Security Bulletin: IBM i is vulnerable to a local privilege escalation due to an unqualified library call in IBM Performance Tools for i [CVE-2024-27264].

Summary IBM i is vulnerable to a user gaining elevated privilege due to a program being called without library qualification in IBM Performance Tools for i as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerability as described in th...

Security Bulletin: IBM WebSphere Application Server could provide weaker than expected security (CVE-2023-50313)

Summary IBM WebSphere Application Server could provide weaker than expected security for outbound TLS connections. Vulnerability Details CVEID:CVE-2023-50313 DESCRIPTION: IBM WebSphere Application Server could provide weaker than expected security for outbound TLS connections caused by a failure ...

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Business Service Manager (CVE-2024-21094, CVE-2024-21085, CVE-2024-21011, CVE-2023-38264)

Summary IBM® SDK, Java™ Technology Edition is shipped as a component of IBM Tivoli Business Service Manager. Information about security vulnerabilities affecting IBM® SDK, Java™ Technology Edition has been published in a security bulletin. Vulnerability Details Refer to the security bulletins...

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact (CVE-2023-22081, CVE-2023-22067, CVE-2023-5676)

Summary IBM® SDK Java™ Technology Edition is shipped as a component of IBM Tivoli Netcool Impact. IBM Tivoli Netcool Impact has addressed the applicable issues, CVE-2023-22081, CVE-2023-22067, and CVE-2023-5676 Vulnerability Details CVEID:CVE-2023-22081 DESCRIPTION: An unspecified vulnerability i...

Security Bulletin: IBM Storage Fusion is vulnerable to authorization bypass due to go-restful.

Summary emicklei/go-restful is used by IBM Storage Fusion's isf-prereq-operator to create pre-requisite resources and deploy dependent operators. CVE-2022-1996. Vulnerability Details CVEID:CVE-2022-1996 DESCRIPTION: go-restful could allow a remote attacker to bypass security restrictions, caused ...

Security Bulletin: IBM Storage Fusion HCI is vulnerable to arbitrary code execution due to Node.js IP package.

Summary IP from Node.js is used by IBM Storage Fusion HCI as part of the Backup and Restore service and is vulnerable to the CVE listed below. CVE-2023-42282. Vulnerability Details CVEID:CVE-2023-42282 DESCRIPTION: Node.js IP package could allow a remote attacker to execute arbitrary code on the...

Security Bulletin: IBM Storage Fusion is vulnerable to arbitrary code execution due to Node.js IP package.

Summary IP from Node.js is used by IBM Storage Fusion as part of the Backup and Restore service and is vulnerable to the CVE listed below. CVE-2023-42282. Vulnerability Details CVEID:CVE-2023-42282 DESCRIPTION: Node.js IP package could allow a remote attacker to execute arbitrary code on the...

Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to an XML External Entity (XXE) injection vulnerability (CVE-2024-22354)

Summary IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to an XML External Entity XXE injection vulnerability. Vulnerability Details CVEID:CVE-2024-22354 DESCRIPTION: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are...

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Service Registry and Repository due to April 2024 CPU

Summary There are multiple vulnerabilities in IBM SDK Java Technology Edition, used by WebSphere Service Registry and Repository. These issues were disclosed as part of the IBM Java SDK updates in April 2024. These issues are addressed by WebSphere Application Server shipped with WebSphere Servic...

Security Bulletin: Multiple vulnerabilities affect IBM Db2® REST

Summary IBM has released the below fix for IBM Db2® REST in response to multiple vulnerabilities found in multiple components. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2021-35942 DESCRIPTION: GNU C Library aka glibc could allow a local attacker to obtain sensitive...

Security Bulletin: Multiple vulnerabilities affect IBM Db2® REST

Summary IBM has released the below fix for IBM Db2® REST in response to multiple vulnerabilities found in multiple components. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2023-45283 DESCRIPTION: Golang Go could allow a remote attacker to traverse directories on the...

Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is affected by a Denial of Service Vulnerability in Netty (CVE-2024-29025)

Summary Netty is vulnerable to a denial of service, caused by a flaw when using the HttpPostRequestDecoder to decode a form. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. Vulnerability Details CVEID:CVE-2024-2902...

Security Bulletin:  IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is affected by a Denial of Service Vulnerability in Nimbus-JOSE-JWT (CVE-2023-52428)

Summary Connect2id Nimbus-JOSE-JWT is used by IBM DevOps Deploy / IBM UrbanCode Deploy UCD as part of the openid authentication options. Connect2id Nimbus-JOSE-JWT is vulnerable to a denial of service, caused by improper validation of user requests by the PasswordBasedDecrypter PBKDF2 component. ...

Security Bulletin: IBM App Connect Enterprise is vulnerable to a denial of service due to Apache Commons Compress (CVE-2024-25710, CVE-2024-26308)

Summary The Transformation Advisor tool in IBM App Connect Enterprise is vulnerable to a denial of service due to Apache Commons Compress. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2024-25710 DESCRIPTION: Apache Commons Compress is...

Security Bulletin: IBM Observability with Instana using third-party Kubernetes Operators is affected by Multiple Security Vulnerabilities

Summary Multiple vulnerabilities were remediated in IBM Observability with Instana using third-party Kubernetes Operators build 271. Vulnerability Details CVEID:CVE-2024-1023 DESCRIPTION: Eclipse Vert.x is vulnerable to a denial of service, caused by a memory leak due to the use of Netty...

Security Bulletin: IBM Aspera Faspex 5.0.7 has addressed a cross-site scripting vulnerability (CVE-2022-40744)

Summary IBM Aspera Faspex 5 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. Vulnerability Details...

Security Bulletin: IBM Integration Designer is vulnerable to a denial of service (CVE-2023-38264)

Summary Vulnerability in IBM® Runtime Environment Java™ Version 8 used by IBM Integration Designer. IBM Integration Designer has addressed the following CVE. Vulnerability Details CVEID:CVE-2023-38264 DESCRIPTION: The IBM SDK, Java Technology Edition's Object Request Broker ORB 7.1.0.0 through...

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Business Service Manager (CVE-2023-22081, CVE-2023-22067, CVE-2023-5676)

Summary IBM® SDK, Java™ Technology Edition is shipped as a component of IBM Tivoli Business Service Manager. Information about security vulnerabilities affecting IBM® SDK, Java™ Technology Edition has been published in a security bulletin. Vulnerability Details CVEID:CVE-2023-22081 DESCRIPTION: A...

Security Bulletin: IBM Java and IBM WebSphere Application Server used by ISVG - Identity Manager have multiple vulnerabilities

Summary IBM Security Verify Governance - Identity Manager ships with IBM Java SDK and IBM WebSphere Application Server traditional. Information about security vulnerabilities affecting these dependencies has been published in security bulletins. Vulnerability Details Refer to the security bulleti...

Security Bulletin: Vulnerabilities in Node.js and packages affect IBM Voice Gateway

Summary Security Vulnerabilities in Node.js and packages affect IBM Voice Gateway. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2024-31206 DESCRIPTION: Node.js dectalk-tts module could allow a remote attacker to obtain sensitive information, caused by the use of...

Security Bulletin: Security Vulnerabilities in Liberty affect IBM Voice Gateway

Summary Security Vulnerabilities in Liberty affect IBM Voice Gateway Vulnerability Details CVEID:CVE-2024-22354 DESCRIPTION: IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.3 are vulnerable to an XML External Entity Injection XXE atta...

Security Bulletin: Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager (April 2024)

Summary IBM Db2 is shipped as a component of IBM Security Key Lifecycle Manager SKLM/GKLM. Information about multiple security vulnerabilities affecting IBM Db2 has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...

Security Bulletin: Multiple vulnerabilities in Apache Tomcat affects App Connect Professional

Summary App Connect Professional has addressed the following vulnerabilities reported in Apache Tomcat. Vulnerability Details CVEID:CVE-2024-24549 DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by improper input validation by the HTTP/2 header. By sending specially crafte...

Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities

Summary There are multiple vulnerabilities in components of IBM i Modernization Engine for Lifecycle Integration as described in the Vulnerability Details section. Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information CVE-2024-28849,...

Security Bulletin: IBM Security Guardium is affected by a Kernel vulnerability (CVE-2023-3609)

Summary IBM Security Guardium has addressed this vulnerability in an update. Vulnerability Details CVEID:CVE-2023-3609 DESCRIPTION: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free flaw in the net/sched: clsu32 component...

Security Bulletin: IBM App Connect Enterprise is vulnerable to a denial of service and HTTP request smuggling due to Node.js(CVE-2024-27983 & CVE-2024-27982)

Summary IBM App Connect Enterprise is vulnerable to a denial of service and HTTP request smuggling due to Node.js. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2024-27983 DESCRIPTION: Node.js is vulnerable to a denial of service, caused ...

Security Bulletin: AIX is vulnerable to arbitrary command execution due to invscout (CVE-2024-27260)

Summary A vulnerability in the AIX invscout command could allow a non-privileged local user to execute arbitrary commands CVE-2024-27260. Vulnerability Details CVEID:CVE-2024-27260 DESCRIPTION: IBM AIX could allow a non-privileged local user to exploit a vulnerability in the invscout command to...

Security Bulletin: Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches.

Summary Public disclosed OpenSSL vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. The vulnerability has been addressed and can be resolved by applying the NX-OS code level listed below. CVE-2023-2650. Vulnerability Details CVEID:CVE-2023-2650 DESCRIPTION: OpenSSL is...

Security Bulletin: IBM QRadar SIEM is not vulnerable to CVE-2023-51767

Summary An authentication bypass vulnerability was found in OpenSSH, however IBM QRadar SIEM is not vulnerable to it. Vulnerability Details CVEID:CVE-2023-51767 DESCRIPTION: OpenSSH could allow a local authenticated attacker to bypass security restrictions, caused by improper authentication. By...

Security Bulletin: IBM Security Guardium is vulnerable to sensitive information disclosure (CVE-2023-5868)

Summary IBM Security Guardium has addressed this vulnerability with updates. Vulnerability Details CVEID:CVE-2023-5868 DESCRIPTION: PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when perform certain aggregate function calls. By sending a...

Security Bulletin: IBM Security Guardium is affected by multiple Linux Kernel vulnerabilities

Summary IBM Security Guardium has addressed these vulnerabilities with an update. Vulnerability Details CVEID:CVE-2023-6679 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in the dpllpinparentpinset function in drivers/dpll/dpllnetlink.c i...

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to unspecified vulnerability in Java SE ( CVE-2024-20945)

Summary Potential unspecified vulnerability in Java SE related to the VM component CVE-2024-20945 has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details...

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Apache ZooKeeper security bypass vulnerabilitiy. (CVE-2023-44981)

Summary Potential Apache ZooKeeper security bypass vulnerabilitiy CVE-2023-44981 has been identified that affects IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2023-44981...

Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Storage Scale packaged in Elastic Storage Server.

Summary There is a vulnerability in IBM WebSphere Application Server Liberty, used by IBM Elastic Storage Server, which could allow a remote attacker to cause a denial of service. CVE-2023-46158, CVE-2023-44487. Vulnerability Details CVEID:CVE-2023-46158 DESCRIPTION: IBM WebSphere Application...

Security Bulletin: IBM Asset Data Dictionary Component uses urllib3 which is vulnerable to CVE-2023-43804

Summary IBM Asset Data Dictionary Component uses urllib3 which is vulnerable to CVE-2023-43804. This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details CVEID:CVE-2023-43804 DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain...

Security Bulletin: An IBM QRadar SIEM ArielRESTAPI protocol is vulnerable to Improper Validation (177835)

Summary The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal and is vulnerable to improper validation of input. Vulnerability Details IBM X-Force ID: 177835 DESCRIPTION: Apache Commons Codec could allow a remote attacker to obtai...

Security Bulletin: An IBM QRadar SIEM JDBC protocol is vulnerable to SQL injection (CVE-2024-1597)

Summary PostgreSQL JDBC Driver PgJDBC is vulnerable to SQL injection which could allow a remote attacker to send specially crafted SQL statements enabling the attacker to view, add, modify or delete information. Vulnerability Details CVEID:CVE-2024-1597 DESCRIPTION: PostgreSQL JDBC Driver PgJDBC ...

Security Bulletin: IBM QRadar SIEM protocols are vulnerable to information exposure and denial of service (CVE-2023-31582, CVE-2023-51775)

Summary The Jose4j library is vulnerable to a denial of service, caused by improper input validation. It could also allow a remote attacker to obtain sensitive information using cryptographic attacks. Vulnerability Details CVEID:CVE-2023-31582 DESCRIPTION: Jose4J could allow a remote attacker to...

Security Bulletin: An IBM QRadar SIEM SNMP protocol is vulnerable to a denial of service, SQL injection and could allow a remote attacker to execute arbitrary code on the system.

Summary Apache Log4j could allow a remote attacker to execute arbitrary code on the system. It is also vulnerable to SQL injection and could lead to a denial of service caused by a flaw when using the Chainsaw or SocketAppender components. Vulnerability Details CVEID:CVE-2022-23307 DESCRIPTION:...

Security Bulletin: Multiple security vulnerabilities in Eclipse Jetty affect IBM Security Directory Integrator

Summary The IBM Security Directory Integrator was vulnerable to multiple security vulnerabilities in the Eclipse Jetty component. This was addressed in version 10 of the IBM Security Directory Integrator. Vulnerability Details CVEID:CVE-2017-9735 DESCRIPTION: Jetty could allow a remote attacker t...

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining 1.14.4 IF001

Summary The following security vulnerabilities are addressed with IBM Process Mining 1.14.4 IF001 Vulnerability Details CVEID:CVE-2024-22259 DESCRIPTION: VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in...

Security Bulletin: IBM DataPower Gateway vulnerable to DOS in OpenSSL (CVE-2024-0727)

Summary IBM has addressed the CVE. Vulnerability Details CVEID:CVE-2024-0727 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to open a specially crafted PKCS12 file, a remote attacker could exploit this vulnerability to cause...

Security Bulletin: IBM DataPower Gateway vulnerable to "Terrapin" attack in OpenSSH (CVE-2023-48795)

Summary By manipulating sequence numbers during SSH connection setup, a MITM attacker can delete negotiation messages without causing a MAC failure. To mitigate this vulnerability, IBM has removed the chacha20-poly1305 cipher and all etm HMACs from the default set of algorithms offered,...

Security Bulletin: IBM DataPower Gateway Virtual Edition affected by bypass vulnerability in Open VM Tools

Summary Exploitation of this flaw requires root access to the ESXi host. IBM has addressed the vulnerability. Vulnerability Details CVEID:CVE-2023-20867 DESCRIPTION: VMware Tools could allow a local authenticated attacker to bypass security restrictions, caused by the failure to authenticate...

Security Bulletin: IBM Rational® Application Developer for WebSphere® Software is vulnerable to a denial of service

Summary Node.js is used by IBM Rational® Application Developer for WebSphere® Software as the SDK and runtime for Apache Cordova projects. CVE-2023-6129,CVE-2024-24806, CVE-2023-5678,CVE-2024-22019,CVE-2023-46809, CVE-2024-0727, CVE-2023-6237,CVE-2024-21892 Vulnerability Details...

Security Bulletin: IBM Storage Fusion is vulnerable to denial of server, and security bypass due to Golang vulnerabilities.

Summary Golang Go and Golang packages are used by IBM Storage Fusion and thus IBM Storage Fusion may be vulnerable to the vulnerabilities listed below. CVE-2022-29526, CVE-2022-21698, CVE-2021-41190, CVE-2018-20699, CVE-2024-24786, CVE-2023-39325, CVE-2023-48795. Vulnerability Details...

Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to a denial of service attack using HTTP/2 protocol. [CVE-2023-44487]

Summary IBM HTTP Server powered by Apache used by IBM i is vulnerable to a denial of service attack due to mishandling of multiplexed streams in HTTP/2 protocol as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerability as described ...

Security Bulletin: A vulnerability exists in IBM® SDK, Java™ Technology Edition affect IBM Tivoli Network Configuration Manager.

Summary Java on z/OS properties files not read correctly under certain locales / codepages vulnerability exists in IBM® SDK Java™ Technology Edition, Version 8, which is used by IBM Tivoli Network Configuration Manager IP Edition v6.4.2 Vulnerability Details IBM X-Force ID: PSIRT-ADV0103951...

Security Bulletin: IBM Observability with Instana for Synthetic PoP is affected by Multiple Security Vulnerabilities

Summary Multiple vulnerabilities were addressed in IBM Observability with Instana for Synthetic PoP build 272 Vulnerability Details CVEID:CVE-2024-29041 DESCRIPTION: Express.js Express could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker...

Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to April 2024 CPU

Summary There are multiple vulnerabilities in the IBM® SDK, Java™ Technology Edition that is shipped with IBM WebSphere Application Server and IBM WebSphere Application Server Liberty. The CVEs listed in this document might affect some configurations of IBM WebSphere Application Server traditiona...