IBM Updates
Warning Date: 19 November, 2020
Severity Level: ● High
Warning Number: 2020-2093
Target Sector: All
Description:
IBM has released security updates to address multiple vulnerabilities in the following products:
- Master Console
  - 0.7.0 – 1.0.0
- UCD – IBM UrbanCode Deploy
- IBM Integrated Analytics System
  - 1.0.0-1.0.24.0
- IBM® SDK, Java™ Technology Edition
  - 7.0.0.0 – 7.0.10.70
  - 7.1.0.0 – 7.1.4.70
  - 8.0.0.0 – 8.0.6.16
- IBM Cloud Pak for Data Streams
  - 3.0
- IBM Jazz Reporting Service
  - 7.0
  - 7.0.1
  - 6.0.6
  - 6.0.6.1
- IBM® Db2®
  - V10.5
  - V11.1
  - V11.5
- App Connect for Manufacturing
  - 2.0.0.3
Threats:
An attacker could exploit these vulnerabilities to achieve the following:
- Denial of service (DoS)
- Bypass security restrictions
- Buffer overflow
- Obtain sensitive information
- Execute arbitrary code
Best practice and Recommendations:
The CERT team encourages users to review the IBM security advisories and apply the necessary updates:
- https://www.ibm.com/blogs/psirt/security-bulletin-apache-shiro-as-used-by-master-console-is-vulnerable-to-improper-acceess-control-cve-2020-13933/
- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-10173cve-2019-10173-xstream-api-if-the-security-framework-has-not-been-initialized-it-may-allow-a-remote-attacker-to-run-arbitrary-shell-commands/
- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-17638-jetty-double-release-of-a-byte-buffer/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssh-affects-ibm-integrated-analytics-system-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-may-affect-ibm-sdk-java-technology-edition-4/
- https://www.ibm.com/blogs/psirt/security-bulletin-lucky-13-attack-vulnerability-in-ibm-cloud-pak-for-data-streams/
- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-affects-the-report-builder-that-is-shipped-with-jazz-reporting-service-cve-2020-4718/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-a-buffer-overflow-cve-2020-4701/
- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-for-manufacturing-2-0-is-affected-by-vulnerabilities-of-asn-1-parser-in-bouncy-castle-crypto-aka-bc-java-1-6-cve-2019-17359/
- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-14782-may-affect-ibm-sdk-java-technology-edition/
- https://www.ibm.com/blogs/psirt/security-bulletin-the-web-server-or-application-server-are-configured-in-an-insecure-way-in-ibm-cloud-pak-for-data-streams/
- https://www.ibm.com/blogs/psirt/security-bulletin-tls-protocol-dhe_export-ciphers-downgrade-mitm-logjam-vulnerability-in-ibm-cloud-pak-for-data-streams/