High Severity

IBM Security Bulletin: IBM Domino server IMAP EXAMINE command stack buffer overflow (CVE-2017-1274)

A vulnerability in the IBM Domino server IMAP EXAMINE command potentially could be exploited by an authenticated user resulting in a stack buffer overflow. This could allow a remote attacker to execute code with the privileges of the Domino server. Current 64-bit platforms leverage ASLR (Address Space Layout Randomization) which dramatically reduces the probability of […]

Apache Struts Jakarta Multi-part Parser Code Execution (CVE-2017-5638)

On March 6, 2017 a code execution vulnerability in the Apache Struts Jakarta Multi-part parser was reported by Apache. IBM is analyzing its products to determine which ones may be affected by this vulnerability. Affected IBM products will be issuing mitigations and/or fixes as soon as possible. Please actively monitor both your IBM Support Portal […]


IBM Product Security Incident Response

Acknowledgement



Dec 13, 2017 10:10 am EST

IBM acknowledges and thanks the security researchers and organizations listed below for reporting and working with us to resolve one or more security vulnerabilities in our products and services. Disclosures for 2017: Adeel Imtiaz (LinkedIn), Alberto Garcia Illera (SalesForce), Angelis Pseftis (Cyber Innovations Center, Jacobs), Bosko Stankovic (DefenseCode), Christopher Haney (LinkedIn), Dominique Righetto (Excellium), Eddie ...read more


IBM Security Bulletin: IBM MQ Appliance is affected by a Network Security Services (NSS) vulnerability (CVE-2017-7805)

Dec 13, 2017 10:00 am EST | High Severity

IBM MQ Appliance has addressed a vulnerability in Network Security Services (NSS). CVE(s): CVE-2017-7805. Affected product(s) and affected version(s): IBM MQ Appliance 8.0, maintenance levels between 8.0.0.0 and 8.0.0.7; IBM MQ Appliance 9.0.x Continuous Delivery (CD) Release, continuous delivery updates between 9.0.1 and 9.0.3. Refer to the following reference URLs for remediation and additional vulnerability ...read more


IBM Security Bulletin: IBM Integration Bus is affected by Open Source Apache Tomcat Vulnerabilities (CVE-2017-12617,CVE-2017-12615)

Dec 13, 2017 10:00 am EST | High Severity

IBM Integration Bus has addressed the following vulnerabilities. CVE(s): CVE-2017-12617, CVE-2017-12615. Affected product(s) and affected version(s): IBM Integration Bus V9.0.0.0 – V9.0.0.9; IBM Integration Bus V10.0.0.0 – V10.0.0.10. Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg22011500
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132484
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132277 ...read more


IBM Security Bulletin: Vulnerability in system log on IBM MQ Appliance WebGUI (CVE-2017-1591)

Dec 13, 2017 10:00 am EST | Medium Severity

A potential cross-site scripting vulnerability exists in the IBM MQ Appliance system log. IBM has addressed the applicable CVE. CVE(s): CVE-2017-1591. Affected product(s) and affected version(s): IBM MQ Appliance 8.0, maintenance levels between 8.0.0.0 and 8.0.0.7; IBM MQ Appliance 9.0.x Continuous Delivery (CD) Release, continuous delivery updates between 9.0.1 and 9.0.3. Refer to the following ...read more


IBM Security Bulletin: Multiple Vulnerabilities in Samba affect IBM i

Dec 12, 2017 10:00 am EST | High Severity

Samba is supported on IBM i. IBM i has addressed the applicable CVEs. CVE(s): CVE-2017-15275, CVE-2017-15087, CVE-2017-15086, CVE-2017-15085, CVE-2017-14746. Affected product(s) and affected version(s): Releases 7.2 and 7.3 of IBM i are affected. Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=nas8N1022397
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/135221
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/134666
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/134665
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/134664
X-Force ...read more


IBM Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affects WebSphere Application Server October 2017 CPU that is bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud.

Dec 12, 2017 10:00 am EST | High Severity

There are multiple vulnerabilities in the IBM® SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed in the IBM Java SDK updates in October 2017. CVE(s): CVE-2017-10388, CVE-2017-10356. Affected product(s) and affected version(s): IBM Java SDK shipped with IBM WebSphere Application Server Patterns 1.0.0.0 through 1.0.0.7 and 2.2.0.0 ...read more


IBM Security Bulletin: IBM Maximo Asset Management could allow a remote attacker to conduct phishing attacks, using an open redirect attack (CVE-2017-1558)

Dec 12, 2017 10:00 am EST | High Severity

IBM Maximo Asset Management could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. ...read more


IBM Security Bulletin: May 2016 OpenSSL Vulnerabilities affect Multiple N series Products

Dec 12, 2017 10:00 am EST | High Severity

OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by multiple N series products. Multiple N series products have addressed the applicable CVEs. CVE(s): CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176, CVE-2016-2108. Affected product(s) and affected version(s): Data ONTAP operating in 7-Mode: 8.2.1, 8.2.2, 8.2.3, 8.2.4; SnapDrive for Unix: 5.2, 5.2.2, ...read more


IBM Security Bulletin: March 2016 OpenSSL Vulnerabilities affect Multiple N series Products

Dec 12, 2017 10:00 am EST | High Severity

OpenSSL vulnerabilities were disclosed on March 1, 2016 by the OpenSSL Project. OpenSSL is used by multiple N series products. Multiple N series products have addressed the applicable CVEs. CVE(s): CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-2842. Affected product(s) and affected version(s): Data ONTAP operating in 7-Mode: 8.2.1, 8.2.2, 8.2.3, 8.2.4; SnapDrive for Unix: 5.2, 5.2.2, ...read more