High Severity

IBM Security Bulletin: IBM Domino server IMAP EXAMINE command stack buffer overflow (CVE-2017-1274)

A vulnerability in the IBM Domino server IMAP EXAMINE command potentially could be exploited by an authenticated user resulting in a stack buffer overflow. This could allow a remote attacker to execute code with the privileges of the Domino server. Current 64-bit platforms leverage ASLR (Address Space Layout Randomization) which dramatically reduces the probability of […]

Apache Struts Jakarta Multi-part Parser Code Execution (CVE-2017-5638)

On March 6, 2017, Apache reported a code execution vulnerability in the Apache Struts Jakarta Multi-part parser. IBM is analyzing its products to determine which ones may be affected by this vulnerability. Affected IBM products will issue mitigations and/or fixes as soon as possible. Please actively monitor both your IBM Support Portal […]


IBM Product Security Incident Response

Acknowledgement

Sep 25, 2017 1:00 pm EDT

IBM acknowledges and thanks the security researchers and organizations listed below for reporting and working with us to resolve one or more security vulnerabilities in our products and services.

Disclosures for 2017:
– Adeel Imtiaz (LinkedIn)
– Alberto Garcia Illera (SalesForce)
– Angelis Pseftis (Cyber Innovations Center, Jacobs)
– Bosko Stankovic (DefenseCode)
– Christopher Haney (LinkedIn)
– Dominique Righetto (Excellium)
– Eddie […]


IBM Security Bulletin: July 2016 Java Platform Standard Edition Vulnerabilities in N series Products

Sep 25, 2017 10:00 am EDT | High Severity

Multiple N series products incorporate the Oracle Java Platform, Standard Edition (Java SE) software libraries. Java SE (JDK and JRE) versions below 6u121, 7u111, and 8u101 are susceptible to multiple vulnerabilities, potentially leading to unauthenticated remote code execution, a partial denial of service (DoS) of Java, or unauthorized reading or modification of a subset of […]


IBM Security Bulletin: April 2016 Java Platform Standard Edition Vulnerabilities in N series Products

Sep 25, 2017 10:00 am EDT | High Severity

Multiple N series products incorporate the Oracle Java Platform, Standard Edition (Java SE) software libraries. Java SE (JDK and JRE) versions below 6u115, 7u101, and 8u92 are susceptible to multiple vulnerabilities, potentially leading to unauthenticated remote code execution, a partial denial of service (DoS) of Java, or unauthorized reading or modification of a subset of […]


IBM Security Bulletin: privilege escalation in IBM Business Process Manager (BPM) – CVE-2017-1539

Sep 23, 2017 10:00 am EDT | Medium Severity

Synchronization between the user registry and the IBM BPM database leads to invalid memberships when an internal group in the IBM BPM database and a group in the user registry have the same name.

CVE(s): CVE-2017-1539

Affected product(s) and affected version(s):
– IBM Business Process Manager V7.5.0.0 through V7.5.1.2
– IBM Business […]


IBM Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Process Manager Process Center Console (CVE-2017-1531)

Sep 23, 2017 10:00 am EDT | Medium Severity

IBM Business Process Manager (BPM) Process Center Console is vulnerable to a persisted Cross-Site Scripting attack.

CVE(s): CVE-2017-1531

Affected product(s) and affected version(s):
– IBM Business Process Manager V7.5.0.0 through V7.5.1.2
– IBM Business Process Manager V8.0.0.0 through V8.0.1.3
– IBM Business Process Manager V8.5.0.0 through V8.5.0.2
– IBM Business Process Manager V8.5.5.0
– IBM […]


IBM Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Process Manager Process Admin Console (CVE-2017-1530)

Sep 23, 2017 10:00 am EDT | Medium Severity

IBM Business Process Manager (BPM) Process Admin Console is vulnerable to a persisted Cross-Site Scripting attack.

CVE(s): CVE-2017-1530

Affected product(s) and affected version(s):
– IBM Business Process Manager V7.5.0.0 through V7.5.1.2
– IBM Business Process Manager V8.0.0.0 through V8.0.1.3
– IBM Business Process Manager V8.5.0.0 through V8.5.0.2
– IBM Business Process Manager V8.5.5.0
– IBM […]


IBM Security Bulletin: XML External Entity (XXE) injection vulnerability affects IBM Business Process Manager (CVE-2017-1527)

Sep 23, 2017 10:00 am EDT | High Severity

IBM Business Process Manager (BPM) can process XML messages, including messages from untrusted sources. Because of insufficient restriction of an XML parser, XML External Entity injection allows an authenticated remote attacker to send specially crafted XML messages and thus cause a denial of service by exhausting system resources or exfiltrate sensitive information.

CVE(s): CVE-2017-1527

Affected […]


IBM Security Bulletin: Cross-site scripting vulnerability in IBM Business Process Manager (BPM) – CVE-2017-1425

Sep 23, 2017 10:00 am EDT | Medium Severity

IBM BPM reflects untrusted user input without fully removing HTML markup. This might allow an attacker to control parts of the user interface and possibly inject script.

CVE(s): CVE-2017-1425

Affected product(s) and affected version(s):
– IBM Business Process Manager V8.0.1.1
– IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06

Note that release 8.0.1.2, 8.0.1.3, 8.5.5.0, and 8.5.6 […]


IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Workload Scheduler

Sep 23, 2017 10:00 am EDT | High Severity

OpenSSL vulnerabilities were disclosed by the OpenSSL Project. OpenSSL is used by IBM Workload Manager. IBM Workload Manager has addressed the applicable CVEs.

CVE(s): CVE-2016-6302, CVE-2016-6305, CVE-2016-6303, CVE-2016-6304, CVE-2016-2182, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-2181, CVE-2016-6309, CVE-2016-7052, CVE-2016-2180, CVE-2016-2179, CVE-2000-1254

Affected product(s) and affected version(s): TWS uses OpenSSL only for secure communication between internal processes. […]