34931 matches found

IBM Security Bulletins • added 2025/07/29 5:03 p.m. • 3 views

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects App Connect Professional

Summary: There are multiple vulnerabilities in the IBM SDK Java Technology used by App Connect Professional. These issues were disclosed as part of the IBM Java SDK updates in Apr 2025; App Connect Professional has addressed the applicable CVEs. Vulnerability Details: CVEID: CVE-2025-21587 DESCRIPTIO...

CVSS 7.8 • AI score 7.4 • EPSS 0.00234 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/29 4:56 p.m. • 4 views

Security Bulletin: IBM® Db2® federated server is affected by a vulnerability in the netty library (CVE-2025-24970)

Summary: Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which...

CVSS 7.5 • AI score 6.7 • EPSS 0.00953 • Exploits 1 • Affected Software 1
IBM Security Bulletins • added 2025/07/29 4:53 p.m. • 2 views

Security Bulletin: IBM Financial Transaction Manager is impacted by a denial of service (DoS) vulnerability in RedHat Proxy for Kubernetes RBAC authorization

Summary: IBM Financial Transaction Manager for RedHat OpenShift has addressed the following vulnerability. Vulnerability Details: CVEID: CVE-2025-22868 DESCRIPTION: An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. CWE: CWE-1286: Improper...

CVSS 7.5 • AI score 7 • EPSS 0.00125 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/29 4:53 p.m. • 3 views

Security Bulletin: IBM® Db2® is affected by multiple vulnerabilities in expat library.

Summary: IBM® Db2® is affected by vulnerabilities in the expat library. Vulnerability Details: CVEID: CVE-2024-45490 DESCRIPTION: An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. CWE: CWE-611: Improper Restriction of XML External Entity...

CVSS 9.8 • AI score 7.2 • EPSS 0.02269 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/29 4:21 p.m. • 5 views

Security Bulletin: IBM Sterling Connect:Direct Web Services uses commons-lang3 and is vulnerable to CVE-2025-48924

Summary: IBM Sterling Connect:Direct Web Services is vulnerable to an uncontrolled recursion vulnerability in Apache Commons Lang. This has been addressed in a new build available from the IBM Repository. Vulnerability Details: CVEID: CVE-2025-48924 DESCRIPTION: Uncontrolled Recursion vulnerability in Apache...

CVSS 5.3 • AI score 6.7 • EPSS 0.00099 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/29 2:18 p.m. • 6 views

Security Bulletin: Technical Support Appliance - possible security flaw in managing memory

Summary: A flaw in the KASAN Kernel Address Sanitizer code may allow memory to be accessed that is no longer used, potentially exposing security related information. Vulnerability Details: CVEID: CVE-2023-52922 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: can: bcm...

CVSS 7.8 • AI score 6.6 • EPSS 0.00014 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/29 12:00 p.m. • 5 views

Security Bulletin: IBM Cloud Pak System is vulnerable to an authenticated command-execution due to use of VMware vCenter [CVE-2025-41225].

Summary: IBM Cloud Pak System is vulnerable to an authenticated command-execution due to use of VMware vCenter (CVE-2025-41225). Vulnerability Details: CVEID: CVE-2025-41225 DESCRIPTION: The vCenter Server contains an authenticated command-execution vulnerability. A malicious actor with privileges to...

CVSS 8.8 • AI score 7.3 • EPSS 0.00097 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/29 2:21 a.m. • 6 views

Security Bulletin: IBM QRadar SIEM is affected by cross-site scripting (CVE-2025-33097)

Summary: IBM QRadar SIEM is affected by cross-site scripting. IBM has addressed the issue in the latest update. Vulnerability Details: CVEID: CVE-2025-33097 DESCRIPTION: IBM QRadar SIEM is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary...

CVSS 6.4 • AI score 5.9 • EPSS 0.0011 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 9:28 p.m. • 5 views

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a security bypass vulnerability (CVE-2024-56339)

Summary: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a security bypass caused by a failure to honor security configuration. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixes section. Affected Products and...

CVSS 7.5 • AI score 6.8 • EPSS 0.00132 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 9:26 p.m. • 5 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by a security bypass vulnerability (CVE-2024-56339)

Summary: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by a security bypass caused by a failure to honor security configuration. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixes section. Affected Product...

CVSS 7.5 • AI score 6.8 • EPSS 0.00132 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 9:25 p.m. • 4 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a security bypass vulnerability (CVE-2024-56339)

Summary: IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a security bypass caused by a failure to honor security configuration. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixes section. Affected...

CVSS 7.5 • AI score 6.8 • EPSS 0.00132 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 9:23 p.m. • 3 views

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by a security bypass vulnerability (CVE-2024-56339)

Summary: IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by a security bypass caused by a failure to honor security configuration. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixes section. Affected Product...

CVSS 7.5 • AI score 6.8 • EPSS 0.00132 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 9:21 p.m. • 3 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a security bypass vulnerability (CVE-2024-56339)

Summary: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a security bypass caused by a failure to honor security configuration. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixes section. Affected...

CVSS 7.5 • AI score 6.8 • EPSS 0.00132 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 9:20 p.m. • 3 views

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a security bypass vulnerability (CVE-2024-56339)

Summary: IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a security bypass caused by a failure to honor security configuration. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixes section. Affected Products and...

CVSS 7.5 • AI score 6.8 • EPSS 0.00132 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 9:10 p.m. • 12 views

Security Bulletin: The following vulnerabilities that can affect IBM Storage Scale and the Management GUI are now included (CVE-2025-48050, CVE-2025-43865 and CVE-2025-43864)

Summary: The following vulnerabilities, which can affect IBM Storage Scale and the Management GUI and could provide weaker than expected security, are now fixed: CVE-2025-48050, CVE-2025-43865 and CVE-2025-43864. Vulnerability Details: CVEID: CVE-2025-48050 DESCRIPTION: In DOMPurify through 3.2.5 before...

CVSS 8.2 • AI score 6.4 • EPSS 0.00954 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 8:54 p.m. • 4 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by a denial of service (CVE-2025-36097)

Summary: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by a denial of service with the jsonp-1.0, jsonp-1.1, or jsonp-2.0 features enabled. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixes section...

CVSS 7.5 • AI score 6.8 • EPSS 0.0027 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 8:53 p.m. • 7 views

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a denial of service (CVE-2025-36097)

Summary: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a denial of service. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixes section. Affected Products and Versions: Affected Products and Versions | Affecting...

CVSS 7.5 • AI score 6.8 • EPSS 0.0027 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 8:51 p.m. • 3 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a denial of service (CVE-2025-36097)

Summary: IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a denial of service with the jsonp-1.0, jsonp-1.1, or jsonp-2.0 features enabled. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixes secti...

CVSS 7.5 • AI score 6.9 • EPSS 0.0027 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 8:48 p.m. • 4 views

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by a denial of service (CVE-2025-36097)

Summary: IBM WebSphere Application Server, which is bundled with IBM Enterprise Application Runtimes, is affected by a denial of service. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixes section. Affected Products and Versions: Affected Products and Versions |...

CVSS 7.5 • AI score 6.8 • EPSS 0.0027 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 8:46 p.m. • 3 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a denial of service (CVE-2025-36097)

Summary: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a denial of service with the jsonp-1.0, jsonp-1.1, or jsonp-2.0 features enabled. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixes section...

CVSS 7.5 • AI score 6.9 • EPSS 0.0027 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 8:45 p.m. • 3 views

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a denial of service (CVE-2025-36097)

Summary: IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a denial of service. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixes section. Affected Products and Versions: Affected Products and Versions | Affectin...

CVSS 7.5 • AI score 6.9 • EPSS 0.0027 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 3:53 p.m. • 2 views

Security Bulletin: Vulnerability affects IBM watsonx Orchestrate with watsonx Assistant Cartridge

Summary: A potential vulnerability has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details: CVEID: CVE-2024-45338 DESCRIPTION: An attacker can cra...

CVSS 5.3 • AI score 6.4 • EPSS 0.00046 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 3:35 p.m. • 12 views

Security Bulletin: Vulnerability in jackson-core affects IBM Cloud Pak System [CVE-2025-52999]

Summary: A vulnerability found for a potential StackOverflowError in jackson-core affects IBM Cloud Pak System. The vulnerability was addressed by IBM Cloud Pak System. Vulnerability Details: CVEID: CVE-2025-52999 DESCRIPTION: jackson-core contains core low-level incremental "streaming" parser and generator...

CVSS 8.7 • AI score 5.8 • EPSS 0.00252 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 1:19 p.m. • 5 views

Security Bulletin: IBM QRadar Investigation Assistant app for IBM QRadar SIEM includes components with known vulnerabilities

Summary: The product includes vulnerable components, e.g., framework libraries, that may be identified and exploited with automated tools. IBM QRadar Investigation Assistant app for IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details: CVEID: CVE-2025-50181 DESCRIPTION: urllib3 is ...

CVSS 8.7 • AI score 4.8 • EPSS 0.01201 • Exploits 2 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 12:20 p.m. • 3 views

Security Bulletin: A vulnerability affects Apache Solr, Apache Zookeeper, Logstash shipped with IBM Operations Analytics - Log Analysis (WS-2022-0468)

Summary: There is a Jackson-Core vulnerability in Apache Solr, Apache Zookeeper, Logstash shipped with IBM Operations Analytics - Log Analysis. Vulnerability Details: WSID: WS-2022-0468 DESCRIPTION: The jackson-core package is vulnerable to a Denial of Service (DoS) attack. The methods in the classes...

AI score 6.8 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 8:25 a.m. • 4 views

Security Bulletin: Informix HQ is vulnerable to HTML injection and does not lock out users after multiple incorrect password attempts.

Summary: The Informix HQ "alerting configuration" feature is vulnerable to HTML injection because it accepts HTML scripts in the script Location field and only affects their own session, not any other user sessions. Additionally, the Informix HQ application does not enforce a lockout policy, even...

CVSS 7.5 • AI score 6.7 • EPSS 0.00247 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/28 8:21 a.m. • 8 views

Security Bulletin: IBM Informix addresses several Java security vulnerabilities by updating the bundled IBM Java version.

Summary: In addition to various updates, the security vulnerabilities mentioned in the Remediation/Fixes section have been addressed with IBM Informix. Vulnerability Details: CVEID: CVE-2023-22081 DESCRIPTION: An unspecified vulnerability in Java SE related to the JSSE component could allow a remote...

CVSS 7.4 • AI score 6.5 • EPSS 0.00977 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/25 11:47 p.m. • 10 views

Security Bulletin: IBM Cognos Analytics is affected by a security vulnerability in Python JSON Logger (CVE-2025-27607)

Summary: There is a vulnerability in Python JSON Logger used by IBM Cognos Analytics (CVE-2025-27607). This Security Bulletin relates only to the direct usage of third-party components by IBM Cognos Analytics, and not any nested dependencies within the product. Vulnerability Details...

CVSS 8.8 • AI score 6.7 • EPSS 0.21763 • Exploits 1 • Affected Software 1
IBM Security Bulletins • added 2025/07/25 4:12 p.m. • 3 views

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2025-36097)

Summary: IBM WebSphere Application Server is shipped as a component of Business Monitor. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixe...

CVSS 7.5 • AI score 5.8 • EPSS 0.0027 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/25 12:51 p.m. • 19 views

Security Bulletin: The iconv() function in the GNU C Library affects IBM Data Observability by Databand Self-Hosted (CVE-2024-2961)

Summary: The vulnerability regarding the iconv function in the GNU C Library versions 2.39 and older was addressed in IBM Data Observability by Databand Self-Hosted. Vulnerability Details: CVEID: CVE-2024-2961 DESCRIPTION: The iconv function in the GNU C Library versions 2.39 and older may overflow the...

CVSS 7.3 • AI score 6.7 • EPSS 0.91924 • Exploits 16 • Affected Software 1
IBM Security Bulletins • added 2025/07/25 12:45 p.m. • 4 views

Security Bulletin: Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations. This may cause an authorization bypass, which affects IBM watsonx.data

Summary: Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. You are not affected if you are not using @EnableMethodSecurity, or you do not have method security annotations on parameterized...

CVSS 5.3 • AI score 5.2 • EPSS 0.00033 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/25 12:33 p.m. • 7 views

Security Bulletin: Containerd can cause an overflow condition where the container ultimately runs as root, which affects IBM watsonx.data

Summary: containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a UID:GID larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately run...

CVSS 7.8 • AI score 5.4 • EPSS 0.00064 • Exploits 1 • Affected Software 1
IBM Security Bulletins • added 2025/07/25 12:32 p.m. • 28 views

Security Bulletin: Uncontrolled Resource Consumption vulnerability in Apache Commons IO, which affects IBM watsonx.data

Summary: Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended ...

CVSS 4.3 • AI score 6.4 • EPSS 0.00131 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/25 12:31 p.m. • 5 views

Security Bulletin: An issue was discovered in pip (all versions) because it installs the version with the highest version number, which affects IBM watsonx.data

Summary: An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package do...

CVSS 7.8 • AI score 5.5 • EPSS 0.03726 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/25 12:27 p.m. • 4 views

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2025-36097)

Summary: IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager is vulnerable to a denial of service. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixes section. Affected Products and Versions: Affected Products | Versions...

CVSS 7.5 • AI score 5.8 • EPSS 0.0027 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/25 10:09 a.m. • 5 views

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2024-56339)

Summary: IBM WebSphere Application Server is used by IBM Tivoli System Automation Application Manager and is vulnerable to a security bypass caused by a failure to honor security configuration. Required fixes for the affected WebSphere Application Server have been published in the security bulletin lin...

CVSS 7.5 • AI score 6.8 • EPSS 0.00132 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/24 5:48 p.m. • 12 views

Security Bulletin: IBM i is affected by errors in OpenSSL as part of IBM Portable Utilities for i due to multiple vulnerabilities.

Summary: IBM i is affected by errors in OpenSSL as part of IBM Portable Utilities for i as described in the vulnerability details section: CVE-2024-9143, CVE-2023-5678, CVE-2024-5535, CVE-2024-0727, CVE-2023-6129, CVE-2023-6237, CVE-2024-2511, CVE-2024-6119, CVE-2024-4603, CVE-2023-5363,...

CVSS 9.1 • AI score 8.8 • EPSS 0.14258 • Exploits 1 • Affected Software 6
IBM Security Bulletins • added 2025/07/24 3:29 p.m. • 4 views

Security Bulletin: IBM i is vulnerable to a privilege escalation due to an invalid database authority check [CVE-2025-33109].

Summary: IBM i contains a privilege escalation vulnerability due to an invalid database authority check as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerability as described in the remediation/fixes section. Vulnerability Details...

CVSS 8.8 • AI score 7.5 • EPSS 0.00153 • Exploits 0 • Affected Software 6
IBM Security Bulletins • added 2025/07/24 3:29 p.m. • 3 views

Security Bulletin: Db2 Query Management Facility is vulnerable to IBM Semeru Runtime Quarterly CPU - Apr 2025 - Includes OpenJDK April 2025 CPU

Summary: Db2 Query Management Facility is vulnerable to IBM Semeru Runtime Quarterly CPU - Apr 2025 - Includes OpenJDK April 2025 CPU plus CVE-2025-21587, CVE-2025-30698, CVE-2025-2900, and CVE-2025-4447. Vulnerability Details: CVEID: CVE-2025-21587 DESCRIPTION: An unspecified vulnerability in Java S...

CVSS 7.8 • AI score 7.5 • EPSS 0.00234 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/24 9:20 a.m. • 4 views

Security Bulletin: Improper Authorization in OpenStack Neutron Tagging Allows Unauthorized Network Tag Modification

Summary: In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. It does not apply the proper policy check for changing network tags. An unprivileged tenant is able to change, add and clear tags on network objects that do not belong to th...

CVSS 7.5 • AI score 5.8 • EPSS 0.00138 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/24 7:20 a.m. • 5 views

Security Bulletin: IBM App Connect Enterprise is vulnerable to a Denial of Service and Uncontrolled Resource Consumption due to Multer and brace-expansion (CVE-2025-48997, CVE-2025-5889)

Summary: IBM App Connect Enterprise runtime and IBM App Connect Enterprise Connector Discovery and OpenAPI Editor are vulnerable to a Denial of Service and Uncontrolled Resource Consumption due to Multer and brace-expansion. Vulnerability Details: CVEID: CVE-2025-48997 DESCRIPTION: Multer is a node....

CVSS 8.7 • AI score 6.8 • EPSS 0.00249 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/24 6:48 a.m. • 7 views

Security Bulletin: Erlang/OTP Vulnerability in KEX Init Handling May Lead to High Memory Usage

Summary: Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result in high memory usage. The implementation does not verify RFC-specified limits on algorithm names 64 characters...

CVSS 7.5 • AI score 6.9 • EPSS 0.00154 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/23 8:49 p.m. • 3 views

Security Bulletin: Vulnerability in org.apache.mina_mina-core affects IBM Db2 Data Management Console (CVE-2024-52046)

Summary: The org.apache.mina_mina-core dependency package is used by IBM Db2 Data Management Console. This bulletin describes the upgrades necessary to address the vulnerability. Vulnerability Details: CVEID: CVE-2024-52046 DESCRIPTION: The ObjectSerializationDecoder in Apache MINA uses Java's native...

CVSS 10 • AI score 7.9 • EPSS 0.55384 • Exploits 0 • Affected Software 2
IBM Security Bulletins • added 2025/07/23 8:15 p.m. • 4 views

Security Bulletin: Vulnerability in com.google.protobuf_protobuf-java affects IBM Db2 Data Management Console (CVE-2024-7254)

Summary: The com.google.protobuf_protobuf-java dependency package is used by IBM Db2 Data Management Console. This bulletin describes the upgrades necessary to address the vulnerability. Vulnerability Details: CVEID: CVE-2024-7254 DESCRIPTION: Any project that parses untrusted Protocol Buffers data...

CVSS 8.7 • AI score 6.9 • EPSS 0.00134 • Exploits 0 • Affected Software 2
IBM Security Bulletins • added 2025/07/23 8:12 p.m. • 5 views

Security Bulletin: Multiple vulnerabilities that affect IBM Db2 Data Management Console (CVE-2021-3121, CVE-2021-38561, CVE-2023-43804)

Summary: github.com/gogo/protobuf, golang.org/x/text, and urllib3 are dependency packages used by IBM Db2 Data Management Console. This bulletin describes the upgrades necessary to address the vulnerabilities. Vulnerability Details: CVEID: CVE-2023-43804 DESCRIPTION: urllib3 is a user-friendly HTTP clien...

CVSS 8.6 • AI score 6.3 • EPSS 0.0095 • Exploits 0 • Affected Software 2
IBM Security Bulletins • added 2025/07/23 5:23 p.m. • 14 views

Security Bulletin: Vulnerability within WebSphere Application Server and IBM HTTP Server affects IBM Tivoli Monitoring.

Summary: A vulnerability within WebSphere Application Server and IBM HTTP Server, which are included as part of the IBM Tivoli Monitoring (ITM) portal server, has been remediated. Vulnerability Details: CVEID: CVE-2025-36038 DESCRIPTION: IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to...

CVSS 9.8 • AI score 6.9 • EPSS 0.01 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/23 5:22 p.m. • 12 views

Security Bulletin: Multiple vulnerabilities in IBM MQ Operator and Queue manager container images

Summary: Multiple vulnerabilities were addressed in IBM MQ Operator and Queue manager container images. Vulnerability Details: CVEID: CVE-2025-30472 DESCRIPTION: Corosync through 3.1.9, if encryption is disabled or the attacker knows the encryption key, has a stack-based buffer overflow in...

CVSS 9.8 • AI score 8.5 • EPSS 0.00252 • Exploits 3 • Affected Software 1
IBM Security Bulletins • added 2025/07/23 4:15 p.m. • 14 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to command injection due to the lodash package (CVE-2021-23337)

Summary: Lodash is used by DataStage on Cloud Pak for Data as part of data manipulation. Vulnerability Details: CVEID: CVE-2021-23337 DESCRIPTION: Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. CWE: CWE-94: Improper Control of Generation of Code 'Code...

CVSS 7.2 • AI score 7.5 • EPSS 0.04314 • Exploits 2 • Affected Software 1
IBM Security Bulletins • added 2025/07/23 4:13 p.m. • 5 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to prototype pollution due to the gRPC package (CVE-2020-7768)

Summary: gRPC is used by DataStage on Cloud Pak for Data as part of service communication. Vulnerability Details: CVEID: CVE-2020-7768 DESCRIPTION: The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition. CWE: CWE-1321:...

CVSS 9.8 • AI score 8.4 • EPSS 0.01321 • Exploits 0 • Affected Software 1
IBM Security Bulletins • added 2025/07/23 4:11 p.m. • 5 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to a null pointer dereference due to the libarchive package (CVE-2024-48615)

Summary: libarchive is used by DataStage on Cloud Pak for Data as part of data formatting. Vulnerability Details: CVEID: CVE-2024-48615 DESCRIPTION: Null Pointer Dereference vulnerability in libarchive 3.7.6 and earlier when running program bsdtar in function header_pax_extension at...

CVSS 7.5 • AI score 7.4 • EPSS 0.0025 • Exploits 1 • Affected Software 1
Total number of security vulnerabilities: 34931