Security Bulletin: Security Vulnerability fixed in IBM Security Directory Integrator (CVE-2022-32759)
Summary The IBM Security Directory Integrator product uses insufficient session expiration which affects the IBM Security Directory Server. The issue has been addressed in an update. Vulnerability Details CVEID:CVE-2022-32759 DESCRIPTION: IBM Security Directory Server uses insufficient session...
Security Bulletin: Security Vulnerability fixed in IBM Security Directory Integrator (CVE-2024-28771, CVE-2024-28770, CVE-2024-28766)
Summary Multiple Security Vulnerabilities were fixed in the IBM Security Directory Integrator product. Vulnerability Details CVEID:CVE-2024-28771 DESCRIPTION: IBM Security Directory Integrator does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to g...
Security Bulletin: Security Vulnerability fixed in IBM Security Directory Integrator (CVE-2022-33162)
Summary IBM Security Directory Integrator has addressed an issue where it did not perform authentication. Vulnerability Details CVEID:CVE-2022-33162 DESCRIPTION: IBM Security Directory Server does not perform any authentication for functionality that requires a provable user identity or consumes ...
Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities
Summary There are multiple vulnerabilities in components of IBM i Modernization Engine for Lifecycle Integration as described in the Vulnerability Details section. The Bouncy Castle Crypto Package For Java could allow a remote authenticated attacker to obtain sensitive information CVE-2024-30171...
Security Bulletin: IBM QRadar Suite software is vulnerable to information exposure
Summary IBM QRadar Suite software is vulnerable to information exposure through a detailed technical error message. This has been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest...
Security Bulletin: Operations Dashboard in IBM Cloud Pak for Integration is vulnerable to Go vulnerabilities CVE-2023-45290, CVE-2024-24783, CVE-2024-24785, CVE-2023-45289, CVE-2024-24784 & CVE-2024-24788
Summary Operations Dashboard in IBM Cloud Pak for Integration is vulnerable to denial of service and remote code execution due to Go vulnerabilities CVE-2023-45290, CVE-2024-24783, CVE-2024-24785, CVE-2023-45289, CVE-2024-24784 & CVE-2024-24788. These have been remediated. Vulnerability Details...
Security Bulletin: IBM Event Streams is vulnerable to a denial of service attack due to the Netty package (CVE-2023-34462).
Summary Netty is used by IBM Event Streams, providing high-performance, asynchronous network communication that ensures scalability, low latency, and secure connections, essential for real-time data processing and reliable event delivery. Vulnerability Details CVEID:CVE-2023-34462 DESCRIPTION:...
Security Bulletin: IBM InfoSphere Information Server is affected by an information disclosure vulnerability (CVE-2024-37533)
Summary An information disclosure vulnerability in InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2024-37533 DESCRIPTION: IBM InfoSphere Information Server could disclose sensitive user information to another user with physical access to the machine. CVSS Base score:...
Security Bulletin: Security Vulnerabilities in the IBM Java SE were fixed in the IBM Security Directory Integrator (CVE-2024-21094, CVE-2024-21085, CVE-2024-21011, CVE-2023-38264)
Summary Multiple Security Vulnerabilities in the IBM Java SE package were addressed and shipped with the IBM Security Directory Integrator. Vulnerability Details CVEID:CVE-2024-21094 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.8.5 is affected by an arbitrary code execution in OpenSSH server [CVE-2024-6387]
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.8.5 is affected by arbitrary code execution in OpenSSH server, caused by a signal handler race condition CVE-2024-6387. Open SSH is a component of a glibc library that is included in our Speech Service Runtimes, but not...
Security Bulletin: IBM Information Governance Catalog is vulnerable to unrestricted file upload (CVE-2024-40705)
Summary An unrestricted file upload vulnerability in Information Governance Catalog was addressed. Vulnerability Details CVEID:CVE-2024-40705 DESCRIPTION: IBM Information Governance Catalog could allow an authenticated user to consume file space resources due to unrestricted file uploads. CVSS Ba...
Security Bulletin: IBM DataStage Flow Designer is vulnerable to information disclosure (CVE-2024-40704)
Summary An information disclosure vulnerability in DataStage Flow Designer was addressed. Vulnerability Details CVEID:CVE-2024-40704 DESCRIPTION: IBM DataStage Flow Designer could allow a privileged user to obtain sensitive information from authentication request headers. CVSS Base score: 4.9 CVS...
Security Bulletin: IBM Event Streams is vulnerable to a denial of service attack due to the protobuf-java (CVE-2022-3509).
Summary IBM Event Streams is vulnerable to a denial of service attack due to the protobuf-java core and lite. They are most often used for defining communications protocols together with gRPC and for data storage. Vulnerability Details CVEID:CVE-2022-3509 DESCRIPTION: protobuf-java core and lite...
Security Bulletin: IBM Event Streams is vulnerable to a denial of service attack due to the Apache Kafka (CVE-2024-27309).
Summary IBM Event Streams is vulnerable to a denial of service attack due to the Apache Kafka. It is primarily used to build real-time streaming data pipelines and applications that adapt to the data streams. It combines messaging, storage, and stream processing to allow storage and analysis of...
Security Bulletin: IBM Event Streams is vulnerable to a denial of service attack due to the snappy-java (CVE-2023-43642).
Summary IBM Event Streams is vulnerable to a denial of service attack due to the snappy-java component. In IBM Event Streams, Snappy-java boosts performance by compressing event payloads before transmission and decompressing them on the client side, reducing bandwidth usage and improving data...
Security Bulletin: IBM Event Streams is vulnerable to phishing attack due to the follow-redirects component (CVE-2023-26159).
Summary IBM Event Streams is vulnerable to phishing attack due to the follow-redirects component. In event streams, following redirects ensures uninterrupted data flow by automatically directing clients to new endpoints if the original one changes. It also aids in load balancing and failover...
Security Bulletin: IBM Storage Ceph is vulnerable to Prototype Pollution in Grafana (CVE-2023-36665)
Summary Protobuf is used by IBM Storage Ceph in Grafana as part of metrics. This bulletin identifies the steps to take to address the vulnerability in Grafana. CVE-2023-36665. Vulnerability Details CVEID:CVE-2023-36665 DESCRIPTION: protobuf.js could allow a remote attacker to execute arbitrary co...
Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to HTTP response splitting attacks [CVE-2023-38709, CVE-2024-24795].
Summary IBM HTTP Server powered by Apache for IBM i is vulnerable to HTTP response splitting attacks due to improper input validation and flaws in multiple modules as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerabilities as...
Security Bulletin: Multiple IBM® Db2® security vulnerability fixes
Summary If you use IBM® Db2® as your database in your IBM Datacap deployment, please follow the Db2 security bulletins referred here to remedy the vulnerabilities. IBM® Db2® is affected by a vulnerability in the open source zlib library CVE-2023-45853 and IBM® Db2® is vulnerable to sensitive...
Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jul 2023 Vulnerabilities Affect IBM SPSS
Summary IBM SPSS addressed vulnerabilities reported in IBM SDK, Java Technology Edition Quarterly CPU - Jul 2023 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products| Versions ---|--- | SPSS Statistics| 29.0...
Security Bulletin: Security vulnerabilities may affect Go packages that are shipped with IBM CICS TX Standard.
Summary Security vulnerabilities may affect Go packages that are shipped with IBM CICS TX Standard. IBM CICS TX Standard has addressed the issues. Vulnerability Details CVEID:CVE-2024-24786 DESCRIPTION: Protocol Buffers protobuf-go is vulnerable to a denial of service, caused by an infinite loop...
Security Bulletin: Security vulnerabilities may affect Go packages that are shipped with IBM CICS TX Advanced.
Summary Security vulnerabilities may affect Go packages that are shipped with IBM CICS TX Advanced. IBM CICS TX Advanced has addressed the issues. Vulnerability Details CVEID:CVE-2023-45288 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a memory exhaustion flaw due to floo...
Security Bulletin: IBM App Connect Enterprise is vulnerable to a local authenticated attack and denial of service due to Microsoft Azure Identity Libraries and Microsoft Authentication Library and gRPC on Node.js (CVE-2024-35255, CVE-2024-37168)
Summary IBM App Connect Enterprise is vulnerable to a local authenticated attack and denial of service due to Microsoft Azure Identity Libraries and Microsoft Authentication Library and gRPC on Node.js. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details...
Security Bulletin: QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM has released a new version which addresses the vulnerabilities. Vulnerability Details CVEID:CVE-2024-27088 DESCRIPTION: medikoo es5-ext is vulnerable to a...
Security Bulletin: IBM Sterling Connect:Express for UNIX uses vulnerable version of OpenSSL
Summary IBM Sterling Connect:Express for UNIX uses a version of OpenSSL which is vulnerable to denial of service CVE-2024-2511. This issue has been addressed by upgrading the version of OpenSSL. Vulnerability Details CVEID:CVE-2024-2511 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caus...
Security Bulletin: IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to remote code execution (CVE-2024-35154)
Summary IBM WebSphere Application Server shipped with Jazz for Service Management JazzSM is vulnerable to remote code execution. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products| Versions ---|--- Jazz fo...
Security Bulletin: IBM Event Streams is vulnerable to a denial of service attack due to the protobuf-java core and lite (CVE-2022-3171).
Summary Protobuf-java core and lite are used by IBM Event Streams. The protobuf-java core library provides comprehensive functionality for working with Protocol Buffers, including advanced parsing and serialization, while the protobuf-java-lite library offers a performance-optimized version for...
Security Bulletin: IBM Event Streams is vulnerable to a denial of service attack due to the json-path component (CVE-2023-51074).
Summary IBM Event Streams is vulnerable to a denial of service attack due to the json-path component. JSON-Path is a query language for JSON, similar to XPath for XML. It allows us to select and extract data from a JSON document. We use a JSON-Path expression to traverse the path to an element in...
Security Bulletin: IBM Storage Ceph is vulnerable to the Exposure of Sensitive Information to an Unauthorized Actor in the RHEL UBI (CVE-2023-45803, CVE-2023-43804)
Summary RHEL UBI is used by IBM Storage Ceph as the base operating system. This bulletin identifies the steps to take to address the vulnerability in the RHEL UBI. CVE-2023-45803, CVE-2023-43804. Vulnerability Details CVEID:CVE-2023-43804 DESCRIPTION: urllib3 could allow a remote authenticated...
Security Bulletin: IBM Storage Ceph is vulnerable to a Missing Cryptographic Step in the RHEL UBI (CVE-2023-5363)
Summary RHEL UBI is used by IBM Storage Ceph as the base operating system. This bulletin identifies the steps to take to address the vulnerability in the RHEL UBI. CVE-2023-5363. Vulnerability Details CVEID:CVE-2023-5363 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive...
Security Bulletin: IBM Storage Ceph is vulnerable to the Improper Removal of Sensitive Information Before Storage or Transfer in Grafana (CVE-2021-23566)
Summary Grafana is used by IBM Storage Ceph as a metrics dashboard. This bulletin identifies the steps to take to address the vulnerability in Grafana. CVE-2021-23566. Vulnerability Details CVEID:CVE-2021-23566 DESCRIPTION: Nanoid could allow a local attacker to obtain sensitive information, caus...
Security Bulletin: IBM Storage Ceph is vulnerable to Insecure credentials submission in the RHEL UBI (CVE-2023-35789)
Summary RHEL UBI is used by IBM Storage Ceph as the base operating system. This bulletin identifies the steps to take to address the vulnerability in the RHEL UBI. CVE-2023-35789. Vulnerability Details CVEID:CVE-2023-35789 DESCRIPTION: RabbitMQ C AMQP client library aka rabbitmq-c could allow a...
Security Bulletin: IBM Storage Ceph is vulnerable to assorted vulnerabilities in Grafana
Summary Moby is used by IBM Storage Ceph in Grafana as part of Metrics. This bulletin identifies the steps to take to address the vulnerability in Grafana. CVE-2021-21285, CVE-2021-31525, CVE-2021-3121, CVE-2022-34038, CVE-2021-41103, CVE-2021-41089, CVE-2020-29652, CVE-2022-27536, CVE-2021-44716...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to several issues due to the go compiler
Summary Golang compiler is used by IBM Cloud Pak for Data to build various binaries. CVE-2022-28131, CVE-2022-30630, CVE-2022-30580, CVE-2022-32189, CVE-2022-30632, CVE-2022-28327, CVE-2022-30629, CVE-2022-30635, CVE-2022-30631, CVE-2022-32148, CVE-2022-1705, CVE-2022-1962, CVE-2022-24675,...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to several issues due to the go compiler (CVE-2022-27664)
Summary Golang compiler is used by IBM Cloud Pak for Data to build various binaries. CVE-2022-27664 Vulnerability Details CVEID:CVE-2022-27664 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a flaw in net/http. By sending a specially-crafted request, a remote attacker could...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to various issues due to go compiler (CVE-2022-30630, CVE-2022-30635, CVE-2022-32148, CVE-2022-30631, CVE-2022-30632, CVE-2022-32189, CVE-2022-28131, CVE-2022-30633, CV )
Summary Golang compiler is used by IBM Cloud Pak for Data to build various binaries. CVE-2022-30630, CVE-2022-30635, CVE-2022-32148, CVE-2022-30631, CVE-2022-30632, CVE-2022-32189, CVE-2022-28131, CVE-2022-30633, CVE-2022-1705. Vulnerability Details CVEID:CVE-2022-30630 DESCRIPTION: Golang Go is...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to several issues due to the go compiler (CVE-2021-33197)
Summary Golang compiler is used by IBM Cloud Pak for Data to build various binaries. CVE-2021-33197. Vulnerability Details CVEID:CVE-2021-33197 DESCRIPTION: Golang Go could allow a remote attacker to bypass security restrictions, caused by a flaw in the ReverseProxy in net/http/httputil. By sendi...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to several issues due to go compiler (CVE-2022-29804, CVE-2022-30580, CVE-2022-30629, CVE-2022-30634)
Summary Golang compiler is used by IBM Cloud Pak for Data to build various binaries. CVE-2022-29804, CVE-2022-30580, CVE-2022-30629, CVE-2022-30634 Vulnerability Details CVEID:CVE-2022-29804 DESCRIPTION: Golang Go could allow a local attacker to bypass security restrictions, caused by a flaw in t...
Security Bulletin: A Stored Cross-Site Scripting (XSS) security vulnerability has been identified in IBM Rational ClearQuest (CVE-2024-28796)
Summary An XSS security vulnerability has been identified in IBM Rational ClearQuest. IBM Rational ClearQuest has addressed CVE-2024-28796. Vulnerability Details CVEID:CVE-2024-28796 DESCRIPTION: IBM ClearQuest CQ is vulnerable to stored cross-site scripting. This vulnerability allows user...
Security Bulletin: Vulnerability in Linux kernel may affect IBM Spectrum Protect Plus
Summary IBM Spectrum Protect Plus can be affected by a vulnerability in the Linux Kernel. The vulnerability includes elevation of privileges, as described by the CVE in the "Vulnerability Details" section. Vulnerability Details CVEID:CVE-2023-51043 DESCRIPTION: Linux Kernel could allow a local authenticate...
Security Bulletin: IBM App Connect Enterprise Certified Container Operations Dashboard is vulnerable to denial of service [CVE-2024-36129]
Summary OpenTelemetry is used by IBM App Connect Enterprise Certified Container for the Operations Dashboard. IBM App Connect Enterprise Certified Container Operations Dashboard is vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerability in...
Security Bulletin: IBM Match 360 vulnerable to denial of service due to jose4j in IBM WebSphere Application Server Liberty (CVE-2023-51775)
Summary IBM Match 360 is vulnerable to jose4j used within IBM WebSphere Application Server Liberty. jose4j is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted p2c value, a remote attacker could exploit this vulnerability to cause a denial of...
Security Bulletin: IBM Match 360 is vulnerable to IBM WebSphere Application Server Liberty (CVE-2023-50312)
Summary IBM Match 360 is vulnerable to weaker security from IBM WebSphere Application Server Liberty. The vulnerability from IBM WebSphere Application Server Liberty causes weaker than expected security for outbound TLS connections caused by a failure to honor user configuration. Vulnerability...
Security Bulletin: There are multiple vulnerabilities that affect CICS Transaction Gateway Desktop Edition (CVE-2023-50310 and CVE-2023-50311).
Summary There are multiple vulnerabilities that affect CICS Transaction Gateway Desktop Edition. An update to CICS Transaction Gateway Desktop Edition has been released to address these vulnerabilities. Vulnerability Details CVEID:CVE-2023-50311 DESCRIPTION: IBM CICS Transaction Gateway could...
Security Bulletin: IBM Maximo Asset Management - A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2024-22329)
Summary IBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Industry Solutions including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities, Maximo Adapter for Primavera, and...
Security Bulletin: IBM Maximo Asset Management - A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2024-22354)
Summary IBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Industry Solutions including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities, Maximo Adapter for Primavera, and...
Security Bulletin: IBM Maximo Asset Management - A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2024-35154)
Summary IBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Industry Solutions including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities, Maximo Adapter for Primavera, and...
Security Bulletin: IBM Maximo Asset Management - A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2024-37532)
Summary IBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Industry Solutions including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities, Maximo Adapter for Primavera and...
Security Bulletin: IBM Instana Observability is affected by multiple vulnerabilities within Instana Agent container image
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana within Instana Agent container image build 277. Vulnerability Details CVEID:CVE-2023-47038 DESCRIPTION: Perl is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the user-defined...
Security Bulletin: IBM Observability with Instana (OnPrem) is affected by multiple security vulnerabilities
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana OnPrem build 277. Vulnerability Details CVEID:CVE-2022-40152 DESCRIPTION: XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML data, a remote...