Apache Struts Jakarta Multi-part Parser Code Execution (CVE-2017-5638)

On March 6, 2017 a vulnerability in the Apache Struts Jakarta Multi-part parser code execution was reported by Apache. IBM is analyzing its products to determine which ones may be affected by this vulnerability. Affected IBM products will be issuing mitigations and/or fixes as soon as possible. Please actively monitor both your IBM Support Portal […]


IBM Product Security Incident Response

Acknowledgement



Mar 28, 2017 2:00 pm EDT

IBM acknowledges and thanks the security researchers and organizations listed below for reporting and working with us to resolve one or more security vulnerabilities in our products and services. Disclosures for 2017: Angelis Pseftis (Cyber Innovations Center, Jacobs), Kiran Shirali (LinkedIn, Twitter), Kravchenko Stas (LinkedIn, Twitter), Martin Carpenter, Matthias Kaiser (Code White), Mohammed Shameem ...


IBM Security Bulletin: Remote Code Execution (RCE) Vulnerability in Apache Struts affects IBM Connections

Mar 28, 2017 10:01 am EDT | High Severity

Certain versions of Apache Struts 2 Framework are vulnerable to RCE attacks. IBM Connections uses an Apache Struts 2 version which is vulnerable to this attack. CVE(s): CVE-2017-5638 Affected product(s) and affected version(s): The following versions of IBM Connections are impacted: IBM Connections 5.5, IBM Connections 5.0, IBM Connections 4.5, IBM Connections 4.0. Refer to ...


IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM® SDK for Node.js™ in IBM Bluemix (CVE-2017-3731 CVE-2017-3732 CVE-2016-7055)

Mar 28, 2017 10:01 am EDT | Medium Severity

OpenSSL vulnerabilities were disclosed on January 26, 2017 by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js. IBM SDK for Node.js has addressed the applicable CVEs. CVE(s): CVE-2017-3731, CVE-2017-3732, CVE-2016-7055 Affected product(s) and affected version(s): These vulnerabilities affect IBM SDK for Node.js v4.7.2.0 and earlier releases. These vulnerabilities affect IBM SDK for ...


IBM Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server in Bluemix

Mar 28, 2017 10:01 am EDT | High Severity

There are multiple vulnerabilities in the IBM® SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed as part of the IBM Java SDK updates in January 2017. These may affect some configurations of IBM WebSphere Application Server Traditional, IBM WebSphere Application Server Liberty and IBM WebSphere Application Server ...


IBM Security Bulletin: OpenStack Cinder/Glance/Nova vulnerabilities affect IBM Cloud Manager with OpenStack (CVE-2015-5162)

Mar 28, 2017 10:00 am EDT | Medium Severity

IBM Cloud Manager has addressed vulnerabilities in OpenStack Nova/Glance/Cinder. CVE(s): CVE-2015-5162 Affected product(s) and affected version(s): IBM Cloud Manager with OpenStack 4.3.0 through 4.3.0.7, IBM Cloud Manager with OpenStack 4.1.0 through 4.1.0.5. Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=isg3T1024954 X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/118290 ...


IBM Security Bulletin: Vulnerability in GSKit affects IBM Sterling Connect:Direct for Microsoft Windows (CVE-2016-2183)

Mar 28, 2017 10:00 am EDT | Low Severity

An OpenSSL vulnerability disclosed by the OpenSSL Project affects GSKit. IBM Sterling Connect:Direct for Microsoft Windows uses GSKit and therefore is also vulnerable. This vulnerability is known as the SWEET32 Birthday attack. CVE(s): CVE-2016-2183 Affected product(s) and affected version(s): IBM Sterling Connect:Direct for Microsoft Windows 4.7.0.0 through 4.7.0.4_iFix027 Refer to the following reference URLs for ...


IBM Security Bulletin: Open Source OpenStack Neutron, Horizon and Ironic Vulnerabilities affect IBM Cloud Manager with OpenStack (CVE-2016-4985, CVE-2016-5362, CVE-2015-8914, CVE-2016-5363, CVE-2016-4428)

Mar 28, 2017 10:00 am EDT | Medium Severity

IBM Cloud Manager has addressed vulnerabilities in OpenStack Neutron, Horizon and Ironic. CVE(s): CVE-2016-5362, CVE-2015-8914, CVE-2016-5363, CVE-2016-4428 Affected product(s) and affected version(s): IBM Cloud Manager with OpenStack 4.3.0 through 4.3.0.7, IBM Cloud Manager with OpenStack 4.1.0 through 4.1.0.5. Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=isg3T1024250 X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/113941 X-Force Database: ...


IBM Security Bulletin: Vulnerabilities in SSH affect IBM DataPower Gateways (CVE-2016-10009, CVE-2016-10012)

Mar 27, 2017 10:00 am EDT | Medium Severity

SSH vulnerabilities were disclosed by the OpenSSH Project. IBM DataPower Gateways has addressed the applicable CVEs. CVE(s): CVE-2016-10009, CVE-2016-10012 Affected product(s) and affected version(s): CVE-2016-10009: IBM DataPower Gateway version 7.5.2.0-7.5.2.2; CVE-2016-10012: IBM DataPower Gateway, versions 7.0.0.0-7.0.0.17, 7.1.0.0-7.1.0.14, 7.2.0.0-7.2.0.11, 7.5.0.0-7.5.0.5, 7.5.1.0-7.5.1.4, 7.5.2.0-7.5.2.2. Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg22000413&myns=swgws&mynp=OCSS9H2Y&mync=E&cm_sp=swgws-_-OCSS9H2Y-_-EX-Force ...


IBM Security Bulletin: Vulnerabilities in OpenSSH and OpenSSL affect GPFS for Windows V3.5

Mar 27, 2017 10:00 am EDT | High Severity

OpenSSH vulnerabilities were disclosed on December 23, 2016 by the OpenSSH Project. OpenSSL vulnerabilities were disclosed on November 10, 2016 and January 26, 2017 by the OpenSSL Project. OpenSSH and OpenSSL are used by GPFS V3.5 for Windows. GPFS V3.5 for Windows has addressed the applicable CVEs. CVE(s): CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-7055, CVE-2017-3731, CVE-2017-3732 ...