Security bulletins and fixes
Stay informed about known security vulnerabilities and fixes for IBM Cloud Pak® for AIOps by subscribing to the security bulletins and by reviewing the list of fixed security-related vulnerabilities.
- Security bulletins
- Fixed security-related vulnerabilities in version 4.5.1
- Fixed security-related vulnerabilities in previous versions
Security bulletins
Subscribe to IBM Cloud Pak for AIOps notifications by following these steps:
- Go to the IBM Support site.
- Scroll to the Support basics section. Then, click the Notification settings card.
- Log in to IBM with your IBM ID and password to continue.
- Enter IBM Cloud Pak for AIOps in the Product lookup field. Click Subscribe.
- In the Select document types page, select Security bulletin and Fixes > Security Vulnerability (Sec/Int). You can also select any other document types that you need to keep informed about.
- Click Submit.
- To configure how you receive notifications, click Delivery preferences in the banner at the beginning of the page. Edit your settings as needed.
Fixed security-related vulnerabilities in version 4.5.1
Review the following table, which lists the fixed reported security-related vulnerabilities in IBM Cloud Pak for AIOps and in any included IBM or third-party software.
CVE-ID | Issue | Description |
---|---|---|
CVE-2018-20200 | CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. | ** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this is a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967 |
CVE-2020-25644 | wildfly-openssl denial of service | wildfly-openssl is vulnerable to a denial of service, caused by a memory leak flaw. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
CVE-2021-3538 | go.uuid information disclosure | go.uuid could allow a remote attacker to obtain sensitive information, caused by the use of insecure randomness in the g.rand.Read function. By utilizing cryptographic attack techniques, an attacker could exploit this vulnerability to obtain UUID information, and use this information to launch further attacks against the affected system. |
CVE-2021-20328 | MongoDB Java driver man-in-the-middle | MongoDB Java driver is vulnerable to a man-in-the-middle attack, caused by improper host name verification on the KMS server's certificate. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system. |
CVE-2021-30465 | Open Container Initiative runc security bypass | Open Container Initiative runc could allow a remote authenticated attacker to bypass security restrictions, caused by a symlink exchange attack. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause the host filesystem to be bind-mounted into the container. |
CVE-2022-21221 | Go fasthttp package directory traversal | Go fasthttp package could allow a remote attacker to traverse directories on the system, caused by improper validation of user requests by the ServeFile function. An attacker could send a specially-crafted URL request containing the backslash (%5c) character to read or write arbitrary files on the system. |
CVE-2022-26945 | HashiCorp go-getter command execution | HashiCorp go-getter could allow a remote attacker to execute arbitrary commands on the system, caused by a command injection vulnerability. An attacker could exploit this vulnerability to access the host and execute arbitrary commands on the system. |
CVE-2022-29810 | Hashicorp go-getter library information disclosure | Hashicorp go-getter library could allow a local authenticated attacker to obtain sensitive information, caused by writing SSH credentials into its logfile. By accessing a specific file, an attacker could exploit this vulnerability to obtain sensitive information. |
CVE-2022-30321 | HashiCorp go-getter denial of service | An unspecified error in HashiCorp go-getter could allow a remote attacker to cause a denial of service. |
CVE-2022-30322 | HashiCorp go-getter denial of service | An unspecified error in HashiCorp go-getter could allow a remote attacker to cause a denial of service. |
CVE-2022-30323 | HashiCorp go-getter denial of service | An unspecified error in HashiCorp go-getter could allow a remote attacker to cause a denial of service. |
CVE-2023-0833 | Red Hat AMQ-Streams information disclosure | Red Hat AMQ-Streams could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in the OKHttp component. By sending a specially crafted request, an attacker could exploit this vulnerability to access information outside of their regular permissions. |
CVE-2023-3635 | Okio GzipSource denial of service | Okio GzipSource is vulnerable to a denial of service, caused by an unhandled exception. By sending a specially crafted gzip buffer, a remote attacker could exploit this vulnerability to cause a denial of service. |
CVE-2023-4759 | Eclipse JGit code execution | Eclipse JGit could allow a remote attacker to execute arbitrary code on the system, caused by improper handling of case insensitive filesystems. By using a specially crafted symlink, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
CVE-2023-6135 | Mozilla Network Security Services information disclosure | Mozilla Network Security Services (NSS) NIST curves, as used in Mozilla Firefox, could allow a remote attacker to obtain sensitive information, caused by a side-channel attack known as "Minerva". By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to recover private keys. |
CVE-2023-22025 | Oracle Java SE unspecified | An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK related to the Hotspot component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact. |
CVE-2023-22081 | Oracle Java SE unspecified | An unspecified vulnerability in Oracle Java SE, Oracle GraalVM for JDK related to the JSSE component could allow a remote attacker to cause no confidentiality impact, no integrity impact, and low availability impact. |
CVE-2023-39017 | Quartz Job Scheduler code execution | Quartz Job Scheduler could allow a remote attacker to execute arbitrary code on the system, caused by improper neutralization of user-supplied input by the org.quartz.jobs.ee.jms.SendQueueMessageJob.execute component. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
CVE-2023-51074 | json-path denial of service | json-path is vulnerable to a denial of service, caused by a stack-based buffer overflow in the Criteria.parse method. By sending a specially crafted input, a remote attacker could exploit this vulnerability to cause uncontrolled recursion, resulting in a denial of service condition. |
CVE-2023-51775 | jose4j denial of service | jose4j is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted p2c value, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
CVE-2024-21892 | Node.js privilege escalation | Node.js could allow a local authenticated attacker to gain elevated privileges on the system, caused by a bug in the implementation of the CAP_NET_BIND_SERVICE exception. An attacker could exploit this vulnerability to inject code that inherits the process's elevated privileges. |
CVE-2024-22019 | Node.js denial of service | Node.js is vulnerable to a denial of service, caused by an error when reading unprocessed HTTP requests with unbounded chunk extensions. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to exhaust all available resources. |
CVE-2024-22201 | Eclipse Jetty denial of service | Eclipse Jetty is vulnerable to a denial of service, caused by a flaw when an HTTP/2 connection becomes TCP congested. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the server to stop accepting new connections from valid clients, resulting in a denial of service condition. |
CVE-2024-22259 | VMware Tanzu Spring Framework open redirect | VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in UriComponentsBuilder. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites. |
CVE-2024-28110 | CloudEvents Go SDK for CloudEvents information disclosure | CloudEvents Go SDK for CloudEvents could allow a remote attacker to obtain sensitive information, caused by a flaw when using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain credentials information, and use this information to launch further attacks against the affected system. |
CVE-2024-28219 | Pillow buffer overflow | Pillow is vulnerable to a buffer overflow, caused by improper bounds checking in _imagingcms.c. By sending a specially crafted request, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system. |
CVE-2024-28757 | libexpat information disclosure | libexpat could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML_ExternalEntityParserCreate function. By using a specially crafted XML content, a remote attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. |
Fixed security-related vulnerabilities in previous versions
Review the following documentation, which includes the list of fixed reported security-related vulnerabilities in previous versions of IBM Cloud Pak for AIOps:
- Fixed security-related vulnerabilities in version 4.5.0
- Fixed security-related vulnerabilities in version 4.4.1
- Fixed security-related vulnerabilities in version 4.4.0
- Fixed security-related vulnerabilities in version 4.3.0
- Fixed security-related vulnerabilities in version 4.2.1
- Fixed security-related vulnerabilities in version 4.2.0
- Fixed security-related vulnerabilities in version 4.1.2
- Fixed security-related vulnerabilities in version 4.1.1
- Fixed security-related vulnerabilities in version 4.1.0