IBM Updates
Warning Date: 31 October, 2021
Severity Level: ● High
Warning Number: 2021-3774
Target Sector: All
Description:
IBM has released security updates to address several vulnerabilities in some of its products, mainly:
- IBM Emptoris Strategic Supply Management Platform
  - 10.1.0.x, 10.1.1.x, 10.1.3.
- ICP – Compare & Comply
- Storage Node machine type and models (MTMs)
  - 9840-AE1 and 9843-AE1
  - 9840-AE2 and 9843-AE2
  - 9840-AE3 and 9843-AE3
- Supported storage node
  - VRMFs prior to 1.5.2.10
  - VRMFs prior to 1.6.1.4
- InfoSphere Information Server
  - 11.7
- IBM Observability with Instana (OnPrem)
- ITCAM for Transactions
  - 7.4.0.x
- Spectrum Discover
  - 2.0.3
  - 2.0.3.1
  - 2.0.3.2
  - 2.0.3.3
  - 2.0.3.4
  - 2.0.4
  - 2.0.4.1
Threats:
An attacker could exploit these vulnerabilities to do the following:
- Denial of service attack (DoS)
- Execute arbitrary code remotely
- Buffer overflow
- Code injection
- Take control of the system
Best practice and Recommendations:
The CERT team encourages users to review the IBM security advisories and apply the necessary updates:
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-compare-and-comply-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-apache-pdfbox-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-vulnerable-to-a-cross-frame-scripting-exploit-cve-2021-29827/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-affected-by-a-vulnerability-in-dojo-toolkit-cve-2018-15494/
- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-information-disclosure-cve-2021-29842-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-virtualization-engine-ts7700-july-2021/
- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2341-may-affect-ibm-sdk-java-technology-edition-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-vulnerable-to-insecure-third-party-domain-access-cve-2021-29875/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-datastage-flow-designer-is-vulnerable-to-server-side-request-forgery/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-vulnerable-to-cross-site-scripting-cve-2021-29771/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-affected-by-a-vulnerability-in-marked-cve-2017-1000427/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-affected-by-a-denial-of-service-vulnerability-in-apache-commons-compress/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-datastage-flow-designer-is-vulnerable-due-to-improper-certificate-validation/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-vulnerable-to-cross-site-request-forgery-cve-2021-29888/
- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vulnerability-affects-ibm-emptoris-strategic-supply-management-platform-cve-2021-2329/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-may-affect-ibm-sdk-java-technology-edition-10/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in-the-restricted-shell-of-the-ibm-flashsystem-900-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-commons-affect-tivoli-netcool-omnibus-webgui-cve-2021-35515-cve-2021-35516-cve-2021-35517-cve-2021-36090-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-affected-by-a-xxe-xml-external-entity-injection-vulnerability-cve-2021-38948/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-affected-by-multiple-vulnerabilities-in-node-js/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-affected-by-a-vulnerability-in-xstream-cve-2021-29505/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-affects-ibm-observability-with-instana-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-july-2021-includes-oracle-july-2021-cpu-minus-cve-2021-2341-affects-ibm-tivoli-composite-application-manager-for-transactions-rob/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-python-python-cryptography-and-urllib3-affect-ibm-spectrum-discover-2/