Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to asymmetric resource consumption in golang-jwt [CVE-2025-30204]
Summary IBM Watson Speech Services Cartridge is vulnerable to asymmetric resource consumption in golang-jwt, due to a flaw in the way the function parse.ParseUnverified splits its input (CVE-2025-30204). Golang-jwt is included as part of our speech utilities. This vulnerability has been addressed. Please read...
Security Bulletin: An unspecified vulnerability in Java SE related to the Server: DDL component could allow a remote attacker to cause a high confidentiality impact. (CVE-2025-21587, CVE-2025-30698, CVE-2025-4447) affect IBM PowerVM Novalink.
Summary An unspecified vulnerability in Java SE related to the Server: DDL component could allow a remote attacker to cause high confidentiality and high integrity impact. IBM PowerVM Novalink has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-21587 DESCRIPTION: An unspecifie...
Security Bulletin: Vulnerabilities in old Spring Framework versions affect watsonx.data
Summary In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of...
Security Bulletin: The Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression, affects watsonx.data
Summary In scenarios where input size isn't limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to excessive memory usage and an Out-Of-Memory (OOM) crash of the process. This issue is relatively uncomm...
Security Bulletin: Vulnerabilities in old Spring Framework versions, made disallowedFields patterns in DataBinder case insensitive, affect watsonx.data
Summary In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of...
Security Bulletin: An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files affect watsonx.data
Summary An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files. These could affect watsonx.data. Vulnerability Details CVEID:CVE-2025-27363 DESCRIPTION: An out of bounds write exists in...
Security Bulletin: A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed, (CVE-2025-23184) affects IBM PowerVM Novalink.
Summary A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system it applies to servers and clients. IBM...
Security Bulletin: Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118 (CVE-2025-25193) affects IBM PowerVM Novalink.
Summary Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on a Windows application, Netty attempts to load ...
Security Bulletin: IBM Security Verify Password Synchronization Plug-in for Windows AD is affected by multiple vulnerabilities
Summary IBM Security Verify Password Synchronization Plug-in for Windows AD has addressed these vulnerabilities. Vulnerability Details CVEID:CVE-2022-0778 DESCRIPTION: The BN_mod_sqrt function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime...
Security Bulletin: A vulnerability in Babel affects IBM Robotic Process Automation and could result in inefficient regular expression complexity (CVE-2025-27789).
Summary A vulnerability in Babel affects IBM Robotic Process Automation and could result in inefficient regular expression complexity (CVE-2025-27789). Babel is used by IBM Robotic Process Automation as part of its UI framework. This security bulletin identifies the fixes required to resolve the...
Security Bulletin: A vulnerability in Watson NLP affects IBM Robotic Process Automation (CVE-2024-56171).
Summary A vulnerability in Watson NLP affects IBM Robotic Process Automation (CVE-2024-56171). Watson NLP is used by IBM Robotic Process Automation for Natural Language Processing. This bulletin identifies the fixes required to address the vulnerability. Vulnerability Details CVEID:CVE-2024-56171...
Security Bulletin: A vulnerability in Apache Active MQ NMS affects IBM Robotic Process Automation and could result in arbitrary code execution (CVE-2025-29953).
Summary A vulnerability in Apache Active MQ NMS affects IBM Robotic Process Automation and could result in arbitrary code execution (CVE-2025-29953). Apache Active MQ is used by IBM Robotic Process Automation for integration with Apache Active MQ. This security bulletin identifies the fixes require...
Security Bulletin: A vulnerability in axios affects IBM Robotic Process Automation and could result in credential leakage (CVE-2025-27152)
Summary A vulnerability in axios affects IBM Robotic Process Automation and could result in credential leakage (CVE-2025-27152). Axios is used by IBM Robotic Process Automation as part of the User Interface. This security bulletin identifies the fixes to resolve the vulnerability. Vulnerability...
Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to exposure of sensitive data and authorization bypass due to the Apache ZooKeeper package (CVE-2024-23944, CVE-2023-44981)
Summary Apache ZooKeeper is used by DataStage on Cloud Pak for Data as part of configuration synchronization. Vulnerability Details CVEID:CVE-2024-23944 DESCRIPTION: Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monit...
Security Bulletin: A vulnerability in cert-manager affects IBM Robotic Process Automation for Cloud Pak and could result in a denial of service (CVE-2024-12401).
Summary A vulnerability in cert-manager affects IBM Robotic Process Automation for Cloud Pak and could result in a denial of service (CVE-2024-12401). Cert-manager is used by IBM Robotic Process Automation for Cloud Pak as part of its container deployment. This security bulletin identifies the fix...
Security Bulletin: A vulnerability in WebSphere Liberty affects IBM Robotic Process Automation and could lead to a denial of service (CVE-2025-25193).
Summary A vulnerability in WebSphere Liberty affects IBM Robotic Process Automation and could lead to a denial of service (CVE-2025-25193). WebSphere Application Liberty is used by IBM Robotic Process Automation as part of Antivirus and Abbyy containers as well as UMS. This bulletin identifies the...
Security Bulletin: IBM Data Product Hub is affected by several vulnerabilities
Summary IBM Data Product Hub has a dependency on IBM WebSphere Application Server Liberty, which is vulnerable. This bulletin contains information regarding the vulnerabilities and their fixes. Vulnerability Details CVEID:CVE-2025-23184 DESCRIPTION: A potential denial of service vulnerability i...
Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Installation Manager and IBM Packaging Utility (CVE-2025-21587)
Summary There is a vulnerability in IBM® Runtime Environment Java™ Version 11 used by IBM Installation Manager and IBM Packaging Utility. The IBM Installation Manager and IBM Packaging Utility have addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-21587 DESCRIPTION: An unspecifie...
Security Bulletin: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Cloud Pak for Data
Summary IBM has released the below fix for IBM Db2® on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data in response to multiple vulnerabilities found in multiple components. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details...
Security Bulletin: Go net/http package is vulnerable to a denial of service, a remote attacker could exploit this vulnerability to cause a denial of service, affects watsonx.data
Summary Go net/http package is vulnerable to a denial of service, caused by improper 100-continue header handling. By sending "Expect: 100-continue" requests, a remote attacker could exploit this vulnerability to cause a denial of service and this could affect watsonx.data. Vulnerability Details...
Security Bulletin: BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors, affects watsonx.data
Summary BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors and this could affect watsonx.data. Vulnerability Details CVEID:CVE-2019-12900 DESCRIPTION: BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when...
Security Bulletin: OpenTelemetry Collector Contrib could allow a remote attacker to bypass security restrictions, caused by a flaw when configured to require a key, affects watsonx.data
Summary OpenTelemetry Collector Contrib could allow a remote attacker to bypass security restrictions, caused by a flaw when configured to require a key. By sending a specially crafted request, an attacker could exploit this vulnerability to perform unauthorized write to metrics and this could...
Security Bulletin: A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1, affects watsonx.data
Summary A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of '', a stack exhaustion can be triggered, which could allow an attacker to cause a Denial of Service (DoS) and this could affect watsonx.data...
Security Bulletin: Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured tokens, affects watsonx.data
Summary The bearertokenauth extension's server authenticator performs a simple, non-constant time string comparison of the received & configured bearer tokens. This impacts anyone using the bearertokenauth server authenticator. Malicious clients with network access to the collector may perform a...
Security Bulletin: Vulnerability in Babel runtime library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2025-27789)
Summary Babel is a compiler used to generate JavaScript code for Tivoli Netcool/OMNIbus WebGUI Event Viewer, Netcool Operations Insight (NOI) Event Analytics Configuration and Scope Based Grouping client components. Vulnerability Details CVEID:CVE-2025-27789 DESCRIPTION: Babel is a compiler for...
Security Bulletin: IBM SPSS Statistics I/O Module is vulnerable to Denial of Service Attack (CVE-2022-43855)
Summary The IO Module is a separate library that users can code to in order to read and write SPSS .sav data files. A vulnerability was discovered in which attempts to write to an unwritable location can lead to file handle leakage and eventual file handle exhaustion. Vulnerability Details...
Security Bulletin: Erlang/OTP SSH Protocol Flaw Allows Remote Code Execution
Summary Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, an SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious...
Security Bulletin: IBM Cognos Analytics is affected by security vulnerabilities
Summary There are vulnerabilities in multiple Open Source Software (OSS) components consumed by IBM Cognos Analytics. Additionally, IBM Cognos Analytics is vulnerable to Cross Site Scripting (XSS), JavaScript Source Map and Denial of Service (DoS) vulnerabilities. This Security Bulletin relates only t...
Security Bulletin: IBM Security QRadar EDR Software contains multiple vulnerabilities
Summary IBM Security QRadar EDR Software includes vulnerable components (e.g., framework libraries) that could be identified and exploited with automated tools. These have been addressed in the update. Vulnerability Details CVEID:CVE-2024-53382 DESCRIPTION: Prism (aka PrismJS) through 1.29.0 allows D...
Security Bulletin: IBM DataPower Gateway affected by timing side-channel in OpenSSL (CVE-2024-13176)
Summary IBM DataPower Gateway uses OpenSSL for most cryptographic operations. Vulnerability Details CVEID:CVE-2024-13176 DESCRIPTION: Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summary: A timing...
Security Bulletin: IBM DataPower Gateway vulnerable to multiple CVEs in zlib
Summary IBM DataPower Gateway uses zlib in reading and writing configuration exports and for handling compressed traffic. Vulnerability Details CVEID:CVE-2018-25032 DESCRIPTION: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches...
Security Bulletin: IBM Verify Identity Access is affected by a security vulnerability (CVE-2025-0163)
Summary IBM Verify Identity Access has addressed this vulnerability in an update. Vulnerability Details CVEID:CVE-2025-0163 DESCRIPTION: IBM Security Verify Access Appliance could allow a remote attacker to enumerate usernames due to an observable response discrepancy of disabled accounts...
Security Bulletin: Multiple security vulnerabilities in RedHat UBI affect IBM Robotic Process Automation for Cloud Pak
Summary Multiple vulnerabilities in RedHat UBI affect IBM Robotic Process Automation for Cloud Pak. RedHat UBI is used as the base image for IBM Robotic Process Automation for Cloud Pak images. This bulletin identifies the fixes required to address the vulnerabilities. Vulnerability Details...
Security Bulletin: Multiple Vulnerabilities in IBM API Connect
Summary Multiple vulnerabilities were addressed in IBM API Connect version 10.0.8.2-ifix2. Vulnerability Details CVEID:CVE-2019-12900 DESCRIPTION: BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. CWE:CWE-787: Out-of-bounds Write CVSS...
Security Bulletin: IBM DataPower Gateway affected by multiple CVEs in OS kernel
Summary The following CVEs in the OS kernel may affect IBM DataPower Gateway. Vulnerability Details CVEID:CVE-2023-52458 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: block: add check that partition length needs to be aligned with block size Before calling add...
Security Bulletin: This Power System update is being released to address CVE-2024-13176
Summary This affects the BMC's HTTPS and SSH interfaces. Vulnerability Details CVEID:CVE-2024-13176 DESCRIPTION: Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA...
Security Bulletin: AIX/VIOS is vulnerable to arbitrary command execution due to Perl (CVE-2025-33112)
Summary Vulnerability in AIX's Perl could allow an attacker to execute arbitrary commands (CVE-2025-33112). AIX uses Perl in various operating system components. Vulnerability Details CVEID:CVE-2025-33112 DESCRIPTION: IBM AIX's Perl implementation could allow a non-privileged local user to exploit ...
Security Bulletin: AIX/VIOS is vulnerable to an expected behavior violation (CVE-2025-32728) due to OpenSSH
Summary AIX's OpenSSH DisableForwarding directive does not adhere to the documentation (CVE-2025-32728). OpenSSH is used by AIX for remote login. Vulnerability Details CVEID:CVE-2025-32728 DESCRIPTION: In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the...
Security Bulletin: AIX is vulnerable to sensitive information disclosure (CVE-2025-0167, CVE-2024-11053) and a denial of service (CVE-2024-9681) due to cURL libcurl
Summary Vulnerabilities in cURL libcurl could allow a remote attacker to obtain sensitive information (CVE-2025-0167, CVE-2024-11053) or cause a denial of service (CVE-2024-9681). AIX uses cURL libcurl as part of rsyslog, LV/PV encryption integration with HPCS and in Live Update for interacting with...
Security Bulletin: IBM Tivoli Application Dependency Discovery Manager is vulnerable to stored cross-site scripting.
Summary IBM Tivoli Application Dependency Discovery Manager is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a...
Security Bulletin: IBM Tivoli Application Dependency Discovery Manager is vulnerable to server-side request forgery attack.
Summary IBM Tivoli Application Dependency Discovery Manager is vulnerable to server-side request forgery. This vulnerability allows authenticated users to send specially crafted requests (CVE-2023-51441). Vulnerability Details CVEID:CVE-2023-51441 DESCRIPTION: Apache Axis is vulnerable to server-si...
Security Bulletin: Due to Apache CXF used by IBM WebSphere Application Server Liberty, IBM Tivoli Application Dependency Discovery Manager is vulnerable to denial of service.
Summary IBM Tivoli Application Dependency Discovery Manager is affected by a denial of service vulnerability due to the use of Apache CXF in IBM WebSphere Application Server Liberty, when the jaxws-2.2, xmlWS-3.0, or xmlWS-4.0 feature is enabled (CVE-2025-23184). Vulnerability Details...
Security Bulletin: Multiple Vulnerabilities in IBM WebSphere Application Server affect IBM Cloud Pak System
Summary Multiple Vulnerabilities in IBM WebSphere Application Server affect IBM Cloud Pak System. Vulnerability Details CVEID:CVE-2024-45071 DESCRIPTION: IBM WebSphere Application Server is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary...
Security Bulletin: IBM Event Processing is vulnerable to Server-Side Request Forgery (SSRF) and credential leakage due to the axios package (CVE-2025-27152).
Summary IBM Event Processing is vulnerable to Server-Side Request Forgery (SSRF) and credential leakage due to the usage of the axios package. The axios package is used in event processing to send or retrieve data via HTTP calls, enabling integration with external services or REST APIs during event...
Security Bulletin: IBM Event Streams is vulnerable to Server Side Request Forgery (SSRF) due to the axios component (CVE-2025-27152).
Summary IBM Event Streams is vulnerable to Server Side Request Forgery (SSRF) due to the axios component. In Event Streams, axios is used to make HTTP requests to the Event Streams REST Admin API, such as creating or listing Kafka topics. Vulnerability Details CVEID:CVE-2025-27152 DESCRIPTION: axio...
Security Bulletin: The following vulnerabilities that can affect IBM Storage Scale System are now included (CVE-2023-52486 CVE-2023-52881)
Summary The following vulnerabilities that can affect IBM Storage Scale System and could provide weaker than expected security are now fixed (CVE-2023-52486, CVE-2023-52881). Vulnerability Details CVEID:CVE-2023-52881 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved:...
Security Bulletin: Multiple security vulnerabilities in Go affect IBM Robotic Process Automation for Cloud Pak
Summary Multiple security vulnerabilities in Go affect IBM Robotic Process Automation for Cloud Pak. Go is used by IBM Robotic Process Automation for Cloud Pak as part of its deployment. This bulletin identifies the fixes required to resolve the vulnerabilities. Vulnerability Details...
Security Bulletin: A vulnerability in WebSphere Liberty affects IBM Robotic Process Automation and could lead to a denial of service (CVE-2024-47535).
Summary A vulnerability in WebSphere Liberty affects IBM Robotic Process Automation and could lead to a denial of service (CVE-2024-47535). WebSphere Application Liberty is used by IBM Robotic Process Automation as part of Antivirus and Abbyy containers as well as UMS. This bulletin identifies the...
Security Bulletin: Multiple vulnerabilities in IBM MQ affect IBM Robotic Process Automation for Cloud Pak.
Summary Multiple vulnerabilities in IBM MQ affect IBM Robotic Process Automation for Cloud Pak. IBM MQ is used as a message queue for IBM Robotic Process Automation for Cloud Pak. This bulletin identifies the fixes to resolve these vulnerabilities. Vulnerability Details CVEID:CVE-2024-51471...
Security Bulletin: IBM Guardium Data Protection is affected by multiple vulnerabilities.
Summary IBM Guardium Data Protection has addressed these issues with an update. Vulnerability Details CVEID:CVE-2024-40906 DESCRIPTION: In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Always stop health timer during driver removal Currently, if teardown_hca fails to...