IBM Security Bulletin: IBM Domino server IMAP EXAMINE command stack buffer overflow (CVE-2017-1274)

High Severity

A vulnerability in the IBM Domino server IMAP EXAMINE command potentially could be exploited by an authenticated user resulting in a stack buffer overflow. This could allow a remote attacker to execute code with the privileges of the Domino server. Current 64-bit platforms leverage ASLR (Address Space Layout Randomization) which dramatically reduces the probability of […]

Apache Struts Jakarta Multi-part Parser Code Execution (CVE-2017-5638)

On March 6, 2017 a code execution vulnerability in the Apache Struts Jakarta Multi-part parser was reported by Apache. IBM is analyzing its products to determine which ones may be affected by this vulnerability. Affected IBM products will be issuing mitigations and/or fixes as soon as possible. Please actively monitor both your IBM Support Portal […]

IBM Security Bulletin: Vulnerability in Samba affects IBM Netezza Host Management

Jul 24, 2017 10:00 am EDT | High Severity

Open source Samba is used by IBM Netezza Host Management. IBM Netezza Host Management has addressed the applicable CVE. CVE(s): CVE-2017-7494 Affected product(s) and affected version(s): IBM Netezza Host Management 5.4.5.0 – 5.4.13.0 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22005381 X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/126417 ...


IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (ITNCM)

Jul 22, 2017 10:00 am EDT | High Severity

There are multiple vulnerabilities in IBM® SDKs Java™ Technology Edition, Versions 6, 7, 8 and IBM® Runtime Environments Java™ Technology Edition, Versions 6, 7, 8 used by IBM Tivoli Netcool Configuration Manager. These issues were disclosed as part of the IBM Java SDK updates in Apr 2017. CVE(s): CVE-2017-3539, CVE-2017-3533, CVE-2017-1289 Affected product(s) and affected ...



IBM Product Security Incident Response: Acknowledgement

Jul 21, 2017 3:30 pm EDT

IBM acknowledges and thanks the security researchers and organizations listed below for reporting and working with us to resolve one or more security vulnerabilities in our products and services. Disclosures for 2017: Adeel Imtiaz (LinkedIn), Alberto Garcia Illera (SalesForce), Angelis Pseftis (Cyber Innovations Center, Jacobs), Bosko Stankovic (DefenseCode), Dominique Righetto (Excellium), Francisco Oca (SalesForce), Gabriele ...


IBM Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products

Jul 21, 2017 11:44 am EDT | High Severity

Multiple vulnerabilities in the Oracle Java SE and the Java SE Embedded impact the IBM SDK, Java Technology Edition. CVE(s): CVE-2017-3289, CVE-2017-3272, CVE-2017-3241, CVE-2017-3260, CVE-2016-5546, CVE-2017-3253, CVE-2016-5548, CVE-2016-5549, CVE-2017-3252, CVE-2016-5547, CVE-2016-5552, CVE-2017-3261, CVE-2017-3231, CVE-2017-3259, CVE-2016-2183 Affected product(s) and affected version(s): IBM Monitoring 8.1.3 IBM Application Diagnostics 8.1.3 IBM Application Performance Management 8.1.3 IBM Application Performance ...


IBM Security Bulletin: WebSphere Application Server may have insecure file permissions (CVE-2017-1382)

Jul 21, 2017 10:00 am EDT | Medium Severity

WebSphere Application Server may have insecure file permissions after custom startup scripts are run. The custom startup script will not pull the umask from the server.xml. This may cause some log files to have different permissions than expected. CVE(s): CVE-2017-1382 Affected product(s) and affected version(s): This vulnerability affects the following versions and releases of IBM ...


IBM Security Bulletin: Cross-site scripting vulnerability in Admin Console for WebSphere Application Server (CVE-2017-1380)

Jul 21, 2017 10:00 am EDT | Medium Severity

There is a potential cross-site scripting vulnerability in the Admin Console for WebSphere Application Server. CVE(s): CVE-2017-1380 Affected product(s) and affected version(s): This vulnerability affects the following versions and releases of IBM WebSphere Application Server: Version 9.0 Version 8.5 Version 8.0 Version 7.0 Refer to the following reference URLs for remediation and additional vulnerability details: Source ...


IBM Security Bulletin: API Connect is affected by SSH vulnerability (CVE-1999-1085)

Jul 21, 2017 10:00 am EDT | Low Severity

API Connect has addressed the following vulnerability: a vulnerability in SSH (Secure Shell) could allow a remote attacker to insert data into an encrypted session. CVE(s): CVE-1999-1085 Affected product(s) and affected version(s): IBM API Connect v5.0.0.0-5.0.7.0 Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22005718 X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/1126 ...


IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Storwize V7000 Unified

Jul 21, 2017 10:00 am EDT | Medium Severity

OpenSSL is used by IBM Storwize V7000 Unified. IBM Storwize V7000 Unified has addressed the applicable CVEs. CVE(s): CVE-2017-3731 Affected product(s) and affected version(s): IBM Storwize V7000 Unified The product is affected when running code releases 1.5.0.0 to 1.5.2.5 and 1.6.0.0 to 1.6.2.1 Refer to the following reference URLs for remediation and additional vulnerability details: Source ...


IBM Security Bulletin: Cross-site Scripting vulnerabilities affect IBM Rational products based on IBM Jazz technology

Jul 21, 2017 10:00 am EDT | Medium Severity

Potential cross-site scripting vulnerabilities affect the following IBM Rational products: Rational Engineering Lifecycle Manager (RELM), Rational Rhapsody Design Manager (Rhapsody DM) CVE(s): CVE-2016-8975, CVE-2017-1245, CVE-2017-1249, CVE-2017-1287 Affected product(s) and affected version(s): Rational Rhapsody Design Manager 5.0.0-5.0.2, 6.0 – 6.0.3 (Versions 6.0.4 and above are not affected) Rational Engineering Lifecycle Manager 6.0 – 6.0.2 (Versions 6.0.3 ...