تنبيه IBM
2959تاريخ التحذير
مستوى الخطورة
رقم التحذير
القطاع المستهدف
10 مايو, 2022
● عالي
2022-4801
الكل
أصدرت IBM عدّة تحديثات لمعالجة عددٍ من الثغرات في المنتجات التالية:
- Cúram SPM
- 7.0.11
- Platform Navigator in IBM Cloud Pak for Integration (CP4I)
- 2020.4.1
- 2021.1.1
- 2021.2.1
- 2021.3.1
- 2021.4.1
- Automation Assets in IBM Cloud Pak for Integration (CP4I)
- 2020.4.1
- 2021.1.1
- 2021.2.1
- 2021.4.1
- IBM Cloud Pak System
- V2.3.0.1, V.2.3.1.1, v.2.3.2.0
- IBM Cloud Pak System
- v2.3.3.0 v.2.3.3.1, v.2.3.3.2, v.2.3.3.3, v2.3.3.3 iFix 1
- IBM Business Automation Workflow traditional
- V21.0.1 – V21.0.3
- V20.0.0.1 – V20.0.0.2
- V19.0.0.1 – V19.0.0.3
- V18.0.0.0 – V18.0.0.1
- IBM Business Automation Workflow containers
- V21.0.1 – V21.0.3
- V20.0.0.1 – V20.0.0.2
- IBM Business Process Manager
- V8.6.0.0 – V8.6.0.201803
- IBM Business Process Manager
- V8.5.0.0 – V8.5.0.201706
يمكن للمهاجم استغلال الثغرات وتنفيذ ما يلي:
- هجمة حجب الخدمة (DoS attack)
- تنفيذ برمجيات خبيثة
يوصي المركز بتحديث المنتجات المتأثرة، حيث أصدرت IBM توضيحًا لهذه التحديثات:
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-assistant-for-ibm-cloud-pak-for-data-is-vulnerable-to-string-injection-vulnerability-due-to-node-js-cve-2021-44532-cve-2021-44532/
- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-management-is-vulnerable-to-arbitrary-code-execution-and-sql-injection-issues-due-to-apache-log4j-cve-2022-23302-cve-2022-23305-cve-2022-23307/
- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-automation-assets-in-ibm-cloud-pak-for-integration-are-vulnerable-to-denial-of-service-due-to-go-cve-2022-23806/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-vulnerable-to-os-command-injection-cve-2022-22454/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-vmware-esxi-affect-ibm-cloud-pak-system-cve-2021-21994-cve-2021-21995-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-ibm-sdk-for-node-js-might-affect-the-configuration-editor-used-by-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2021-39024-in-ibm-guardium-data-encryption-gde/