Security Bulletin: Vulnerabilities in Java affect IBM Cloud Application Business Insights - Quarterly Java Update, CVE-2023-22081, CVE-2023-22067, CVE-2023-5676
Summary Vulnerabilities in Java affect IBM Cloud Application Business Insights - Quarterly Java Update, CVE-2023-22081, CVE-2023-22067, CVE-2023-5676 Vulnerability Details CVEID:CVE-2023-22081 DESCRIPTION: An unspecified vulnerability in Java SE related to the JSSE component could allow ...
Security Bulletin: There are multiple vulnerabilities in the IBM SDK, Java Technology Edition that is shipped with IBM CICS TX Advanced (CVE-2023-22081, CVE-2023-22067, CVE-2023-5676, CVE-2023-22045 and CVE-2023-22049).
Summary There are multiple vulnerabilities in the IBM SDK, Java Technology Edition that is shipped with IBM CICS TX Advanced CVE-2023-22081, CVE-2023-22067, CVE-2023-5676, CVE-2023-22045 and CVE-2023-22049. An update to IBM CICS TX Advanced has been released to address these vulnerabilities...
Security Bulletin: There are multiple vulnerabilities in the IBM SDK, Java Technology Edition that is shipped with IBM CICS TX Standard (CVE-2023-22081, CVE-2023-22067, CVE-2023-5676, CVE-2023-22045 and CVE-2023-22049).
Summary There are multiple vulnerabilities in the IBM SDK, Java Technology Edition that is shipped with IBM CICS TX Standard CVE-2023-22081, CVE-2023-22067, CVE-2023-5676, CVE-2023-22045 and CVE-2023-22049. An update to IBM CICS TX Standard has been released to address these vulnerabilities...
Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in VMware Tanzu Spring Framework [CVE-2023-20861, CVE-2023-20860]
Summary Multiple vulnerabilities in VMware Tanzu Spring Framework used by InfoSphere Information Server were addressed. CVE-2023-20861, CVE-2023-20860 Vulnerability Details CVEID:CVE-2023-20861 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service. By sending a specially...
Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to a denial of service [CVE-2023-34462]
Summary Netty is used by the IBM Datapower Operations Dashboard in its network protocol infrastructure. Vulnerability Details CVEID:CVE-2023-34462 DESCRIPTION: Netty is vulnerable to a denial of service, caused by a flaw with allocating up to 16MB of heap for each channel during the TLS handshake...
Security Bulletin: IBM Facsimile Support for i is vulnerable to a local user gaining elevated privileges due to an unqualified library call (CVE-2023-43064)
Summary IBM Facsimile Support for i is vulnerable to a local user gaining elevated privileges due to an unqualified library call as described in the vulnerability details section. IBM Facsimile Support for i has addressed the vulnerability with a fix as described in the remediation/fixes section...
Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to a denial of service caused by a bug in the parser [CVE-2023-5072]
Summary JSON-java is used by the IBM Datapower Operations Dashboard in its parsing infrastructure. Vulnerability Details CVEID:CVE-2023-5072 DESCRIPTION: JSON-java is vulnerable to a denial of service, caused by a bug in the parser. By sending a specially crafted request, a remote attacker could...
Security Bulletin: Multiple Security Vulnerabilities were identified in IBM Security Verify Access
Summary There were multiple Security Vulnerabilities that were reported against IBM Security Verify Access. These have been addressed in IBM Security Verify Access updates. Vulnerability Details CVEID:CVE-2023-31003 DESCRIPTION: IBM Security Access Manager Container IBM Security Verify Access...
Security Bulletin: Multiple vulnerabilities affect IBM® SDK, Java™ Technology Edition
Summary This bulletin covers all applicable Java SE CVEs published by Oracle as part of their January 2024 Critical Patch Update, plus CVE-2023-33850. For more information please refer to Oracle's January 2024 CPU Advisory and the X-Force database entries referenced below. Vulnerability Details...
Security Bulletin: Multiple vulnerabilities affect IBM® Semeru Runtime
Summary This bulletin covers all applicable Java SE CVEs published by OpenJDK as part of their January 2024 Vulnerability Advisory, plus CVE-2024-22361. For more information please refer to OpenJDK's January 2024 Vulnerability Advisory and the X-Force database entries referenced below...
Security Bulletin: IBM Rational Developer for i is vulnerable to a phishing attack due to a flaw in follow-redirects (CVE-2023-26159).
Summary IBM Rational Developer for i contains Code Coverage functionality which has a browser interface. The browser interface utilizes follow-redirects, which could allow a remote attacker to conduct phishing attacks (CVE-2023-26159). This bulletin identifies the steps to take to address the...
Security Bulletin: Vulnerabilities in Axios, Node.js, VMWare tools, and Linux Kernel might affect IBM Storage Defender – Data Protect.
Summary IBM Storage Defender – Data Protect is vulnerable to issues that can result in denial of service attacks, cross-site scripting, execution of arbitrary code, gaining elevated privileges, low integrity and confidentiality impacts, and the ability to obtain sensitive information. The vulnerabiliti...
Security Bulletin: Kubernetes secrets in IBM Storage Defender Connection Manager on-prem environment are not encrypted by default (CVE-2023-50957, CVE-2024-22312, CVE-2024-22313)
Summary Kubernetes secrets in the IBM Storage Defender Connection Manager on-premises environment OVA are obfuscated using base64 encoding instead of being encrypted. An attacker who has gained root access to the environment can read the secrets from the Kubernetes configuration. The...
Security Bulletin: Vulnerability in jetty-http affects IBM Cloud Pak for Data System 1.0 (CPDS 1.0) [CVE-2023-40167].
Summary The jetty-http package is used by IBM Cloud Pak for Data System 1.0. IBM Cloud Pak for Data System 1.0 has addressed the applicable CVE CVE-2023-40167. Vulnerability Details CVEID:CVE-2023-40167 DESCRIPTION: Jetty is vulnerable to HTTP request smuggling, caused by improper parsing of the...
Security Bulletin: IBM Sterling Transformation Extender is vulnerable to multiple issues in IBM Java Runtime Environment
Summary IBM Sterling Transformation Extender is vulnerable to multiple issues in IBM Java Runtime Environment Vulnerability Details CVEID:CVE-2023-22081 DESCRIPTION: An unspecified vulnerability in Java SE related to the JSSE component could allow a remote attacker to cause no confidentiality...
Security Bulletin: Multiple Vulnerabilities affect IBM Watson Machine Learning Accelerator 3.5.0 for Cloud Pak for Data 4.6.5
Summary IBM Watson Machine Learning Accelerator 3.5.0 for Cloud Pak for Data 4.6.5 is affected by multiple vulnerabilities. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2022-3697 DESCRIPTION: Ansible Collections Amazon AWS Collection...
Security Bulletin: IBM Cloud Pak System is vulnerable to brute force account credentials attack [CVE-2023-38273]
Summary IBM Cloud Pak System uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials CVE-2023-38273 Vulnerability Details CVEID:CVE-2023-38273 DESCRIPTION: IBM Cloud Pak System uses an inadequate account lockout setting that could allow a...
Security Bulletin: IBM i Access Client Solutions is vulnerable to remote credential theft when NTLM is enabled on Windows workstations
Summary IBM i Access Client Solutions (ACS) is vulnerable to remote credential theft when NT LAN Manager (NTLM) is enabled on Windows workstations (CVE-2024-22318). Since IBM i Access Client Solutions allows Universal Naming Convention (UNC) paths in its configuration files, if a path is modified to poin...
Security Bulletin: IBM® Db2® is vulnerable to denial of service with a specially crafted query (CVE-2023-47158)
Summary If you use IBM® Db2® as your database in your IBM Datacap deployment, please follow the Db2 security bulletin referred to in the title to remedy the vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions...
Security Bulletin: Struts Vulnerability - Order Management does contain the Struts code and it is vulnerable with lower risk [CVE-2023-50164]
Summary Order Management does contain the Struts code and it is vulnerable CVE-2023-50164, however the specific code related to the vulnerability is not in use, therefore the risk is lower. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining 1.14.3 IF001
Summary The following security vulnerabilities are addressed with IBM Process Mining 1.14.3 IF001 Vulnerability Details CVEID:CVE-2023-46589 DESCRIPTION: Apache Tomcat is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP trailer headers. By sending a specially crafted...
Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to a denial of service caused by an unsafe deserialization flaw
Summary Apache Johnzon is used by the IBM Datapower Operations Dashboard in its JSON processing. Vulnerability Details CVEID:CVE-2023-33008 DESCRIPTION: Apache Johnzon is vulnerable to a denial of service, caused by an unsafe deserialization flaw in BigDecimal. By sending a specially crafted JSON...
Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security. (CVE-2023-46158)
Summary IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling. IBM X-Force ID: 268775. Vulnerability Details CVEID:CVE-2023-46158 DESCRIPTION: IBM...
Security Bulletin: IBM PowerVM Novalink is vulnerable because multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. (CVE-2023-44487)
Summary IBM PowerVM Novalink is vulnerable because multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams, a remote attacker could exploit this...
Security Bulletin: IBM PowerVM Novalink is vulnerable because Apache Santuario could allow a remote authenticated attacker to obtain sensitive information, caused by the storage of a private key in the log files. (CVE-2023-44483)
Summary IBM PowerVM Novalink is vulnerable because Apache Santuario could allow a remote authenticated attacker to obtain sensitive information, caused by the storage of a private key in the log files when using the JSR 105 API. By gaining access to the log files, an attacker could exploit this...
Security Bulletin: Datapower Operations Dashboard Multiple Vulnerabilities in Apache Tomcat
Summary IBM has addressed the CVEs. Vulnerability Details CVEID:CVE-2023-45648 DESCRIPTION: Apache Tomcat is vulnerable to HTTP request smuggling, caused by improper parsing of HTTP trailer headers. By sending a specially crafted invalid trailer header, an attacker could exploit this vulnerability...
Security Bulletin: IBM DataPower Gateway vulnerable to unauthorized access in Redis
Summary Redis is used in gateway peering, B2B and rate-limiting. IBM has updated Redis to address the vulnerability. Vulnerability Details CVEID:CVE-2023-45145 DESCRIPTION: Redis could allow a local authenticated attacker to bypass security restrictions, caused by a race condition when a permissi...
Security Bulletin: IBM Sterling Control Center vulnerable to denial of service due to Spring Boot and remote code execution due to Spring Framework
Summary IBM Sterling Control Center containerized image uses VMWare Tanzu Spring Boot and Pivotal Spring Framework. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2023-20883 DESCRIPTION: VMware Tanzu Spring Boot is vulnerable to a denial...
Security Bulletin: The IBM Integration Bus for z/OS AdminAPI is vulnerable to a denial of service vulnerability (CVE-2024-22332).
Summary The IBM Integration Bus for z/OS AdminAPI is vulnerable to a denial of service vulnerability CVE-2024-22332. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2024-22332 DESCRIPTION: The IBM Integration Bus for z/OS AdminAPI is...
Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing does not support container authentication from 7.0.3
Summary IBM Engineering Lifecycle Optimization - Publishing does not support container authentication from 7.0.3. Vulnerability Details CVEID:CVE-2023-45187 DESCRIPTION: IBM Engineering Lifecycle Optimization - Publishing does not invalidate session after logout which could allow an authenticated...
Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to a denial of service and integrity impact due to multiple vulnerabilities.
Summary IBM® SDK Java™ Technology Edition and IBM® Runtime Environment Java™ used by IBM i are vulnerable to a remote attacker causing a denial of service (CVE-2023-22081 and CVE-2023-5676) and an integrity impact (CVE-2023-22067) as described in the vulnerability details section. This bulletin...
Security Bulletin: IBM MaaS360 Cloud Extender Agent, Mobile Enterprise Gateway and VPN Module affected by multiple vulnerabilities
Summary Vulnerabilities contained within OpenVPN, a 3rd-party component, and OpenSSL were addressed in the IBM MaaS360 Cloud Extender Agent and VPN Modules. Vulnerabilities contained within Eclipse Jetty and Netty, 3rd-party components, were addressed in the IBM MaaS360 Mobile Enterprise Gateway...
Security Bulletin: Vulnerability in Apache Derby affects IBM Cloud Pak System [CVE-2022-46337]
Summary Vulnerability in Apache Derby affects IBM Cloud Pak System (CVE-2022-46337). This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2022-46337 DESCRIPTION: Apache Derby could allow a remote attacker to bypass security restrictions, caused by ...
Security Bulletin: There are multiple vulnerabilities in IBM Db2 bundled with IBM Operations Analytics Predictive Insights
Summary IBM Operations Analytics Predictive Insights is vulnerable to denial of service, remote code execution, information disclosure and other vulnerabilities due to the bundled product IBM® Db2. This bulletin identifies the steps to address the vulnerabilities. Vulnerability Details Refer to the...
Security Bulletin: IBM MQ is affected by a vulnerability in the IBM Runtime Environment, Java Technology Edition.
Summary An issue was identified with IBM Runtime Environment, Java Technology Edition, Version 8 which is shipped with IBM MQ for Solaris. Vulnerability Details CVEID:CVE-2023-22045 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to...
Security Bulletin: IBM Spectrum Conductor with Netty is vulnerable to a denial of service
Summary IBM Spectrum Conductor with Netty is vulnerable to a denial of service. Vulnerability Details CVEID:CVE-2023-34462 DESCRIPTION: Netty is vulnerable to a denial of service, caused by a flaw with allocating up to 16MB of heap for each channel during the TLS handshake in the SniHandler class. By...
Security Bulletin: Vulnerabilities in Pallets Werkzeug, urllib3 and Cryptography [CVE-2023-46136, CVE-2023-45803, CVE-2023-49083]
Summary IBM Storage Protect Plus Microsoft File Systems Backup and Restore can be affected by vulnerabilities in Pallets Werkzeug, urllib3 and Cryptography, which include denial of service and obtaining sensitive information, as described by the CVEs in the "Vulnerability Details" section. These...
Security Bulletin: IBM Asset Data Dictionary Component uses json-path-2.6.0.jar which is vulnerable to CVE-2023-51074.
Summary IBM Asset Data Dictionary Component uses json-path-2.6.0.jar which is vulnerable to CVE-2023-51074. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2023-51074 DESCRIPTION: json-path is vulnerable to a denial of service, cause...
Security Bulletin: IBM Asset Data Dictionary Component uses logback-classic-1.3.0-alpha16.jar which is vulnerable to CVE-2023-6378
Summary IBM Asset Data Dictionary Component uses logback-classic-1.3.0-alpha16.jar which is vulnerable to CVE-2023-6378. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2023-6378 DESCRIPTION: QOS.ch Sarl Logback is vulnerable to a...
Security Bulletin: IBM Maximo Application Suite uses tinymce-5.10.8.tgz which is vulnerable to CVE-2023-48219
Summary IBM Maximo Application Suite uses tinymce-5.10.8.tgz which is vulnerable to CVE-2023-48219. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2023-48219 DESCRIPTION: TinyMCE is vulnerable to cross-site scripting, caused by...
Security Bulletin: IBM Maximo Application Suite uses urllib3-1.26.14-py2.py3-none-any.whl which is vulnerable to CVE-2023-43804.
Summary IBM Maximo Application Suite uses urllib3-1.26.14-py2.py3-none-any.whl which is vulnerable to CVE-2023-43804. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2023-43804 DESCRIPTION: urllib3 could allow a remote authenticated...
Security Bulletin: This Power System update is being released to address CVE-2023-46183
Summary A vulnerability was identified where sensitive partition data controlled by PowerVM may be accessible to a system administrator. Vulnerability Details CVEID:CVE-2023-46183 DESCRIPTION: IBM PowerVM Hypervisor could allow a system administrator to obtain sensitive partition information. CVSS...
Security Bulletin: IBM Spectrum Conductor with Google Guava versions 1.0 to 31.1 is vulnerable to unintended access to the Java temporary directory
Summary IBM Spectrum Conductor with Google Guava versions 1.0 to 31.1 is vulnerable to unintended access to the Java temporary directory. Vulnerability Details CVEID:CVE-2023-2976 DESCRIPTION: Google Guava could allow a local authenticated attacker to obtain sensitive information, caused by a flaw with using...
Security Bulletin: IBM Spectrum Symphony with Google Guava versions 1.0 to 31.1 is vulnerable to unintended access to the Java temporary directory
Summary IBM Spectrum Symphony with Google Guava versions 1.0 to 31.1 is vulnerable to unintended access to the Java temporary directory. Vulnerability Details CVEID:CVE-2023-2976 DESCRIPTION: Google Guava could allow a local authenticated attacker to obtain sensitive information, caused by a flaw with using...
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to a PyArrow arbitrary code execution vulnerability (CVE-2023-47248)
Summary A potential PyArrow arbitrary code execution vulnerability has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2023-47248 DESCRIPTION: PyArrow...
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to an Apache UIMA Java SDK arbitrary code execution vulnerability (CVE-2023-39913)
Summary A potential Apache UIMA Java SDK arbitrary code execution vulnerability has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2023-39913...
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to a urllib3 sensitive information disclosure vulnerability (CVE-2023-43804)
Summary A potential urllib3 sensitive information disclosure vulnerability has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2023-43804...
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to an Axios cross-site request forgery vulnerability (CVE-2023-45857)
Summary A potential Axios cross-site request forgery vulnerability has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2023-45857 DESCRIPTION: Axios ...
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple Elasticsearch vulnerabilities.
Summary Potential Elasticsearch vulnerabilities have been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerabilities have been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2023-31419 DESCRIPTION: Elasticsearch is...
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Elasticsearch denial of service vulnerabilities.
Summary Potential Elasticsearch denial of service vulnerabilities have been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerabilities have been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2023-31418 DESCRIPTION: Elast...