Critical Severity

Security Bulletin: IBM Sterling Order Management Apache Struts upgrade strategy (various CVEs, see below)

September 14, 2022 | Critical Severity

Apache Struts is used by IBM Sterling Order Management as part of its web application framework for creating Java EE web applications. We recommend upgrading to the latest supported version of Struts that was released as part of the latest FixPack 29.


Security Bulletin: Vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM® Intelligent Operations Center [CVE-2021-23450]

September 13, 2022 | Critical Severity

Vulnerabilities have been identified in IBM WebSphere Application Server Liberty (17.0.0.3 - 22.0.0.2) shipped with IBM® Intelligent Operations Center. Information about these vulnerabilities affecting IBM® Intelligent Operations Center has been published and addressed in the applicable CVEs [CVE-2021-23450].


Security Bulletin: Apache Commons Configuration Vulnerability affects IBM SPSS Analytic Server [CVE-2022-33980]

September 6, 2022 | Critical Severity

There is a vulnerability in the version of Apache Commons Configuration that was included in IBM SPSS Analytic Server. This vulnerability has been addressed. [CVE-2022-33980]


Security Bulletin: IBM Sterling Connect:Direct for UNIX is vulnerable to remote code execution due to Apache Commons Configuration (CVE-2022-33980)

September 6, 2022 | Critical Severity

IBM Sterling Connect:Direct for UNIX object storage file IO exits, and IBM Sterling Connect:Direct for UNIX components Install Agent and File Agent are vulnerable to remote code execution due to Apache Commons Configuration CVE-2022-33980. Apache Commons Configuration has been upgraded to version 2.8.0 in IBM Sterling Connect:Direct for UNIX Install Agent and File Agent, and removed from IBM Sterling Connect:Direct for UNIX object storage file IO exits.


Security Bulletin: IBM Planning Analytics Workspace is affected by multiple vulnerabilities (CVE-2022-22968, CVE-2022-24785, CVE-2017-18214, CVE-2016-4055, CVE-2018-1000613, CVE-2020-15522, CVE-2018-1000180, CVE-2020-26939, CVE-2022-22314)

September 6, 2022 | Critical Severity

IBM Planning Analytics Workspace is affected by multiple vulnerabilities. Spring is used in IBM Planning Analytics Workspace in server-side REST APIs as an indirect dependency of MongoDB, which is used to store content (CVE-2022-22968). Node.js moment is used in IBM Planning Analytics Workspace to parse, validate, manipulate and format dates (CVE-2022-24785, CVE-2017-18214, CVE-2016-4055). Legion of the Bouncy Castle APIs are used by IBM Planning Analytics for cryptography (CVE-2018-1000613, CVE-2020-15522, CVE-2018-1000180, CVE-2020-26939). A vulnerability affecting cached web data has also been addressed (CVE-2022-22314).


Security Bulletin: Prototype pollution vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – [CVE-2021-23450]

September 2, 2022 | Critical Severity

IBM Business Process Manager and IBM Business Automation Workflow are vulnerable to a prototype pollution attack. [CVE-2021-23450]


Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

August 31, 2022 | Critical Severity

Security vulnerabilities have been addressed in IBM Cognos Analytics 11.2.3. These vulnerabilities have also been previously addressed in IBM Cognos Analytics 11.1.7 FP5 where applicable. Multiple Cross-Site Request Forgery vulnerabilities have been addressed (CVE-2020-4301, CVE-2021-20468, CVE-2021-29823). A vulnerability where passwords were being logged in plain text has been addressed (CVE-2021-39009). A vulnerability where a password field had autocomplete enabled has been addressed (CVE-2021-39045). A Denial of Service (DoS) vulnerability via email flooding has been addressed (CVE-2022-30614). An XML Entity Expansion vulnerability has been addressed (CVE-2022-36773). The following third-party components are used by IBM Cognos Analytics: Node.js glob-parent is a package that helps extract the non-magic parent path from a glob string (CVE-2020-28469). Chalk ansi-regex is a regular expression for matching ANSI escape codes (CVE-2021-3807). Axios is a promise-based HTTP client for the browser and Node.js (CVE-2021-3749). Node.js mpath is a package that gets/sets JavaScript object values using MongoDB-like path notation (CVE-2021-23438). Node.js netmask is a library that parses and understands IPv4 CIDR blocks so they can be explored and compared (CVE-2021-29418, CVE-2021-28918). Netty is a Java-based non-blocking I/O networking framework (CVE-2021-43797). FasterXML Jackson is a JSON to Java object conversion API (CVE-2020-36518, XFID: 217968). Node.js is an open-source and cross-platform JavaScript runtime environment (CVE-2021-44533, CVE-2022-21824, CVE-2021-44531, CVE-2021-44532). Node.js ejs is an embedded JavaScript templating language that lets users generate HTML markup with plain JavaScript (CVE-2022-29078). Node.js nconf is a hierarchical Node.js configuration with files, environment variables, command-line arguments, and atomic object merging (CVE-2022-21803). Maven okhttp is an efficient HTTP & HTTP/2 client for Android and Java applications (XFID: 233967).


Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak

August 25, 2022 | Critical Severity

Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak


Security Bulletin: Multiple vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak

August 25, 2022 | Critical Severity

Security Bulletin: Multiple vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak