IBM Security Bulletin: IBM Domino server IMAP EXAMINE command stack buffer overflow (CVE-2017-1274)

High Severity

A vulnerability in the IBM Domino server IMAP EXAMINE command could potentially be exploited by an authenticated user, resulting in a stack buffer overflow. This could allow a remote attacker to execute code with the privileges of the Domino server. Current 64-bit platforms leverage ASLR (Address Space Layout Randomization), which dramatically reduces the probability of […]

Apache Struts Jakarta Multi-part Parser Code Execution (CVE-2017-5638)

On March 6, 2017, a code execution vulnerability in the Apache Struts Jakarta Multi-part parser was reported by Apache. IBM is analyzing its products to determine which ones may be affected by this vulnerability. Affected IBM products will be issuing mitigations and/or fixes as soon as possible. Please actively monitor both your IBM Support Portal […]

IBM Security Bulletin: Vulnerabilities in Mozilla NSS affect the IBM FlashSystem models 840 and 900

Apr 26, 2017 10:00 am EDT | High Severity

There are vulnerabilities in Mozilla Network Security Services (NSS) to which the IBM® FlashSystem™ 840 and FlashSystem™ 900 are susceptible. An exploit of these vulnerabilities (CVE-2016-2834, CVE-2016-5285, and CVE-2016-8635) could allow a remote attacker to execute arbitrary code, to recover private keys, to crash a TLS/SSL server, or to cause a denial of service. CVE(s): ...read more


IBM Security Bulletin: Vulnerabilities in Mozilla NSS affect the IBM FlashSystem model V840

Apr 26, 2017 10:00 am EDT | High Severity

There are vulnerabilities in Mozilla Network Security Services (NSS) to which the IBM® FlashSystem™ V840 is susceptible. An exploit of these vulnerabilities (CVE-2016-2834, CVE-2016-5285, and CVE-2016-8635) could allow a remote attacker to execute arbitrary code, to recover private keys, to crash a TLS/SSL server, or to cause a denial of service. CVE(s): CVE-2016-2834, CVE-2016-5285, CVE-2016-8635 ...read more


IBM Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products

Apr 26, 2017 10:00 am EDT | High Severity

Multiple vulnerabilities in the Oracle Java SE and the Java SE Embedded impact the IBM SDK, Java Technology Edition. CVE(s): CVE-2016-5542, CVE-2016-5568, CVE-2016-5556, CVE-2016-5573, CVE-2016-5597, CVE-2016-5554 Affected product(s) and affected version(s): IBM Monitoring 8.1.3 IBM Application Diagnostics 8.1.3 IBM Application Performance Management 8.1.3 IBM Application Performance Management Advanced 8.1.3 IBM Cloud Application Performance Management Refer ...read more


IBM Security Bulletin: A vulnerability in the GSKIT component of the Core Framework affects IBM Performance Management products (CVE-2016-2183)

Apr 26, 2017 10:00 am EDT | Low Severity

OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the DES/3DES cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover ...read more


IBM Security Bulletin: IBM Sterling Order Management is affected by a vulnerability (CVE-2017-5638)

Apr 25, 2017 10:00 am EDT | High Severity

IBM Sterling Order Management uses Apache Struts 2 and is affected by some of the vulnerabilities that exist in Apache Struts 2. CVE(s): CVE-2017-5638 Affected product(s) and affected version(s): IBM Sterling Selling and Fulfillment Foundation 9.1.0 IBM Sterling Selling and Fulfillment Foundation 9.2.0 IBM Sterling Selling and Fulfillment Foundation 9.2.1 IBM Sterling Selling and Fulfillment ...read more


IBM Security Bulletin: IBM WebSphere Commerce REST framework has a vulnerability in session management (CVE-2017-1170)

Apr 25, 2017 10:00 am EDT | Medium Severity

WebSphere Commerce REST framework could allow a local user to hijack a user’s session. CVE(s): CVE-2017-1170 Affected product(s) and affected version(s): WebSphere Commerce versions 8.0.3.0 – 8.0.3.3 WebSphere Commerce versions 8.0.1.0 – 8.0.1.9 WebSphere Commerce versions 8.0.0.0 – 8.0.0.17 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22001225 X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/123230 ...read more


IBM Security Bulletin: Vulnerability in password strength policy affects IBM License Metric Tool v9.x and IBM BigFix Inventory v9.x (CVE-2016-8962)

Apr 25, 2017 10:00 am EDT | Medium Severity

IBM License Metric Tool v9.x and IBM BigFix Inventory v9.x do not require strong passwords by default, which makes it easier for attackers to compromise user accounts. CVE(s): CVE-2016-8962 Affected product(s) and affected version(s): IBM License Metric Tool v9.x IBM BigFix Inventory v9.x Refer to the following reference URLs for remediation and additional vulnerability details: Source ...read more


IBM Security Bulletin: IBM Maximo Asset Management could allow a remote attacker to hijack a user’s session, caused by the failure to invalidate an existing session identifier (CVE-2016-8924)

Apr 25, 2017 10:00 am EDT | Medium Severity

IBM Maximo Asset Management could allow a remote attacker to hijack a user’s session, caused by the failure to invalidate an existing session identifier. An attacker could exploit this vulnerability to gain access to another user’s session. CVE(s): CVE-2016-8924 Affected product(s) and affected version(s): This vulnerability affects the following versions of the IBM Maximo Asset ...read more


IBM Security Bulletin: BigFix Platform is vulnerable to OpenSSL denial of service attack

Apr 25, 2017 10:00 am EDT | Medium Severity

OpenSSL is vulnerable to a denial of service, caused by the incorrect use of pointer arithmetic for heap-buffer boundary checks. By leveraging unexpected malloc behavior, a remote attacker could exploit this vulnerability to trigger an integer overflow and cause the application to crash. CVE(s): CVE-2016-2177 Affected product(s) and affected version(s): BigFix Platform 9.1 BigFix Platform ...read more