High Severity

IBM Security Bulletin: IBM Domino server IMAP EXAMINE command stack buffer overflow (CVE-2017-1274)

A vulnerability in the IBM Domino server IMAP EXAMINE command could potentially be exploited by an authenticated user, resulting in a stack buffer overflow. This could allow a remote attacker to execute code with the privileges of the Domino server. Current 64-bit platforms leverage ASLR (Address Space Layout Randomization), which dramatically reduces the probability of […]

Apache Struts Jakarta Multi-part Parser Code Execution (CVE-2017-5638)

On March 6, 2017, Apache reported a code execution vulnerability in the Apache Struts Jakarta Multi-part parser. IBM is analyzing its products to determine which ones may be affected by this vulnerability. Affected IBM products will be issuing mitigations and/or fixes as soon as possible. Please actively monitor both your IBM Support Portal […]

IBM Security Bulletin: IBM Sterling Order Management is affected by a vulnerability (CVE-2017-5638)

Apr 25, 2017 10:00 am EDT | High Severity

IBM Sterling Order Management uses Apache Struts 2 and is affected by some of the vulnerabilities that exist in Apache Struts 2.
CVE(s): CVE-2017-5638
Affected product(s) and affected version(s): IBM Sterling Selling and Fulfillment Foundation 9.1.0; IBM Sterling Selling and Fulfillment Foundation 9.2.0; IBM Sterling Selling and Fulfillment Foundation 9.2.1; IBM Sterling Selling and Fulfillment ...read more


IBM Security Bulletin: IBM WebSphere Commerce REST framework has a vulnerability in session management (CVE-2017-1170)

Apr 25, 2017 10:00 am EDT | Medium Severity

WebSphere Commerce REST framework could allow a local user to hijack a user’s session.
CVE(s): CVE-2017-1170
Affected product(s) and affected version(s): WebSphere Commerce versions 8.0.3.0 – 8.0.3.3; WebSphere Commerce versions 8.0.1.0 – 8.0.1.9; WebSphere Commerce versions 8.0.0.0 – 8.0.0.17
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22001225
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/123230 ...read more


IBM Security Bulletin: Vulnerability in password strength policy affects IBM License Metric Tool v9.x and IBM BigFix Inventory v9.x (CVE-2016-8962)

Apr 25, 2017 10:00 am EDT | Medium Severity

IBM License Metric Tool v9.x and IBM BigFix Inventory v9.x do not require strong passwords by default, which makes it easier for attackers to compromise user accounts.
CVE(s): CVE-2016-8962
Affected product(s) and affected version(s): IBM License Metric Tool v9.x; IBM BigFix Inventory v9.x
Refer to the following reference URLs for remediation and additional vulnerability details: Source ...read more


IBM Security Bulletin: IBM Maximo Asset Management could allow a remote attacker to hijack a user’s session, caused by the failure to invalidate an existing session identifier (CVE-2016-8924)

Apr 25, 2017 10:00 am EDT | Medium Severity

IBM Maximo Asset Management could allow a remote attacker to hijack a user’s session, caused by the failure to invalidate an existing session identifier. An attacker could exploit this vulnerability to gain access to another user’s session.
CVE(s): CVE-2016-8924
Affected product(s) and affected version(s): This vulnerability affects the following versions of the IBM Maximo Asset ...read more


IBM Security Bulletin: BigFix Platform is vulnerable to OpenSSL denial of service attack

Apr 25, 2017 10:00 am EDT | Medium Severity

OpenSSL is vulnerable to a denial of service, caused by the incorrect use of pointer arithmetic for heap-buffer boundary checks. By leveraging unexpected malloc behavior, a remote attacker could exploit this vulnerability to trigger an integer overflow and cause the application to crash.
CVE(s): CVE-2016-2177
Affected product(s) and affected version(s): BigFix Platform 9.1; BigFix Platform ...read more

IBM Product Security Incident Response

Acknowledgement

Apr 25, 2017 9:30 am EDT

IBM acknowledges and thanks the security researchers and organizations listed below for reporting and working with us to resolve one or more security vulnerabilities in our products and services.
Disclosures for 2017: Angelis Pseftis (Cyber Innovations Center, Jacobs); Jakub Palaczynski (ING Services Polska); Juho Nurminen; Kiran Shirali (LinkedIn, Twitter); Kravchenko Stas (LinkedIn, Twitter); Martin ...read more


IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Composite Application Manager for Transactions(CVE-2017-3241, CVE-2017-3253, CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-5552, CVE-2016-2183)

Apr 24, 2017 10:28 am EDT | High Severity

There are multiple vulnerabilities in IBM Java Runtime, Version 6.0, 7.0 and 8.0, that is used by IBM Tivoli Composite Application Manager for Transactions. These issues were disclosed as part of the IBM Java SDK updates in January 2017.
CVE(s): CVE-2017-3241, CVE-2017-3253, CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-5552, CVE-2016-2183
Affected product(s) and affected version(s): IBM Tivoli ...read more


IBM Security Bulletin: Vulnerabilities in Apache Tomcat affect the IBM FlashSystem models 840 and 900

Apr 24, 2017 10:00 am EDT | High Severity

There are vulnerabilities in Apache Tomcat to which the IBM® FlashSystem™ 840 and FlashSystem™ 900 are susceptible. An exploit of these vulnerabilities (CVE-2016-6816, CVE-2016-6817, and CVE-2016-6796) could allow a remote attacker to obtain sensitive information, cause an application to enter an infinite loop, or bypass a configured SecurityManager.
CVE(s): CVE-2016-6816, CVE-2016-6817, CVE-2016-6796
Affected product(s) and ...read more


IBM Security Bulletin: Vulnerabilities in Apache Tomcat affect the IBM FlashSystem model V840

Apr 24, 2017 10:00 am EDT | High Severity

There are vulnerabilities in Apache Tomcat to which the IBM® FlashSystem™ V840 is susceptible. An exploit of these vulnerabilities (CVE-2016-6816, CVE-2016-6817, and CVE-2016-6796) could allow a remote attacker to obtain sensitive information, cause an application to enter an infinite loop, or bypass a configured SecurityManager.
CVE(s): CVE-2016-6816, CVE-2016-6817, CVE-2016-6796
Affected product(s) and affected version(s): Affected ...read more