Security bulletins and fixes

Stay informed about known security vulnerabilities and fixes for IBM Cloud Pak® for AIOps by subscribing to the security bulletins and by reviewing the list of fixed security-related vulnerabilities.

Security bulletins

Subscribe to IBM Cloud Pak for AIOps notifications by following these steps:

  1. Go to the IBM Support site.

  2. Scroll to the Support basics section. Then, click the Notification settings card.

  3. Log in to IBM with your IBM ID and password to continue.

  4. Enter IBM Cloud Pak for AIOps in the Product lookup field. Click Subscribe.

  5. On the Select document types page, select Security bulletin and Fixes > Security Vulnerability (Sec/Int). You can also select any other document types that you want to be informed about.

  6. Click Submit.

  7. To configure how you receive notifications, click Delivery preferences in the banner at the top of the page and edit your settings as needed.

Fixed security-related vulnerabilities in version 4.5.1

Review the following table, which lists the reported security-related vulnerabilities that are fixed in IBM Cloud Pak for AIOps and in any included IBM or third-party software.

Table. Fixed Common Vulnerabilities and Exposures in Version 4.5.0

Each entry gives the CVE ID, the issue, and a description.

CVE-2018-20200
Issue: OkHttp certificate pinning bypass (disputed)
Description: CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing the SSLContext and the boolean values while hooking the application. This ID is disputed because some parties do not consider it a vulnerability; their rationale can be found in https://github.com/square/okhttp/issues/4967.

CVE-2020-25644
Issue: wildfly-openssl denial of service
Description: wildfly-openssl is vulnerable to a denial of service caused by a memory leak flaw. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.

CVE-2021-3538
Issue: go.uuid information disclosure
Description: go.uuid could allow a remote attacker to obtain sensitive information, caused by the use of insecure randomness in the g.rand.Read function. Using cryptographic attack techniques, an attacker could exploit this vulnerability to recover generated UUIDs and use that information to launch further attacks against the affected system.

CVE-2021-20328
Issue: MongoDB Java driver man-in-the-middle
Description: The MongoDB Java driver is vulnerable to a man-in-the-middle attack, caused by improper host name verification of the KMS server's certificate. An attacker could exploit this vulnerability to intercept the communication channel between endpoints, obtain sensitive information, or further compromise the system.

CVE-2021-30465
Issue: Open Container Initiative runc security bypass
Description: runc could allow an attacker who is able to create containers with a specially crafted mount configuration to bypass security restrictions, caused by a symlink exchange attack that relies on a race condition. Successful exploitation results in the host filesystem being bind-mounted into the container.

CVE-2022-21221
Issue: Go fasthttp package directory traversal
Description: The Go fasthttp package could allow a remote attacker to traverse directories on the system, caused by improper validation of user requests by the ServeFile function. An attacker could send a specially crafted URL containing the backslash (%5c) character to read arbitrary files on the system.

CVE-2022-26945
Issue: HashiCorp go-getter command execution
Description: HashiCorp go-getter could allow a remote attacker to execute arbitrary commands on the system, caused by a command injection vulnerability. An attacker could exploit this vulnerability to access the host and execute arbitrary commands on the system.

CVE-2022-29810
Issue: HashiCorp go-getter information disclosure
Description: HashiCorp go-getter could allow a local authenticated attacker to obtain sensitive information, because it writes SSH credentials into its log file. By accessing that file, an attacker could exploit this vulnerability to obtain the credentials.

CVE-2022-30321
Issue: HashiCorp go-getter denial of service
Description: An unspecified error in HashiCorp go-getter could allow a remote attacker to cause a denial of service.

CVE-2022-30322
Issue: HashiCorp go-getter denial of service
Description: An unspecified error in HashiCorp go-getter could allow a remote attacker to cause a denial of service.

CVE-2022-30323
Issue: HashiCorp go-getter denial of service
Description: An unspecified error in HashiCorp go-getter could allow a remote attacker to cause a denial of service.

CVE-2023-0833
Issue: Red Hat AMQ Streams information disclosure
Description: Red Hat AMQ Streams could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in the OkHttp component. By sending a specially crafted request, an attacker could exploit this vulnerability to access information outside of their regular permissions.

CVE-2023-3635
Issue: Okio GzipSource denial of service
Description: Okio GzipSource is vulnerable to a denial of service caused by an unhandled exception. By sending a specially crafted gzip buffer, a remote attacker could exploit this vulnerability to cause a denial of service.

CVE-2023-4759
Issue: Eclipse JGit code execution
Description: Eclipse JGit could allow a remote attacker to execute arbitrary code on the system, caused by improper handling of symbolic links on case-insensitive filesystems. By using a specially crafted symlink, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2023-6135
Issue: Mozilla Network Security Services information disclosure
Description: The NIST curve implementation in Mozilla Network Security Services (NSS), as used in Mozilla Firefox, could allow a remote attacker to obtain sensitive information, caused by the side-channel attack known as "Minerva". By persuading a victim to visit a specially crafted web site, a remote attacker could exploit this vulnerability to recover private keys.

CVE-2023-22025
Issue: Oracle Java SE unspecified vulnerability
Description: An unspecified vulnerability in the Hotspot component of Oracle Java SE, Oracle GraalVM Enterprise Edition, and Oracle GraalVM for JDK could allow a remote attacker to cause a low integrity impact, with no confidentiality or availability impact.

CVE-2023-22081
Issue: Oracle Java SE unspecified vulnerability
Description: An unspecified vulnerability in the JSSE component of Oracle Java SE and Oracle GraalVM for JDK could allow a remote attacker to cause a low availability impact, with no confidentiality or integrity impact.

CVE-2023-39017
Issue: Quartz Job Scheduler code execution
Description: Quartz Job Scheduler could allow a remote attacker to execute arbitrary code on the system, caused by improper neutralization of user-supplied input by the org.quartz.jobs.ee.jms.SendQueueMessageJob.execute component. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2023-51074
Issue: json-path denial of service
Description: json-path is vulnerable to a denial of service, caused by uncontrolled recursion in the Criteria.parse method. By sending specially crafted input, a remote attacker could exploit this vulnerability to trigger a stack overflow, resulting in a denial of service condition.

CVE-2023-51775
Issue: jose4j denial of service
Description: jose4j is vulnerable to a denial of service caused by improper input validation. By sending a specially crafted p2c (PBES2 iteration count) value, a remote attacker could exploit this vulnerability to cause a denial of service condition.

CVE-2024-21892
Issue: Node.js privilege escalation
Description: Node.js could allow a local authenticated attacker to gain elevated privileges on the system, caused by a bug in the implementation of the CAP_NET_BIND_SERVICE exception. An attacker could exploit this vulnerability to inject code that inherits the process's elevated privileges.

CVE-2024-22019
Issue: Node.js denial of service
Description: Node.js is vulnerable to a denial of service, caused by an error when reading an HTTP request with an unbounded chunk extension. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to exhaust all available resources.

CVE-2024-22201
Issue: Eclipse Jetty denial of service
Description: Eclipse Jetty is vulnerable to a denial of service, caused by a flaw when an HTTP/2 connection becomes TCP congested. By sending a specially crafted request, a remote attacker could exploit this vulnerability to make the server stop accepting new connections from valid clients, resulting in a denial of service condition.

CVE-2024-22259
Issue: VMware Tanzu Spring Framework open redirect
Description: VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in UriComponentsBuilder. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary web sites.

CVE-2024-28110
Issue: CloudEvents Go SDK information disclosure
Description: The CloudEvents Go SDK could allow a remote attacker to obtain sensitive information, caused by a flaw when cloudevents.WithRoundTripper is used to create a cloudevents.Client with an authenticated http.RoundTripper. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain credentials and use them to launch further attacks against the affected system.

CVE-2024-28219
Issue: Pillow buffer overflow
Description: Pillow is vulnerable to a buffer overflow, caused by improper bounds checking in _imagingcms.c. By supplying specially crafted input, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system.

CVE-2024-28757
Issue: libexpat information disclosure
Description: libexpat could allow a remote attacker to obtain sensitive information, caused by improper handling of entity expansion in external entity parsers created by the XML_ExternalEntityParserCreate function. By using specially crafted XML content, a remote attacker could exploit this vulnerability to obtain sensitive information and use it to launch further attacks against the affected system.
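As an added example (this is not IBM's code and is not part of the original page), the following Python script shows how a practitioner can use a fixed-vulnerability list like the table above during triage: it extracts every CVE ID from the bulletin text and sorts a scanner's findings into those the fixed release addresses and those that need separate follow-up. The bulletin excerpt and the scanner findings embedded in the script are constructed sample data (the ID CVE-2099-0001 is a deliberate placeholder), and the finding record shape (cve, package, severity) is an assumption; map your scanner's output onto it.

```python
"""Triage scanner findings against a product's fixed-CVE list.

Added example for this page, not IBM's code. Assumes (1) a bulletin text in
the format of the table above, where every entry begins with its CVE ID, and
(2) scanner findings as dicts with "cve", "package" and "severity" keys; map
your scanner's output onto that shape.
"""
import re
from typing import Dict, Iterable, List, Optional, Set

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed excerpt of a fixed-vulnerabilities table (sample data only).
BULLETIN_TEXT = """\
CVE-2023-51074
Issue: json-path denial of service
Description: json-path is vulnerable to a denial of service, caused by uncontrolled recursion.

CVE-2024-22259
Issue: VMware Tanzu Spring Framework open redirect
Description: Open redirect in UriComponentsBuilder.

CVE-2022-30321
Issue: HashiCorp go-getter denial of service
Description: An unspecified error could allow a remote attacker to cause a denial of service.
"""

# Constructed scanner output for one image (sample data only).
SCANNER_FINDINGS = [
    {"cve": "cve-2024-22259", "package": "spring-web", "severity": "MEDIUM"},
    {"cve": "CVE-2023-51074", "package": "json-path", "severity": "HIGH"},
    {"cve": "CVE-2023-51074", "package": "json-path", "severity": "HIGH"},  # duplicate row
    {"cve": "CVE-2022-30321", "package": "go-getter", "severity": "HIGH"},
    {"cve": "CVE-2099-0001", "package": "example-lib", "severity": "CRITICAL"},  # hypothetical ID
    {"cve": "not-a-cve", "package": "broken-row", "severity": "LOW"},
]


def fixed_cves(bulletin_text: str) -> Set[str]:
    """Extract every CVE ID mentioned in the bulletin, normalised to upper case."""
    return {m.upper() for m in CVE_RE.findall(bulletin_text)}


def normalise(cve: str) -> Optional[str]:
    """Canonicalise a scanner-reported ID; None if it is not a well-formed CVE ID."""
    cve = cve.strip().upper()
    return cve if CVE_RE.fullmatch(cve) else None


def triage(findings: Iterable[Dict[str, str]], fixed: Set[str]) -> Dict[str, List[Dict[str, str]]]:
    """Split findings into those the fixed release covers and those it does not.

    Duplicate (cve, package) rows are collapsed; rows without a parseable CVE ID
    are kept in a separate bucket so they are not silently dropped.
    """
    result: Dict[str, List[Dict[str, str]]] = {"resolved_by_upgrade": [], "still_open": [], "invalid": []}
    seen = set()
    for f in findings:
        cve = normalise(f["cve"])
        if cve is None:
            result["invalid"].append(dict(f))
            continue
        key = (cve, f["package"])
        if key in seen:
            continue
        seen.add(key)
        bucket = "resolved_by_upgrade" if cve in fixed else "still_open"
        result[bucket].append({**f, "cve": cve})
    return result


def report(result: Dict[str, List[Dict[str, str]]]) -> str:
    """Render the triage result as text, most severe first within each bucket."""
    lines = []
    for bucket, title in (
        ("still_open", "Still open after upgrade"),
        ("resolved_by_upgrade", "Resolved by the fixed version"),
        ("invalid", "Unparseable finding rows"),
    ):
        lines.append(f"{title} ({len(result[bucket])}):")
        for f in sorted(result[bucket], key=lambda r: SEVERITY_ORDER.get(r["severity"].upper(), 99)):
            lines.append(f"  {f['severity']:<8} {f['cve']:<16} {f['package']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SCANNER_FINDINGS, fixed_cves(BULLETIN_TEXT))))
```

A CVE in the "resolved" bucket means the product version ships a remediation for it; it does not prove that every image, operator, or sidecar in your cluster is running that version, so confirm the deployed version before closing the finding. A scanner may also flag the same CVE in a component that the product does not ship, which this check cannot distinguish; treat the "still open" bucket as the list to investigate, not as a verdict.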

Fixed security-related vulnerabilities in previous versions

Review the following documentation, which lists the reported security-related vulnerabilities that were fixed in previous versions of IBM Cloud Pak for AIOps: