Security Bulletin: Vulnerability in filelock affects IBM Netezza Appliance
Summary The filelock package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE CVE-2025-68146 Vulnerability Details CVEID:CVE-2025-68146 DESCRIPTION: filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a...
Security Bulletin: Vulnerability in Netty affects IBM Netezza Appliance
Summary The Netty package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE CVE-2025-58057 Vulnerability Details CVEID:CVE-2025-58057 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high...
Security Bulletin: Remediation of Multiple Spring Vulnerabilities in IBM Library Support for Spring
Summary Multiple Spring Vulnerabilities have been addressed in IBM Library Support for Spring Vulnerability Details CVEID:CVE-2025-41249 DESCRIPTION: The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized...
Security Bulletin: Remediation of Multiple Apache Struts 1.1 Vulnerabilities in IBM Library Support for Struts
Summary Multiple Apache Struts 1.1 Vulnerabilities have been addressed in IBM Library Support for Struts Vulnerability Details CVEID:CVE-2006-1546 DESCRIPTION: Apache Software Foundation ASF Struts before 1.2.9 allows remote attackers to bypass validation via a request with a...
Security Bulletin: Vulnerability in Java affects IBM Netezza Appliance
Summary The Java package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE CVE-2025-21502 Vulnerability Details CVEID:CVE-2025-21502 DESCRIPTION: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracl...
Security Bulletin: Remediation of Multiple Apache Struts 2.5.33 Vulnerabilities in IBM Library Support for Struts.
Summary EOL Apache Struts 2.5.33 vulnerability has been addressed in IBM Library Support for Struts. Vulnerability Details CVEID:CVE-2024-53677 DESCRIPTION: File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some...
Security Bulletin: Due to the use of go-redis, IBM watsonx.ai on Cloud Pak for Data is vulnerable to out of order response during time-outs
Summary IBM watsonx.ai on Cloud Pak for Data internally uses go-redis CVE-2025-29923 Vulnerability Details CVEID:CVE-2025-29923 DESCRIPTION: go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order...
Security Bulletin: Netty Vulnerability Affects IBM Watson Machine Learning on CP4D (CVE-2021-21295)
Summary Netty is vulnerable to HTTP request smuggling, caused by improper validation of Content-Length header by the Http2MultiplexHandler on IBM Watson Machine Learning on CP4D Vulnerability Details CVEID:CVE-2024-12798 DESCRIPTION: ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-cor...
Security Bulletin: Vulnerability in Perl affects IBM Netezza Appliance
Summary The Perl package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVEs CVE-2020-10543, CVE-2020-10878, CVE-2025-40909, CVE-2020-12723 Vulnerability Details CVEID:CVE-2020-10543 DESCRIPTION: Perl before 5.30.3 on 32-bit platforms allows a heap-based...
Security Bulletin: Vulnerability in Netty affects IBM Netezza Appliance
Summary The Netty package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE CVE-2025-55163 Vulnerability Details CVEID:CVE-2025-55163 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and...
Security Bulletin: IBM WebSphere Automation is affected by MongoDB security vulnerability
Summary IBM WebSphere Automation is affected by a MongoDB security vulnerability CVE-2025-14847. Vulnerability Details CVEID:CVE-2025-14847 DESCRIPTION: Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This...
Security Bulletin: Multiple security vulnerabilities in Java may affect IBM Robotic Process Automation
Summary Multiple security vulnerabilities in Java affect IBM Robotic Process Automation. Java is used by IBM Robotic Process Automation as part of metrics and licensing, and UMS. This bulletin identifies the fixes required to address these vulnerabilities. Vulnerability Details CVEID:CVE-2025-5005...
Security Bulletin: A vulnerability in axios affects IBM Robotic Process Automation and may result in a denial of service (CVE-2025-58754)
Summary A vulnerability in axios affects IBM Robotic Process Automation and may result in a denial of service. form-data is used by IBM Robotic Process Automation as part of the UI framework. This bulletin identifies the fixes required to address this vulnerability. Vulnerability Details...
Security Bulletin: A vulnerability in ASP.NET Core affects IBM Robotic Process Automation and could result in elevated privileges (CVE-2025-7326).
Summary A vulnerability in ASP.NET Core affects IBM Robotic Process Automation and could result in elevated privileges. ASP.NET Core is used by IBM Robotic Process Automation as part of its development framework. This security bulletin identifies the fixes required to resolve this vulnerability...
Security Bulletin: A security vulnerability in WebSphere Liberty affects IBM Robotic Process Automation for Cloud Pak (CVE-2020-36732).
Summary A security vulnerability in WebSphere Liberty affects IBM Robotic Process Automation for Cloud Pak. WebSphere Application Liberty is used by IBM Robotic Process Automation as part of Antivirus and Abbyy containers as well as UMS. This bulletin identifies the fixes required to address this...
Security Bulletin: IBM Sterling Connect:Direct for UNIX Container is affected by a vulnerability where hard-coded credentials are embedded in the product for its internal use.
Summary IBM Sterling Connect:Direct for UNIX Container requires a credential for Standard User Mode deployment. This fix removes the hard-coded credentials and uses a dynamically generated one during container initialization. Vulnerability Details CVEID:CVE-2025-14115 DESCRIPTION: IBM® Sterling...
Security Bulletin: Bouncy Castle for Java BC-FJA NativeLoader Resource Consumption Issue, affects watsonx.data
Summary Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 bc-fips API modules allows Excessive Allocation. This vulnerability is associated with program files org.Bouncycastle.Crypto.Fips.NativeLoader. This issue affects Boun...
Security Bulletin: Improper Drive Name Handling in Node.js path.join on Windows, affects watsonx.data
Summary A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root...
Security Bulletin: IBM Controller is vulnerable to exposure of sensitive information
Summary There is a vulnerability in IBM Controller due to the use of hardcoded cryptographic keys for signing session cookies. This Security Bulletin addresses CVE-2025-36326. Vulnerability Details CVEID:CVE-2025-36326 DESCRIPTION: IBM Controller could allow an attacker to obtain sensitive...
Security Bulletin: IBM Tivoli Business Service Manager is vulnerable to Deserialization of Untrusted Data due to Apache Commons Collections (CVE-2015-6420)
Summary Apache Commons Collections is shipped with IBM Tivoli Business Service Manager as part of its backend process to enhance Java operations. Information about a security vulnerability affecting Apache Commons Collections has been published in a security bulletin. Vulnerability Details...
Security Bulletin: AIX/VIOS is vulnerable to an out-of-bounds read (CVE-2025-9230, CVE-2025-9232) due to OpenSSL
Summary Vulnerabilities in OpenSSL could allow an attacker to trigger an out-of-bounds read CVE-2025-9230, CVE-2025-9232. OpenSSL is used by AIX as part of AIX's secure network communications. Vulnerability Details CVEID:CVE-2025-9230 DESCRIPTION: Issue summary: An application trying to decrypt C...
Security Bulletin: Multiple Vulnerabilities in IBM Concert Software
Summary Multiple vulnerabilities were addressed in IBM Concert Software version 2.2.0 Vulnerability Details CVEID:CVE-2025-6493 DESCRIPTION: A weakness has been identified in CodeMirror up to 5.65.20. Affected is an unknown function of the file mode/markdown/markdown.js of the component Markdown...
Security Bulletin: Vulnerability in pam affects IBM Netezza Appliance
Summary The pam package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE CVE-2025-8941 Vulnerability Details CVEID:CVE-2025-8941 DESCRIPTION: A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local...
Security Bulletin: Vulnerability in gnuTLS affects IBM Netezza Appliance
Summary The gnuTLS package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVEs CVE-2025-6395, CVE-2025-32990, CVE-2025-32989, CVE-2025-32988 Vulnerability Details CVEID:CVE-2025-6395 DESCRIPTION: A NULL pointer dereference flaw was found in the GnuTLS softwa...
Security Bulletin: IBM i Access Client Solutions is vulnerable to an attacker carrying out an XML External Entity injection via a crafted XFA file inside of a PDF (CVE-2025-66516)
Summary IBM i Access Client Solutions is vulnerable to an attacker carrying out an XML External Entity injection via a crafted XFA file inside of a PDF CVE-2025-66516. Apache Tika is used by the Run SQL Scripts feature of IBM i Access Client Solutions to determine the content type of binary colum...
Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to command injection due to the Netty package (CVE-2025-59419)
Summary Netty is used by DataStage on Cloud Pak for Data as part of the event processing functionality. Vulnerability Details CVEID:CVE-2025-59419 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec ...
Security Bulletin: IBM B2B Advanced Communications is affected by vulnerability in XStream
Summary IBM B2B Advanced Communications has addressed a vulnerability in the XStream library shipped with the product, CVE-2024-47072. Vulnerability Details CVEID:CVE-2024-47072 DESCRIPTION: XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote...
Security Bulletin: IBM B2B Advanced Communications is affected by multiple vulnerabilities in log4j
Summary IBM B2B Advanced Communications has addressed vulnerabilities in log4j shipped with the product: CVE-2022-0084, CVE-2020-36518, CVE-2021-37136, CVE-2022-23913, CVE-2022-24785. Vulnerability Details CVEID:CVE-2022-0084 DESCRIPTION: A flaw was found in XNIO, specifically in the notifyReadClosed method...
Security Bulletin: IBM B2B Advanced Communications is affected by vulnerabilities in kjd/idna library
Summary IBM B2B Advanced Communications has addressed vulnerabilities in the idna library shipped with the product, CVE-2024-3651. Vulnerability Details CVEID:CVE-2024-3651 DESCRIPTION: A vulnerability was identified in the kjd/idna library, specifically within the idna.encode function, affecting version...
Security Bulletin: Due to use of Apache Commons Text, IBM Operations Analytics - Log Analysis is affected by Remote Code Execution Attacks
Summary Apache Commons Text in Apache Solr is used by IBM Operations Analytics - Log Analysis as part of the string manipulation and interpolation. CVE-2025-46295. Vulnerability Details CVEID:CVE-2025-46295 DESCRIPTION: Apache Commons Text versions prior to 1.10.0 included interpolation features...
Security Bulletin: Vulnerability in protobuf-c affects IBM Netezza Appliance
Summary The protobuf-c package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE CVE-2022-48468 Vulnerability Details CVEID:CVE-2022-48468 DESCRIPTION: protobuf-c before 1.4.1 has an unsigned integer overflow in parse_required_member. CWE:CWE-190: Integer...
Security Bulletin: Due to use of Eclipse Jersey, IBM Sterling External Authentication Server is affected by unauthorized trust in insecure servers.
Summary IBM Sterling External Authentication Server is affected by a vulnerability in Eclipse Jersey, which is addressed in the latest fixpack. Vulnerability Details CVEID:CVE-2025-12383 DESCRIPTION: In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL...
Security Bulletin: IBM Terracotta affected by Spring Framework vulnerabilities CVE-2022-22965, CVE-2022-22970, CVE-2025-41242
Summary Spring Framework vulnerabilities CVE-2022-22965, CVE-2022-22970, CVE-2025-41242 are addressed in the IBM Terracotta product. Vulnerability Details CVEID:CVE-2022-22965 DESCRIPTION: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution RCE vi...
Security Bulletin: Security vulnerabilities have been found in IBM Application Gateway (CVE-2024-26458, CVE-2025-3576, CVE-2025-36397, CVE-2025-36396)
Summary Security vulnerabilities have been addressed in IBM Application Gateway. Vulnerability Details CVEID:CVE-2024-26458 DESCRIPTION: Kerberos 5 aka krb5 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. CWE:CWE-401: Missing Release of Memory after Effective Lifetime CVSS Source: I...
Security Bulletin: Security vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access
Summary Security vulnerabilities have been addressed in IBM Verify Identity Access and IBM Security Verify Access Vulnerability Details CVEID:CVE-2023-51767 DESCRIPTION: OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks for authentication bypass because the...
Security Bulletin: Multiple Vulnerabilities in IBM Datacap
Summary Multiple vulnerabilities were addressed in IBM Datacap version 9.1.10 released on December 19, 2025. Vulnerability Details CVEID:CVE-2022-23302 DESCRIPTION: JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for December 2025.
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 24.0.1-IF006 and 25.0.0-IF003. Vulnerability Details CVEID:CVE-2025-48734 DESCRIPTION: Improper Access Control vulnerability in...
Security Bulletin: Uncontrolled Resource Consumption Vulnerability in Apache Commons IO XmlStreamReader, affects watsonx.data
Summary Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended ...
Security Bulletin: Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Business Automation Workflow Containers 24.0.1-IF006 and 25.0.0-IF003. Vulnerability Details CVEID:CVE-2025-36058 DESCRIPTION: IBM Cloud Pak for Business Automatio...
Security Bulletin: IBM HTTP Server, which is bundled with WebSphere Remote Server, is affected by multiple vulnerabilities due to libexpat and the included Apache HTTP Server
Summary IBM HTTP Server is shipped with IBM WebSphere Remote Server. Information about security vulnerabilities affecting IBM HTTP Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and...
Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affects IBM® Db2®. (Oct 2025 CPU)
Summary There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 7.1.5.26 and earlier, 8.0.8.50 and earlier, and IBM Semeru Version 21.0.8.0 and earlier used by IBM® Db2®. These issues were disclosed as part of the IBM Java SDK updates in October 2025. Vulnerability Details...
Security Bulletin: IBM Operations Analytics - Log Analysis is affected by Denial-of-Service (DoS) due to use of jose4j library
Summary jose.4.j library in Apache Solr is used by IBM Operations Analytics - Log Analysis as part of the secure token-based authentication and encryption mechanisms. CVE-2024-29371. Vulnerability Details CVEID:CVE-2024-29371 DESCRIPTION: In jose4j before 0.9.5, an attacker can cause a...
Security Bulletin: IBM Operations Analytics - Log Analysis is affected by an improper input validation due to Apache Commons HttpClient
Summary Apache Commons HttpClient is used by IBM Operations Analytics - Log Analysis as part of the standards-based Java library for executing HTTP requests. CVE-2012-6153, CVE-2012-5783. Vulnerability Details CVEID:CVE-2012-6153 DESCRIPTION: http/conn/ssl/AbstractVerifier.java in Apache Commons...
Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Tivoli Network Manager (CVE-2025-53066, CVE-2025-53057).
Summary Multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 17, affect IBM Tivoli Network Manager IP Edition v4.2 core components. Vulnerability Details CVEID:CVE-2025-53066 DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP component could allow a remote...
Security Bulletin: JSSE Vulnerability in Oracle Java SE and GraalVM Products, affects watsonx.data
Summary Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: JSSE. Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 a...
Security Bulletin: Data Binding Validation Bypass in Spring Framework, affects watsonx.data
Summary There are still cases where it is possible to bypass the disallowedFields checks. Affected Spring Products and Versions Spring Framework: 6.2.0 - 6.2.6, 6.1.0 - 6.1.19, 6.0.0 - 6.0.27, 5.3.0 - 5.3.42. Older, unsupported versions are also affected. Mitigation Users of affected versions should...
Security Bulletin: Potential Leakage of Proxy Credentials During Cross-Origin Redirects affects IBM watsonx.data
Summary Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information. These can affect watsonx.data. Vulnerability Details CVEID:CVE-2025-4673 DESCRIPTION: Proxy-Authorization and Proxy-Authenticate headers persisted on...
Security Bulletin: IBM SPSS Analytic Server is affected by weaker than expected security due to crypto.js in IBM WebSphere Application Server Liberty (CVE-2020-36732)
Summary IBM SPSS Analytic Server is affected by weaker than expected security due to crypto.js in IBM WebSphere Application Server Liberty. CVE-2020-36732. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2020-36732 DESCRIPTION: The crypto-js package before 3.2....
Security Bulletin: IBM SPSS Analytic Server is affected by multiple vulnerabilities in zookeeper (CVE-2018-8012, CVE-2019-0201, CVE-2023-44981, CVE-2017-5637)
Summary IBM SPSS Analytic Server is affected by multiple vulnerabilities in zookeeper CVE-2018-8012, CVE-2019-0201, CVE-2023-44981, CVE-2017-5637. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2018-8012 DESCRIPTION: No authentication/authorization is enforced...
Security Bulletin: Security vulnerabilities have been found in IBM Verify Identity Access Digital Credentials (CVE-2025-56200, CVE-2025-64118, CVE-2025-59343)
Summary Security vulnerabilities have been addressed in IBM Verify Identity Access Digital Credentials Vulnerability Details CVEID:CVE-2025-56200 DESCRIPTION: A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL function uses '://' as a delimiter to par...