Security Bulletin: Cross-Site scripting vulnerability in ESAPI may affect IBM Business Automation Workflow - IBM X-Force ID: 273485
Summary IBM Business Automation Workflow is vulnerable to a Cross-Site scripting attack. Vulnerability Details IBM X-Force ID: 273485 DESCRIPTION: Enterprise Security API for Java is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the...
Security Bulletin: Vulnerability in PostCSS affects IBM Business Automation Workflow - CVE-2023-44270
Summary IBM Business Automation Workflow depends on a vulnerable version of PostCSS. Vulnerability Details CVEID:CVE-2023-44270 DESCRIPTION: PostCSS could allow a remote attacker to bypass security restrictions, caused by improper input validation. By using a specially crafted external Cascadi...
Security Bulletin: Multiple vulnerabilities in Java affect IBM Business Automation Workflow - Jan 2024 CPU
Summary IBM Business Automation Workflow containers package IBM® Java SDK 8 V21.0.3 or IBM® Semeru Runtime 17 V23.0.2. Information about security vulnerabilities in these Java runtimes has been published. IBM Business Automation Workflow includes IBM Java 8. Vulnerability Details...
Security Bulletin: Vulnerabilities in Node.js affect IBM Voice Gateway
Summary Security Vulnerabilities in Node.js affect IBM Voice Gateway. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2024-22017 DESCRIPTION: Node.js could allow a local attacker to gain elevated privileges on the system, caused by the failure of setuid to drop all...
Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to remote attack due to Apache Derby (CVE-2022-46337)
Summary Apache Derby is shipped with IBM Tivoli Netcool Impact as part of its data structure. Information about a security vulnerability affecting Apache Derby has been published in a security bulletin. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details...
Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to denial of service due to IBM WebSphere Application Server Liberty (CVE-2023-44487)
Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details...
Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to information disclosure due to IBM WebSphere Application Server Liberty (CVE-2023-44483)
Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details...
Security Bulletin: Vulnerability with OpenJDK, commons-compress and spring-web-5.3.27/spring-web-5.3.32 affect IBM Cloud Object Storage Systems (April 2024v1)
Summary Vulnerabilities with OpenJDK: CVE-2024-20952, CVE-2024-20918, CVE-2024-20921, CVE-2024-20945, CVE-2024-20932, CVE-2024-20919, CVE-2024-20926; commons-compress: CVE-2024-25710, CVE-2024-26308; spring-web-5.3.27: CVE-2024-22243; spring-web-5.3.32: CVE-2024-22259. This vulnerability has been...
Security Bulletin: IBM DataPower Gateway is vulnerable to Denial of Service due to use of Node.js
Summary Node.js is used by IBM DataPower Gateway as part of the API-GWY management interface (CVE-2024-22019). Vulnerability Details CVEID:CVE-2024-22019 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error when reading an unprocessed HTTP request with an unbounded chunk extension...
Security Bulletin: IBM DataPower affected by vulnerability in Go (CVE-2023-39326)
Summary This CVE may affect DataPower Operator or SNMP Exporter for Prometheus. Vulnerability Details CVEID:CVE-2023-39326 DESCRIPTION: Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw in the net/http package. By sending a specially crafted HTTP request, an...
Security Bulletin: IBM Maximo Application Suite and IBM Truststore Manager use Jinja2-3.1.2-py3-none-any.whl and Jinja2-3.0.3-py3-none-any.whl, which are vulnerable to CVE-2024-22195
Summary IBM Maximo Application Suite and IBM Truststore Manager use Jinja2-3.1.2-py3-none-any.whl and Jinja2-3.0.3-py3-none-any.whl, which are vulnerable to CVE-2024-22195. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2024-22195...
Security Bulletin: IBM Maximo Application Suite uses postgresql-42.3.8.jar which is vulnerable to CVE-2024-1597
Summary IBM Maximo Application Suite uses postgresql-42.3.8.jar which is vulnerable to CVE-2024-1597. This bulletin contains information regarding the vulnerability. Vulnerability Details CVEID:CVE-2024-1597 DESCRIPTION: PostgreSQL JDBC Driver PgJDBC is vulnerable to SQL injection. A remote...
Security Bulletin: IBM Maximo Application Suite uses firestore-4.15.1.tgz which is vulnerable to CVE-2023-6460
Summary IBM Maximo Application Suite uses firestore-4.15.1.tgz, which is vulnerable to CVE-2023-6460. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2023-6460 DESCRIPTION: Google APIs nodejs-firestore could allow a local authenticate...
Security Bulletin: IBM Maximo Application Suite uses cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl and cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl, which are vulnerable to CVE-2024-26130
Summary IBM Maximo Application Suite uses cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl and cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl, which are vulnerable to CVE-2024-26130. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details...
Security Bulletin: IBM Maximo Application Suite uses cryptography-41.0.2-cp37-abi3-manylinux_2_28_x86_64.whl which is vulnerable to CVE-2023-49083
Summary IBM Maximo Application Suite uses cryptography-41.0.2-cp37-abi3-manylinux_2_28_x86_64.whl, which is vulnerable to CVE-2023-49083. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2023-4807 DESCRIPTION: OpenSSL is vulnerable to a...
Security Bulletin: IBM Observability with Instana is affected by Multiple Security Vulnerabilities
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana build 269. Vulnerability Details CVEID:CVE-2020-15522 DESCRIPTION: Bouncy Castle BC Java, BC C .NET, BC-FJA, BC-FNA could allow a remote attacker to obtain sensitive information, caused by a timing issue within the ...
Security Bulletin: IBM Sterling Connect:Direct for UNIX is vulnerable to denial of service due to nimbus-jose-jwt.
Summary nimbus-jose-jwt is used by IBM Sterling Connect:Direct for UNIX in file transfer. IBM Sterling Connect:Direct for UNIX is impacted by a vulnerability in nimbus-jose-jwt. IBM Sterling Connect:Direct for UNIX has upgraded nimbus-jose-jwt to version 9.37.3 to address the issues. Vulnerability...
Security Bulletin: Vulnerability in Enterprise Security API for Java affects IBM Process Mining WS-2023-0429
Summary There is a vulnerability in Enterprise Security API for Java that could allow a remote attacker to steal cookie-based authentication credentials on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability...
Security Bulletin: Vulnerability in VMware Tanzu Spring Framework affects IBM Process Mining CVE-2023-34053
Summary There is a vulnerability in VMware Tanzu Spring Framework that could allow a remote attacker to cause a denial of service on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details...
Security Bulletin: Vulnerability in PyCryptodome affects IBM Process Mining CVE-2023-52323
Summary There is a vulnerability in PyCryptodome that could allow a remote attacker to obtain sensitive information on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details CVEID:CVE-2023-52323...
Security Bulletin: Vulnerability in The Legion of the Bouncy Castle affects IBM Process Mining CVE-2022-45146
Summary There is a vulnerability in The Legion of the Bouncy Castle that could allow a remote attacker to obtain sensitive information on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details...
Security Bulletin: Vulnerability in Jinja affects IBM Process Mining CVE-2024-22195
Summary There is a vulnerability in Jinja that could allow an attacker to steal cookie-based authentication credentials on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details...
Security Bulletin: Vulnerability in cryptography affects IBM Process Mining CVE-2023-50782
Summary There is a vulnerability in cryptography that could allow an attacker to obtain sensitive information on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details CVEID:CVE-2023-50782...
Security Bulletin: Vulnerability in follow-redirects affects IBM Process Mining CVE-2023-26159
Summary There is a vulnerability in follow-redirects that could allow a remote attacker to redirect a victim to arbitrary Web sites. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details CVEID:CVE-2023-261...
Security Bulletin: Vulnerability in openjdk affects IBM Process Mining CVE-2023-21930
Summary There is a vulnerability in openjdk that could allow an authenticated attacker with network access via TLS to compromise Java on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details...
Security Bulletin: Vulnerability in cryptography affects IBM Process Mining CVE-2024-26130
Summary There is a vulnerability in cryptography that could allow a remote attacker to cause a denial of service on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details CVEID:CVE-2024-26130...
Security Bulletin: Vulnerability in GitPython affects IBM Process Mining CVE-2024-22190
Summary There is a vulnerability in GitPython that could allow a remote attacker to execute arbitrary code on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details CVEID:CVE-2024-22190...
Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining CVE-2024-22201
Summary There is a vulnerability in Eclipse Jetty that could allow a remote attacker to cause a denial of service on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details CVEID:CVE-2024-22201...
Security Bulletin: Vulnerability in Dnspython affects IBM Process Mining CVE-2023-29483
Summary There is a vulnerability in Dnspython that could allow a remote attacker to cause a denial of service on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details CVEID:CVE-2023-29483...
Security Bulletin: IBM Tivoli Netcool Impact could provide weaker than expected security due to IBM WebSphere Application Server Liberty (CVE-2023-46158)
Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details...
Security Bulletin: Due to use of Apache Pulsar, IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library is vulnerable to security restrictions bypass
Summary Pulsar is used by IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library. The vulnerability below (CVE-2023-51437) has been addressed. Vulnerability Details CVEID:CVE-2023-51437 DESCRIPTION: Apache Pulsar could allow a remote attacker to bypass security restrictions, caused...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to information exposure in python-requests [CVE-2023-32681]
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to sensitive information exposure in python-requests, caused by the leaking of Proxy-Authorization headers to destination servers during redirects to an HTTPS origin (CVE-2023-32681). python-requests is used as a...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to information exposure in urllib3 [CVE-2023-45803]
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to information exposure in urllib3, caused by a flaw in which the HTTP request body is not removed when an HTTP redirect response uses status 303 (CVE-2023-45803). urllib3 is used as a component of our Speech runtimes...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is affected by information exposure in urllib3 [CVE-2023-43804]
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is affected by potential sensitive information exposure in urllib3, caused by a flaw in which the Cookie request header is not stripped during cross-origin redirects (CVE-2023-43804). urllib3 is used as a component of our Speech runtimes...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security bypass in Open Container Initiative runc [CVE-2024-21626]
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security bypass in Open Container Initiative runc, caused by an internal file descriptor leak (CVE-2024-21626). Open Container Initiative runc is part of the gcc utils used by our service runtimes. This...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a buffer overflow in rsyslog [CVE-2022-24903]
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a heap-based buffer overflow in rsyslog, caused by improper bounds checking by the TCP syslog server receiver components (CVE-2022-24903). Rsyslog is used as a component of our Speech runtimes. This...
Security Bulletin: Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches.
Summary Publicly disclosed OpenSSL vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. The vulnerability has been addressed and can be resolved by applying the NX-OS code level listed below. Vulnerability Details CVEID:CVE-2023-0464 DESCRIPTION: OpenSSL is vulnerable to a...
Security Bulletin: Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches.
Summary Publicly disclosed OpenSSL vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. The vulnerability has been addressed and can be resolved by applying the NX-OS code level listed below. Vulnerability Details CVEID:CVE-2023-0466 DESCRIPTION: OpenSSL could allow a remo...
Security Bulletin: IBM App Connect Enterprise Certified Container UBI updates
Summary IBM App Connect Enterprise Certified Container ACEcc is built on the Red Hat Universal Base Images. ACEcc operator versions 5.0.16 LTS and 11.4.0 contain fixes to the listed CVEs found in the base images. This bulletin provides patch information to address the reported vulnerabilities...
Security Bulletin: Multiple Security Vulnerabilities have been fixed in the IBM Directory Server and IBM Directory Suite products (CVE-2022-22473, CVE-2021-38951)
Summary Multiple Security Vulnerabilities in the IBM WebSphere Application Server product as shipped with the IBM Directory Server and IBM Directory Suite products have been fixed. Vulnerability Details CVEID:CVE-2022-22473 DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 coul...
Security Bulletin: IBM Automation Decision Services - March 2024 - CVE-2024-26308, CVE-2024-25710
Summary IBM Automation Decision Services is vulnerable to denial of service attacks in third-party and open source components used in the product for various functions. See the full list below. This vulnerability has been addressed. Vulnerability Details CVEID:CVE-2024-26308 DESCRIPTION: Apache Commons Compress...
Security Bulletin: Multiple vulnerabilities in IBM Semeru Runtime affect z/Transaction Processing Facility
Summary There are multiple vulnerabilities in IBM® Semeru Runtime Certified Edition 11 that is used by the z/TPF system. z/TPF has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2024-20918 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow...
Security Bulletin: IBM Planning Analytics Workspace is affected by vulnerabilities in multiple Open Source Software (OSS) components
Summary There are vulnerabilities in multiple Open Source Software OSS components consumed by IBM Planning Analytics Workspace. IBM Planning Analytics Workspace 2.0 Release 94 has addressed the applicable CVEs by upgrading or removing the vulnerable libraries. Please refer to the table in the...
Security Bulletin: IBM Cognos Analytics Cartridge for IBM Cloud Pak for Data 4.8.4 has addressed a security vulnerability in Clojure (CVE-2017-20189)
Summary IBM Cognos Analytics Cartridge for IBM Cloud Pak for Data 4.8.4 has addressed a security vulnerability in Clojure CVE-2017-20189 by upgrading to a non-vulnerable version. Vulnerability Details CVEID:CVE-2017-20189 DESCRIPTION: Clojure could allow a remote authenticated attacker to execute...
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in pypdf2-3.0.1-py3-none-any.whl
Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of pypdf2-3.0.1-py3-none-any.whl. Vulnerability Details CVEID:CVE-2023-36464 DESCRIPTION: py-pdf pypdf is vulnerable to a denial of service, caused by an infinite loop if parse_content_stream is executed. By...
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Ansible - CVE-2023-5115
Summary IBM Watson Discovery Cartridge for IBM Cloud Pak for Data contains a vulnerable version of Ansible (CVE-2023-5115). Vulnerability Details CVEID:CVE-2023-5115 DESCRIPTION: Ansible could allow a remote attacker to traverse directories on the system, caused by improper validation of user...
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in urllib3-1.26.16-py2.py3-none-any.whl
Summary IBM Watson Discovery Cartridge for IBM Cloud Pak for Data contains a vulnerable version of urllib3-1.26.16-py2.py3-none-any.whl. Vulnerability Details CVEID:CVE-2023-43804 DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw wit...
Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands may be vulnerable to denial of service
Summary The Bouncy Castle Crypto Package For Java is used by the MQ Client in IBM App Connect Enterprise Certified Container IntegrationServers and IntegrationRuntimes. This bulletin provides patch information to address the reported vulnerability in the Bouncy Castle Crypto Package For Java...
Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from Docker Registry, OpenSSH and go-git
Summary go-git and Docker Registry are consumed through OSE packages. The OSE package is shipped with IBM MQ Operator and IBM-supplied MQ Advanced container images. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2017-11468 DESCRIPTION: Docker...
Security Bulletin: There are multiple vulnerabilities that affect CICS Transaction Gateway for Multiplatforms (CVE-2023-50310 and CVE-2023-50311).
Summary There are multiple vulnerabilities that affect CICS Transaction Gateway for Multiplatforms. An update to CICS Transaction Gateway for Multiplatforms has been released to address these vulnerabilities. Vulnerability Details CVEID:CVE-2023-50311 DESCRIPTION: IBM CICS Transaction Gateway cou...