IBM Updates
Warning Date: 28 April, 2021
Severity Level: ● High
Warning Number: 2021-2839
Target Sector: All
Description:
IBM has released security updates to address several vulnerabilities in its products. The most important affected products and versions are:
- IBM Spectrum Scale
- 5.0.0 – 5.0.5.6
- 5.1.0 – 5.1.0.2
- IBM Spectrum Protect Snapshot for Db2 on AIX and Linux
- 8.1.0.0-8.1.11.0
- IBM Spectrum Protect Snapshot for Custom Applications on AIX and Linux
- 8.1.0.0-8.1.11.0
- IBM Spectrum Protect Snapshot for Oracle on AIX and Linux
- 8.1.0.0-8.1.11.0
- IBM Spectrum Protect Snapshot for Oracle with SAP on AIX and Linux
- 8.1.0.0-8.1.11.0
- IBM Db2
- V9.7, V10.1, V10.5, V11.1 and V11.5 (all fix pack levels)
- IBM Transformation Extender
- 9.0
- 10.0
- 10.1
- WebSphere Transformation Extender
- 8.4.1
- Liberty for Java in IBM Cloud
- all versions up to and including v3.55
- BAM
- 1.0
- APM SaaS
- 8.1.4
- APM on-premise
- 8.1.4
- ICAM
- 2019.3.0
- IBM Tivoli Monitoring
- 6.3.0 Fix Pack 7 Service Pack 5 (or later Service Pack)
- Content Collector for Email
- 4.0.x
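The affected ranges above are inclusive and use dotted fix-pack numbering, so a naive string comparison of version numbers gives wrong answers (for example, "5.0.10" sorts before "5.0.5.6" as text). The following triage script is an added example written for this page, not tooling from IBM or the CERT team. The ranges are copied from the advisory text; the helper names and the sample inventory are constructed here, and the script covers only the dotted ranges (the "all fix pack levels" Db2 entry is a whole-major-version match and is left out).

```python
"""Check installed product versions against the inclusive ranges in this advisory.

Added example for this page; not IBM's or the CERT team's own tooling.
AFFECTED_RANGES is copied from the advisory text. SAMPLE_INVENTORY is
constructed and does not describe real hosts.
"""
from typing import Dict, Iterable, List, Tuple

# Inclusive (low, high) ranges as listed in the advisory.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "IBM Spectrum Scale": [("5.0.0", "5.0.5.6"), ("5.1.0", "5.1.0.2")],
    "IBM Spectrum Protect Snapshot": [("8.1.0.0", "8.1.11.0")],
    # "all versions up to and including v3.55"
    "Liberty for Java in IBM Cloud": [("0", "3.55")],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.0.5.6' (or 'v3.55') into a tuple of ints for numeric comparison."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def in_range(version: str, low: str, high: str) -> bool:
    """Numeric, inclusive range check; shorter versions are zero-padded
    so that 5.0.5 compares as 5.0.5.0."""
    v, lo, hi = (parse_version(x) for x in (version, low, high))
    width = max(len(v), len(lo), len(hi))
    v, lo, hi = (t + (0,) * (width - len(t)) for t in (v, lo, hi))
    return lo <= v <= hi


def string_in_range(version: str, low: str, high: str) -> bool:
    """The pitfall: plain string comparison. Kept only to show why it is wrong."""
    return low <= version <= high


def is_affected(product: str, version: str) -> bool:
    ranges = AFFECTED_RANGES.get(product)
    if ranges is None:
        raise KeyError(f"no affected ranges recorded for {product!r}")
    return any(in_range(version, lo, hi) for lo, hi in ranges)


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Annotate each (product, version) pair with whether it is in an affected range."""
    return [(product, version, is_affected(product, version)) for product, version in inventory]


# Constructed sample inventory (hypothetical values, not real systems).
SAMPLE_INVENTORY = [
    ("IBM Spectrum Scale", "5.0.5.6"),          # top of range, still affected
    ("IBM Spectrum Scale", "5.0.5.7"),          # first level past the range
    ("IBM Spectrum Scale", "5.0.10"),           # string compare would wrongly flag this
    ("IBM Spectrum Scale", "5.1.0.2"),          # top of second range
    ("IBM Spectrum Scale", "5.1.0.3"),          # past the second range
    ("IBM Spectrum Protect Snapshot", "8.1.11.0"),
    ("Liberty for Java in IBM Cloud", "v3.55"),
    ("Liberty for Java in IBM Cloud", "3.56"),
]

if __name__ == "__main__":
    for product, version, affected in triage(SAMPLE_INVENTORY):
        print(f"{'AFFECTED' if affected else 'ok      '}  {product}  {version}")
```

When feeding real inventory data into this, confirm the version string format each product reports (some include build suffixes that the integer parser above will reject) and treat a parse failure as "needs manual review" rather than "not affected".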
Threats:
An attacker could exploit these vulnerabilities to:
- Cause a denial of service (DoS)
- Execute arbitrary code
- Perform an XML external entity (XXE) attack
- Perform a cross-site request forgery (CSRF) attack
- Perform a cross-site scripting (XSS) attack
- Perform a directory traversal attack
- Access specific files through weak file permissions
Best practice and Recommendations:
The CERT team encourages users to review the IBM security bulletins listed below and apply the necessary updates:
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-9-0-esr-cve-2020-16044-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if13-icam2019-3-0-2020-2-0/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-9-0-esr-cve-2021-23954-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if13-icam2019-3-0-2020-2-0/
- https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-application-server-is-vulnerable-to-a-directory-traversal-vulnerability-affects-content-collector-for-email/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-9-0-esr-cve-2021-23987-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if13-icam2019-3-0-2020-2-0/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-9-0-esr-cve-2020-26974-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if13-icam2019-3-0-2020-2-0/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-tivoli-monitoring-installed-websphere-application-server/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-78-9-0-esr-cve-2021-23978-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if13-icam2019-3-0-2020-2-0/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-db2fm-is-vulnerable-to-a-buffer-overflow-cve-2020-5025-7/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-vulnerable-to-cross-site-scripting-4/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-myfaces-affects-liberty-for-java-for-ibm-cloud-cve-2021-26296-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-buffer-overflow-vulnerability-in-ibm-sdk-affects-ibm-transformation-extender-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-a-denial-of-service-cve-2020-5024-6/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-runtime-affects-ibm-spectrum-protect-snapshot-on-aix-and-linux-cve-2020-27221/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-vulnerable-to-cross-site-scripting-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-the-ibm-spectrum-scale-gui-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-weak-file-permissions-allowing-access-to-specific-files-cve-2020-4976-6/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-spectrum-scale-csi-could-allow-insecure-external-command-execution-cve-2020-4981/