الوصف:

أصدرت IBM عدة تحديثات لمعالجة عدد من الثغرات في المنتجات التالية:

• OTB build scripts
  • Cúram Social Program Management 7.0.10, 7.0.9
• IBM Cúram Social Program Management 7.0.10, 7.0.9
• BM API Connect's API Manager V2018.4.1.0-2018.4.1.12, V10.0.0
• Oracle MySQL
• IBM Security Guardium 10.6, 11.0, 11.1, 11.2
• IBM QRadar SIEM 7.4.0 – 7.4.1 GA, 7.3.0 – 7.3.3 Patch 4
• IBM Java Runtime
  • IBM App Connect Enterprise V11 , V11.0.0.0 – V11.0.0.10
  • IBM Integration Bus V10.0.0.0 – V10.0.0.21, V9.0.0.0 – V9.0.0.11
• Node.js
  • IBM Integration Bus V10.0.0 – V10.0.0.21
  • IBM App connect Enterprise V11 , V11.0.0.0 – V11.0.0.9
• IBM Security Access Manager 9.07
• IBM Security Verify Access 10.0.0
• IBM Kenexa LCMS Premier on premise 14.0 and Below
• IBM Security Guardium 10.5, 10.6, 11.0, 11.1
• Java Technology Edition Quarterly CPU
  • IBM Security Guardium 11.1, 11.2
• IBM Db2 V9.7, V10.1, V10.5, V11.1, and V11.5
• IBM Cognos Analytics
• IBM License Metric Tool
• SQLite
  • IBM Security Guardium 11.x, 10.6, 10.5
• IBM InfoSphere Metadata Asset Manager 11.7, 11.5
• InfoSphere Information Server 11.7, 11.5

يمكن للمهاجم استغلال الثغرات وتنفيذ ما يلي:

• الكشف والإفصاح غير المصرح به للمعلومات
• تجاوز آلية حماية
• رفع الصلاحيات لزيادة قدرته على التعديل في النظام
• هجوم انتحال الشخصية (Spoofing attacks)
• تنفيذ برمجيات خبيثة

الإجراءات الوقائية:

يوصي المركز بتحديث النسخ المتأثرة حيث أصدرتIBM توضيحًا لهذه التحديثات:

• https://www.ibm.com/blogs/psirt/security-bulletin-ootb-build-scripts-does-not-set-the-secure-attribute-on-session-cookie-which-may-impact-ibm-cram-social-program-management-cve-2020-4780/
• https://www.ibm.com/blogs/psirt/security-bulletin-a-path-traversal-vulnerability-may-impact-ibm-cram-social-program-management-cve-2020-4776/
• https://www.ibm.com/blogs/psirt/security-bulletin-a-http-verb-tampering-vulnerability-may-impact-ibm-cram-social-program-management-cve-2020-4779/
• https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-request-forgery-csrf-vulnerability-may-impact-ibm-cram-social-program-management-cve-2020-4773/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-api-manager-is-vulnerable-to-privilege-escalationcve-2020-4638-3/
• https://www.ibm.com/blogs/psirt/security-bulletin-an-xml-external-entity-injection-xxe-vulnerability-may-impact-ibm-cram-social-program-management-cve-2020-4772/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-oracle-mysql-vulnerabilities-9/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulnerable-to-kdc-spoofing-cve-2019-4545-2/
• https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-integration-bus-and-ibm-app-connect-enterpise-v11-5/
• https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-js-affect-ibm-integration-bus-ibm-app-connect-enterprise-v11/
• https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable-to-denial-of-service-cve-2020-16845/
• https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-have-been-fixed-in-ibm-security-access-manager-and-ibm-security-verify-access-cve-2020-4661-cve-2020-4699-cve-2020-4660/
• https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable-to-denial-of-service-via-kubernetes-cve-2020-8557-cve-2020-8559/
• https://www.ibm.com/blogs/psirt/security-bulletin-an-improper-input-validation-vulnerability-may-impact-ibm-cram-social-program-management-cve-2020-4781/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-on-premise-ibm-sdk-java-technology-edition-quarterly-cpu-jul-2020-includes-oracle-jul-2020-cpu-plus-one-additional-vulnerability/
• https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-scripting-xss-vulnerability-may-impact-ibm-cram-social-program-management-cve-2020-4775/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cram-social-program-management-uses-md5-algorithm-cve-2020-4778/
• https://www.ibm.com/blogs/psirt/security-bulletin-an-xpath-vulnerability-may-impact-ibm-cram-social-program-management-cve-2020-4774/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-use-of-a-broken-or-risky-cryptographic-algorithm-vulnerability-5/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-cross-site-scripting-vulnerabilities/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-java-technology-edition-quarterly-cpu-apr-2020-includes-oracle-apr-2020-cpu-vulnerability/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-may-be-vulnerable-to-a-denial-of-service-attack-cve-2020-4355-2/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-addressed-multiple-vulnerabilities-2/
• https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-have-been-identified-in-ibm-db2-shipped-with-ibm-license-metric-tool-v9-2/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-a-denial-of-service-attack-cve-2020-4420-2/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-cve-2020-4387-3/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-and-denial-of-service-cve-2020-4414-3/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-buffer-overflow-leading-to-a-privileged-escalation-cve-2020-4363-4/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-an-sqlite-vulnerability-6/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-metadata-asset-manager-is-vulnerable-to-stored-cross-site-scripting/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-cve-2020-4386-3/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulnerable-to-deserialization-of-untrusted-data-2/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-vulnerable-to-html-injection/