Critical Severity

Security Bulletin: IBM Spectrum Discover is vulnerable to multiple vulnerabilities

August 23, 2022 | Critical Severity

Ramda(CVE-2021-42581) is vulnerable to remote attackers to execute arbitrary code on the system, caused by a prototype pollution in functions. An attacker could exploit this vulnerability to execute arbitrary code on the system. Node-forge(CVE-2022-24773, 217313, CVE-2022-24771, CVE-2020-7720, CVE-2022-0122, CVE-2022-24772) is vulnerable to remote attackers to bypass security restrictions, caused by improper signature verification. Axios(CVE-2022-1214) is vulnerable to remote atackers to obtain sensitive information. Nginx(CVE-2021-46461, CVE-2021-46462, CVE-2021-46463) is vulnerable to remote atackers and denial service attacks caused by weaknesses in njs. Async(CVE-2021-43138) allow a remote attacker to execute arbitrary code on the system, caused by prototype pollution in the mapValues() method. Paramiko(CVE-2022-24302) is vulnerable to local attackers to obtain sensitive information caused by a race condition in the write_private_key_file function. Python(CVE-2022-26488) allow a local authenticated attacker to gain elevated privileges on the systemcaused by an issue when the search path is inadequately secured. Psutil(CVE-2019-18874) is vulnerable to a denial of service, caused by a double free, this vulnerability to cause the application to crash. dns-packet(CVE-2021-23386) could allow a remote authenticated attacker to obtain sensitive information, caused by an issue when creating buffers and does not always fill them before forming network packets. express-jwt(CVE-2020-15084) could allow a remote attacker to bypass security restrictions, caused by improper enforcement of algorithms. oslo.utils(CVE-2022-0718) could allow a remote authenticated attacker to obtain sensitive information, caused by improper character masking by the mask_passwords functions. Python-RSA(CVE-2020-13757, CVE-2020-25658) is vulnerable to denial of service attacks and remote attackers, caused by a flaw during the decryption of ciphertext and the Bleichenbacher timing attack. Minimist(CVE-2020-7598, CVE-2021-44906) could provide weaker than expected security, caused by a prototype pollution flaw, and could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution in setKey() function in the index.js script. Reportlab(CVE-2020-28463) is vulnerable to server-side request forgery, caused by improper input validation. Ansible(CVE-2021-20180, CVE-2021-3533, CVE-2020-14330) could allow a local authenticated attacker to obtain sensitive information, caused by disclosure of information in the console log when using the bitbucket_pipeline_variable, by an improper output neutralization for logs and by a flaw in race condition in ansible's async code. NumPy(CVE-2021-34141, CVE-2021-41496) is vulnerable to a denial of service, caused by incomplete string comparison in the numpy.core component and by a buffer overflow in the array_from_pyobj function of fortranobject.c. Ljharb qs(CVE-2017-1000048) is vulnerable to a denial of service, caused by sending a specially-crafted request and by insufficient sanitization of property in the gs.parse function. Node.js debug module(CVE-2017-16137) is vulnerable to regular expression denial of service when passing untrusted user input. ...read more


Security Bulletin: IBM QRadar SIEM includes components with multiple known vulnerabilities

August 23, 2022 | Critical Severity

The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. IBM has addressed the relevant vulnerabilities. ...read more


Security Bulletin: Multiple security vulnerabilities have been identified in dojo library shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2019-10785, CVE-2020-5259, CVE-2020-4051, CVE-2018-15494, CVE-2021-23450)

August 22, 2022 | Critical Severity

Multiple security vulnerabilities have been identified in dojo library shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM). SKLM/GKLM has addressed the issues by releasing a fix. ...read more


Security Bulletin: IBM Spectrum Discover is vulnerable to Docker CLI (CVE-2021-41092) and Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) weaknesses

August 18, 2022 | Critical Severity

Docker CLI (CVE-2021-41092) is vulnerable to attacks to obtain sensitive information. Docker CLI is used by IBM Spectrum Discover as part to the infrastructure to manage the images and containers in the system. Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) is vulnerable to attackers to execute arbitrary code to view, add, modify or delete information in the databases. Apache Log4j is used by IBM Spectrum Discover to authenticate inside to the modules of Apache kafka to log events. The fix include upgrade Apache Log4j to v2.17.1. ...read more


Security Bulletin: IBM DataPower Gateway affected by vulnerabilities in ICU [CVE-2017-14952 and CVE-2020-10531]

August 18, 2022 | Critical Severity

These vulnerabilties affect only those customers who have configured a binary transform action using a tx-map. IBM has addressed the CVEs. [CVE-2017-14952 and CVE-2020-10531] ...read more


Security Bulletin: Multiple Vulnerabilities in Node.js affect IBM Cloud Pak System

August 17, 2022 | Critical Severity

Multiple Vulnerabilities have been found in Node.js used by the Common UI Cloud Pak System. Cloud Pak System has addressed these vulnerabilities. ...read more


Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to remote code execution due to Apache Commons Configuration (CVE-2022-33980)

August 16, 2022 | Critical Severity

There is a vulnerability in Apache Commons Configuration used by IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling Connect:Direct for Microsoft Windows has addressed the applicable CVE [CVE-2022-33980]. ...read more


Security Bulletin: Multiple vulnerabilities in expat, glibc, http server, dojo, openssl shipped with IBM Cloud Pak System

August 15, 2022 | Critical Severity

Multiple vulnerabilities in expat, glibc, http server, dojo, openssl shipped with Cloud Pak System. Cloud Pak System has addressed these vulnerabilities. ...read more


Security Bulletin: Apache Commons Configuration Vulnerability affects IBM SPSS Modeler [CVE-2022-33980]

August 15, 2022 | Critical Severity

There is a vulnerability in the version of Apache Commons Configuration that was included in IBM SPSS Modeler. This vulnerability has been addressed. [CVE-2022-33980] ...read more