35059 matches found

IBM Security Bulletins
added 2024/08/16 8:21 p.m. (20 views)

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to an information disclosure (CVE-2023-50315)

Summary IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to an information disclosure. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products and Versions|...

CVSS 5.9 | AI score 5.4 | EPSS 0.00149 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/16 8:20 p.m. (19 views)

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to information disclosure (CVE-2023-50314)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to information disclosure. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products and...

CVSS 7.5 | AI score 6 | EPSS 0.00149 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/16 6:50 p.m. (37 views)

Security Bulletin: IBM License Key Server Administration and Reporting Tool, and its Agent is vulnerable to Password Exposure via UI inspection

Summary A vulnerability in IBM License Key Server Administration and Reporting Tool, and Agent allowed users' stored passwords to be exposed through the browser's console. This issue could potentially lead to unauthorized access to user accounts if an attacker gained access to the logged-in user'...

CVSS 6.5 | AI score 5.5 | EPSS 0.00077 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/16 12:6 p.m. (57 views)

Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager is vulnerable to multiple vulnerabilities.

Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition used by IBM Tivoli Application Dependency Discovery Manager TADDM. These issues were disclosed as part of the IBM Java SDK updates in January 2024. Vulnerability Details CVEID:CVE-2024-20952 DESCRIPTION: An unspecifie...

CVSS 7.5 | AI score 7.2 | EPSS 0.00319 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/16 9:8 a.m. (40 views)

Security Bulletin: The IBM QRadar SIEM Amazon Web Services protocol is vulnerable to access restriction bypass and sensitive information exposure (CVE-2020-8908, CVE-2023-2976)

Summary Google Guava is used by IBM QRadar SIEM Amazon Web Services protocol, and it has known vulnerabilities. The issues have been addressed in an update. Vulnerability Details CVEID:CVE-2020-8908 DESCRIPTION: Guava could allow a remote authenticated attacker to bypass security restrictions,...

CVSS 7.1 | AI score 6.3 | EPSS 0.00072 | Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2024/08/16 9:8 a.m. (35 views)

Security Bulletin: IBM Security QRadar EDR Software contains multiple vulnerabilities (CVE-2024-37890, CVE-2024-37891)

Summary IBM Security QRadar EDR Software includes vulnerable components e.g., framework libraries that could be identified and exploited with automated tools. These have been addressed in an update. Vulnerability Details CVEID:CVE-2024-37890 DESCRIPTION: Node.js ws module is vulnerable to a denia...

CVSS 7.5 | AI score 5.8 | EPSS 0.00541 | Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2024/08/15 8:1 p.m. (14 views)

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server CVE-2024-35153

Summary IBM WebSphere Application Server is shipped with IBM WebSphere Remote Server. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the...

CVSS 4.8 | AI score 5 | EPSS 0.00309 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/15 6:23 p.m. (25 views)

Security Bulletin: Vulnerability in Netplex JSON Smart affects watsonx.data

Summary netplex json-smart-v2 is vulnerable to a denial of service, caused by not limiting the nesting of arrays or objects. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2023-1370 DESCRIPTION: netplex json-smart-v2 is vulnerable to a denial of service, caused by not limiting the...

CVSS 7.5 | AI score 8.3 | EPSS 0.00016 | Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2024/08/15 4:26 p.m. (28 views)

Security Bulletin: IBM App Connect Enterprise is vulnerable to a denial of service due to Node.js module ws (CVE-2024-37890)

Summary IBM App Connect Enterprise is vulnerable to a denial of service due to Node.js module ws. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2024-37890 DESCRIPTION: Node.js ws module is vulnerable to a denial of service, caused by a NU...

CVSS 7.5 | AI score 7.3 | EPSS 0.00541 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/15 3:40 p.m. (36 views)

Security Bulletin: Several Security Vulnerabilities were discovered in IBM Security Directory Suite. (CVE-2023-24998, CVE-2023-28867, CVE-2023-0482)

Summary Several vulnerabilities were addressed in WebSphere Application Server Liberty components shipped with the IBM Security Directory Suite Vulnerability Details CVEID:CVE-2023-24998 DESCRIPTION: Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by not limit t...

CVSS 7.5 | AI score 7.8 | EPSS 0.37165 | Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2024/08/15 3:36 p.m. (35 views)

Security Bulletin: Several Security Vulnerabilities have been addressed in IBM Security Directory Suite. (CVE-2022-21426, CVE-2023-21830, CVE-2023-21843)

Summary Multiple Security Vulnerabilities have been discovered in the Java SE component as shipped with IBM Security Directory Suite. These have been addressed in an update. Vulnerability Details CVEID:CVE-2022-21426 DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP...

CVSS 5.3 | AI score 5.2 | EPSS 0.00127 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/14 8:11 p.m. (56 views)

Security Bulletin: IBM Planning Analytics is affected by vulnerabilities in IBM Java and IBM Websphere Application Server Liberty

Summary There are vulnerabilities in IBM® Java™ Version 8 and IBM WebSphere Application Server Liberty used by both IBM Planning Analytics and IBM Planning Analytics Workspace. With respect to IBM Planning Analytics, applicable CVEs have been addressed by upgrading to non-vulnerable versions of...

CVSS 7.5 | AI score 9.2 | EPSS 0.00383 | Exploits 1 | Affected Software 4

IBM Security Bulletins
added 2024/08/14 4:33 p.m. (36 views)

Security Bulletin: IBM WebSphere Application Server is vulnerable to an information disclosure (CVE-2023-50315)

Summary IBM WebSphere Application Server is vulnerable to an information disclosure. Vulnerability Details CVEID:CVE-2023-50315 DESCRIPTION: IBM WebSphere Application Server could allow an attacker with access to the network to conduct spoofing attacks. An attacker could exploit this vulnerabilit...

CVSS 5.9 | AI score 5.1 | EPSS 0.00149 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/14 3:53 p.m. (27 views)

Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to information disclosure (CVE-2023-50314)

Summary IBM WebSphere Application Server Liberty is vulnerable to information disclosure. Vulnerability Details CVEID:CVE-2023-50314 DESCRIPTION: IBM WebSphere Application Server Liberty could allow an attacker with access to the network to conduct spoofing attacks. An attacker could exploit this...

CVSS 7.5 | AI score 6 | EPSS 0.00149 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/14 3:42 p.m. (19 views)

Security Bulletin: Vulnerability in CRI-O affects watsonx.data

Summary CRI-O could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by an arbitrary systemd property injection. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-3154 DESCRIPTION: CRI-O could allow a remote authenticated attacker to...

CVSS 7.2 | AI score 7.7 | EPSS 0.00369 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/14 3:41 p.m. (28 views)

Security Bulletin: Vulnerability in VMware Tanzu Spring Framework affects watsonx.data

Summary VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-22262 DESCRIPTION: VMware Tanzu Spring Framework could allow a remote attacker to conduct...

CVSS 8.1 | AI score 7.7 | EPSS 0.12634 | Exploits 2 | Affected Software 1

IBM Security Bulletins
added 2024/08/14 3:40 p.m. (41 views)

Security Bulletin: Vulnerabilities in jackson-databind affect watsonx.data

Summary FasterXML jackson-databind has multiple vulnerabilities including the possibility of remote attackers executing arbitrary code on the system. These can affect watsonx.data. Vulnerability Details CVEID:CVE-2018-12022 DESCRIPTION: FasterXML jackson-databind could allow a remote attacker to...

CVSS 8.8 | AI score 9.1 | EPSS 0.38909 | Exploits 9 | Affected Software 1

IBM Security Bulletins
added 2024/08/14 3:38 p.m. (19 views)

Security Bulletin: Vulnerability in Apache Calcite Avatica affects watsonx.data

Summary Apache Calcite Avatica JDBC driver creates HTTP client instances based on class names provided via httpclient_impl connection property; however, the driver does not verify if the class implements the expected interface before instantiating it, which can lead to code execution loaded via...

CVSS 8.8 | AI score 9.2 | EPSS 0.11793 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/14 3:36 p.m. (43 views)

Security Bulletin: Vulnerability in jackson-databind affects watsonx.data

Summary FasterXML jackson-databind is vulnerable to a denial of service, caused by a Java StackOverflow exception and other causes Vulnerability Details CVEID:CVE-2020-36518 DESCRIPTION: FasterXML jackson-databind is vulnerable to a denial of service, caused by a Java StackOverflow exception. By...

CVSS 7.5 | AI score 7.6 | EPSS 0.00474 | Exploits 5 | Affected Software 1

IBM Security Bulletins
added 2024/08/14 2:18 p.m. (49 views)

Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to July 2024 CPU

Summary There are multiple vulnerabilities in the IBM® SDK, Java™ Technology Edition that is shipped with IBM WebSphere Application Server and IBM WebSphere Application Server Liberty. The CVEs listed in this document might affect some configurations of IBM WebSphere Application Server traditiona...

CVSS 7.4 | AI score 6.7 | EPSS 0.00977 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/14 2:13 p.m. (31 views)

Security Bulletin: Multiple vulnerabilities affect IBM® SDK, Java™ Technology Edition

Summary This bulletin for IBM SDK, Java Technology Edition covers all applicable Java SE CVEs published by Oracle as part of their July 2024 Critical Patch Update, plus CVE-2024-27267. For more information please refer to Oracle's July 2024 CPU Advisory and the X-Force database entries referenced...

CVSS 7.4 | AI score 6.2 | EPSS 0.00977 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/14 1:9 p.m. (14 views)

Security Bulletin: PyMySQL allows SQL injection [CVE-2024-36039]

Summary PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict. Vulnerability Details CVEID:CVE-2024-36039 DESCRIPTION: PyMySQL is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which cou...

CVSS 6.3 | AI score 7.1 | EPSS 0.00136 | Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2024/08/14 9:50 a.m. (27 views)

Security Bulletin: Pillow versions have a Denial of Service vulnerability due to uncontrolled memory allocation in ImageFont's

Summary An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance...

CVSS 8.1 | AI score 9.3 | EPSS 0.00754 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/14 9:31 a.m. (71 views)

Security Bulletin: QRadar Suite Software includes components with multiple known vulnerabilities

Summary QRadar Suite Software includes components with known vulnerabilities. These have been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version. Vulnerability Details...

CVSS 10 | AI score 9.5 | EPSS 0.8434 | Exploits 2 | Affected Software 1

IBM Security Bulletins
added 2024/08/14 9:0 a.m. (21 views)

Security Bulletin: The IBM® Engineering Lifecycle Engineering product using IBM SDK, Java Technology Edition Quarterly CPU - Apr 2024 - Includes Oracle April 2024 CPU plus CVE-2023-38264

Summary IBM SDK, Java Technology Edition is vulnerable to CVE-2023-38264. Following IBM® Engineering Lifecycle Engineering product is vulnerable to this attack, it has been addressed in this bulletin: IBM Engineering Test Management, IBM Engineering Lifecycle Optimization - Publishing, Global...

CVSS 7.5 | AI score 5.8 | EPSS 0.00152 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/13 9:14 p.m. (24 views)

Security Bulletin: IBM® Db2® is vulnerable to a denial of service when querying certain tables using a specially crafted statement (CVE-2024-35152)

Summary IBM® Db2® is vulnerable to a denial of service when querying certain tables using a specially crafted statement. Vulnerability Details CVEID:CVE-2024-35152 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server could allow an authenticated user to cause a denial of...

CVSS 6.5 | AI score 6.5 | EPSS 0.00204 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/13 9:11 p.m. (15 views)

Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted query on columnar tables in a database partitioned environment (CVE-2024-31882)

Summary IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted query on columnar tables in a database partitioned environment. Vulnerability Details CVEID:CVE-2024-31882 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server is...

CVSS 6.5 | AI score 6.2 | EPSS 0.00427 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/13 6:12 p.m. (42 views)

Security Bulletin: Multiple vulnerabilities affect IBM® Semeru Runtime

Summary This bulletin for IBM Semeru Runtime covers all applicable Java SE CVEs published by OpenJDK as part of their July 2024 Vulnerability Advisory. For more information please refer to OpenJDK's July 2024 Vulnerability Advisory and the X-Force database entries referenced below. Vulnerability...

CVSS 4.8 | AI score 5.5 | EPSS 0.0045 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/13 4:22 p.m. (28 views)

Security Bulletin: IBM OpenPages may write sensitive information with System tracing enabled (CVE-2024-35117)

Summary IBM OpenPages may write sensitive data to server log files when the 'UI API' tracing is enabled per the System Tracing feature. Vulnerability Details CVEID:CVE-2024-35117 DESCRIPTION: IBM OpenPages may write sensitive information, under specific configurations, in clear text to the system...

CVSS 4.4 | AI score 6.6 | EPSS 0.00078 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/13 6:16 a.m. (63 views)

Security Bulletin: Moment.js issue of validating, manipulating, and formatting dates

Summary Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm server users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale...

CVSS 7.5 | AI score 7.6 | EPSS 0.03173 | Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2024/08/12 10:17 p.m. (29 views)

Security Bulletin: IBM Cognos Dashboards on Cloud Pak for Data has addressed security vulnerabilities

Summary There are vulnerabilities in IBM Websphere Application Liberty and Open-Source Software OSS components consumed by IBM Cognos Dashboards on Cloud Pak which have been resolved by upgrading or removing the vulnerable libraries. Please refer to the Related Information section below for...

CVSS 9.8 | AI score 10 | EPSS 0.24971 | Exploits 4 | Affected Software 1

IBM Security Bulletins
added 2024/08/12 10:4 p.m. (58 views)

Security Bulletin: AIX is affected by information disclosure (CVE-2023-45803) and arbitrary code execution (CVE-2024-6345) due to Python

Summary Vulnerabilities in Python could allow a remote attacker to obtain sensitive information CVE-2023-45803 or execute arbitrary code CVE-2024-6345. Python is used by AIX as part of Ansible node management automation. Vulnerability Details CVEID:CVE-2023-45803 DESCRIPTION: urllib3 could allow ...

CVSS 8.8 | AI score 7.9 | EPSS 0.09639 | Exploits 0 | Affected Software 2

IBM Security Bulletins
added 2024/08/12 7:34 p.m. (28 views)

Security Bulletin: Multiple vulnerabilities in IBM WebSphere Liberty Profile affects IBM Robotic Process Automation and may result in a denial of service (CVE-2024-25026, CVE-2024-27268)

Summary Multiple vulnerabilities in IBM WebSphere Liberty Profile affects IBM Robotic Process Automation and may result in a denial of service. IBM WebSphere Liberty is used by IBM Robotic Process Automation as part of Abbyy and Antivirus containers and UMS. This bulletin identifies the...

CVSS 7.5 | AI score 6.5 | EPSS 0.00191 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/12 2:48 p.m. (16 views)

Security Bulletin: IBM QRadar Suite software is vulnerable to invalid session timeout

Summary IBM QRadar Suite software is vulnerable to invalid session timeout. This has been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version. Vulnerability Details...

CVSS 4.7 | AI score 4.9 | EPSS 0.00092 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/12 11:9 a.m. (21 views)

Security Bulletin: IBM Transformation Extender Advanced v10.0.x is affected by a vulnerability in its dependencies

Summary IBM Transformation Extender Advanced, also known as IBM Standards Processing Engine, is vulnerable to Unix File Parameter Alteration Vulnerability Details CVEID:CVE-2020-3452 DESCRIPTION: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software could allow a remote...

CVSS 7.5 | AI score 7.4 | EPSS 0.94428 | Exploits 24 | Affected Software 1

IBM Security Bulletins
added 2024/08/12 10:6 a.m. (12 views)

Security Bulletin: IBM Maximo Application Suite uses ansible-operator 7.11.6 which is vulnerable to CVE-2024-0690.

Summary IBM Maximo Application Suite uses ansible-operator 7.11.6 which is vulnerable to CVE-2024-0690. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-0690 DESCRIPTION: Red Hat Ansible could allow a local authenticated attacker...

CVSS 5.5 | AI score 5.1 | EPSS 0.0006 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/12 8:30 a.m. (22 views)

Security Bulletin: IBM Maximo Application Suite uses IBM WebSphere Application Server Liberty 24.0.0.4 which is vulnerable to CVE-2023-50312 and CVE-2024-25026

Summary IBM Maximo Application Suite uses IBM WebSphere Application Server Liberty 24.0.0.4 which is vulnerable to CVE-2023-50312 and CVE-2024-25026. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2023-50312 DESCRIPTION: IBM WebSphe...

CVSS 7.5 | AI score 6.3 | EPSS 0.00032 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/12 8:30 a.m. (27 views)

Security Bulletin: IBM Maximo Application Suite - IoT Component uses bcprov-jdk15on-1.70.jar which is vulnerable to CVE-2024-30172

Summary IBM Maximo Application Suite - IoT Component uses bcprov-jdk15on-1.70.jar which is vulnerable to CVE-2024-30172. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-30172 DESCRIPTION: The Bouncy Castle Crypto Package For Jav...

CVSS 7.5 | AI score 7.2 | EPSS 0.00091 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/12 8:29 a.m. (23 views)

Security Bulletin: IBM Maximo Application Suite uses Flask_Cors-4.0.0-py2.py3-none-any.whl which is vulnerable to CVE-2024-1681

Summary IBM Maximo Application Suite uses Flask_Cors-4.0.0-py2.py3-none-any.whl which is vulnerable to CVE-2024-1681. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-1681 DESCRIPTION: Flask-CORS could allow a remote attacker to...

CVSS 5.3 | AI score 5.8 | EPSS 0.00179 | Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2024/08/12 6:56 a.m. (20 views)

Security Bulletin: Apache commons-fileupload vulnerability (CVE-2023-24998)

Summary Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option...

CVSS 7.5 | AI score 7.6 | EPSS 0.37165 | Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2024/08/12 4:28 a.m. (36 views)

Security Bulletin: Multiple vulnerabilities in IBM WebSphere Liberty impact IBM License Key Server Administration and Reporting Tool and IBM LKS Administration Agent.

Summary Multiple vulnerabilities in IBM WebSphere Liberty impact IBM License Key Server Administration and Reporting Tool and IBM LKS Administration Agent. Vulnerability Details CVEID:CVE-2024-25026 DESCRIPTION: IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Libert...

CVSS 7.5 | AI score 6.8 | EPSS 0.00191 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/12 4:26 a.m. (38 views)

Security Bulletin: Multiple Security Vulnerabilities in IBM Java Runtime affect IBM License Key Server Administration and Reporting Tool and its Agent

Summary Multiple vulnerabilities affect IBM® SDK, Java™ Technology Edition in IBM License Key Server Administration and Reporting Tool ART and Administration Agent. For more information please refer to Oracle's CPU Advisory and the X-Force database entries referenced below. Vulnerability Details...

CVSS 7.5 | AI score 5.1 | EPSS 0.00449 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/12 4:25 a.m. (18 views)

Security Bulletin: IBM Common Licensing is vulnerable to stored cross-site scripting in IBM LKS Administration Reporting Tool and its Agent.

Summary IBM LKS Administration Reporting Tool and its Agent are vulnerable to stored cross-site scripting. This has been addressed in the remediation section Vulnerability Details CVEID:CVE-2024-41774 DESCRIPTION: IBM Common Licensing is vulnerable to stored cross-site scripting. This vulnerabili...

CVSS 4.8 | AI score 4.9 | EPSS 0.001 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/12 4:23 a.m. (16 views)

Security Bulletin: IBM Common Licensing is affected by a Weak Password Policy vulnerability (CVE-2024-40697)

Summary IBM LKS Administration and Reporting Tool and Administration Agent does not require that users should have passwords of defined length by default, which makes it easier for attackers to compromise user accounts. This has been addressed in remediation section. Vulnerability Details...

CVSS 7.5 | AI score 7.4 | EPSS 0.0011 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/11 8:40 p.m. (32 views)

Security Bulletin: Multiple vulnerabilities in IBM® Db2® affect IBM® Db2® Big SQL.

Summary There are multiple vulnerabilities in IBM® Db2® 11.5 used by IBM® Db2® Big SQL 7 on IBM Cloud Pak for Data 4.7 and earlier. These issues were disclosed in an IBM® Db2® Security Bulletin in July 2023. Vulnerability Details CVEID:CVE-2023-30447 DESCRIPTION: IBM Db2 for Linux, UNIX and Windo...

CVSS 8.8 | AI score 8.9 | EPSS 0.00194 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/10 3:11 a.m. (55 views)

Security Bulletin: IBM Data Virtualization on Cloud Pak for Data is vulnerable to OpenSSH vulnerability CVE-2024-6387

Summary IBM Data Virtualization on Cloud Pak for Data embeds a variant of the IBM Db2 database server that runs in MPP mode. For MPP functionality such as scale-out, internally the server uses the secure shell SSH protocol for inter-pod communication. SSH protocol is not exposed to external users...

CVSS 8.1 | AI score 8.6 | EPSS 0.65792 | Exploits 68 | Affected Software 1

IBM Security Bulletins
added 2024/08/09 4:11 p.m. (15 views)

Security Bulletin: IBM Master Data Management vulnerable to remote code execution from vulnerability in IBM WebSphere Application Server (CVE-2024-35154)

Summary IBM Master Data Management version 11.6 and 12.0 is impacted by vulnerability in WebSphere Application Server. IBM WebSphere Application Server 8.5 and 9.0 could allow a remote authenticated attacker, who has authorized access to the administrative console, to execute arbitrary code. Usin...

CVSS 7.2 | AI score 7.7 | EPSS 0.00285 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/09 11:54 a.m. (28 views)

Security Bulletin: Multiple Vulnerabilities in XCC affect IBM Cloud Pak System

Summary Multiple Vulnerabilities in XClarity Controller XCC affect IBM Cloud Pak System. XCC is used by Cloud Pak System. IBM Cloud Pak System has addressed these vulnerabilities. Vulnerability Details CVEID:CVE-2023-4607 DESCRIPTION: Lenovo XClarity Controller XCC could allow a remote...

CVSS 8.8 | AI score 7.6 | EPSS 0.0057 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/09 11:21 a.m. (19 views)

Security Bulletin: Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2024-27268 used in IBM Maximo Application Suite - Monitor Component

Summary IBM Maximo Application Suite - Monitor Component uses WebSphere Application Server Liberty which is vulnerable to CVE-2024-27268. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-27268 DESCRIPTION: IBM WebSphere Application...

CVSS 7.5 | AI score 6.6 | EPSS 0.00191 | Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2024/08/09 11:20 a.m. (20 views)

Security Bulletin: Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2024-22354 used in IBM Maximo Application Suite - Monitor Component

Summary IBM Maximo Application Suite - Monitor Component uses WebSphere Application Server Liberty which is vulnerable to CVE-2024-22354. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-22354 DESCRIPTION: IBM WebSphere Application...

CVSS 7 | AI score 7.3 | EPSS 0.00019 | Exploits 0 | Affected Software 1

Total number of security vulnerabilities: 35059