Security Bulletin: IBM Db2 and IBM WebSphere Application Server traditional used by ISVG - Identity Manager have multiple vulnerabilities
Summary IBM Security Verify Governance - Identity Manager ships with IBM Db2 and IBM WebSphere Application Server traditional. Information about security vulnerabilities affecting these dependencies has been published in security bulletins. Vulnerability Details Refer to the security bulletins...
Security Bulletin: IBM Observability with Instana using third-party Kubernetes Operators is affected by Multiple Security Vulnerabilities
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana using third-party Kubernetes Operators build 269. Vulnerability Details CVEID:CVE-2024-20918 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause...
Security Bulletin: IBM Instana Observability is affected by multiple vulnerabilities within Instana Agent container image
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana within Instana Agent container image build 270. Vulnerability Details CVEID:CVE-2024-29133 DESCRIPTION: Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system, caused by ...
Security Bulletin: IBM Security Verify Privilege could allow an unauthenticated actor to obtain sensitive information (CVE-2024-31887)
Summary IBM Security Verify Privilege could allow an unauthenticated actor to obtain sensitive information. The issue has been addressed in an update. Vulnerability Details CVEID:CVE-2024-31887 DESCRIPTION: IBM Security Verify Privilege could allow an unauthenticated actor to obtain sensitive...
Security Bulletin: IBM Cognos Command Center has addressed vulnerabilities in IBM® Semeru Java™ Version 11 and Apache Commons
Summary There are vulnerabilities in IBM® Semeru Java™ Version 11, Apache Commons Compress and Apache Commons Configuration used by IBM Cognos Command Center. IBM Cognos Command Center 10.2.5 IF2 has addressed the applicable CVEs by upgrading to non-vulnerable versions of these libraries. Please...
Security Bulletin: Vulnerabilities in libxml2 library (CVE-2023-28484, CVE-2023-29469) affect Power HMC.
Summary The libxml2 library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2023-28484 DESCRIPTION: GNOME libxml2 is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in the xmlSchemaFixupComplexTy...
Security Bulletin: Vulnerabilities in libssh library (CVE-2023-1667, CVE-2023-2283) affect Power HMC
Summary The libssh library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2023-1667 DESCRIPTION: libssh is vulnerable to a denial of service, caused by a NULL pointer dereference during rekeying with algorithm guessing. A...
Security Bulletin: Vulnerability in Apache Tomcat Server (CVE-2024-24549) affects Power HMC
Summary Apache Tomcat Server is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2024-24549 DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by improper input validation by the HTTP/2 header. By sending...
Security Bulletin: Vulnerability in Apache Tomcat Server (CVE-2024-23672) affects Power HMC
Summary Apache Tomcat Server is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2024-23672 DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by an incomplete cleanup flaw. By sending specially crafted...
Security Bulletin: Vulnerability in nghttp2 library (CVE-2023-44487) affects Power HMC
Summary The nghttp2 library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2023-44487 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2...
Security Bulletin: IBM App Connect Enterprise is vulnerable to a denial of service and remote attack due to node.js jose module and jsonata-js JSONata (CVE-2024-28176, CVE-2024-27307)
Summary The Discovery Connector nodes in IBM App Connect Enterprise are vulnerable to a denial of service due to node.js jose module and jsonata-js JSONata. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2024-28176 DESCRIPTION: Node.js jos...
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2023-51775)
Summary Websphere Application Server WAS is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting WAS has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2023-50313)
Summary Websphere Application Server WAS is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting WAS has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...
Security Bulletin: IBM® Db2® may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. (CVE-2021-20373)
Summary Db2 may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. Vulnerability Details CVEID:CVE-2021-20373 DESCRIPTION: IBM Db2 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an...
Security Bulletin: IBM Call Center is subject to a vulnerability in an XML service that a remote attacker could exploit to consume available CPU resources.
Summary IBM Call Center removed parts of a legacy code that carried vulnerabilities. The code did contain CVE-2009-2625, CVE-2013-4002, CVE-2020-14338, CVE-2022-23437, CVE-2012-0881, however the specific code related to the vulnerability is not in use, therefore the risk is lower. This bulletin...
Security Bulletin: Order Management could be subject to an Apache Struts vulnerability that could allow a remote attacker to execute arbitrary code on the system.
Summary Order Management removed parts of legacy code that carried vulnerabilities. The code did contain CVE-2013-2115, CVE-2013-4316, CVE-2014-0112, CVE-2014-0113, CVE-2015-5209, CVE-2016-3082, CVE-2016-4436, CVE-2017-12611, CVE-2019-0230, CVE-2019-0233, CVE-2020-17530, CVE-2021-31805,...
Security Bulletin: Order Management could be subject to Log4j 1.x vulnerability that could be exploited to remotely execute arbitrary code.
Summary Order Management removed parts of legacy code that carried vulnerabilities. The code did contain CVE-2019-17571, CVE-2020-9493, CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307, CVE-2020-9488 however the specific code related to the vulnerability is not in use, therefore the...
Security Bulletin: Order Management is subject to an Apache Batik vulnerability and could allow a remote attacker to obtain sensitive information.
Summary Order Management removed parts of legacy code that carried vulnerabilities. The code did contain CVE-2015-0250, however the specific code related to the vulnerability is not in use, therefore the risk is lower. This bulletin identifies the steps to take to address the vulnerability...
Security Bulletin: Order Management could be subject to multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x.
Summary Order Management removed parts of legacy code that carried vulnerabilities. The code did contain CVE-2012-0838, CVE-2011-1772, CVE-2008-6504, CVE-2010-1870, CVE-2012-0394, however the specific code related to the vulnerability is not in use, therefore the risk is lower. This bulletin...
Security Bulletin: Order Management is subject to vulnerabilities in an XML service that a remote attacker could exploit.
Summary Order Management removed parts of legacy code that carried vulnerabilities. The code did contain CVE-2009-2625, CVE-2013-4002, CVE-2012-0881, however the specific code related to the vulnerability is not in use, therefore the risk is lower. This bulletin identifies the steps to take to...
Security Bulletin: IBM Security QRadar Analyst Workflow app for IBM QRadar SIEM includes components with known vulnerabilities
Summary The product includes vulnerable components e.g., framework libraries that might be identified and exploited with automated tools. IBM has addressed the vulnerabilities. Vulnerability Details CVEID:CVE-2023-44270 DESCRIPTION: PostCSS could allow a remote attacker to bypass security...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Base OS issues
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Base OS issues. We have updated the base image used by our Speech Services and the following vulnerabilities have been addressed. Please read the details for remediation below. Vulnerability Details...
Security Bulletin: IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to a denial of service due to jose4j (CVE-2023-51775)
Summary IBM WebSphere Application Server shipped with Jazz for Service Management JazzSM is vulnerable to a denial of service due to jose4j. Information about a security vulnerability affecting IBM WebSphere Application Server Traditional has been published in a security bulletin. Vulnerability...
Security Bulletin: IBM Sterling B2B Integrator vulnerable to security bypass due to Apache Commons BCEL (CVE-2022-42920)
Summary IBM Sterling B2B Integrator uses Apache Commons BCEL. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2022-42920 DESCRIPTION: Apache Commons BCEL could allow a remote attacker to bypass security restrictions, caused by an...
Security Bulletin: AIX is affected by multiple vulnerabilities due to Python (CVE-2023-52425, CVE-2023-52426, CVE-2023-6597)
Summary Vulnerabilities in Python could allow a remote or local attacker to cause a denial of service CVE-2023-52425, CVE-2023-52426 or launch further attacks on the system CVE-2023-6597. Python is used by AIX as part of Ansible node management automation. Vulnerability Details CVEID:CVE-2023-524...
Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to directory traversal due to golang compiler (CVE-2023-45283, CVE-2023-45284, CVE-2023-45285)
Summary The Golang compiler is used by IBM Cloud Pak for Data Scheduling to create the scheduler binaries. Vulnerability Details CVEID:CVE-2023-45283 DESCRIPTION: Golang Go could allow a remote attacker to traverse directories on the system, caused by the failure to recognize paths with a \??\ prefix...
Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to machine-in-the-middle due to golang.org/x/crypto (CVE-2023-48795)
Summary golang.org/x/crypto is used by IBM Cloud Pak for Data Scheduling as part of the scheduler binaries and is affected by CVE-2023-48795. Vulnerability Details CVEID:CVE-2023-48795 DESCRIPTION: OpenSSH is vulnerable to a machine-in-the-middle attack, caused by a flaw in the extension negotiation process in th...
Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to remote attack due to golang compiler (CVE-2023-39326)
Summary The Golang compiler is used by IBM Cloud Pak for Data Scheduling to create the scheduler binaries and is affected by CVE-2023-39326. Vulnerability Details CVEID:CVE-2023-39326 DESCRIPTION: Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw in the net/http package. By sendi...
Security Bulletin: IBM Disconnected Log Collector includes components with known vulnerabilities
Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. This update addresses these CVEs. Vulnerability Details CVEID:CVE-2023-39410 DESCRIPTION: Apache Avro Java SDK could allow a remote authenticated attacker to...
Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is vulnerable to denial of service due to Apache Commons Compress (CVE-2024-25710, CVE-2024-26308)
Summary Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error. Vulnerability Details CVEID:CVE-2024-25710 DESCRIPTION: Apache Commons Compress is vulnerable to a...
Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is vulnerable to a sensitive information disclosure vulnerability (CVE-2024-22339)
Summary IBM DevOps Deploy / IBM UrbanCode Deploy UCD is vulnerable to a sensitive information disclosure vulnerability due to insufficient obfuscation of sensitive values. Vulnerability Details CVEID:CVE-2024-22339 DESCRIPTION: IBM UrbanCode Deploy UCD is vulnerable to a sensitive information due t...
Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to an incomplete revocation of permissions vulnerability (CVE-2024-22334)
Summary IBM DevOps Deploy / IBM UrbanCode Deploy UCD could be vulnerable to incomplete revocation of permissions when deleting a custom security resource type. When deleting a custom security type, associated permissions of objects using that type may not be fully revoked. This could lead to...
Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) may be susceptible to a cross-site scripting vulnerability (CVE-2024-22359)
Summary IBM DevOps Deploy / IBM UrbanCode Deploy UCD may be vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...
Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) may be susceptible to an Insufficient Session Expiration vulnerability (CVE-2024-22358)
Summary IBM DevOps Deploy / IBM UrbanCode Deploy UCD may not fully invalidate the session after logout which could allow an authenticated user to impersonate another user on the system. Vulnerability Details CVEID:CVE-2024-22358 DESCRIPTION: IBM UrbanCode Deploy UCD does not invalidate session...
Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to a machine-in-the-middle vulnerability (CVE-2023-48795)
Summary OpenSSH is vulnerable to a machine-in-the-middle attack, caused by a flaw in the extension negotiation process in the SSH transport protocol when used with certain OpenSSH extensions. A remote attacker could exploit this vulnerability to launch a machine-in-the-middle attack and strip an...
Security Bulletin: IBM QRadar SIEM is vulnerable to command injection and cross-site scripting (CVE-2023-50961, CVE-2023-50960)
Summary IBM QRadar SIEM is vulnerable to stored cross-site scripting and could also allow a remote authenticated attacker to execute arbitrary commands on the system. These vulnerabilities have been addressed in the update. Vulnerability Details CVEID:CVE-2023-50961 DESCRIPTION: IBM QRadar could...
Security Bulletin: IBM QRadar SIEM is vulnerable to cross-site scripting (CVE-2024-28784)
Summary IBM QRadar SIEM is vulnerable to cross-site scripting. This vulnerability has been addressed in the update. Vulnerability Details CVEID:CVE-2024-28784 DESCRIPTION: IBM QRadar SIEM is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in...
Security Bulletin: IBM Sterling B2B Integrator vulnerable to denial of service due to snappy-java (CVE-2023-43642)
Summary IBM Sterling B2B Integrator uses snappy-java. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2023-43642 DESCRIPTION: snappy-java is vulnerable to a denial of service, caused by missing upper bound check on chunk length. By sendin...
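The snappy-java entry above names the bug class precisely: a chunk length read from the stream was used without an upper bound, so a small crafted header can drive the reader into a huge allocation. The following is an added example, not snappy-java's code and not IBM's, showing what a bounded reader looks like. It uses the public Snappy framing format (stream identifier, then 4-byte chunk headers with a 3-byte little-endian length and a masked CRC-32C on data chunks) rather than snappy-java's own stream layout; the chunk-size limit derived from Snappy's worst-case block size, the hostile sample stream and the `rejects` helper are this example's assumptions.

```python
import struct

# Snappy framing format constants (public framing_format.txt).
STREAM_IDENTIFIER = b"\xff\x06\x00\x00sNaPpY"
CHUNK_COMPRESSED, CHUNK_UNCOMPRESSED, CHUNK_PADDING = 0x00, 0x01, 0xFE
MAX_BLOCK = 65536                                  # max uncompressed bytes in one data chunk
MAX_COMPRESSED = 32 + MAX_BLOCK + MAX_BLOCK // 6   # Snappy's worst-case compressed size of one block
MAX_DATA_CHUNK = 4 + MAX_COMPRESSED                # 4-byte masked CRC-32C + payload (assumed bound)


def _crc32c_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0x82F63B78 if c & 1 else c >> 1
        table.append(c)
    return table


_CRC_TABLE = _crc32c_table()


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli), the checksum the framing format uses."""
    c = 0xFFFFFFFF
    for b in data:
        c = _CRC_TABLE[(c ^ b) & 0xFF] ^ (c >> 8)
    return c ^ 0xFFFFFFFF


def masked_crc32c(data: bytes) -> int:
    """The spec's masking of the CRC so it survives being stored inside another CRC'd container."""
    c = crc32c(data)
    return (((c >> 15) | (c << 17)) + 0xA282EAD8) & 0xFFFFFFFF


def chunk_header(ctype: int, length: int) -> bytes:
    return bytes([ctype]) + length.to_bytes(3, "little")


def encode_uncompressed(data: bytes) -> bytes:
    """Constructed honest stream: identifier plus uncompressed chunks of at most MAX_BLOCK bytes."""
    out = [STREAM_IDENTIFIER]
    for i in range(0, len(data), MAX_BLOCK):
        block = data[i:i + MAX_BLOCK]
        payload = struct.pack("<I", masked_crc32c(block)) + block
        out.append(chunk_header(CHUNK_UNCOMPRESSED, len(payload)) + payload)
    return b"".join(out)


def read_chunks(stream: bytes, max_data_chunk: int = MAX_DATA_CHUNK):
    """Yield (type, payload) per chunk, validating the declared length before anything is reserved for it.

    A reader that allocates the declared length first can be made to reserve 16 MiB (the largest
    3-byte length) per 4-byte header; the bound check below is the fix for that bug class."""
    if not stream.startswith(STREAM_IDENTIFIER):
        raise ValueError("missing stream identifier")
    pos = len(STREAM_IDENTIFIER)
    while pos < len(stream):
        if len(stream) - pos < 4:
            raise ValueError("truncated chunk header")
        ctype = stream[pos]
        length = int.from_bytes(stream[pos + 1:pos + 4], "little")
        if ctype in (CHUNK_COMPRESSED, CHUNK_UNCOMPRESSED) and length > max_data_chunk:
            raise ValueError(f"data chunk declares {length} bytes, limit is {max_data_chunk}")
        if 0x02 <= ctype <= 0x7F:
            raise ValueError(f"unskippable reserved chunk type 0x{ctype:02x}")
        if length > len(stream) - pos - 4:
            raise ValueError("chunk runs past end of stream")
        payload = stream[pos + 4:pos + 4 + length]
        if ctype == CHUNK_UNCOMPRESSED:
            if length < 4 or length - 4 > MAX_BLOCK:
                raise ValueError("bad uncompressed chunk size")
            (want,) = struct.unpack("<I", payload[:4])
            if masked_crc32c(payload[4:]) != want:
                raise ValueError("checksum mismatch")
        yield ctype, payload
        pos += 4 + length


def decode_uncompressed(stream: bytes) -> bytes:
    """Reassemble a stream made of uncompressed, padding and skippable chunks only."""
    parts = []
    for ctype, payload in read_chunks(stream):
        if ctype == CHUNK_UNCOMPRESSED:
            parts.append(payload[4:])
        elif ctype == CHUNK_COMPRESSED:
            raise NotImplementedError("compressed chunks need a Snappy block decoder")
    return b"".join(parts)


def rejects(stream: bytes):
    """Return the reason a stream is refused, or None when every chunk is accepted."""
    try:
        for _ in read_chunks(stream):
            pass
        return None
    except ValueError as e:
        return str(e)


# Constructed hostile input: a compressed-chunk header claiming the maximum length with no body.
HOSTILE_STREAM = STREAM_IDENTIFIER + chunk_header(CHUNK_COMPRESSED, 0xFFFFFF)
```

The order of the checks matters: the declared length is compared against the format's bound before it is compared against what is actually present, so a reader that streams from a socket (where "what is present" is unknown) refuses the chunk on the bound alone and never sizes a buffer from attacker-controlled input.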
Security Bulletin: IBM Sterling B2B Integrator vulnerable to denial of service due to Apache Xerces2 Java (CVE-2012-0881, CVE-2022-23437)
Summary IBM Sterling B2B Integrator uses Apache Xerces2 Java libraries. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2012-0881 DESCRIPTION: Apache Xerces2 Java is vulnerable to a denial of service, caused by a flaw in the XML service. ...
Security Bulletin: IBM Sterling B2B Integrator Document Service container vulnerable to multiple issues due to Apache Tomcat
Summary IBM Sterling B2B Integrator's Document Service container uses Apache Tomcat. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2023-46589 DESCRIPTION: Apache Tomcat is vulnerable to HTTP request smuggling, caused by improper parsin...
Security Bulletin: IBM Sterling B2B Integrator B2B API vulnerable to multiple issues due to Apache CXF
Summary IBM Sterling B2B Integrator uses Apache CXF. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2022-46363 DESCRIPTION: Apache CXF could allow a remote attacker to obtain sensitive information, caused by a flaw when the CXFServlet is...
Security Bulletin: IBM Sterling B2B Integrator vulnerable to remote code execution due to Apache Xalan Java XSLT (CVE-2022-34169)
Summary IBM Sterling B2B Integrator uses Apache Xalan Java XSLT. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2022-34169 DESCRIPTION: The Apache Xalan Java XSLT library could allow a remote attacker to execute arbitrary code on the...
Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple issues due to IBM MQ
Summary IBM Sterling B2B Integrator uses IBM MQ. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2023-28950 DESCRIPTION: IBM MQ 8.0, 9.0, 9.1, 9.2, and 9.3 could disclose sensitive user information from a trace file if that functionality...
Security Bulletin: Improper integrity checking might affect IBM Storage Defender – Resiliency Service (CVE-2024-27261)
Summary IBM Storage Defender – Resiliency Service is vulnerable to improper integrity checking, which can result in data integrity issues. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2024-27261 DESCRIPTION: IBM Storage Defender - Resiliency Service could allow a privileged user to install a...
Security Bulletin: IBM Sterling B2B Integrator vulnerable to security bypass due to Apache Santuario XML Security for Java (CVE-2021-40690)
Summary IBM Sterling B2B Integrator uses Apache Santuario XML Security for Java. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2021-40690 DESCRIPTION: Apache Santuario XML Security for Java could allow a remote attacker to bypass securi...
Security Bulletin: IBM Sterling File Gateway is vulnerable to cross-site scripting (CVE-2023-47714)
Summary This bulletin identifies the steps to take to address a cross-site scripting vulnerability in IBM Sterling File Gateway. Vulnerability Details CVEID:CVE-2023-47714 DESCRIPTION: IBM Sterling File Gateway is vulnerable to cross-site scripting. This vulnerability allows users to embed...
Security Bulletin: IBM Sterling B2B Integrator vulnerable to cross-site scripting (CVE-2023-50307, CVE-2023-45186)
Summary This bulletin identifies the steps to take to address the cross-site scripting vulnerabilities in IBM Sterling B2B Integrator. Vulnerability Details CVEID:CVE-2023-50307 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site scripting. This vulnerability...
Security Bulletin: IBM Sterling B2B Integrator B2B API is affected by improper resource expiration handling due to IBM WebSphere Application Server Liberty (CVE-2023-46158)
Summary IBM Sterling B2B Integrator uses IBM WebSphere Application Server Liberty. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2023-46158 DESCRIPTION: IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide...
Security Bulletin: IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2024-22357)
Summary This bulletin identifies the steps to take to address a cross-site scripting vulnerability within IBM Sterling B2B Integrator. Vulnerability Details CVEID:CVE-2024-22357 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site scripting. This vulnerability...
Security Bulletin: IBM Sterling B2B Integrator is vulnerable to denial of service due to Netty (CVE-2023-34462)
Summary IBM Sterling B2B Integrator uses Netty. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2023-34462 DESCRIPTION: Netty is vulnerable to a denial of service, caused by a flaw with allocating up to 16MB of heap for each channel durin...