Security Bulletin: Multiple cross-site scripting vulnerabilities affect IBM DOORS Next Generation

Apr 7, 2020 8:01 pm EDT | Medium Severity

There are multiple cross-site scripting defects that affect IBM DOORS Next Generation (DNG/RRC) ...read more


Security Bulletin: IBM Security Information Queue has insufficient session expiration (CVE-2020-4284)

Apr 7, 2020 8:01 pm EDT | Medium Severity

IBM Security Information Queue (ISIQ) does not have a mechanism for terminating idle UI sessions. This leaves an unattended ISIQ session vulnerable to being compromised. As of v1.0.6, ISIQ automatically terminates a session that has been idle for 60 minutes. The timeout value is configurable. ...read more


Security Bulletin: IBM Security Information Queue uses components with known vulnerabilities (CVE-2019-8331, CVE-2019-11358)

Apr 7, 2020 8:00 pm EDT | Medium Severity

The IBM Security Information Queue (ISIQ) web server runs on a Node.js runtime whose bundled open source packages include versions with known vulnerabilities: CVE-2019-8331 is a cross-site scripting flaw in Bootstrap's tooltip and popover data-template handling, and CVE-2019-11358 is prototype pollution in jQuery's deep $.extend. As of ISIQ v1.0.6, the open source packages have been upgraded to the recommended secure versions. ...read more


Security Bulletin: IBM Security Information Queue does not invalidate sessions after logout (CVE-2020-4291)

Apr 7, 2020 8:00 pm EDT | Medium Severity

IBM Security Information Queue (ISIQ) session identifiers are not properly invalidated upon user logout from ISIQ's web UI, so a token captured before logout can still be replayed afterwards. This creates opportunities for an attacker to hijack a user session. As of v1.0.6, ISIQ immediately invalidates the session token when a user logs out. ...read more


Security Bulletin: IBM Security Information Queue does not prevent a product's owner from being modified (CVE-2020-4290)

Apr 7, 2020 8:00 pm EDT | Medium Severity

Each configured product in IBM Security Information Queue (ISIQ) has an owner who controls access to the product. Because the owner is taken from the product configuration request object, an attacker who can intercept and modify that request can change the owner value and thereby gain unauthorized access to the product. As of v1.0.6, a product's owner is no longer determined by the configuration request object, and thus is not subject to modification. ...read more


Security Bulletin: Multiple vulnerabilities affect IBM Quality Manager (RQM)

Apr 7, 2020 8:00 pm EDT | Medium Severity

There are multiple vulnerabilities that affect IBM Quality Manager (RQM) ...read more


Security Bulletin: IBM Security Information Queue does not set the HttpOnly flag in session cookies (CVE-2020-4289)

Apr 7, 2020 8:00 pm EDT | Medium Severity

IBM Security Information Queue (ISIQ) does not sufficiently protect session cookies by setting the HttpOnly flag. Consequently, a client-side script (for example one injected through a cross-site scripting flaw) could read an ISIQ cookie and obtain the session identifier. As of v1.0.6, ISIQ sets the HttpOnly flag. ...read more


Security Bulletin: Vulnerability in Open Source Jackson databind used in IBM Cloud Pak System (CVE-2020-8840)

Apr 7, 2020 8:00 pm EDT | Medium Severity

A vulnerability with unknown impact was identified in jackson-databind as used in IBM Cloud Pak System Software. IBM Cloud Pak System has addressed the vulnerability. It applies to IBM Cloud Pak System Software and Service. ...read more


Security Bulletin: Vulnerabilities in Apache Tomcat affect IBM Platform Symphony

Apr 6, 2020 8:00 pm EDT | Medium Severity

This interim fix provides instructions on upgrading Apache Tomcat to v8.5.53 in IBM Platform Symphony 7.1 Fix Pack 1 in order to address security vulnerabilities CVE-2020-1938, CVE-2020-1935 and CVE-2019-17569 in Apache Tomcat. ...read more