Security Bulletin: IBM OpenPages is affected by multiple security vulnerabilities of DB2 Database Server (April 2024)

Summary IBM® Db2® Database Server is shipped as a supporting program of IBM OpenPages. Information about security vulnerabilities affecting IBM Db2 Database Server has been published in multiple security bulletins. Vulnerability Details Refer to the security bulletins listed in the...

Security Bulletin: Multiple security vulnerabilities Affect IBM WebSphere Application Server Liberty shipped with IBM OpenPages

Summary IBM WebSphere Application Server Liberty is shipped as a supporting program of IBM OpenPages. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in multiple security bulletins. These products have addressed the applicable CVEs...

Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities

Summary IBM QRadar SIEM includes vulnerable components e.g., framework libraries that could be identified and exploited with automated tools. These have been addressed in the update. Vulnerability Details CVEID:CVE-2024-22259 DESCRIPTION: VMware Tanzu Spring Framework could allow a remote attacke...

Security Bulletin: Storage Virtualize Ansible Collection is affected by a vulnerability in the paramiko package

Summary Storage Virtualize Ansible Collection uses the third-party library paramiko to implement SSH for authentication to target systems. Version 3.3.1 of paramiko is vulnerable to CVE-2023-48795. Vulnerability Details CVEID:CVE-2023-48795 DESCRIPTION: OpenSSH is vulnerable to a...

Security Bulletin: IBM Maximo Application Suite uses express-4.18.2.tgz which is vulnerable to CVE-2024-29041.

Summary IBM Maximo Application Suite uses express-4.18.2.tgz which is vulnerable to CVE-2024-29041. This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details CVEID:CVE-2024-29041 DESCRIPTION: Express.js Express could allow a remote attacker to condu...

Security Bulletin: Vulnerabilities in IBM WebSphere Application Server and WebSphere Application Server Liberty affect IBM Watson Explorer ( CVE-2024-22329, CVE-2023-50312)

Summary IBM WebSphere Application Server and IBM WebSphere Application Server Liberty is used by IBM Watson Explorer. IBM Watson Explorer has addressed the applicable CVE CVE-2024-22329, CVE-2023-50312. Vulnerability Details CVEID:CVE-2024-22329 DESCRIPTION: IBM WebSphere Application Server 8.5,...

Security Bulletin: DS8900F DSCLI LDAP Client allows unauthenticated-bind LDAP with valid user name and empty password ( CVE-2024-22326 )

Summary The updates indicated below have been released to address CVE-2024-22326 Deny unauthenticated-bind LDAP connection request. Vulnerability Details CVEID:CVE-2024-22326 DESCRIPTION: IBM System Storage DS8000 could allow a remote user to create an LDAP connection with a valid username and...

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Go Vulnerability Details CVEID:CVE-2023-45285 DESCRIPTION: Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw when using go get to fetch a module with the ".git" suffix...

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in IBM WebSphere

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of IBM WebSphere. Vulnerability Details CVEID:CVE-2023-50312 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.2 could provide weaker than expected security for outbound TLS connectio...

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in spring-web-5.3.15.jar

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of spring-web-5.3.15.jar Vulnerability Details CVEID:CVE-2024-22243 DESCRIPTION: VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability...

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Commons

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Apache Commons Vulnerability Details CVEID:CVE-2024-26308 DESCRIPTION: Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error. By persuading a victim to open a speciall...

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Commons

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Apache Commons Vulnerability Details CVEID:CVE-2024-29131 DESCRIPTION: Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write...

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Go Vulnerability Details CVEID:CVE-2024-1394 DESCRIPTION: Golang golang-fips/openssl is vulnerable to a denial of service, caused by memory leaks in code encrypting and decrypting rsa payloads. By using...

Security Bulletin: A vulnerability in Microsoft .NET Core affects IBM Robotic Process Automation and may result in a bypass of security restrictions (CVE-2024-0056)

Summary A vulnerability in Microsoft .NET Core affects IBM Robotic Process Automation resulting in a bypass of security restrictions. Microsoft .NET Core is used by IBM Robotic Process Automation as part of it's development platform. This bulletin identifies the security fixes to apply to address...

Security Bulletin: A vulnerability in Microsoft Azure Identity affects IBM Robotic Process Automation and may result in a denial of service (CVE-2024-21319)

Summary A vulnerability in Microsoft Azure Identity affects IBM Robotic Process Automation which may result in a denial of service. Microsoft Azure Identity is used by IBM Robotic Process Automation as part of identity management. This bulletin identifies the security fixes to apply to address th...

Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is vulnerable to weak TLS security, cross-site scripting, denial of service, and a server-side request forgery due to multiple vulnerabilities.

Summary IBM WebSphere Application Server Liberty for IBM i is vulnerable weaker than expected TLS security CVE-2023-50312, cross-site scripting with JavaScript code CVE-2024-27270, and sending specially crated requests to cause denial of service CVE-2024-25026, CVE-2024-27268, CVE-2024-22353 and ...

Security Bulletin: AIX is vulnerable to denial of service due to ISC BIND

Summary UPDATED: Corrected the affected fileset levels to reflect that bind.rte 7.1.916.2604 and 7.3.916.2601 are vulnerable Multiple vulnerabilities in ISC BIND could allow a remote attacker to cause a denial of service. AIX uses ISC BIND as part of its DNS functions. Vulnerability Details...

Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands are vulnerable to denial of service [CVE-2024-31904]

Summary Calls to the Admin API in IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands are vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerability. CVE-2024-31904 Vulnerability Details...

Security Bulletin: IBM App Connect Enterprise Certified Container operator, IntegrationServer and IntegrationRuntime operands are vulnerable to denial of service [CVE-2024-24783]

Summary Golang Go is used by the operator, and the IntegrationServer and IntegrationRuntime operands in IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container operator, and IntegrationServer and IntegrationRuntime operands are vulnerable to denial of servic...

Security Bulletin: IBM App Connect Enterprise Certified Container operator, IntegrationServer and IntegrationRuntime operands are vulnerable to denial of service [CVE-2023-45290]

Summary Golang Go is used by the operator and by a parent process in the IntegrationServer and IntegrationRuntime operands of IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container operator and IntegrationServer and IntegrationRuntime operands are vulnerabl...

Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands are vulnerable to denial of service due to [CVE-2024-24788]

Summary Golang Go is used by a parent process in the IntegrationServer and IntegrationRuntime operands of IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands are vulnerable to denial of service. This...

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to XSS attacks due to [CVE-2024-1135]

Summary Gunicorn is used by IBM App Connect Enterprise Certified Container by the mapping assistance component. IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to XSS attacks. This bulletin provides patch information to address...

Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to denial of service [CVE-2024-22025]

Summary Node.js is used by IBM App Connect Enterprise Certified Container as a runtime engine for processing data. IBM App Connect Enterprise Certified Container is vulnerable to denial of service when making HTTP calls using Node.js. This bulletin provides patch information to address the report...

Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to an authenticated user accessing sensitive information [CVE-2024-31893 CVE-2024-31894 CVE-2024-31895]

Summary IBM App Connect Enterprise Certified Container Designer flows that use the calendly, square or docusign connector are vulnerable to loss of confidentiality when an access token expires and is refreshed. This bulletin provides patch information to address the reported vulnerability in the...

Security Bulletin: IBM Engineering Requirements Management DOORS Next is vulnerable to XML External Entity Injection (XEE) (CVE-2023-45192)

Summary IBM Engineering Requirements Management DOORS Next is vulnerable to CVE-2023-45192 potential XML External Entity Injection XEE attacks. Vulnerability Details CVEID:CVE-2023-45192 DESCRIPTION: IBM Engineering Requirements Management DOORS Next is vulnerable to an XML External Entity...

Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to information disclosure (CVE-2022-35718)

Summary IBM Sterling Partner Engagement Manager is vulnerable to information disclosure. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2022-35718 DESCRIPTION: IBM Sterling Partner Engagement Manager stores sensitive information in URL...

Security Bulletin: The IBM® Engineering Lifecycle Management is impacted by vulnerabilties in Apache Commons Beanutils

Summary Multiple vulnerabilities have been identified in Apache Commons Beanutils, which is used in IBM Engineering Lifecycle Management - IBM Jazz. This bulletin contains information regarding vulnerabilities and remediation actions. Vulnerability Details CVEID:CVE-2019-10086 DESCRIPTION: Apache...

Security Bulletin: The IBM® Engineering Lifecycle Management is impacted by vulnerabilties in Google Guava

Summary A vulnerability has been identified in Google Guava, which is used in IBM Engineering Lifecycle Management - IBM Jazz. This bulletin contains information regarding vulnerabilities and remediation actions. Vulnerability Details CVEID:CVE-2023-2976 DESCRIPTION: Google Guava could allow a...

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in IBM WebSphere

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of IBM WebSphere Vulnerability Details CVEID:CVE-2024-25026 DESCRIPTION: IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.4 are vulnerable to a denia...

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Node.js Vulnerability Details CVEID:CVE-2024-27982 DESCRIPTION: Node.js is vulnerable to HTTP request smuggling, caused by the use of content length obfuscation in the http server. By sending specially crafte...

Security Bulletin: IBM i is vulnerable to a denial of service of network ports due to deserialization of untrusted data in Management Central [CVE-2024-31879].

Summary IBM i is vulnerable to a denial of service of network ports due to deserialization of untrusted data in Management Central as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerability as described in the remediation/fixes...

Security Bulletin: Multiple vulnerabilities in IBM Java SDK (April 2024) affect IBM InfoSphere Information Server

Summary There are multiple vulnerabilities in the IBM® SDK Java™ Technology Edition, Version 8 that is used by IBM InfoSphere Information Server. These issues were disclosed as part of the IBM Java SDK updates in April 2024. Vulnerability Details CVEID:CVE-2024-21085 DESCRIPTION: An unspecified...

Security Bulletin: IBM QRadar SIEM is vulnerable to AJP Smuggling (CVE-2022-26377)

Summary IBM QRadar SIEM is vulnerable to AJP Smuggling to Response Queue Poisoning. This vulnerability has been addressed in the update. Vulnerability Details CVEID:CVE-2022-26377 DESCRIPTION: Apache HTTP Server is vulnerable to HTTP request smuggling, caused by an inconsistent Interpretation of...

Security Bulletin: IBM App Connect Enterprise Certified Container Dashboard and DesignerAuthoring operands are vulnerable to arbitrary code execution due to [CVE-2024-29651]

Summary Node.js module @apidevtools/json-schema-ref-parser is used by IBM App Connect Enterprise Certified Container for processing JSON schemas defining the App Connect Enterprise administration API. IBM App Connect Enterprise Certified Container Dashboard and DesignerAuthoring operands are...

Security Bulletin: IBM OpenPages is affected by multiple security vulnerabilities in IBM Java SDK used by DB2 Database Server

Summary IBM® Db2® Database Server is shipped as a supporting program of IBM OpenPages. Information about multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Db2 Database Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins...

Security Bulletin: Due to use of IBM® SDK Java™ Technology Edition, IBM Tivoli Monitoring (ITM) components is vulnerable to a local authenticated attacker to bypass security restrictions.

Summary A vulnerabilitiy in IBM® SDK Java™ Technology Edition that is shipped as part of multiple IBM Tivoli Monitoring ITM components. CVE-2024-3933 Vulnerability Details CVEID:CVE-2024-3933 DESCRIPTION: Eclipse Openj9 could allow a local authenticated attacker to bypass security restrictions,...

Security Bulletin: IBM Security Guardium is affected by vulnerabilities in Oracle MySQL

Summary IBM Security Guardium has addressed these vulnerabilities with updates. Vulnerability Details CVEID:CVE-2023-22112 DESCRIPTION: An unspecified vulnerability in Oracle MySQL Server related to the Server: Optimizer component could allow a remote authenticated attacker to cause high...

Security Bulletin: Denial of Service vulnerability affect IBM Business Automation Workflow - CVE-2023-51775

Summary IBM Business Automation Workflow is vulnerable to a Denial of Service attack. Vulnerability Details CVEID:CVE-2023-51775 DESCRIPTION: jose4j is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted p2c value, a remote attacker could exploit...

Security Bulletin: Content Manager Enterprise Edition for March 2024 - CVE-2023-3894

Summary Content Manager Enterprise Edition is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2023-389...

Security Bulletin: Multiple Vulnerabilities in IBM Datacap

Summary Multiple vulnerabilities were addressed in IBM Datacap version 9.1.9 Interim Fix 004 Vulnerability Details CVEID:CVE-2023-26965 DESCRIPTION: LibTIFF is vulnerable to a denial of service, caused by a heap-based buffer overflow in the loadImage function in /libtiff/tools/tiffcrop.c. By...

Security Bulletin: AIX is vulnerable to information disclosure due to openCryptoki (CVE-2024-0914)

Summary Vulnerability in openCryptoki could allow a remote attacker to obtain sensitive information CVE-2024-0914. Vulnerability Details CVEID:CVE-2024-0914 DESCRIPTION: openCryptoki could allow a remote attacker to obtain sensitive information, caused by a flaw when processing RSA PKCS1 v1.5...

Security Bulletin: IBM MaaS360 Cloud Extender Mobile Enterprise Gateway (MEG) and VPN Module affected by multiple vulnerabilities (CVE-2024-29025, CVE-2024-22262, CVE-2023-6129, CVE-2024-0727, CVE-2024-22201, CVE-2023-6237)

Summary Vulnerabilities contained within OpenSSL a 3rd party component were addressed in the IBM MaaS360 VPN Module. Vulnerabilities contained within Netty, Spring Framework and Eclipse Jetty 3rd party components were addressed in the IBM MaaS360 Mobile Enterprise Gateway MEG Module. Vulnerabilit...

Security Bulletin: Denial of Service vulnerability affect IBM Business Automation Workflow - CVE-2024-25710, CVE-2024-26308

Summary IBM Business Automation Workflow is vulnerable to a Denial of Service attack. Vulnerability Details CVEID:CVE-2024-25710 DESCRIPTION: Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially crafted DUMP file...

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to denial of service due to [CVE-2024-33883]

Summary Node.js module ejs is used by IBM App Connect Enterprise Certified Container for generating user interfaces in the DesignerAuthoring operand. IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to denial of service. This bulletin provides patch...

Security Bulletin: Multiple vulnerabilities in eclipse jetty affect IBM Business Automation Workflow

Summary IBM Business Automation Workflow packages a vulnerable version of the eclipse jetty library. Vulnerability Details CVEID:CVE-2020-27216 DESCRIPTION: Eclipse Jetty could allow a local authenticated attacker to gain elevated privileges on the system, caused by a race condition in the creati...

Security Bulletin: Denial of Service vulnerability in WebSphere Liberty affects IBM Business Automation Workflow - CVE-2024-27270

Summary IBM WebSphere Application Server Liberty profile is shipped with IBM Business Automation Workflow components User Management Service and Process Federation Service. Liberty is also used in containerized versions of IBM Business Automation Workflow. Liberty is vulnerable to a cross-site...

Security Bulletin: Multiple vulnerabilities in angular.js affect IBM Business Automation Workflow.

Summary IBM Business Automation Workflow packages a vulnerable copy of angular.js. Vulnerability Details CVEID:CVE-2023-26117 DESCRIPTION: AngularJS is vulnerable to a denial of service, caused by a regular expression denial of service ReDoS flaw in the $resource service. By providing...

Security Bulletin: Gunicorn-20.1.0-py3-none-any.whl is vulnerable to CVE-2024-1135 used in IBM Maximo Application Suite - Edge Data Collector

Summary IBM Maximo Application Suite - Edge Data Collector uses Gunicorn-20.1.0-py3-none-any.whl which is vulnerable to CVE-2024-1135 Vulnerability Details CVEID:CVE-2024-1135 DESCRIPTION: Gunicorn is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP transfer-encoding...

Security Bulletin: mio-0.8.10.crate, and mio-0.8.8.crate is vulnerable to CVE-2024-27308 used in IBM Maximo Application Suite - Edge Data Collector

Summary IBM Maximo Application Suite - Edge Data Collector uses mio-0.8.10.crate and mio-0.8.8.crate which is vulnerable to CVE-2024-27308 Vulnerability Details CVEID:CVE-2024-27308 DESCRIPTION: Tokio Mio s vulnerable to a denial of service, caused by a use-after-free flaw due to tokens for named...

Security Bulletin: openssl-src-300.2.1+3.2.0.crate is vulnerable to CVE-2024-0727, CVE-2023-6129, and CVE-2023-6237 used in IBM Maximo Application Suite - Edge Data Collector

Summary IBM Maximo Application Suite - Edge Data Collector uses openssl-src-300.2.1+3.2.0.crate which is vulnerable to CVE-2024-0727, CVE-2023-6129, and CVE-2023-6237 Vulnerability Details CVEID:CVE-2024-0727 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by improper input...