Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affect BM Spectrum Control

Summary IBM WebSphere Application Server Liberty is vulnerable to allow a remote authenticated attacker, denial of service, server-side request forgery SSRF, cross-site scripting, improper resource expiration handling, weaker than expected security for outbound TLS connections. These...

Security Bulletin: Node.js vulnerabilities affect IBM Spectrum Control

Summary Node.js is vulnerable to remote attacker to obtain sensitive information, denial of service, HTTP request smuggling and allow a local authenticated attacker to gain elevated privileges on the system. These vulnerabilities affect IBM Spectrum Control. CVE-2024-27983, CVE-2024-22019,...

Security Bulletin: Apache Derby affects IBM Spectrum Control [CVE-2022-46337]

Summary Apache Derby might allow a remote attacker to bypass security restrictions caused by an LDAP injection vulnerability in the authenticator. This vulnerability affects IBM Spectrum Control. This bulletin identifies the steps to take to mitigate the vulnerability. Vulnerability Details...

Security Bulletin: QRadar Suite Software includes components with multiple known vulnerabilities

Summary QRadar Suite Software includes components with known vulnerabilities. These have been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version. Vulnerability Details...

Security Bulletin: A cross-site scripting vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Buinses Automation Workflow (CVE-2024-35153)

Summary WebSphere Application Server is shipped as a component of IBM Business Automation Workflow. Information about a security vulnerability affecting IBM WebSphere Application Server Traditional have been published in a security bulletin. Vulnerability Details Refer to the security bulletins...

Security Bulletin: Multiple Vulnerabilities in IBM Event Endpoint Management

Summary Multiple vulnerabilities were addressed in IBM Event Endpoint Management version 11.2.1 Vulnerability Details CVEID:CVE-2024-26308 DESCRIPTION: Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error. By persuading a victim to open a specially crafte...

Security Bulletin: IBM Datapower Operations Dashboard could allow unintended headers to MIME messages CVE-2024-21742

Summary Apache James Mime4J is used by the IBM Datapower Operations Dashboard stream parsing implementation. Vulnerability Details CVEID:CVE-2024-21742 DESCRIPTION: Apache James Mime4J could allow a remote attacker to bypass security restrictions, caused by improper input validation. By sending a...

Security Bulletin: Vulnerabilities in IBM Sterling B2B Integrator and IBM Sterling File Gateway

Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway are affected by multiple security vulnerabilities. These vulnerabilities include: - SQL Injection - Path Traversal - Unrestricted File Upload - Cross-Site Scripting XSS - Insufficient Session-ID Length - Information Disclosure...

Security Bulletin: Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.17 and earlier

Summary This fix upgrades to Websphere Liberty 24.0.0.6, socket.io 3.0.2, and grpc-js 1.8.22. Websphere Liberty is used by the IBM Answer Retrieval for Watson Discovery swagger microservice. Socket.io and grpc-js are used by the IBM Answer Retrieval for Watson Discovery user interfaces for...

Security Bulletin: Denial of Service vulnerabilities in Apache Commons Compress affect IBM Business Automation Workflow - CVE-2024-25710, CVE-26308

Summary IBM Business Automation Workflow is vulnerable to denial of service attacks. Vulnerability Details CVEID:CVE-2024-25710 DESCRIPTION: Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially crafted DUMP file,...

Security Bulletin: Vulnerability affect IBM Business Automation Workflow - CVE-2024-37528

Summary IBM Business Automation Workflow Center is vulnerable to a Cross.Site Scripting attack. Vulnerability Details CVEID:CVE-2024-37528 DESCRIPTION: IBM CP4BA - Business Automation Studio Component is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed...

Security Bulletin: Multiple vulnerabilities in Java affect IBM Business Automation Workflow - Apr 2024 CPU

Summary IBM Business Automation Workflow containers package IBM® Java SDK 8 V21.0.3 or IBM® Semeru Runtime 17 V23.0.2. Information about security vulnerabilities in these Java runtumes have been published. IBM Business Automation Workflow includes IBM Java 8. Vulnerability Details...

Security Bulletin: Weaker than expected security vulnerability affect IBM Business Automation Workflow - CVE-2024-22354

Summary IBM WebSphere Application Server Liberty profile is shipped with Process Federation Server and User Management Services in IBM Business Automation Workflow traditional. IBM Business Automation Workflow containers build upon IBM WebSphere Liberty profile. Information about a security...

Security Bulletin: Red Hat OpenShift on IBM Cloud is affected by a cri-o security vulnerability (CVE-2024-3154)

Summary Red Hat OpenShift on IBM Cloud is affected by a security vulnerability found in the cri-o component which could allow a remote authenticated attacker to execute arbitrary commands on the system CVE-2024-3154. Vulnerability Details CVEID: CVE-2024-3154 Description: CRI-O could allow a remo...

Security Bulletin: IBM Instana Observability is vulnerable to Improper Input Validation due to Apache Avro Java SDK

Summary Vulnerability in Apache Avro Java SDK was remediated in IBM Observability with Instana Build 275. CVE-2023-39410 Vulnerability Details CVEID:CVE-2023-39410 DESCRIPTION: Apache Avro Java SDK could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an...

Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2024-37532)

Summary WebSphere Application Server is shipped as a component of IBM Security Guardium Key Lifecycle Manager SKLM/GKLM. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulleti...

Security Bulletin: Denial of service and security restrictions bypass might affect IBM Storage Defender – Resiliency Service

Summary IBM Storage Defender – Resiliency Service is vulnerable and can result in data confidentiality and service availabilty issues. The vulnerabilities have been addressed. CVE-2024-27351, CVE-2024-34064, CVE-2024-32879, CVE-2024-24786. Vulnerability Details CVEID:CVE-2024-24786 DESCRIPTION:...

Security Bulletin: IBM Datapower Operations Dashboard could allow a a denial of service CVEID 256137

Summary FasterXML Jackson Core is used by the IBM Datapower Operations Dashboard streaming and parsing implementation. Vulnerability Details IBM X-Force ID: 256137 DESCRIPTION: FasterXML Jackson Core is vulnerable to a denial of service, caused by improper input validation by the...

Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2024-35153)

Summary WebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the...

Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM DevOps Code ClearCase (CVE-2024-37532)

Summary IBM WebSphere Application Server WAS is shipped as a component of IBM DevOps Code ClearCase. Information about security vulnerabilities affecting WAS have been published in security bulletins. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...

Security Bulletin: Due to use of IBM WebSphere Application Server Liberty, IBM Tivoli Application Dependency Discovery Manager is vulnerable to denial of service and disclosure of sensitive information.

Summary IBM WebSphere Application Server Liberty is used by IBM Tivoli Application Dependency Discovery Manager CVE-2024-22354,CVE-2024-25026,CVE-2024-27268 and CVE-2023-51775 Vulnerability Details CVEID:CVE-2024-22354 DESCRIPTION: IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere...

Security Bulletin: IBM Datapower Operations Dashboard could allow a denial of service condition CVE-2024-29025

Summary Netty is used by the IBM Datapower Operations Dashboard server implementation. Vulnerability Details CVEID:CVE-2024-29025 DESCRIPTION: Netty is vulnerable to a denial of service, caused by a flaw when using the HttpPostRequestDecoder to decode a form. By sending a specially crafted reques...

Security Bulletin: IBM PowerVM Novalink is vulnerable because jose4j is vulnerable to a denial of service, caused by improper input validation.

Summary IBM PowerVM Novalink is vulnerable because jose4j is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted p2c value, a remote attacker could exploit this vulnerability to cause a denial of service condition. Vulnerability Details...

Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5 are vulnerable to an XML External Entity Injection (XXE) attack.(CVE-2024-2235)

Summary IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5 are vulnerable to an XML External Entity Injection XXE attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information, consume...

Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty 23.0.0.3 through 24.0.0.3 is vulnerable to cross-site scripting. (CVE-2024-27270)

Summary IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty 23.0.0.3 through 24.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in a specially crafted URI. Vulnerability Details CVEID:CVE-2024-27270...

Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.4 is vulnerable to a denial of service, caused by sending a specially crafted request.

Summary IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.4 is vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory...

Security Bulletin: Disabled USB port vulnerability affects IBM FlashSystem 5300

Summary IBM FlashSystem 5300 USB ports may be usable even if the port has been disabled by the administrator. A user with physical access to the system could use the USB port to cause loss of access to data. Vulnerability Details CVEID:CVE-2024-39723 DESCRIPTION: IBM FlashSystem 5300 USB ports ma...

Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2024-35153)

Summary WebSphere Application Server is shipped as a component of IBM Security Guardium Key Lifecycle Manager SKLM/GKLM. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulleti...

Security Bulletin: Security vulnerabilities may affect IBM WebSphere Application Server Liberty shipped with with IBM CICS TX Advanced.

Summary Security vulnerabilities may affect IBM WebSphere Application Server Liberty shipped with IBM CICS TX Advanced. IBM CICS TX Advanced has addressed the issues. Vulnerability Details CVEID:CVE-2024-25026 DESCRIPTION: IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application...

Security Bulletin: IBM InfoSphere Information Server is vulnerable to stored cross-site scripting (CVE-2024-28794)

Summary A stored cross-site scripting vulnerability in IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2024-28794 DESCRIPTION: IBM InfoSphere Information Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript co...

Security Bulletin: Denial of service and password enumeration might affect IBM Storage Defender – Resiliency Service

Summary IBM Storage Defender – Resiliency Service is vulnerable and can result in data confidentiality and service availabilty issues. The vulnerabilities have been addressed. CVE-2023-45288, CVE-2024-25031, CVE-2024-38322, CVE-2024-33883. Vulnerability Details CVEID:CVE-2023-45288 DESCRIPTION:...

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact

Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 used by IBM Tivoli Netcool Impact. IBM Tivoli Netcool Impact has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2024-21094 DESCRIPTION: An unspecified vulnerability in Java SE related to the...

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to denial of service due to IBM WebSphere Application Server Liberty (CVE-2024-25026)

Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details...

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to denial of service [CVE-2024-38355]

Summary Socket.IO is used by IBM App Connect Enterprise Certified Container for real-time UI updates. IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerability in...

Security Bulletin: IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to cross-site scripting (CVE-2024-35153)

Summary IBM WebSphere Application Server shipped with Jazz for Service Management JazzSM is vulnerable to cross-site scripting in the administrative console. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected...

Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.4 are vulnerable to a denial of service.(CVE-2024-25026)

Summary IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.4 are vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory...

Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty 18.0.0.2 through 24.0.0.4 is vulnerable to a denial of service, caused by sending a specially crafted request. (CVE-2024-27268)

Summary IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty 18.0.0.2 through 24.0.0.4 is vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory...

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to XML External Entity Injection attack due to IBM WebSphere Application Server Liberty (CVE-2024-22354)

Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details...

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to cross-site scripting due to IBM WebSphere Application Server Liberty (CVE-2024-27270)

Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details...

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to denial of service due to IBM WebSphere Application Server Liberty (CVE-2024-22353)

Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details...

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to server-side request forgery due to IBM WebSphere Application Server Liberty (CVE-2024-22329)

Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details...

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to denial of service due to IBM WebSphere Application Server Liberty (CVE-2024-27268)

Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details...

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to denial of service due to IBM WebSphere Application Server Liberty (CVE-2023-51775)

Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details...

Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.3 are vulnerable to server-side request forgery. (CVE-2024-22329)

Summary IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.3 are vulnerable to server-side request forgery SSRF. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct the SSRF attack. X-Force ID:...

Security Bulletin: Multiple Vulnerabilities have been identified in IBM MQ shipped with IBM WebSphere Remote Server

Summary IBM MQ is shipped with IBM WebSphere Remote Server. Information about security vulnerabilities affecting IBM MQ have been published in a security bulletin CVE-2024-25026, CVE-2024-22354, CVE-2024-27268, CVE-2024-22353, CVE-2023-51775, CVE-2024-22329, CVE-2024-31919, CVE-2024-21085,...

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 9.1.0

Summary In addition to updates of open source dependencies, the following security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 9.1.0 Vulnerability Details IBM X-Force ID: 177835 DESCRIPTION: Apache Commons Codec could allow a remote attacker to obtain sensitiv...

Security Bulletin: Multiple security vulnerabilities in IBM SDK, Java Technology Edition affects IBM OpenPages

Summary IBM® SDK, Java™ Technology Edition is shipped as a supporting program of IBM OpenPages. Information about a security vulnerability affecting IBM SDK, Java Technology Edition has been published in multiple security bulletins. These products have addressed the applicable CVEs. For a complet...

Security Bulletin: Vulnerability has been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2024-35153)

Summary WebSphere Application Server is shipped as a component of WebSphere Service Registry and Repository. Information about a cross-site scripting vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulleti...

Security Bulletin: IBM Automation Decision Services for May 2024 - Multiple CVEs addressed

Summary "IBM Automation Decision Services is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed." Vulnerability Details CVEID:CVE-2024-288...

Security Bulletin: User configuration failures in IBM WebSphere Application Server Liberty may affect IBM Storage Protect Operations Center (CVE-2023-50312)

Summary IBM Storage Protect Operations Center may be affected by user configuration failures in IBM WebSphere Application Server Liberty. Vulnerability Details CVEID:CVE-2023-50312 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.2 could provide weaker than expected...