Security Bulletin: IBM Operations Analytics - Log Analysis is affected by denial of service, cross-site scripting, and security bypass vulnerabilities
Summary Apache Commons FileUpload, Servlet feature, adminCenter feature, and JMS messaging are used by IBM Operations Analytics - Log Analysis as part of handling file uploads, web applications (CVE-2025-48976, CVE-2025-36047), administrative centre (CVE-2025-36000), asynchronous communication using...
Security Bulletin: The IBM® Engineering Lifecycle Management products using WebSphere Application Server could provide weaker than expected security due to crypto.js (CVE-2020-36732)
Summary A vulnerability in the crypto.js library affects IBM WebSphere Application Server Liberty with the openidConnectServer-1.0 feature enabled. The following IBM® Engineering Lifecycle Management products are vulnerable to this attack and are addressed in this bulletin: Global Configuration Management,...
Security Bulletin: The following vulnerabilities that can affect IBM Storage Scale and the Management GUI are now included (CVE-2025-48976)
Summary The following vulnerabilities, which can affect IBM Storage Scale and the Management GUI and could provide weaker-than-expected security, are now fixed in Storage Scale 5.1.9.12 and 5.2.3.3 or higher (CVE-2025-48976). Vulnerability Details CVEID:CVE-2025-48976 DESCRIPTION: Allocation of...
Security Bulletin: Multiple vulnerabilities reported in YAJSW service shipped in IBM WebSphere eXtreme Scale Liberty Deployment
Summary YAJSW (Yet Another Java Service Wrapper) uses Apache Commons and Netty to manage services, launch and monitor applications, etc. WebSphere eXtreme Scale Liberty deployments use YAJSW to register services with the operating system. CVE-2025-27553, CVE-2025-30474 and CVE-2025-25193...
Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to multiple vulnerabilities in Netty (CVE-2025-58056, CVE-2025-58057)
Summary Netty is used by IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) as part of the agent-server-relay communication system and is affected by CVE-2025-58056, CVE-2025-58057. Vulnerability Details CVEID:CVE-2025-58056 DESCRIPTION: Netty is an asynchronous event-driven network application framewo...
Security Bulletin: Technical Support Appliance - possible denial of service
Summary A flaw in TCP/IP may allow a denial of service. Vulnerability Details CVEID:CVE-2024-50154 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler()...
Security Bulletin: IBM CICS TX Standard is affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability & a use-after-free (UAF) vulnerability found in Linux kernel packages.
Summary IBM CICS TX Standard is affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability & a use-after-free (UAF) vulnerability found in Linux kernel packages. The versions of the packages that are delivered with IBM CICS TX Standard have been updated in order to address these...
Security Bulletin: IBM Guardium Data Protection is affected by multiple vulnerabilities
Summary IBM Guardium Data Protection has addressed these vulnerabilities in an update. Vulnerability Details CVEID:CVE-2025-31650 DESCRIPTION: Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up ...
Security Bulletin: AIX/VIOS is vulnerable to a denial of service (CVE-2025-49175, CVE-2025-49178) and an integer overflow (CVE-2025-49176, CVE-2025-49179)
Summary Vulnerabilities in Xorg X Server could cause a denial of service (CVE-2025-49175, CVE-2025-49178) or an integer overflow (CVE-2025-49176, CVE-2025-49179). Vulnerability Details CVEID:CVE-2025-49175 DESCRIPTION: A flaw was found in the X Rendering extension's handling of animated cursors. If a...
Security Bulletin: IBM CICS TX Advanced is affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability & a use-after-free (UAF) vulnerability found in Linux kernel packages.
Summary IBM CICS TX Advanced is affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability & a use-after-free (UAF) vulnerability found in Linux kernel packages. The versions of the packages that are delivered with IBM CICS TX Advanced have been updated in order to address these...
Security Bulletin: Security vulnerabilities may affect IBM WebSphere Liberty that is shipped with IBM CICS TX Standard.
Summary Security vulnerabilities may affect IBM WebSphere Liberty that is shipped with IBM CICS TX Standard. An update to IBM CICS TX Standard has been released to address these. Vulnerability Details CVEID:CVE-2025-48976 DESCRIPTION: Allocation of resources for multipart headers with insufficien...
Security Bulletin: Security vulnerabilities may affect IBM WebSphere Liberty that is shipped with IBM CICS TX Advanced.
Summary Security vulnerabilities may affect IBM WebSphere Liberty that is shipped with IBM CICS TX Advanced. An update to IBM CICS TX Advanced has been released to address these. Vulnerability Details CVEID:CVE-2025-36124 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through...
Security Bulletin: Security vulnerabilities may affect IBM WebSphere Liberty that is shipped with TXSeries for Multiplatforms.
Summary Security vulnerabilities may affect IBM WebSphere Liberty that is shipped with TXSeries for Multiplatforms. An update to TXSeries for Multiplatforms has been released to address these. Vulnerability Details CVEID:CVE-2025-36000 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0....
Security Bulletin: IBM System Storage Support for Microsoft Volume Shadow Copy Service and Virtual Disk Service is vulnerable to multiple vulnerabilities due to Apache Axis. CVE-2018-8032, CVE-2014-3596, CVE-2019-0227, CVE-2012-5784
Summary IBM System Storage Support for Microsoft Volume Shadow Copy Service and Virtual Disk Service is vulnerable to multiple vulnerabilities due to Apache Axis. CVE-2018-8032, CVE-2014-3596, CVE-2019-0227, CVE-2012-5784. Vulnerability Details CVEID:CVE-2018-8032 DESCRIPTION: Apache Axis 1.x up ...
Security Bulletin: Security vulnerability has been found in IBM Verify Identity Access/IBM Security Verify Access (CVE-2025-36087)
Summary A security vulnerability has been addressed in IBM Verify Identity Access/IBM Security Verify Access. Vulnerability Details CVEID:CVE-2025-36087 DESCRIPTION: IBM Security Verify Access, under certain configurations, contains hard-coded credentials, such as a password or cryptographic key,...
Security Bulletin: Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, (CVE-2025-50106) affects IBM PowerVM Novalink.
Summary A high-severity vulnerability (CVSS 8.1) in the 2D component of Oracle Java SE and GraalVM (multiple versions) allows remote, unauthenticated attackers to fully compromise affected systems via crafted input to graphics APIs. PowerVM Novalink has addressed the applicable CVEs. Vulnerability...
Security Bulletin: Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload, (CVE-2025-48976) affects IBM PowerVM Novalink.
Summary A DoS vulnerability in Apache Commons FileUpload before 1.6 and 2.0.0-M4 allows resource exhaustion via multipart headers. Fixed in versions 1.6 and 2.0.0-M4. PowerVM NovaLink has addressed CVE-2025-48976. Vulnerability Details CVEID:CVE-2025-48976 DESCRIPTION: Allocation of resources for...
Security Bulletin: Vulnerability in IBM WebSphere Application (CVE-2025-36097) affects IBM PowerVM Novalink.
Summary IBM WebSphere Liberty Profile is used by IBM PowerVM Novalink. IBM PowerVM Novalink has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-36097 DESCRIPTION: IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.7 are vulnerab...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a denial of service (CVE-2025-36099)
Summary IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a denial of service vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products and...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by a denial of service (CVE-2025-36099)
Summary IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by a denial of service vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products and...
Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a denial of service (CVE-2025-36099)
Summary IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a denial of service vulnerability. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products and...
Security Bulletin: Multiple Vulnerabilities in IBM Edge Application Manager
Summary Multiple vulnerabilities were addressed in IBM Edge Application Manager 5.0.1 Vulnerability Details CVEID:CVE-2023-0286 DESCRIPTION: There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but t...
Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing - Apache Commons HttpClient before 4.2.3 allows man-in-the-middle attack
Summary Apache Commons HttpClient before 4.2.3 allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. The following IBM® Engineering Lifecycle Management product is vulnerable to this attack and has been addressed in this bulletin: IBM Engineering Lifecycle...
Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager is vulnerable to multiple vulnerabilities.
Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition used by IBM Tivoli Application Dependency Discovery Manager (TADDM). Vulnerability Details CVEID:CVE-2025-50106 DESCRIPTION: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition...
Security Bulletin: IBM Storage Ceph is vulnerable to Allocation of Resources Without Limits or Throttling in Grafana (CVE-2023-45290)
Summary Grafana is used by IBM Storage Ceph as a metrics dashboard (CVE-2023-45290). This bulletin identifies the steps to take to address the vulnerability in Grafana. Vulnerability Details CVEID:CVE-2023-45290 DESCRIPTION: When parsing a multipart form either explicitly with...
Security Bulletin: IBM Storage Ceph is vulnerable to an Infinite Loop in Grafana (CVE-2024-24786)
Summary Grafana is used by IBM Storage Ceph as a metrics dashboard (CVE-2024-24786). This bulletin identifies the steps to take to address the vulnerability in Grafana. Vulnerability Details CVEID:CVE-2024-24786 DESCRIPTION: The protojson.Unmarshal function can enter an infinite loop when...
Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing - Improper Access Control vulnerability in Apache Commons
Summary Apache Commons BeanUtils: PropertyUtilsBean does not suppress an Enum's declaredClass property by default. The following IBM® Engineering Lifecycle Management product is vulnerable to this attack and has been addressed in this bulletin: IBM Engineering Lifecycle Optimization - Publishing...
Security Bulletin: IBM Rational® Application Developer for WebSphere® Software is vulnerable to a remote attack to take over Java SE
Summary IBM® SDK, Java™ Technology Edition, is used by IBM Rational® Application Developer for WebSphere® Software as the runtime and development kit (CVE-2025-50106). Vulnerability Details CVEID:CVE-2025-50106 DESCRIPTION: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM...
Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses xmldom-0.8.10.tgz which is vulnerable to CVE-2021-32796
Summary IBM Maximo Application Suite - Visual Inspection component uses xmldom-0.8.10.tgz, which is vulnerable to CVE-2021-32796. Vulnerability Details CVEID:CVE-2021-32796 DESCRIPTION: xmldom is an open source pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParse...
Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses golang.org/x/net-v0.21.0, golang.org/x/net-v0.33.0, golang.org/x/net-v0.34.0 which are vulnerable to CVE-2025-22870
Summary IBM Maximo Application Suite - Visual Inspection component uses golang.org/x/net-v0.21.0, golang.org/x/net-v0.33.0 and golang.org/x/net-v0.34.0, which are vulnerable to CVE-2025-22870. Vulnerability Details CVEID:CVE-2025-22870 DESCRIPTION: Matching of hosts against prox...
Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses flask-3.1.0-py3-none-any.whl which is vulnerable to CVE-2025-47278
Summary IBM Maximo Application Suite - Visual Inspection component uses flask-3.1.0-py3-none-any.whl, which is vulnerable to CVE-2025-47278. Vulnerability Details CVEID:CVE-2025-47278 DESCRIPTION: Flask is a web server gateway interface WSGI web application framework. In Fla...
Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses golang.org/x/net-v0.21.0 which is vulnerable to CVE-2024-45338, CVE-2023-45288, CVE-2025-22870
Summary IBM Maximo Application Suite - Visual Inspection component uses golang.org/x/net-v0.21.0, which is vulnerable to CVE-2024-45338, CVE-2023-45288 and CVE-2025-22870. Vulnerability Details CVEID:CVE-2024-45338 DESCRIPTION: An attacker can craft an input to the Parse functions...
Security Bulletin: IBM Integration Bus for z/OS is vulnerable to Improper Resource Shutdown or Release due to Apache Tomcat ( CVE-2025-48989 )
Summary IBM Integration Bus for z/OS is vulnerable to Improper Resource Shutdown or Release due to Apache Tomcat. Vulnerability Details CVEID:CVE-2025-48989 DESCRIPTION: Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This...
Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses brace-expansion-2.0.1.tgz which is vulnerable to CVE-2025-5889
Summary IBM Maximo Application Suite - Visual Inspection component uses brace-expansion-2.0.1.tgz, which is vulnerable to CVE-2025-5889. Vulnerability Details CVEID:CVE-2025-5889 DESCRIPTION: A vulnerability was found in juliangruber brace-expansion up to...
Security Bulletin: IBM TXSeries for Multiplatforms is affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability & a use-after-free (UAF) vulnerability found in Linux kernel packages.
Summary IBM TXSeries for Multiplatforms is affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability & a use-after-free (UAF) vulnerability found in Linux kernel packages. The versions of the packages that are delivered with IBM TXSeries for Multiplatforms have been updated in ord...
Security Bulletin: IBM Instana Observability has addressed Multiple Vulnerabilities within Instana Agent container image
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana within Instana Agent container image build 1.0.306 Vulnerability Details CVEID:CVE-2025-41249 DESCRIPTION: The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within...
Security Bulletin: IBM Maximo Application Suite - Monitor Component bundles Django-4.2.20-py3-none-any.whl, which is vulnerable to CVE-2025-32873
Summary IBM Maximo Application Suite - Monitor Component bundles Django-4.2.20-py3-none-any.whl, which is vulnerable to CVE-2025-32873. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-32873 DESCRIPTION: An issue was discovered in Django 4.2 before...
Security Bulletin: IBM Maximo Application Suite - Monitor Component bundles Django-4.2.20-py3-none-any.whl, which is vulnerable to CVE-2025-48432
Summary IBM Maximo Application Suite - Monitor Component bundles Django-4.2.20-py3-none-any.whl, which is vulnerable to CVE-2025-48432. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-48432 DESCRIPTION: An issue was discovered in Django 5.2 before...
Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses commons-lang3-3.17.0.jar which is vulnerable to CVE-2025-48924
Summary IBM Maximo Application Suite - Visual Inspection component uses commons-lang3-3.17.0.jar, which is vulnerable to CVE-2025-48924. Vulnerability Details CVEID:CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects...
Security Bulletin: Due to use of Apache Commons, IBM Operations Analytics - Log Analysis is affected by Improper Handling of Untrusted Input During Deserialization
Summary Apache Commons is used by IBM Operations Analytics - Log Analysis as part of the configuration parsing in Apache Solr (CVE-2017-15708, CVE-2019-13116) and Java deserialization (CVE-2015-4852, CVE-2015-6420, CVE-2015-7501). Vulnerability Details CVEID:CVE-2015-4852 DESCRIPTION: The WLS Security...
Security Bulletin: WebSphere Application Server Liberty could allow a remote attacker to bypass security restrictions (CVE-2024-56339)
Summary WebSphere Application Server Liberty could allow a remote attacker to bypass security restrictions. Vulnerability Details CVEID:CVE-2024-56339 DESCRIPTION: IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.7 could allow a remote attacker ...
Security Bulletin: AIX/VIOS is vulnerable to arbitrary file write due to Kerberos (CVE-2025-36244)
Summary A vulnerability in AIX's Kerberos could allow a non-privileged local user to write to arbitrary files (CVE-2025-36244). Vulnerability Details CVEID:CVE-2025-36244 DESCRIPTION: IBM AIX, when configured to use Kerberos network authentication, could allow a local user to write to files on the...
Security Bulletin: Multiple vulnerabilities in IBM Aspera Faspex
Summary Multiple vulnerabilities were addressed in IBM Aspera Faspex version 5.0.14. Vulnerability Details CVEID:CVE-2025-55193 DESCRIPTION: Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may ...
Security Bulletin: Multiple vulnerabilities in Spring may affect IBM Business Automation Workflow - CVE-2024-38820, CVE-2025-22233
Summary IBM Business Automation Workflow packages vulnerable copies of Spring framework. Vulnerability Details CVEID:CVE-2024-38820 DESCRIPTION: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase has some Locale dependent exceptio...
Security Bulletin: IBM Guardium Data Protection is affected by multiple vulnerabilities.
Summary IBM Guardium Data Protection has addressed these vulnerabilities in an update. Vulnerability Details CVEID:CVE-2024-45010 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only mark 'subflow' endp as available Adding the following warning...
Security Bulletin: IBM Guardium Data Protection is affected by kernel vulnerabilities.
Summary IBM Guardium Data Protection has addressed these vulnerabilities in an update. Vulnerability Details CVEID:CVE-2023-52478 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect hidppconnectevent has...
Security Bulletin: Multiple vulnerabilities that affect IBM Db2 Data Management Console (CVE-2022-1471, CVE-2024-22259, CVE-2020-8565, CVE-2019-11250, CVE-2023-44487, CVE-2022-46175, CVE-2024-22243)
Summary SnakeYaml Constructor Deserialization Remote Code Execution. The spring-web-6.0.11, k8s.io-client-go, k8s.io-Apimachinery-v0.25.1 and json5-1.0.1 open source libraries are used by IBM Db2 Data Management Console. This bulletin describes the upgrades necessary to address the...
Security Bulletin: Multiple vulnerabilities that affect IBM Db2 Intelligence Center (CVE-2025-7783, CVE-2025-22868, CVE-2025-57810, CVE-2025-27789, CVE-2025-22870, CVE-2025-58754)
Summary The following dependency packages are used by IBM Db2 Intelligence Center: form-data-3.0.0.tgz, golang.org/x/oauth2-v0.0.0-20211104180415-d3ed0bb246c8, jspdf-3.0.1.tgz, runtime-7.26.0.tgz, golang.org/x/net-v0.33.0 and axios-1.9.0.tgz. This bulletin describes the upgrades necessary to...
Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing - Uncontrolled Recursion vulnerability in Apache Commons Lang
Summary Apache Commons Lang: ClassUtils.getClass(...) Can Throw A StackOverflowError On Very Long Inputs. The following IBM® Engineering Lifecycle Management product is vulnerable to this attack and has been addressed in this bulletin: IBM Engineering Lifecycle Optimization -...
Security Bulletin: Due to the use of Apache Tomcat, IBM ApplinX is vulnerable to an Improper Resource Shutdown or Release vulnerability (CVE-2025-48989).
Summary Due to the use of Apache Tomcat, IBM ApplinX is vulnerable to an Improper Resource Shutdown or Release vulnerability CVE-2025-48989. Apache Tomcat has been updated within IBM ApplinX in order to address the vulnerability. Vulnerability Details CVEID:CVE-2025-48989 DESCRIPTION: Improper...