Security Bulletin: Stored XSS executing on RPE report widget when run from within ETM
Summary: The stored XSS issue on the RPE report widget has been addressed in RPE and is no longer seen in IBM Engineering Test Management. Vulnerability Details CVEID:CVE-2023-43054 DESCRIPTION: IBM Engineering Test Management is vulnerable to stored cross-site scripting. This vulnerability allows users to...
Security Bulletin: There is a vulnerability in Asset Data Dictionary used by IBM Maximo Asset Management application (CVE-2023-44487, CVE-2022-41881, CVE-2022-41915, CVE-2021-42550, CVE-2023-34462, CVE-2023-6481 and CVE-2023-6378)
Summary There is a vulnerability in Asset Data Dictionary used by IBM Maximo Asset Management application CVE-2023-44487, CVE-2022-41881, CVE-2022-41915, CVE-2021-42550, CVE-2023-34462, CVE-2023-6481 and CVE-2023-6378 Vulnerability Details CVEID:CVE-2023-44487 DESCRIPTION: Multiple vendors are...
Security Bulletin: vulnerability in jackson-core might affect IBM Business Automation Workflow - PRISMA-2023-0067
Summary IBM Business Automation Workflow might be affected by a vulnerability in jackson-core. Vulnerability Details IBM X-Force ID: 256137 DESCRIPTION: FasterXML Jackson Core is vulnerable to a denial of service, caused by improper input validation by the StreamReadConstraints value field. By...
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in QOS.ch Sarl Logback
Summary IBM Watson Discovery Cartridge for IBM Cloud Pak for Data contains a vulnerable version of QOS.ch Sarl Logback Vulnerability Details CVEID:CVE-2023-6481 DESCRIPTION: QOS.ch Sarl Logback is vulnerable to a denial of service, caused by a serialization flaw in the logback receiver component...
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in follow-redirects
Summary IBM Watson Discovery Cartridge for IBM Cloud Pak for Data contains a vulnerable version of follow-redirects. Vulnerability Details CVEID:CVE-2023-26159 DESCRIPTION: follow-redirects could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An...
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Libtiff
Summary IBM Watson Discovery Cartridge for IBM Cloud Pak for Data contains a vulnerable version of Libtiff. Vulnerability Details CVEID:CVE-2023-30774 DESCRIPTION: LibTIFF is vulnerable to a denial of service, caused by a heap-based buffer overflow related to TIFFTAGINKNAMES and TIFFTAGNUMBEROFIN...
Security Bulletin: Multiple Vulnerabilities in IBM Cloud Pak for Multicloud Management
Summary Multiple vulnerabilities were addressed in IBM Cloud Pak for Multicloud Management version 2.3 Fix Pack 8 Vulnerability Details CVEID:CVE-2023-25577 DESCRIPTION: Pallets Werkzeug is vulnerable to a denial of service, caused by a flaw when parsing multipart form data with many fields. By...
Security Bulletin: IBM Cognos Command Center has addressed vulnerabilities IBM® Semeru Java™ Version 11, Apache ActiveMQ and Microsoft .Net MVC Framework for ASP.Net
Summary There are vulnerabilities in IBM® Semeru Java™ Version 11, Apache ActiveMQ and Microsoft .Net MVC Framework for ASP.Net used by IBM Cognos Command Center. IBM Cognos Command Center 10.2.5 IF1 has addressed the applicable CVEs by upgrading to non-vulnerable versions of these libraries...
Security Bulletin: IBM Cognos Dashboards on Cloud Pak for Data 4.8.3 has addressed security vulnerabilities
Summary IBM Cognos Dashboards on Cloud Pak for Data 4.8.3 resolves vulnerabilities reported in Node.js Babel CVE-2023-45133, Eclipse Jetty CVE-2023-36478, CVE-2023-44487, Node.js browserify-sign CVE-2023-46234 and OpenSSL CVE-2022-4304, CVE-2023-0215, CVE-2023-0286, CVE-2023-0466, CVE-2023-2650,...
Security Bulletin: IBM Planning Analytics Cartridge for IBM Cloud Pak for Data 4.8.3 has addressed security vulnerabilities
Summary IBM Planning Analytics Cartridge for IBM Cloud Pak for Data is affected, but not classified as vulnerable based on current information, by a vulnerability in go-jose XFID: 273242. This vulnerability has been addressed by upgrading to a non-vulnerable version of go-jose. Additionally, IBM...
Security Bulletin: requests-2.28.2-py3-none-any.whl (Publicly disclosed vulnerability found by Mend)
Summary Security Bulletin: requests-2.28.2-py3-none-any.whl Publicly disclosed vulnerability found by Mend - This has been fixed in MAS 8.11 in APM-PM-LIB Vulnerability Details CVEID:CVE-2023-32681 DESCRIPTION: python-requests could allow a remote attacker to obtain sensitive information, caused ...
Security Bulletin: Red Hat Universal Base Image Minimal UBI Publicly disclosed vulnerability
Summary Red Hat Universal Base Image Minimal UBI Publicly disclosed vulnerability, the ubi8 containers that the MAS Core team maintains will all be rebuilt using the latest ubi8 version that is available. Vulnerability Details CVEID:CVE-2023-3899 DESCRIPTION: Red Hat Enterprise Linux could allow ...
Security Bulletin: Multiple Vulnerabilities in CloudPak for AIOps
Summary Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.4.1 Vulnerability Details CVEID:CVE-2023-4641 DESCRIPTION: shadow-maint shadow-utils could allow a local authenticated attacker to obtain sensitive information, caused by failing to clean the buffer used to store...
Security Bulletin: Multiple Vulnerabilities in CloudPak for AIOps
Summary Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.4.1 Vulnerability Details CVEID:CVE-2023-50447 DESCRIPTION: Pillow could allow a remote attacker to execute arbitrary code on the system, caused by improper neutralization of user supplied-input by the...
Security Bulletin: IBM Spectrum Symphony with urllib3 could allow a remote authenticated attacker to obtain sensitive information
Summary IBM Spectrum Symphony with urllib3 could allow a remote authenticated attacker to obtain sensitive information Vulnerability Details CVEID:CVE-2023-43804 DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with cookie request...
Security Bulletin: IBM Spectrum Symphony with urllib3 could allow a remote authenticated attacker to obtain sensitive information
Summary IBM Spectrum Symphony with urllib3 could allow a remote authenticated attacker to obtain sensitive information Vulnerability Details CVEID:CVE-2023-45803 DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in not removing the...
Security Bulletin: IBM Spectrum Symphony with Fasterxml jackson-databind is vulnerable to a denial of service, caused by a stack-based overflow
Summary IBM Spectrum Symphony with Fasterxml jackson-databind is vulnerable to a denial of service, caused by a stack-based overflow Vulnerability Details CVEID:CVE-2023-35116 DESCRIPTION: Fasterxml jackson-databind is vulnerable to a denial of service, caused by a stack-based overflow. By...
Security Bulletin: IBM Spectrum Conductor with urllib3 could allow a remote authenticated attacker to obtain sensitive information
Summary IBM Spectrum Conductor with urllib3 could allow a remote authenticated attacker to obtain sensitive information Vulnerability Details CVEID:CVE-2023-45803 DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in not removing the...
Security Bulletin: IBM Spectrum Symphony with urllib3 could allow a remote attacker to obtain sensitive information
Summary IBM Spectrum Symphony with urllib3 could allow a remote attacker to obtain sensitive information Vulnerability Details CVEID:CVE-2018-25091 DESCRIPTION: urllib3 could allow a remote attacker to obtain sensitive information, caused by not removing the authorization HTTP header when followi...
Security Bulletin: IBM Common Licensing using IBM® SDK, Java™ Technology Edition vulnerable to CVEs
Summary Multiple vulnerabilities affect IBM® SDK, Java™ Technology Edition in IBM License Key Server Administration and Reporting Tool ART and Administration Agent. For more information please refer to Oracle's CPU Advisory and the X-Force database entries referenced below. Vulnerability Details...
Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty impact IBM Common Licensing
Summary Multiple vulnerabilities in IBM WebSphere Liberty impact IBM License Key Server Administration and Reporting Tool and IBM LKS Administration Agent. Vulnerability Details CVEID:CVE-2022-34165 DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere Application...
Security Bulletin: IBM Maximo Application Predict Component uses WebSphere Application Server Liberty is vulnerable to information disclosure due to Apache Santuario which is vulnerable to CVE-2023-44483
Summary IBM Maximo Application Predict Component uses WebSphere Application Server Liberty, which is vulnerable to information disclosure due to Apache Santuario (CVE-2023-44483). This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details...
Security Bulletin: IBM Maximo Application Predict Component uses OSS Scan - WebSphere Liberty is vulnerable to weaker than expected security which is vulnerable to CVE-2023-46158.
Summary IBM Maximo Application Predict Component uses WebSphere Liberty (identified by OSS scan), which is vulnerable to weaker than expected security (CVE-2023-46158). This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details...
Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2®. (Jan 2024 CPU)
Summary There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 7.1.5.20 and earlier, 8.0.8.15 and earlier used by IBM® Db2®. These issues were disclosed as part of the IBM Java SDK updates in January 2024. Vulnerability Details CVEID:CVE-2024-20952 DESCRIPTION: An unspecifie...
Security Bulletin: Follow-redirects is vulnerable to CVE-2023-26159 used in IBM Maximo Application Suite - Monitor Component
Summary IBM Maximo Application Suite - Monitor Component uses follow-redirects which is vulnerable to CVE-2023-26159. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2023-26159 DESCRIPTION: follow-redirects could allow a remote attacker to...
Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2024 - Includes Oracle January 2024 CPU plus CVE-2023-33850
Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 that are used by Maximo Asset Management, Maximo Industry Solutions including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas and Maximo for Utilities a...
Security Bulletin: urllib3 is vulnerable to CVE-2023-45803 used in IBM Maximo Application Suite - Monitor Component
Summary IBM Maximo Application Suite - Monitor Component uses urllib3 which is vulnerable to CVE-2023-45803. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2023-45803 DESCRIPTION: urllib3 could allow a remote authenticated attacker to obta...
Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to CVE-2023-46158 and CVE-2023-44483 used in IBM Maximo Application Suite - Monitor Component
Summary IBM Maximo Application Suite - Monitor Component uses IBM WebSphere Application Server Liberty which is vulnerable to CVE-2023-46158 and CVE-2023-44483. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2023-46158 DESCRIPTION: IBM...
Security Bulletin: Logback is vulnerable to CVE-2023-6481 and CVE-2023-6378 used in IBM Maximo Application Suite - Monitor Component
Summary IBM Maximo Application Suite - Monitor Component uses logback which is vulnerable to CVE-2023-6481 and CVE-2023-6378. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2023-6481 DESCRIPTION: QOS.ch Sarl Logback is vulnerable to a deni...
Security Bulletin: Json-path is vulnerable to CVE-2023-51074 used in IBM Maximo Application Suite - Monitor Component
Summary IBM Maximo Application Suite - Monitor Component uses json-path which is vulnerable to CVE-2023-51074. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2023-51074 DESCRIPTION: json-path is vulnerable to a denial of service, caused by...
Security Bulletin: Netty-codec-http2 is vulnerable to CVE-2023-44487 used in IBM Maximo Application Suite - Monitor Component
Summary IBM Maximo Application Suite - Monitor Component uses netty-codec-http2 which is vulnerable to CVE-2023-44487. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2023-44487 DESCRIPTION: Multiple vendors are vulnerable to a denial of...
Security Bulletin: PyArrow is vulnerable to CVE-2023-47248 used in IBM Maximo Application Suite - Monitor Component
Summary IBM Maximo Application Suite - Monitor Component uses PyArrow which is vulnerable to CVE-2023-47248. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2023-47248 DESCRIPTION: PyArrow could allow a remote authenticated attacker to...
Security Bulletin: Axios is vulnerable to CVE-2023-45857 used in IBM Maximo Application Suite - Monitor Component
Summary IBM Maximo Application Suite - Monitor Component uses Axios which is vulnerable to CVE-2023-45857. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2023-45857 DESCRIPTION: Axios is vulnerable to cross-site request forgery, caused by...
Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to a denial of service due to MiniZip (CVE-2023-45853)
Summary MiniZip, in IBM App Connect Enterprise and IBM Integration Bus for z/OS is vulnerable to a denial of service. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2023-45853 DESCRIPTION: MiniZip is vulnerable to a denial of service, caus...
Security Bulletin: IBM Operational Decision Manager for February 2024 - Multiple CVEs addressed
Summary IBM Operational Decision Manager is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2023-46158...
Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities
Summary IBM Cognos Analytics is affected and considered vulnerable, based on current information, to vulnerabilities in Open-Source Software OSS components consumed by IBM Cognos Analytics. IBM Cognos Analytics has addressed the applicable CVEs by upgrading or removing the vulnerable libraries...
Security Bulletin: Vulnerabilities in IBM Java included with IBM Tivoli Monitoring.
Summary Vulnerabilities in IBM® SDK Java™ Technology Edition that is shipped as part of multiple IBM Tivoli Monitoring ITM components. CVEs: CVE-2023-22067, CVE-2023-22081, CVE-2023-33850, CVE-2023-5676, CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20926, CVE-2024-20945 and...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in jQuery UI (CVE-2022-31160)
Summary A cross-site scripting vulnerability in jQuery UI used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2022-31160 DESCRIPTION: jQuery UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the check-box-radio...
Security Bulletin: IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2023-50303)
Summary A cross-site scripting vulnerability in IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2023-50303 DESCRIPTION: IBM InfoSphere Information Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in t...
Security Bulletin: IBM OpenPages is affected by multiple security vulnerabilities of DB2 Database Server
Summary IBM® Db2® Database Server is shipped as a supporting program of IBM OpenPages. Information about security vulnerabilities affecting IBM Db2 Database Server has been published in multiple security bulletins. Vulnerability Details Refer to the security bulletins listed in the...
Security Bulletin: IBM Security SOAR is using a component with multiple known vulnerabilities (CVE-2023-22081, CVE-2023-22067, CVE-2023-5676)
Summary IBM Security SOAR uses an older version of Java that may be identified and exploited. An update has been released which addresses these issues. It is recommended that customers upgrade to Version 51.0.0.2 or later of IBM Security SOAR. AppHost users should upgrade to version 1.15.1.1...
Security Bulletin: IBM Security SOAR is using a component with multiple known vulnerabilities
Summary IBM Security SOAR uses an older version of Java that may be identified and exploited. An update has been released which addresses these issues. It is recommended upgrading to Version 50.2 or later of IBM Security SOAR. AppHost users should upgrade to version 1.15.1.1 of AppHost...
Security Bulletin: IBM Sterling Connect:Direct for UNIX is vulnerable to an unspecified vulnerability and denial of service due to IBM Runtime Environment Java Technology Edition
Summary IBM Java is used by IBM Sterling Connect:Direct for UNIX on AIX, Linux, and Solaris platforms in product configuration, management, and data transmission. IBM Sterling Connect:Direct for UNIX on AIX, Linux, and Solaris platforms is impacted by an unspecified vulnerability and denial of...
Security Bulletin: IBM Cognos Transformer is affected by security vulnerabilities
Summary There are vulnerabilities in Apache Xalan, Apache Commons Codec, IBM® Java™ Version 8, and OpenSSL that are consumed by IBM Cognos Transformer. These have been addressed by upgrading or removing the vulnerable libraries. Please refer to the table in the Related Information section for...
Security Bulletin: IBM Aspera Console 3.4.2 PL7 has addressed multiple vulnerabilities (CVE-2022-37436, CVE-2021-34798)
Summary This Security Bulletin addresses security vulnerabilities that have been remediated CVE-2022-37436, CVE-2021-34798 in IBM Aspera Console 3.4.2 PL7. Vulnerability Details CVEID:CVE-2022-37436 DESCRIPTION: Apache HTTP Server is vulnerable to HTTP response splitting attacks, caused by the us...
Security Bulletin: OpenSSH for IBM i is vulnerable to an attacker executing arbitrary commands due to improper validation. [CVE-2023-51385]
Summary OpenSSH used by IBM i is vulnerable to an attacker executing arbitrary commands due to improper validation as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerability as described in the remediation/fixes section below...
Security Bulletin: AIX is vulnerable to arbitrary command execution due to Perl (CVE-2024-25021, CVE-2023-47038, CVE-2023-47100)
Summary Vulnerabilities in AIX's Perl could allow an attacker to execute arbitrary commands CVE-2024-25021, CVE-2023-47038, CVE-2023-47100 AIX uses Perl in various operating system components. Vulnerability Details CVEID:CVE-2024-25021 DESCRIPTION: IBM AIX's Perl implementation could allow a...
Security Bulletin: IBM Sterling Connect:Direct Browser User Interface has multiple vulnerabilities due to IBM Java
Summary Sterling Connect:Direct Browser User Interface uses IBM® Runtime Environment Java™ Versions. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2023-22081 DESCRIPTION: An unspecified vulnerability in Java SE related to the JSSE...
Security Bulletin: IBM Sterling Connect:Direct Browser User Interface has multiple vulnerabilities due to IBM Java
Summary Sterling Connect:Direct Browser User Interface uses IBM® Runtime Environment Java™ Versions. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2023-22045 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM compone...
Security Bulletin: IBM Planning Analytics Workspace is affected by vulnerabilities in multiple Open Source Software (OSS) components
Summary There are vulnerabilities in multiple Open Source Software OSS components consumed by IBM Planning Analytics Workspace. IBM Planning Analytics Workspace 2.0 Release 93 has addressed the applicable CVEs by upgrading or removing the vulnerable libraries. Please refer to the table in the...