IBM Security Bulletin Overview

Overview

IBM uses various methods to communicate security vulnerability information to customers. A Security Bulletin is used when publicly disclosing security vulnerabilities discovered in IBM products. Alternative tools and processes are used, where appropriate (e.g. for z Systems, managed and cloud-based services, etc.), when targeted or discreet communication with entitled customers is required. To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations.

Security Bulletins notify customers about one or more vulnerabilities. Customers are responsible for assessing the impact of any actual or potential security vulnerability in the context of their environment.

Structure and Content

IBM Security Bulletins follow a standard format and include elements that identify the type of vulnerability and its potential impact. Given their sensitive nature, Security Bulletins do not include detailed vulnerability exploitation information. The structure of an IBM Security Bulletin is defined below.

Title

To aid in identification, the title of the security bulletin includes the phrase “Security Bulletin:” followed by a brief statement that includes information such as the nature, or type, of vulnerability and the affected IBM Product Name. It may also include one or more associated CVE IDs.
Examples:
Security Bulletin: Unauthorized access vulnerability affects $Offering (CVE-xxxx-xx)
Security Bulletin: Multiple SNMP vulnerabilities affect $Offering

Summary

The security bulletin summary provides general information about the nature of the vulnerability.

Vulnerability Details

The vulnerability details section provides a list of Common Vulnerabilities and Exposures (CVE) identifiers and descriptions. CVE IDs are standardized identifiers for common computer vulnerabilities and exposures. Additional CVE information is available via the CVE FAQs.

The vulnerability details section also includes the Common Vulnerability Scoring System (CVSS) details associated with each CVE. IBM intends to use CVSS as a standard for communicating the impact of security vulnerabilities in IBM products and solutions. CVSS is an open standard for assessing the severity or impact of computer system security vulnerabilities. It defines a numeric measure that represents how much concern or attention the vulnerability warrants. The resulting CVSS score is computed from an assessment of a series of metrics. The CVSS Base Score represents the intrinsic and fundamental characteristics of the vulnerability that are typically constant over time and across user environments. Additional information is available in the CVSS v3.1 User Guide.
 

CVE and CVSS Information


CVE and CVSS details are presented in the following format:

  • CVEID: CVE-XXXX-XXXX (where XXXX-XXXX represents an assigned CVE ID)
  • Description:.....
  • CVSS Base Score: X.X
  • CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/XXXXX for the current score
  • CVSS Environmental Score*: Undefined
  • CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X) for CVEs scored under CVSS v2, or CVSS Vector: (CVSS:3.0/AV:X/AC:X/PR:X/UI:X/S:X/C:X/I:X/A:X) for CVSS v3.x (the prefix is CVSS:3.1/ when the CVE is scored under v3.1)


The information represented by this format is as follows:
CVEID: The assigned CVE identifier, presented as a hyperlink to the associated MITRE CVE information web page.

Description: A high level description of the vulnerability. IBM does not intend to provide vulnerability details that could enable someone to craft an exploit of the vulnerability.

CVSS Base Score: The CVSS Base Score assigned to the CVE by IBM, on a scale of 0.0 to 10.0.

CVSS Temporal Score: The temporal score can change over the lifetime of the vulnerability as exploits are developed and disclosed and as mitigations and fixes are made available. The IBM X-Force Exchange Vulnerability Report link includes the current temporal score information.

CVSS Environmental Score: The environmental score uses the base and current temporal scores to assess the severity of a vulnerability in the context of the way that the vulnerable product or software is deployed. Because the CVSS Environmental Score depends on each customer's own environment, IBM lists it as "Undefined" in the bulletin. Customers can evaluate the impact of the vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

CVSS Vector: The CVSS Vector is a representation of the metric values used to score the vulnerability. The CVSS 3.1 Calculator provides details regarding the meaning of the vector string metrics.

Affected products and versions: The affected products and versions section identifies the names of affected IBM Offerings and the versions of those offerings which are affected by the vulnerabilities identified in the security bulletin.

Remediation/fixes: The remediation/fixes section identifies associated fixes, by affected version, as well as how and where to obtain those fixes.

Workarounds and Mitigations: The workarounds and mitigations section identifies usage or configuration changes that may be available in place of fix installation.

References: The references section identifies additional resources that may be useful when evaluating the security bulletin.

Related Information: The related information section identifies additional, related information resources that may be useful when evaluating the security bulletin.

Change History: The change history section summarizes publication and update information associated with the security bulletin. In the event that you receive multiple notifications for a bulletin, re-review the bulletin to determine if the new updates are applicable to your environment.