denial of service CVE-2024-6197, CVE-2024-37371 or bypass security restrictions CVE-2024-37370. PowerSC uses Curl as part of PowerSC Trusted Network Connect...
Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Werkzeug
Summary Multiple vulnerabilities in Werkzeug used by InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2024-49766 DESCRIPTION: Werkzeug is a Web Server Gateway Interface web application library. On Python = 3.11, or not using Windows, are not vulnerable. Werkzeug versi...
Security Bulletin: IBM Sterling B2B Integrator is affected by multiple vulnerabilities in CKEditor
Summary IBM Sterling B2B Integrator is affected by multiple vulnerabilities in CKEditor Vulnerability Details CVEID:CVE-2021-32808 DESCRIPTION: CKEditor is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the clipboard Widget plugin if used alongside the...
Security Bulletin: IBM Sterling B2B Integrator is vulnerable to information disclosure due to Apache Commons Codec (177835)
Summary IBM Sterling B2B Integrator uses Apache Commons Codec. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details IBM X-Force ID: 177835 DESCRIPTION: Apache Commons Codec could allow a remote attacker to obtain sensitive information, caused by the...
Security Bulletin: IBM Sterling B2B Integrator is affected by multiple security vulnerabilities in IBM WebSphere Application Server
Summary IBM Sterling B2B Integrator is affected by multiple security vulnerabilities in IBM WebSphere Application Server Vulnerability Details CVEID:CVE-2023-31582 DESCRIPTION: Jose4J could allow a remote attacker to obtain sensitive information, caused by allowing of a low iteration count of 100...
Security Bulletin: Multiple vulnerabilities affect IBM® SDK, Java™ Technology Edition
Summary This bulletin for IBM SDK, Java Technology Edition covers all applicable Java SE CVEs published by Oracle as part of their October 2024 Critical Patch Update, plus CVE-2024-10917. For more information please refer to Oracle's October 2024 CPU Advisory and the X-Force database entries...
Security Bulletin: IBM App Connect Enterprise Certified Container UBI updates
Summary IBM App Connect Enterprise Certified Container ACEcc is built on the Red Hat Universal Base Images. ACEcc operator versions 5.0.22 LTS, 12.0.6 LTS and 12.6.0 contain fixes to the listed CVEs found in the base images. This bulletin provides patch information to address the reported...
Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager is vulnerable to multiple vulnerabilities.
Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition used by IBM Tivoli Application Dependency Discovery Manager TADDM. Vulnerability Details CVEID:CVE-2024-21094 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote...
Security Bulletin: Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager
Summary IBM Db2 is shipped as a component of IBM Security Key Lifecycle Manager SKLM/GKLM. Information about multiple security vulnerabilities affecting IBM Db2 has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...
Security Bulletin: A security vulnerability in WebSphere Application Server Liberty affects IBM Robotic Process Automation which may result in spoofing attacks (CVE-2023-50314)
Summary A security vulnerability in WebSphere Application Server Liberty affects IBM Robotic Process Automation which may result in spoofing attacks. WebSphere Application Liberty is used by IBM Robotic Process Automation as part of Antivirus and Abbyy containers as well as UMS. This bulletin...
Security Bulletin: Multiple vulnerabilities in IBM WebSphere Liberty Profile affect IBM Robotic Process Automation.
Summary Multiple vulnerabilities in IBM WebSphere Liberty Profile affect IBM Robotic Process Automation. IBM WebSphere Liberty Profile is used by IBM Robotic Process Automation as part of UMS and as an application server for container deployments. This bulletin identifies the security fixes to...
Security Bulletin: Multiple security vulnerabilities in IBM MQ affect IBM Robotic Process Automation
Summary Multiple security vulnerabilities in IBM MQ affect IBM Robotic Process Automation. IBM MQ is used by IBM Robotic Process Automation as a system queue. This bulletin identifies the fixes to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-40681 DESCRIPTION: IBM MQ Operator...
Security Bulletin: Multiple vulnerabilities in RedHat UBI affect IBM Robotic Process Automation for Cloud Pak
Summary Multiple vulnerabilities in RedHat UBI affect IBM Robotic Process Automation for Cloud Pak. RedHat UBI is used as base imaged for IBM Robotic Process Automation for Cloud Pak images. This bulletin identifies the fixes required to address the vulnerabilites. Vulnerability Details...