Security Bulletin: Multiple security vulnerabilities in RedHat UBI affect IBM Robotic Process Automation for Cloud Pak
Summary Multiple vulnerabilities in RedHat UBI affect IBM Robotic Process Automation for Cloud Pak. RedHat UBI is used as the base image for IBM Robotic Process Automation for Cloud Pak images. This bulletin identifies the fixes required to address the vulnerabilities. Vulnerability Details...
Security Bulletin: Multiple security vulnerabilities in Java may affect IBM Robotic Process Automation
Summary Multiple security vulnerabilities in Java affect IBM Robotic Process Automation. Java is used by IBM Robotic Process Automation as part of metrics and licensing, and UMS. This bulletin identifies the fixes required to address these vulnerabilities. Vulnerability Details CVEID:CVE-2025-3076...
Security Bulletin: A vulnerability in Go affects IBM Robotic Process Automation for Cloud Pak and may result in request smuggling (CVE-2025-22871).
Summary A vulnerability in Go affects IBM Robotic Process Automation for Cloud Pak and may result in request smuggling. Go is used by IBM Robotic Process Automation for Cloud Pak as part of its deployment. This bulletin identifies the fixes required to resolve the vulnerability. Vulnerability...
Security Bulletin: IBM CloudPak for Data Scheduling Service is vulnerable to CSRF Attack (CVE-2025-47909)
Summary gorilla/csrf is used by Scheduling Service. A vulnerability in gorilla/csrf is addressed. Vulnerability Details CVEID:CVE-2025-47909 DESCRIPTION: Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks...
Security Bulletin: IBM Cognos Analytics Certified Containers is affected by security vulnerabilities
Summary IBM Cognos Analytics Certified Containers is affected by vulnerabilities in the PostgreSQL JDBC Driver. Additionally, IBM Cognos Certified Containers is affected by an Information Disclosure vulnerability. Vulnerability Details CVEID:CVE-2022-31197 DESCRIPTION: PostgreSQL JDBC Driver...
Security Bulletin: HTML Injection Vulnerability in a Specific URL Endpoint of the IBM OpenPages Application
Summary A specific URL endpoint in IBM OpenPages was found to be vulnerable to unsanitized HTML injection. The application reflects user-supplied input directly into the HTML response without proper encoding or validation, which allows an attacker to inject arbitrary HTML content or tags...
Security Bulletin: Multiple vulnerabilities in IBM Business Automation Workflow Machine Learning Server are addressed with 24.0.0-IF007
Summary In addition to updates to operating system level packages, IBM Business Automation Workflow Machine Learning Server 24.0.0-IF007 addresses the following vulnerabilities. Vulnerability Details CVEID:CVE-2025-54121 DESCRIPTION: Starlette is a lightweight ASGI Asynchronous Server Gateway...
Security Bulletin: IBM Integration Designer is vulnerable to denial of service (CVE-2025-53057)
Summary There is a vulnerability in the IBM® Runtime Environment Java™ Version 8 used by IBM Integration Designer. IBM Integration Designer has addressed CVE-2025-53057. Vulnerability Details CVEID:CVE-2025-53057 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component could...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Path Traversal Vulnerability in Spring Framework [CVE-2025-41242]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Path Traversal Vulnerability in Spring Framework when deployed on a non-compliant Servlet container (CVE-2025-41242). Spring Framework is used as part of our Java microservices. This vulnerability has been addressed. Please read the...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to multiple Operator package issues
Summary IBM Watson Speech Services Cartridge is vulnerable to multiple Operator package issues. We have performed updates to the Operators used by our Speech Services. The following vulnerabilities have been addressed in this update. Please read the details for remediation below. Vulnerability...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to multiple Base OS issues
Summary IBM Watson Speech Services Cartridge is vulnerable to multiple Base OS issues. We have updated the base image used by our Speech Services and the following vulnerabilities have been addressed. Please read the details for remediation below. Vulnerability Details CVEID:CVE-2022-29458...
Security Bulletin: IBM Sterling B2B Integrator and IBM Sterling File Gateway are Vulnerable to Information Disclosure (217222)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the information disclosure vulnerability 217222. Vulnerability Details IBM X-Force ID: 217222 DESCRIPTION: Apache commons-dbcp could allow a remote authenticated attacker from within the local network to obtain...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Connect2id Nimbus JOSE + JWT (CVE-2025-53864)
Summary A vulnerability in Connect2id Nimbus JOSE + JWT that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-53864 DESCRIPTION: Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of...
Security Bulletin: IBM® Db2® is vulnerable to a denial of service due to improper neutralization of special elements in data query logic (CVE-2025-36185)
Summary IBM® Db2® is vulnerable to a denial of service due to improper neutralization of special elements in data query logic. Vulnerability Details CVEID:CVE-2025-36185 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow a local user to cause a denial of...
Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2025-7962)
Summary WebSphere Application Server is shipped as a component of IBM Business Automation Workflow. Information about a security vulnerability affecting IBM WebSphere Application Server Traditional has been published in a security bulletin. Vulnerability Details Refer to the security bulletins...
Security Bulletin: Consul’s KV endpoint is vulnerable to denial of service
Summary Consul and Consul Enterprise’s “Consul” key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content-Length header validation. This vulnerability, CVE-2025-11374, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12...
Security Bulletin: Consul’s event endpoint is vulnerable to denial of service
Summary Consul and Consul Enterprise’s “Consul” event endpoint is vulnerable to denial of service (DoS) due to the lack of a maximum value on the Content-Length header. Vulnerability Details CVEID: CVE-2025-11375 DESCRIPTION: Consul and Consul Enterprise’s “Consul” event endpoint is vulnerable to denial ...
Security Bulletin: IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is affected by SMTP injection due to Jakarta Mail
Summary IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is affected by SMTP injection due to Jakarta Mail (CVE-2025-7962). Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products|...
Security Bulletin: IBM Maximo Application Suite uses eventlet-0.40.1-py3-none-any.whl, commons-lang3-3.17.0.jar, net/http/internal 1.23.4, which are vulnerable to CVE-2025-58068, CVE-2025-48924, CVE-2025-22871
Summary IBM Maximo Application Suite uses eventlet-0.40.1-py3-none-any.whl, commons-lang3-3.17.0.jar, net/http/internal 1.23.4, which are vulnerable to CVE-2025-58068, CVE-2025-48924, CVE-2025-22871. This bulletin contains information regarding the vulnerabilities and how they are addressed. Vulnerabili...
Security Bulletin: HTTP request smuggling vulnerability in Go net/http due to improper LF handling in chunked encoding, affects watsonx.data
Summary The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. This could affect watsonx.data...
Security Bulletin: IBM Engineering Test Management bundles IBM WebSphere Application Server which could provide weaker than expected security.
Summary IBM WebSphere Application Server shipped with IBM Engineering Test Management could provide weaker than expected security for TLS connections (CVE-2025-33142). Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affect...
Security Bulletin: IBM Copy Services Manager may be affected by a vulnerability due to default security configuration allowing cross site scripting
Summary A vulnerability has been found that allows cross site scripting by either an authenticated or an unauthenticated user of the server. Although the likelihood of this issue being exploited is very low, IBM Copy Services Manager frequently updates configuration files in the product dependency...
Security Bulletin: IBM OpenPages Vulnerable to HTML Injection (CVE-2025-33110)
Summary Application APIs in IBM OpenPages that were vulnerable to HTML injection have been addressed in the latest IBM OpenPages fix pack for the 9.0 and 9.1 versions. Vulnerability Details CVEID:CVE-2025-33110 DESCRIPTION: IBM OpenPages with Watson is vulnerable to HTML injection. A remote attacker could inje...
Security Bulletin: IBM i is affected by BIND accepting records with untrusted data, predictable port and query ID, and resource exhaustions in Domain Name System due to multiple vulnerabilities.
Summary Domain Name System for IBM i is vulnerable to BIND accepting records with forged data (CVE-2025-40778), prediction of port and ID due to a weakness in the pseudo random number generator (CVE-2025-40780), and various resource exhaustions when being flooded with valid or invalid HTTP/2 traffic...
Security Bulletin: Due to the use of helm, IBM Kubecost Self Hosted is affected by stack overflow and memory exhaustion
Summary helm is used by IBM Kubecost Self Hosted as part of the cluster-controller component (CVE-2025-32387, CVE-2025-32386). Vulnerability Details CVEID:CVE-2025-32387 DESCRIPTION: Helm is a package manager for Charts for Kubernetes. A JSON Schema file within a chart can be crafted with a deeply...
Security Bulletin: IBM Financial Transaction Manager is impacted by a DNS cache poisoning vulnerability in RedHat Proxy for Kubernetes RBAC authorization
Summary IBM Financial Transaction Manager for RedHat OpenShift has addressed the following vulnerability. Vulnerability Details CVEID:CVE-2025-40778 DESCRIPTION: Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into t...
Security Bulletin: The following vulnerabilities that can affect IBM Storage Scale and the HDFS layer are now fixed in 5.2.3.3 or higher (CVE-2021-23445)
Summary The following vulnerabilities, which can affect IBM Storage Scale and the HDFS layer and could provide weaker-than-expected security, are now fixed in Storage Scale 5.2.3.3 or higher (CVE-2021-23445). Vulnerability Details CVEID:CVE-2021-23445 DESCRIPTION: This affects the package...
Security Bulletin: Due to the use of IBM Db2, IBM Cloud Pak System is affected by multiple vulnerabilities
Summary Vulnerabilities found in IBM Db2 LUW affect the Foundation and IBM Tivoli Monitoring (ITM) pattern types (pTypes) shipped with IBM Cloud Pak System. The vulnerabilities were addressed in IBM Cloud Pak System. IBM Cloud Pak System v2.3.6.0 has updated Foundation and ITM pTypes to Foundation versi...
Security Bulletin: Due to use of Apache Commons Lang, IBM Engineering Systems Design Rhapsody is affected by an Uncontrolled Recursion vulnerability
Summary Apache Commons Lang is used internally by IBM Engineering Systems Design Rhapsody (CVE-2025-48924). Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with...
Security Bulletin: Security vulnerabilities in Apache kafka-client may affect IBM Business Automation Workflow - CVE-2025-27817, CVE-2025-27818
Summary IBM Business Automation Workflow packages a copy of Apache kafka-client with known vulnerabilities. Vulnerability Details CVEID:CVE-2025-27818 DESCRIPTION: A possible security vulnerability has been identified in Apache Kafka. This requires access to an alterConfig to the cluster resource,...
Security Bulletin: Cross-site scripting vulnerability affects IBM Business Automation Workflow - CVE-2025-36172
Summary IBM Business Automation Workflow is vulnerable to a cross-site-scripting attack. Vulnerability Details CVEID:CVE-2025-36172 DESCRIPTION: IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 00...
Security Bulletin: Cross-site scripting vulnerability affects IBM Business Automation Workflow Process Federation Server - CVE-2025-36054
Summary IBM Business Automation Workflow Process Federation Server is vulnerable to a cross-site scripting attack. Vulnerability Details CVEID:CVE-2025-36054 DESCRIPTION: IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker...
Security Bulletin: Path traversal vulnerability affects IBM Business Automation Workflow - CVE-2025-41242
Summary IBM Business Automation Workflow packages a vulnerable version of Spring. Vulnerability Details CVEID:CVE-2025-41242 DESCRIPTION: Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. An application can ...
Security Bulletin: Multiple vulnerabilities are addressed with IBM Business Automation Workflow containers 24.0.0-IF007, 24.0.1-IF005, and 25.0.0-IF002
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 24.0.0-IF007, 24.0.1-IF005 and 25.0.0-IF002. Vulnerability Details CVEID:CVE-2025-50106 DESCRIPTION: Vulnerability in the Oracle...
Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM Business Automation Workflow due to the October 2025 CPU
Summary WebSphere Application Server is shipped as a component of IBM Business Automation Workflow. Information about a security vulnerability affecting IBM WebSphere Application Server Traditional has been published in a security bulletin. Vulnerability Details Refer to the security bulletins...
Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Liberty shipped with IBM Security Guardium Key Lifecycle Manager (CVE-2025-53066, CVE-2025-53057)
Summary IBM WebSphere Application Server and IBM WebSphere Liberty are shipped as components of IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM). Information about multiple security vulnerabilities affecting IBM WebSphere Application Server and IBM WebSphere Liberty has been published in a...
Security Bulletin: IBM OpenPages fixes multer package vulnerability (CVE-2025-7338)
Summary A vulnerability in the multer-2.0.1.tgz package shipped with IBM OpenPages has been addressed in the latest IBM OpenPages fix pack version for 9.0 and 9.1. Vulnerability Details CVEID:CVE-2025-7338 DESCRIPTION: Multer is a node.js middleware for handling multipart/form-data. A vulnerability that is...
Security Bulletin: Due to use of IBM WebSphere Application Server, IBM Tivoli Network Manager (ITNM) IP Edition is affected by a denial of service vulnerability.
Summary WebSphere Application Server, used by IBM Tivoli Network Manager (ITNM) IP Edition, is affected by a denial of service vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products| Versions...
Security Bulletin: Due to use of IBM WebSphere Application Server, IBM Tivoli Network Configuration Manager (ITNCM) is affected by a denial of service vulnerability.
Summary WebSphere Application Server, used by IBM Tivoli Network Configuration Manager (ITNCM), is affected by a denial of service vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products| Versions...
Security Bulletin: Due to use of QOS.CH logback, IBM Cloud Pak System is affected by server-side request forgery and arbitrary code execution
Summary Due to use of QOS.CH logback, IBM Cloud Pak System is affected by server-side request forgery and arbitrary code execution (CVE-2024-12801, CVE-2024-12798). Vulnerability Details CVEID:CVE-2024-12801 DESCRIPTION: Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version...
Security Bulletin: Due to the use of derby IBM webMethods BPM is vulnerable to unauthorized LDAP authentication
Summary IBM webMethods BPM is using derby, which is affected by a known vulnerability (CVE-2022-46337). This security bulletin provides guidance on addressing the vulnerability. Vulnerability Details CVEID:CVE-2022-46337 DESCRIPTION: A cleverly devised username might bypass LDAP authentication check...
Security Bulletin: Due to use of jackrabbit-spi-commons IBM webMethods BPM is vulnerable to loading privileges using unsecured document build
Summary IBM webMethods BPM is using jackrabbit-spi-commons, which is affected by a known vulnerability (CVE-2025-53689). This security bulletin provides guidance on addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-53689 DESCRIPTION: Blind XXE Vulnerabilities in jackrabbit-spi-commo...
Security Bulletin: Due to use of Axios, IBM watsonx Code Assistant IDE Extensions is affected by unbounded memory and denial of service
Summary Axios is used internally by IBM watsonx Code Assistant IDE Extensions (CVE-2025-58754). Vulnerability Details CVEID:CVE-2025-58754 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL...
Security Bulletin: Security vulnerabilities are addressed with IBM Business Automation Insights iFixes for October 2025.
Summary Security vulnerabilities are addressed with IBM Business Automation Insights 24.0.0-IF005 and 25.0.0-IF002. These vulnerabilities have also been addressed in 24.0.1-IF005. Vulnerability Details CVEID:CVE-2025-36091 DESCRIPTION: IBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and...
Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and WebSphere Application Server Liberty due to the October 2025 CPU
Summary There are multiple vulnerabilities in the IBM® SDK, Java™ Technology Edition that is shipped with IBM WebSphere Application Server and IBM WebSphere Application Server Liberty. The CVEs listed in this document might affect some configurations of IBM WebSphere Application Server traditiona...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for 24.0.0-IF007, 24.0.1-IF005 and 25.0.0-IF002
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 24.0.0-IF007, 24.0.1-IF005 and 25.0.0-IF002. Vulnerability Details CVEID:CVE-2025-58057 DESCRIPTION: Netty is an asynchronous...
Security Bulletin: IBM Watson Studio for IBM Cloud Pak for Data is affected by vulnerability in path-to-regexp
Summary IBM Watson Studio for IBM Cloud Pak for Data contains a vulnerable version of path-to-regexp. Vulnerability Details CVEID:CVE-2024-52798 DESCRIPTION: path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be...
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Netty codec (CVE-2025-58057)
Summary A vulnerability in Netty codec that is used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2025-58057 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol serve...
Security Bulletin: IBM Edge Data Collector uses requests-2.32.2-py3-none-any.whl which is vulnerable to CVE-2024-47081.
Summary IBM Edge Data Collector uses requests-2.32.2-py3-none-any.whl, which is vulnerable to CVE-2024-47081. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details CVEID:CVE-2024-47081 DESCRIPTION: Requests is an HTTP library. Due to a URL parsing...