IBM Product Security Incident Response Team News

IBM PSIRT News Security vulnerabilities affecting IBM products

News & Alerts

PSIRT news and alerts
Title Date Link
Important Information on vulnerability in PowerVM on Power9 and Power10 systems (CVE-2023-30438) May 17, 2023 Read more
DS8900, TS7770, and ESS 5000 are not exposed to the vulnerability in PowerVM on Power9 and Power10 systems (CVE-2023-30438) May 17, 2023 Read more
Sign up for My Notifications March 8, 2023 Read more
An update on the OpenSSL vulnerability CVE-2022-3602 November 1, 2022 Read more
IBM suspends business in Russia June 14, 2022 Read more
An update on the war in Ukraine March 7, 2022 Read more
An update on the Apache Log4j 2.x vulnerabilities February 11, 2022 Read more


IBM acknowledges and thanks the security researchers and organizations listed for reporting and working with us to resolve one or more security vulnerabilities in our products and services.

The names of individuals and organizations appear with their permission. To report a potential security issue with any IBM product or offering, see Report Security Issue.

Disclosures for 2024

Credit to

  • Ariel Rachamim
  • Omri Inbar
  • Taha Diwan with IZYITS (LinkedIn)
  • Hiren Sojitra (LinkedIn)
  • Christian Guavez  (Twitter)
  • Pankaj Kumar Thakur (Chief Information Security Officer) at Green Tick Nepal Pvt. Ltd. (LinkedIn)
  • Nisha Thakur (LinkedIn)
  • Karsten Brusch (LinkedIn)

Disclosures for 2023

Credit to

Disclosures for 2022

Credit to

Disclosures for 2021

Credit to

  • Keith Lee
  • Hassan Raza

Disclosures for 2020

  • Andri (Pwn0sec Research Group)
  • Honggang Ren of Fortinet’s FortiGuard Labs
  • Pawel Gocyla (ING Tech Poland)
  • Dries Eestermans (nynox-dries)

Disclosures for 2019

  • Andri
  • Danang Tri Atmaja
  • Jafar Abo Nada
  • Jarad Kopf
  • Mohamed Yousif (SecureMisr)
  • Neil Kettle (Trustwave)
  • Pawel Gocyla (ING Tech Poland)
  • Rich Mirch
  • Steve Petz

Disclosures for 2018

  • Artem Metla
  • Cody Wass (NetSPI)
  • David Azria, Alex Mor (Ernst & Young, Hacktics Advanced Security Center)
  • Eddie Zhu (Beijing DBSEC Technology CO, LTD)
  • Ekzhin Ear and Christophe Schleypen (NCI Agency Cyber Security)
  • Emanuele Bartoli (Verizon Enterprise Solutions, LinkedIn)
  • Giulio Comi (Horizon Security)
  • Jakub Tyrlik (ING TECH)
  • Jan Bee (Google Security)
  • Lasse Trolle Borup (Langkjaer Cyber Defence)
  • Martin Strand
  • Mayank Somani
  • Mohamed M. Fouad (SecureMisr)
  • Mohamed Sayed (SecureMisr)
  • Moshe Mizrahi (Ernst & Young, Hacktics Advanced Security Center)
  • Okan Coskun (Biznet Bilisim)
  • Omar Eissa (Deloitte Germany)
  • Panu Tamminen
  • Patrick Schmid (Redguard)
  • Pawel Gocyla (ING Tech Poland)
  • Quentin Rhodes-Herrera
  • Rich Mirch
  • Ryan Adamson
  • Sebastian Neuner (Google Security)
  • Spyridon Chatzimichail
  • Tim Brown (Security Advisory EMEAR, Cisco)
  • Vasilis Sikkis (QSecure)
  • Vikas Khanna (LinkedIn)
  • Yicheng Dong
  • Yoganandam Dayalan (Cognizant, LinkedIn)

Disclosures for 2017

  • Adeel Imtiaz (LinkedIn)
  • Alberto Garcia Illera (SalesForce)
  • Alex Haynes (CDL)
  • Angelis Pseftis (Cyber Innovations Center, Jacobs)
  • Bosko Stankovic (DefenseCode)
  • Christopher Haney (LinkedIn)
  • Dale Thornton (PwC)
  • Daniel Hamid (Centurion Information Security, LinkedIn)
  • Dominique Righetto (Excellium)
  • Eddie Zhu (Beijing DBSEC Technology CO, LTD)
  • Eduardo Naranjo Pessota
  • Emanuele Calvelli (Quantum Leap)
  • Farzad Nehru-Sehabu (The Missing Link SecurityLinkedIn)
  • Francisco Oca (SalesForce)
  • Gabriele Gristina (LinkedIn)
  • Goh Zhi Hao (SEC Consult Vulnerability Lab)
  • Harjot Singh Lidher
  • Henri Salo
  • Honggang Ren (Fortinet’s FortiGuard Labs)
  • Jakub Palaczynski (ING Services Polska)
  • James Nichols (80/20 Labs)
  • Jarad Kopf (Deltek, LinkedIn)
  • John Moss (IRM Security)
  • Juho Nurminen
  • Kenneth F. Belva (LinkedIn, Twitter, OpCode Security, Inc) for identifying vulnerabilities in IBM Merge PACS
  • Kiran Shirali (LinkedIn, Twitter)
  • Kravchenko Stas (LinkedIn, Twitter)
  • Leiliang Sun (NSFOCUS)
  • Leon Juranic (DefenseCode)
  • Lukasz Juszczyk (ING Services Polska)
  • Luke Valenta (University of Pennsylvania)
  • Marc Ströbel (HvS-Consulting AG, Twitter)
  • Martin Carpenter
  • Mathijs Schmittmann
  • Matthias Kaiser  (Code White)
  • Michael Bentley (appthority)
  • Mohammed Adel (Facebook)
  • Mohammad Shah Bin Mohammad Esa (SEC Consult Vulnerability Lab)
  • Mohammed Shameem Shahnawaz (Twitter)
  • Nalla Muthu S  (LinkedIn)
  • Nebojsa Bajagic (Security Compass)
  • Prasath K  (LinkedIn)
  • Rich Mirch
  • Robert McClellan (Blue Canopy Group LLC, LinkedIn)​
  • Samandeep Singh (SEC Consult Vulnerability Lab, Singapore)
  • Sergio Ortega  (LinkedIn)
  • Spyridon Chatzimichail (OTE Hellenic Telecommunications Organization S.A., LinkedIn)
  • Suman Tiwari (LinkedInTwitterBlog)
  • Thierry De Leeuw (Avance Consulting SPRL)
  • Tim Brown (Security Advisory EMEAR, Cisco)
  • Vaibhav Gupta (LinkedIn, Twitter, Blog)
  • Valentinos Chouris (NCC Group) (LinkedIn)
  • Wayne Chang (WYC Technology, LLC)
  • William Easton (Stawgate, LLC)
  • Yuting Chen (Shanghai Jiao Tong University)
  • Zhendong Su (University of California)


According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product or service inventory, IBM addresses relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. IBM addresses relevant vulnerabilities as IBM becomes aware of them.


Affected: The software product contains code, which has a documented vulnerability. Based on currently available information, however, we believe that the issue is likely not exploitable. However, as a best practice and from an abundance of caution, we recommend customers update their systems as soon as practical. Vulnerabilities evolve, and a means of exploiting any issue may emerge at any time.

Vulnerable: The software product contains code, which has a documented vulnerability. Our analysis shows that the issue may be exploitable.

Affected/Vulnerable Products and Versions: As used in IBM Security Bulletins, this category is intended to be only products and versions that are supported by IBM, and have not passed their end-of-support or warranty date. Thus, not including a reference in a Security Bulletin to unsupported or extended-support products or versions does not indicate a determination by IBM that they are unaffected by the vulnerability. Additionally, including a reference to one or more unsupported versions in a Security Bulletin (including reference to "All" versions) does not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.