High Severity

IBM Security Bulletin: IBM Domino server IMAP EXAMINE command stack buffer overflow (CVE-2017-1274)

A vulnerability in the IBM Domino server IMAP EXAMINE command could be exploited by an authenticated user, resulting in a stack buffer overflow. This could allow a remote attacker to execute code with the privileges of the Domino server. Current 64-bit platforms leverage ASLR (Address Space Layout Randomization), which dramatically reduces the probability of […]

Apache Struts Jakarta Multi-part Parser Code Execution (CVE-2017-5638)

On March 6, 2017 a code execution vulnerability in the Apache Struts Jakarta Multi-part parser was reported by Apache. IBM is analyzing its products to determine which ones may be affected by this vulnerability. Affected IBM products will be issuing mitigations and/or fixes as soon as possible. Please actively monitor both your IBM Support Portal […]

IBM Security Bulletin: Multiple vulnerabilities may affect ASP.NET Core in IBM Bluemix

Aug 19, 2017 10:00 am EDT | High Severity

Vulnerabilities in .NET Core and ASP.NET Core could allow elevation of privilege. Vulnerabilities in Node.js and the c-ares library were disclosed on July 11, 2017 by the Node.js Foundation. IBM SDK for Node.js has addressed the applicable CVEs.
CVE(s): CVE-2017-0256, CVE-2017-0249, CVE-2017-0247, CVE-2017-1000381, CVE-2017-11499
Affected product(s) and affected version(s): These vulnerabilities affect ASP.NET Core in IBM […]


IBM Security Bulletin: No verification of user rights for certain applications on MaaS360 Windows installations. (CVE-2017-1422).

Aug 19, 2017 10:00 am EDT | Medium Severity

EMSAgentCmd.exe executes commands without verifying the source of the request. Additionally, commands are not restricted to operating within the boundaries of the application itself.
CVE(s): CVE-2017-1422
Affected product(s) and affected version(s): MaaS360 DTM, all versions up to 3.81
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22006985
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/127412


IBM Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products

Aug 19, 2017 10:00 am EDT | High Severity

Multiple vulnerabilities in Oracle Java SE and Java SE Embedded impact the IBM SDK, Java Technology Edition.
CVE(s): CVE-2017-3514, CVE-2017-3512, CVE-2017-3511, CVE-2017-3526, CVE-2017-3509, CVE-2017-3544, CVE-2017-3533, CVE-2017-3539, CVE-2017-1289, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, Not Applicable
Affected product(s) and affected version(s): IBM Monitoring 8.1.3; IBM Application Diagnostics 8.1.3; IBM Application Performance Management 8.1.3; IBM Application Performance […]


IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere DataPower XC10 Appliance

Aug 19, 2017 10:00 am EDT | Medium Severity

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 6 and 7 that affect the WebSphere DataPower XC10 Appliance. These issues were disclosed as part of the IBM Java SDK updates in January 2017.
CVE(s): CVE-2016-5548, CVE-2016-5547, CVE-2016-5552
Affected product(s) and affected version(s): WebSphere DataPower XC10 Appliance Version 2.1; WebSphere DataPower XC10 Appliance Version […]


IBM Security Bulletin: Vulnerabilities in zlib affect IBM Sterling Connect:Direct FTP+ (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843)

Aug 19, 2017 10:00 am EDT | Low Severity

Vulnerabilities were reported in zlib, which is used by IBM Sterling Connect:Direct FTP+. IBM Sterling Connect:Direct FTP+ has addressed the applicable CVEs.
CVE(s): CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
Affected product(s) and affected version(s): IBM Sterling Connect:Direct FTP+ 1.3.0; IBM Sterling Connect:Direct FTP+ 1.2.0
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: […]


IBM Security Bulletin: Multiple vulnerabilities in Oracle® Java™ Runtime Environment version 1.7 affect IBM Flex System Manager(FSM) Storage Manager Install Anywhere (SMIA) configuration tool

Aug 19, 2017 10:00 am EDT | High Severity

There are multiple vulnerabilities in Oracle® Java™ Runtime Environment version 1.7, which is used by the IBM Flex System Manager (FSM) Storage Management Install Anywhere (SMIA) configuration tool. These issues were disclosed as part of the Java updates from July 2016 and January 2017.
CVE(s): CVE-2016-3508, CVE-2016-3500, CVE-2016-5546, CVE-2017-3253, CVE-2017-3252, CVE-2016-5547, CVE-2016-5552, CVE-2016-2183
Affected product(s) and […]


IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring

Aug 18, 2017 10:00 am EDT | High Severity

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, which is used by IBM Tivoli Monitoring. These issues were disclosed as part of the IBM Java SDK updates in April 2017.
CVE(s): CVE-2017-3514, CVE-2017-3512, CVE-2017-3511, CVE-2017-3509, CVE-2017-3544, CVE-2017-3533, CVE-2017-3539, CVE-2017-1289, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
Affected product(s) and affected version(s): IBM Tivoli Monitoring version […]


IBM Security Bulletin: Security Vulnerabilities in Apache FOP and Apache Batik affect IBM WebSphere Portal (CVE-2017-5661, CVE-2017-5662)

Aug 17, 2017 10:00 am EDT | Medium Severity

XML external entity (XXE) security vulnerabilities in Apache FOP and Apache Batik affect IBM WebSphere Portal (CVE-2017-5661, CVE-2017-5662).
CVE(s): CVE-2017-5661, CVE-2017-5662
Affected product(s) and affected version(s):
Affected Product | Affected Versions
IBM WebSphere Portal | 9.0.0.0 – 9.0.0.0 CF13
IBM WebSphere Portal | 8.5.0.0 – 8.5.0.0 CF13
IBM WebSphere Portal | 8.0.0.0 – 8.0.0.1 CF22
IBM WebSphere Portal | 7.0.0.0 […]


IBM Product Security Incident Response

Acknowledgement

Aug 16, 2017 5:30 pm EDT

IBM acknowledges and thanks the security researchers and organizations listed below for reporting and working with us to resolve one or more security vulnerabilities in our products and services.
Disclosures for 2017:
Adeel Imtiaz (LinkedIn)
Alberto Garcia Illera (SalesForce)
Angelis Pseftis (Cyber Innovations Center, Jacobs)
Bosko Stankovic (DefenseCode)
Christopher Haney (LinkedIn)
Dominique Righetto (Excellium)
Francisco […]