35097 matches found

IBM Security Bulletins
added 2024/03/20 5:49 p.m. | 36 views

Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to denial of service due to OpenTelemetry go module ( CVE-2023-45142, CVE-2023-47108 )

Summary OpenTelemetry go module is used by IBM Cloud Pak for Data Scheduling as part of the scheduler binaries. CVE-2023-45142, CVE-2023-47108. Vulnerability Details CVEID:CVE-2023-45142 DESCRIPTION: OpenTelemetry OpenTelemetry-Go Contrib is vulnerable to a denial of service, caused by an unbound...

CVSS 7.5 | AI score 7.5 | EPSS 0.01579
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/20 5:46 p.m. | 23 views

Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to remote authentication attack due to Kubernetes Scheduler code ( CVE-2023-5528 )

Summary Kubernetes Scheduler code is used by IBM Cloud Pak for Data Scheduling as part of the scheduling binaries. CVE-2023-5528. Vulnerability Details CVEID:CVE-2023-5528 DESCRIPTION: Kubernetes kubelet could allow a remote authenticated attacker to gain elevated privileges on the system, caused...

CVSS 8.8 | AI score 7.7 | EPSS 0.03578
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/20 5:43 p.m. | 28 views

Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to denial of service due to golang compiler ( CVE-2023-39325 )

Summary Golang compiler is used by IBM Cloud Pak for Data Scheduling as part of the build process for the scheduler binaries. CVE-2023-39325. Vulnerability Details CVEID:CVE-2023-39325 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by an uncontrolled resource consumption fla...

CVSS 7.5 | AI score 7.5 | EPSS 0.03796
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/20 3:56 p.m. | 51 views

Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to installation denial of service due to grpc ( CVE-2023-44487 )

Summary Grpc is used by IBM Cloud Pak for Data Scheduling as part of the image catalog used for installation. CVE-2023-44487. Vulnerability Details CVEID:CVE-2023-44487 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the...

CVSS 7.5 | AI score 7.6 | EPSS 0.99999
Exploits: 19 | Affected Software: 1

IBM Security Bulletins
added 2024/03/20 11:24 a.m. | 37 views

Security Bulletin: IBM Maximo Application Suite uses urllib3-2.0.3-py3-none-any.whl which is vulnerable to CVE-2023-45803

Summary IBM Maximo Application Suite uses urllib3-2.0.3-py3-none-any.whl which is vulnerable to CVE-2023-45803. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2023-45803 DESCRIPTION: urllib3 could allow a remote authenticated attacke...

CVSS 4.2 | AI score 6.1 | EPSS 0.00544
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/20 7:34 a.m. | 29 views

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Tivoli System Automation for Multiplatforms.

Summary There are multiple vulnerabilities in IBM SDK Java Technology Edition used by IBM Tivoli System Automation for Multiplatforms. Vulnerability Details CVEID:CVE-2024-20952 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to...

CVSS 7.5 | AI score 6.9 | EPSS 0.01026
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/20 6:38 a.m. | 58 views

Security Bulletin: The IBM® Engineering Lifecycle Engineering products using IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2023-44487)

Summary IBM WebSphere Application Server Liberty is vulnerable to a denial of service with the servlet-3.1, servlet-4.0, servlet-5.0, or servlet-6.0 feature with the HTTP/2 protocol enabled. Following IBM® Engineering Lifecycle Engineering product is vulnerable to this attack, it has been address...

CVSS 7.5 | AI score 8 | EPSS 0.99999
Exploits: 19 | Affected Software: 1

IBM Security Bulletins
added 2024/03/20 6:38 a.m. | 29 views

Security Bulletin: The IBM® Engineering Lifecycle Engineering product using IBM SDK, Java Technology Edition Quarterly CPU - Jan 2024 - Includes Oracle January 2024 CPU is vulnerable to CVE-2023-33850

Summary This bulletin covers all applicable Java SE CVEs published by Oracle as part of their January 2024 Critical Patch Update, plus CVE-2023-33850. Following IBM® Engineering Lifecycle Engineering products are vulnerable to this attack: IBM Engineering Test Management, ELM Installer...

CVSS 7.5 | AI score 7.3 | EPSS 0.00855
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/20 6:37 a.m. | 21 views

Security Bulletin: The IBM® Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty could provide weaker than expected security (CVE-2023-50312)

Summary IBM WebSphere Application Server Liberty could provide weaker than expected security for outbound TLS connections caused by a failure to honor user configuration. This may result in SSL cipher suites being ignored. Following IBM® Engineering Lifecycle Engineering products are vulnerable t...

CVSS 6.5 | AI score 5.5 | EPSS 0.00592
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/20 1:5 a.m. | 30 views

Security Bulletin: IBM InfoSphere Information Server is affected by a denial of service vulnerability in Spring Framework (CVE-2023-34053)

Summary A denial of service vulnerability in Spring Framework used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2023-34053 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by a flaw when the application uses Spring MVC ...

CVSS 7.5 | AI score 6.3 | EPSS 0.0115
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/20 12:44 a.m. | 41 views

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Bouncy Castle Crypto Package for Java

Summary Multiple vulnerabilities in Bouncy Castle Crypto Package for Java used by IBM InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2023-33201 DESCRIPTION: The Bouncy Castle Crypto Package For Java bc-java could allow a remote attacker to obtain sensitive...

CVSS 5.5 | AI score 7.3 | EPSS 0.00932
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2024/03/20 12:30 a.m. | 28 views

Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Pallets Werkzeug (CVE-2023-46136)

Summary A vulnerability in Pallets Werkzeug used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2023-46136 DESCRIPTION: Pallets Werkzeug is vulnerable to a denial of service, caused by a flaw when parsing multipart/form-data containing a large part with CR/LF...

CVSS 8 | AI score 7.3 | EPSS 0.01063
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/20 12:16 a.m. | 33 views

Security Bulletin: A denial of service vulnerability in WebSphere Application Server Liberty affects IBM InfoSphere Information Server (CVE-2023-44487)

Summary A denial of service vulnerability in WebSphere Application Server Liberty that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2023-44487 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplex...

CVSS 7.5 | AI score 7.8 | EPSS 0.99999
Exploits: 19 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 11:36 p.m. | 23 views

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Kubernetes ingress-nginx

Summary Multiple vulnerabilities in Kubernetes ingress-nginx used by IBM InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2022-4886 DESCRIPTION: Kubernetes could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with path...

CVSS 8.8 | AI score 8.3 | EPSS 0.56568
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 11:20 p.m. | 59 views

Security Bulletin: IBM InfoSphere Information Server is affected by OpenSSL Vulnerability (CVE-2023-2650)

Summary A vulnerability in OpenSSL used by InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2023-2650 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a flaw when using OBJ_obj2txt directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CM...

CVSS 6.5 | AI score 7 | EPSS 0.77901
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 11:18 p.m. | 32 views

Security Bulletin: IBM InfoSphere Information Server is affected by OpenSSL Vulnerability (CVE-2023-0464)

Summary A vulnerability in OpenSSL used by InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2023-0464 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error related to the verification of X.509 certificate chains that include policy constraints...

CVSS 7.5 | AI score 7.6 | EPSS 0.03658
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 11:16 p.m. | 32 views

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in OpenSSL

Summary Multiple vulnerabilities in OpenSSL used by InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2023-0466 DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the X509_VERIFY_PARAM_add0_policy function. By using...

CVSS 5.3 | AI score 6.6 | EPSS 0.01629
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 8:32 p.m. | 64 views

Security Bulletin: Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.15 and earlier

Summary This fix upgrades to Node.js 18.19.1. Node.js is used by all IBM Answer Retrieval for Watson Discovery user interfaces. There are two categories of vulnerabilities addressed. The first allows remote attackers to gain access to the system, bypassing security restrictions. The second makes...

CVSS 9.8 | AI score 8 | EPSS 0.03168
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 7:39 p.m. | 46 views

Security Bulletin: Multiple Vulnerabilities have been identified in IBM MQ shipped with IBM WebSphere Remote Server

Summary IBM MQ is shipped with IBM WebSphere Remote Server. Information about addressing security vulnerabilities affecting IBM MQ has been published in security bulletins for CVE-2023-47745, CVE-2023-4218, CVE-2023-44487, CVE-2023-39976, CVE-2024-25016, linked herein. Vulnerability Details...

CVSS 9.8 | AI score 8.5 | EPSS 0.99999
Exploits: 20 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 7:37 p.m. | 67 views

Security Bulletin: IBM Security Verify Information Queue has multiple third-party library vulnerabilities (CVE-2024-1597, CVE-2023-26159)

Summary IBM Security Verify Information Queue ISIQ v10.0.8 has addressed vulnerabilities in the third-party libraries with an update. Vulnerability Details CVEID:CVE-2024-1597 DESCRIPTION: PostgreSQL JDBC Driver PgJDBC is vulnerable to SQL injection. A remote attacker could send specially crafted...

CVSS 10 | AI score 8.6 | EPSS 0.0481
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 5:46 p.m. | 45 views

Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Summary IBM Cloud Transformation Advisor has addressed multiple security vulnerabilities listed herein. Vulnerability Details CVEID:CVE-2024-21891 DESCRIPTION: Node.js could allow a remote attacker to bypass security restrictions, caused by improper path traversal sequence sanitization. By using ...

CVSS 9.8 | AI score 8.3 | EPSS 0.03168
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 5:29 p.m. | 37 views

Security Bulletin: A security vulnerability has been identified in Apache Solr shipped with IBM Operations Analytics - Log Analysis (CVE-2023-36478)

Summary There is a potential denial of service in Eclipse Jetty that is used by Apache Solr shipped with IBM Operations Analytics - Log Analysis. Vulnerability Details CVEID:CVE-2023-36478 DESCRIPTION: Eclipse Jetty is vulnerable to a denial of service, caused by an integer overflow and buffer...

CVSS 7.5 | AI score 7.5 | EPSS 0.03754
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 5:15 p.m. | 44 views

Security Bulletin: A Bouncy Castle vulnerability has been identified in Apache Solr and Logstash shipped with IBM Operations Analytics - Log Analysis (CVE-2023-33201)

Summary There is a potential injection vulnerability in Bouncy Castle that is used by Apache Solr and Logstash. This has been addressed. Vulnerability Details CVEID:CVE-2023-33201 DESCRIPTION: The Bouncy Castle Crypto Package For Java bc-java could allow a remote attacker to obtain sensitive...

CVSS 5.3 | AI score 6.1 | EPSS 0.00642
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 3:24 p.m. | 22 views

Security Bulletin: Multiple vulnerabilities affect Apache Solr, Apache Zookeeper and Logstash shipped with IBM Operations Analytics - Log Analysis

Summary The following security issues have been identified in the Netty component included as part of the Apache Solr, Apache Zookeeper and Logstash products. Vulnerability Details CVEID:CVE-2023-34462 DESCRIPTION: Netty is vulnerable to a denial of service, caused by a flaw with allocating up to 16MB of...

CVSS 7.4 | AI score 7.7 | EPSS 0.02459
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 1:39 p.m. | 21 views

Security Bulletin: A vulnerability in Ruby on Rails affects IBM License Metric Tool v9 (CVE-2024-26144).

Summary There is a vulnerability in the Ruby on Rails open source component used by IBM License Metric Tool. The vulnerability could allow a remote attacker to obtain some sensitive information. Vulnerability Details CVEID:CVE-2024-26144 DESCRIPTION: Rails could allow a remote attacker to obtain...

CVSS 5.3 | AI score 5.2 | EPSS 0.01119
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 1:38 p.m. | 31 views

Security Bulletin: Security vulnerabilities in Apache Commons Compress affects IBM License Metric Tool v9.

Summary There are vulnerabilities in Apache Commons Compress library that is used by IBM License Metric Tool. Vulnerability Details CVEID:CVE-2024-25710 DESCRIPTION: Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a...

CVSS 8.1 | AI score 7 | EPSS 0.00898
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 1:36 p.m. | 63 views

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9.

Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 used by IBM License Metric Tool. These issues were disclosed as part of the IBM Java SDK updates in Jan 2024. Vulnerability Details CVEID:CVE-2024-20952 DESCRIPTION: An unspecified vulnerability in Java SE...

CVSS 7.5 | AI score 7.1 | EPSS 0.01026
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 1:26 p.m. | 54 views

Security Bulletin: Multiple vulnerabilities in Apache Solr, Apache Zookeeper and Logstash shipped with IBM Operations Analytics - Log Analysis (CVE-2023-43642, CVE-2023-34454, CVE-2023-34453, CVE-2023-34455)

Summary snappy-java in Apache Solr, Apache Zookeeper and Logstash is vulnerable to a denial of service. This has been addressed. Vulnerability Details CVEID:CVE-2023-34454 DESCRIPTION: snappy-java is vulnerable to a denial of service, caused by an integer overflow in the compress function. By...

CVSS 7.5 | AI score 7 | EPSS 0.01466
Exploits: 3 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 12:3 p.m. | 36 views

Security Bulletin: There are vulnerabilities in Golang related packages that are shipped with IBM CICS TX Advanced (CVE-2023-45285 and CVE-2023-39326).

Summary There are vulnerabilities in Golang related packages that are shipped with IBM CICS TX Advanced. An update to IBM CICS TX Advanced has been released to address these vulnerabilities. Vulnerability Details CVEID:CVE-2023-39326 DESCRIPTION: Golang Go could allow a remote attacker to obtain...

CVSS 7.5 | AI score 7 | EPSS 0.01208
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 12:0 p.m. | 37 views

Security Bulletin: IBM Security Verify Governance - Identity Manager, Software component has multiple vulnerabilities

Summary Multiple security vulnerabilities have been addressed in IBM Security Verify Governance - Identity Manager, Software component. Vulnerability Details CVEID:CVE-2020-11023 DESCRIPTION: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the...

CVSS 7.5 | AI score 7.9 | EPSS 0.99019
Exploits: 16 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 11:50 a.m. | 41 views

Security Bulletin: IBM Db2 and IBM Java SDK used by IBM Security Verify Governance - Identity Manager have multiple vulnerabilities

Summary Information about security vulnerabilities affecting IBM DB2 and IBM Java has been published in security bulletins. IBM Security Verify Governance - Identity Manager ships with IBM DB2 and IBM Java SDK. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes...

CVSS 8.4 | AI score 7.9 | EPSS 0.09149
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 10:24 a.m. | 39 views

Security Bulletin: IBM App Connect Enterprise is vulnerable to a remote attacker due to node.js package IP [CVE-2023-42282]

Summary IBM App Connect Enterprise is vulnerable to a remote attacker due to node.js package IP. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2023-42282 DESCRIPTION: Node.js IP package could allow a remote attacker to execute arbitrary...

CVSS 9.8 | AI score 9.3 | EPSS 0.01613
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 8:48 a.m. | 35 views

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2024-20952, CVE-2024-20918, CVE-2024-20921, CVE-2024-20919, CVE-2024-20926, CVE-2024-20945, CVE-2023-33850)

Summary There are multiple vulnerabilities in IBM SDK Java Technology Edition used by IBM Tivoli System Automation Application Manager. Vulnerability Details CVEID:CVE-2024-20952 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker t...

CVSS 7.5 | AI score 6.9 | EPSS 0.01026
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/18 2:18 p.m. | 47 views

Security Bulletin: IBM Cloud Pak for Data Scheduling contains a vulnerable yq package. [CVE-2023-39320, CVE-2023-39321 and CVE-2023-39322]

Summary Yq is used by IBM Cloud Pak for Data Scheduling as part of the Ansible operator used for installation of the Scheduler. This bulletin identifies the steps to take to address the below vulnerabilities. Vulnerability Details CVEID:CVE-2023-39320 DESCRIPTION: Golang Go could allow a remote...

CVSS 9.8 | AI score 8.3 | EPSS 0.01413
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/18 2:14 p.m. | 59 views

Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to multiple ansible-operator and opm vulnerabilities

Summary Ansible-operator and opm are used by IBM Cloud Pak for Data Scheduling as part of the ibm-cpd-scheduling-operator and ibm-cpd-scheduler-operator-catalog image used for installation of the Scheduler. This bulletin identifies the steps to take to address the below vulnerabilities...

CVSS 9.8 | AI score 9.3 | EPSS 0.01837
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/15 6:48 p.m. | 45 views

Security Bulletin: Multiple vulnerabilities in Open JDK affecting Rational Functional Tester / DevOps Test UI

Summary There are multiple vulnerabilities in Open JDK Version 8, OpenJ9 used by Rational Functional Tester RFT / DevOps Test UI. RFT has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2024-20952 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security componen...

CVSS 7.4 | AI score 6.7 | EPSS 0.01026
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/15 6:17 p.m. | 13 views

Security Bulletin: Log Analysis is susceptible to a vulnerability in Apache Solr

Summary There is a jose4j vulnerability in Apache Solr. This has been addressed. Vulnerability Details IBM X-Force ID: 254437 DESCRIPTION: Jose4J could allow a remote attacker to obtain sensitive information, caused by a chosen ciphertext attack in RSA1_5. By using cryptographic attack techniques, an...

AI score 6.6
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/15 6:11 p.m. | 12 views

Security Bulletin: Potential Vulnerability in Apache Solr affects IBM Operations Analytics - Log Analysis

Summary There is a potential XXE vulnerability in Apache Solr. This has been addressed. Vulnerability Details IBM X-Force ID: 261776 DESCRIPTION: Eclipse Jetty is vulnerable to server-side request forgery, caused by improper handling of XML external entity XXE declarations by the XmlParser. By...

AI score 6.7
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/15 6:4 p.m. | 56 views

Security Bulletin: Potential vulnerability in Eclipse Jetty used by Apache Solr affects IBM Operations Analytics - Log Analysis (CVE-2023-36479)

Summary Eclipse Jetty in Apache Solr could provide weaker than expected security. This has been addressed. Vulnerability Details CVEID:CVE-2023-36479 DESCRIPTION: Eclipse Jetty could provide weaker than expected security, caused by an errant command quoting flaw in the...

CVSS 3.5 | AI score 4.8 | EPSS 0.01006
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2024/03/15 5:59 p.m. | 31 views

Security Bulletin: Vulnerability in Apache Solr, Apache Zookeeper and Logstash affect IBM Operations Analytics - Log Analysis (CVE-2023-34462)

Summary There is a Netty vulnerability in Apache Solr, Apache Zookeeper and Logstash that affects IBM Operations Analytics - Log Analysis. This has been addressed. Vulnerability Details CVEID:CVE-2023-34462 DESCRIPTION: Netty is vulnerable to a denial of service, caused by a flaw with allocating up...

CVSS 6.5 | AI score 7 | EPSS 0.02459
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2024/03/15 5:52 p.m. | 44 views

Security Bulletin: Eclipse Jetty vulnerability in Apache Solr and Apache ZooKeeper bundled with IBM Operations Analytics - Log Analysis (CVE-2023-26049)

Summary Information disclosure vulnerability in Eclipse Jetty that is used by Apache Solr and Apache ZooKeeper. Log Analysis has addressed the vulnerability. Vulnerability Details CVEID:CVE-2023-26049 DESCRIPTION: Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive...

CVSS 5.3 | AI score 4.6 | EPSS 0.013
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/15 5:46 p.m. | 31 views

Security Bulletin: A vulnerability has been identified in Apache Solr and Apache Zookeeper shipped with IBM Operations Analytics - Log Analysis (CVE-2023-26048)

Summary There is a potential vulnerability in Eclipse Jetty that is used by Apache Solr and Apache ZooKeeper. This has been addressed. Vulnerability Details CVEID:CVE-2023-26048 DESCRIPTION: Eclipse Jetty is vulnerable to a denial of service, caused by an out of memory flaw in the...

CVSS 5.3 | AI score 5.5 | EPSS 0.0326
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/15 5:41 p.m. | 39 views

Security Bulletin: Vulnerability in Apache Solr affects IBM Operations Analytics - Log Analysis (CVE-2023-40167)

Summary There is a potential HTTP request smuggling vulnerability in Apache Solr. This has been addressed. Vulnerability Details CVEID:CVE-2023-40167 DESCRIPTION: Jetty is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP/1 request header. By sending a specially crafted...

CVSS 5.3 | AI score 6.2 | EPSS 0.01069
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/15 5:40 p.m. | 37 views

Security Bulletin: IBM Transformation Extender Advanced is vulnerable to multiple issues due to IBM WebSphere Application Server Liberty.

Summary IBM Transformation Extender Advanced, previously known as IBM Standards Processing Engine, uses IBM WebSphere Application Server Liberty. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2023-24998 DESCRIPTION: Apache Commons...

CVSS 7.5 | AI score 8 | EPSS 0.99999
Exploits: 20 | Affected Software: 1

IBM Security Bulletins
added 2024/03/15 5:36 p.m. | 25 views

Security Bulletin: Google Guava vulnerability in Apache Solr and Logstash bundled with IBM Operations Analytics - Log Analysis (CVE-2023-2976)

Summary There is an information disclosure vulnerability in Google Guava that is used by Apache Solr and Logstash. This has been addressed. Vulnerability Details CVEID:CVE-2023-2976 DESCRIPTION: Google Guava could allow a local authenticated attacker to obtain sensitive information, caused by a fl...

CVSS 7.1 | AI score 5.8 | EPSS 0.00248
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/15 5:26 p.m. | 52 views

Security Bulletin: Vulnerability in Apache Solr affect IBM Operations Analytics - Log Analysis (CVE-2023-50290)

Summary Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr Vulnerability Details CVEID:CVE-2023-50290 DESCRIPTION: Apache Solr could allow a remote authenticated attacker to obtain sensitive information, caused by improper authorization validation. By sending ...

CVSS 6.5 | AI score 6.4 | EPSS 0.68665
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/15 1:58 p.m. | 36 views

Security Bulletin: IBM Instana Observability for Synthetic PoP is affected by vulnerabilities in vm2

Summary Vulnerabilities in vm2 were addressed in IBM Observability with Instana for Synthetic PoP build 256 CVE-2023-37903, CVE-2023-37466 Vulnerability Details CVEID:CVE-2023-37903 DESCRIPTION: Node.js vm2 module could allow a remote attacker to execute arbitrary code on the system, caused by a...

CVSS 10 | AI score 10 | EPSS 0.03301
Exploits: 5 | Affected Software: 1

IBM Security Bulletins
added 2024/03/15 1:52 p.m. | 53 views

Security Bulletin: IBM Observability with Instana using third-party Kubernetes Operators is affected by Multiple Security Vulnerabilities

Summary Multiple vulnerabilities were remediated in IBM Observability with Instana using third-party Kubernetes Operators build 267 Vulnerability Details CVEID:CVE-2024-20919 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause hi...

CVSS 7.5 | AI score 8.3 | EPSS 0.00857
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2024/03/15 1:50 p.m. | 75 views

Security Bulletin: IBM Instana Observability is affected by Vulnerabilities in Puma and Amazon Ion.

Summary Vulnerabilities in Puma and Amazon Ion were remediated in IBM Observability with Instana build 266. Vulnerability Details CVEID:CVE-2024-21647 DESCRIPTION: Puma is vulnerable to a denial of service, caused by incorrect behavior when parsing chunked transfer encoding bodies. By sending a...

CVSS 7.5 | AI score 7.2 | EPSS 0.00958
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/15 1:49 p.m. | 41 views

Security Bulletin: IBM App Connect Enterprise is vulnerable to a denial of service due to json-path [CVE-2023-51074]

Summary The Transformation Advisor Tool in IBM App Connect Enterprise is vulnerable to a denial of service due to json-path. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2023-51074 DESCRIPTION: json-path is vulnerable to a denial of...

CVSS 5.3 | AI score 5.8 | EPSS 0.0067
Exploits: 1 | Affected Software: 1

Total number of security vulnerabilities: 35097