IBM Updates
Warning Date: 20 February, 2020
Severity Level: High
Warning Number: 2020-940
Target Sector: All
Description:
IBM has released updates to address vulnerabilities in the following products and versions:
- IBM Emptoris Spend Analysis:
- 10.1.3.x
- 10.1.1.x
- 10.1.0.x
- IBM Resilient:
- v33.x
- IBM WebSphere Cast Iron Solution:
- 7.5.0.0
- 7.5.1.0
- 7.0.0.0
- 7.0.0.2
- IBM Security Secret Server:
- All versions
- WebSphere Cast Iron:
- 7.5.0.0
- 7.5.0.1
- 7.5.1.0
- 7.0.0.0
- 7.0.0.1
- 7.0.0.2
- App Connect Professional:
- 7.5.2.0
- 7.5.3.0
- IBM i:
- 7.4
- 7.3
- 7.2
- API Connect:
- 5.0.0.0
- 5.0.8.7
- 2018.1
- 2018.4.1.9
- 2018.4.1.8
- IBM Emptoris Strategic Supply Management Platform:
- 10.1.0.x
- 10.1.1.x
- 10.1.3.x
- IBM Maximo Asset Management:
- 7.6.0.10
- 7.6.1.1
- Industry Solutions products affected if using an affected core version:
- Maximo for Aviation
- Maximo for Life Sciences
- Maximo for Nuclear Power
- Maximo for Oil and Gas
- Maximo for Transportation
- Maximo for Utilities
- IBM Control Desk products affected if using an affected core version:
- SmartCloud Control Desk
- IBM Control Desk
- Tivoli Integration Composer
- IBM Db2:
- 9.7
- 10.1
- 10.5
- 11.1
- 11.5
- IBM Tivoli Netcool/OMNIbus Integration - Transport Module Common Integration Library:
- common-transportmodule-12_0 up to and including common-transportmodule-22_0
- common-transportmodule-15_0 up to and including common-transportmodule-22_0
- IBM Tivoli Netcool/OMNIbus Integration - Transformer for Message Bus Integration:
- common-transformer-8_0 up to and including common-transformer-10_0
- CLM:
- 6.0.6.1
- 6.0.6
- 6.0.2
- IBM Tivoli Monitoring:
- Java (CANDLEHOME) IBM Tivoli Monitoring 6.3.0 through 6.3.0 fix pack 7 (including any service packs) (JRE 7 and JRE 8)
- COS SDK Java:
- Prior to v2.6.1
Threats:
An attacker who successfully exploits these vulnerabilities could:
- Perform SQL injection remotely
- Cause a denial of service
- Gain root privileges
- Obtain sensitive information
- Perform cross-site request forgery (CSRF) attacks
- Gain elevated privileges
- Gain access to another user's session
- Cause a process to abort remotely
- Bypass web application firewall protection
- Bypass security restrictions
- Obtain credentials
- Execute arbitrary code remotely
- Perform server-side request forgery (SSRF) attacks
Best practice and Recommendations:
The CERT team encourages users to review the IBM security advisories and apply the necessary updates:
https://www.ibm.com/support/pages/node/2948919
https://www.ibm.com/support/pages/node/3011649
https://www.ibm.com/support/pages/node/2910147
https://www.ibm.com/support/pages/node/2875875
https://www.ibm.com/support/pages/node/2404185
https://www.ibm.com/support/pages/node/2801211
https://www.ibm.com/support/pages/node/2893881
https://www.ibm.com/support/pages/node/2878809
https://www.ibm.com/support/pages/node/2867997
https://www.ibm.com/support/pages/node/2895177
https://www.ibm.com/support/pages/node/2875251
https://www.ibm.com/support/pages/node/2801613
https://www.ibm.com/support/pages/node/2801607
https://www.ibm.com/support/pages/node/2874621
https://www.ibm.com/support/pages/node/2876307
https://www.ibm.com/support/pages/node/3002121
https://www.ibm.com/support/pages/node/2910789
https://www.ibm.com/support/pages/node/2950269
https://www.ibm.com/support/pages/node/1274986
https://www.ibm.com/support/pages/node/128240
https://www.ibm.com/support/pages/node/3022677
https://www.ibm.com/support/pages/node/2911497
https://www.ibm.com/support/pages/node/2929923