IBM uses various methods to communicate security vulnerability information to customers. A Security Bulletin is used when publicly disclosing security vulnerabilities discovered in IBM products. Alternative tools and processes are used where appropriate (e.g., for Z, cloud-based services, etc.) and when targeted or discreet communication with entitled customers is required. To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes or mitigations.
Security Bulletins notify customers about one or more vulnerabilities. Customers are responsible for assessing the impact of any actual or potential security vulnerability in the context of their environment.
IBM Security Bulletins follow a standard format and include elements that identify the type of vulnerability and its potential impact. Given their sensitive nature, Security Bulletins do not include detailed vulnerability exploitation information. The structure of an IBM Security Bulletin is defined below.
To aid in identification, the title of the security bulletin begins with the term “Security Bulletin:” followed by a brief descriptive statement including information about type of vulnerability and affected IBM Product Name. It may also include one or more CVE IDs.
Examples:
The security bulletin summary provides general information about the nature of the vulnerability.
The vulnerability details section provides a list of Common Vulnerabilities and Exposures (CVE) identifiers and descriptions. CVE IDs are standardized identifiers for common computer vulnerabilities and exposures. Additional CVE information is available via the CVE FAQs.
The vulnerability details section also includes the Common Vulnerability Scoring System (CVSS) details associated with each CVE. IBM intends to use CVSS as a standard for communicating the impact of security vulnerabilities in IBM products and solutions. CVSS is an open standard for assessing the severity or impact of computer system security vulnerabilities. This standard attempts to establish a numeric measure that represents how much concern or attention the vulnerability warrants. The resulting CVSS 'score' is based on an assessment of a series of metrics. The CVSS Base Score represents the intrinsic and fundamental characteristics of the vulnerability that are typically constant over time and across user environments. Additional information is available in the CVSS v3.1 User Guide.
CVE and CVSS details information is presented in the following format:
The information represented by this format is as follows:
CVEID: The assigned CVE identifier, presented as a hyperlink to the associated NIST NVD CVE information web page.
Description: A high-level description of the vulnerability. IBM does not intend to provide vulnerability details that could enable someone to craft an exploit of the vulnerability.
CWE: Common Weakness Enumeration is a community-developed list of underlying conditions that are the root cause of vulnerabilities in software and hardware.
See the CWE list for more information and definitions of CWEs.
CVSS Source: The company or entity providing the Common Vulnerability Scoring System (CVSS) information. Sources: CISA-ADP, CVE Numbering Authority (CNA), NVD, X-Force.
CVSS Base Score: The CVSS score assigned to the CVE by IBM for IBM products or by CNA for non-IBM products. The score range is 0 – 10.
CVSS Vector: The CVSS Vector is a representation of the metric values used to score the vulnerability. The CVSS 3.1 Calculator provides details regarding the meaning of the vector string metrics.
Affected products and versions: The IBM products and their versions which are affected by the vulnerabilities identified in the security bulletin.
Remediation/fixes: Fix information and location by affected version.
Workarounds and Mitigations: Available usage or configuration changes.
References: Additional resources that may be useful when evaluating the security bulletin.
Related Information: Additional information and resources that may be useful when evaluating the security bulletin.