Description:

IBM has released security updates to address vulnerabilities in the following products:

• IBM Cloud Pak for Data – Golang
  • CP4D 2.5, 3.0
• IBM Java SDK
  • IBM License Metric Tool
• Apache Camel
  • IBM Resilient SOAR
• IBM DB2 Server
  • IBM Emptoris Supplier Lifecycle Mgmt 10.1.3.x,10.1.1.x, 10.1.0.x
  • IBM Emptoris Program Management
  • IBM Emptoris Sourcing
  • IBM Emptoris Contract Management
  • IBM Emptoris Strategic Supply Management Platform 10.1.0.x,10.1.1.x,10.1.3.x
• Plexus-utils
  • Resilient OnPrem IBM Security SOAR
• Node.js npm CLI module
  • BM Cloud
• WebSphere Application Server Liberty
  • IBM Operations Analytics – Log Analysis
• Apache
  • Curam SPM 7.0.10, 7.0.9
• IBM Maximo Asset Management 7.6.0, 7.6.1
• App Connect Enterprise Certified Container 1.0.0 with Operator, 1.0.1 with Operator, 1.0.2 with Operator, 1.0.3 with Operator
• Ruby on Rails
  • IBM License Metric Tool
• Asset Repository in IBM Cloud Pak for Integration (CP4I) Operator 1.0.0, 1.0.1
• Platform Navigator in IBM Cloud Pak for Integration (CP4I) Operator 4.0.0, 4.0.1
• IBM Cloud Pak for Integration (CP4I) Operator 1.0.0

Threats:

Attacker could exploit these vulnerabilities by doing the following:

• Sensitive information disclosure
• Denial of service attack (DoS)
• Execute arbitrary code
• Bypass of a protection mechanism

Best practice and Recommendations:

The CERT team encourages users to review IBM security advisory and apply the necessary updates:

• https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-affect-ibm-cloud-pak-for-data-golang-cve-2020-15586-cve-2020-14039-primary-tabs/
• https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-license-metric-tool-v9-2/
• https://www.ibm.com/blogs/psirt/security-bulletinibm-resilient-soar-is-using-components-with-known-vulnerabilities-apache-camel-cve-2019-0188-cve-2020-11972-cve-2020-11973/
• https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-security-vulnerabilities-affect-ibm-emptoris-supplier-lifecycle-mgmt/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-using-components-with-known-vulnerabilities-plexus-utils-cve-2017-1000487/
• https://www.ibm.com/blogs/psirt/security-bulletin-a-node-js-npm-cli-module-vulnerability-affects-ibm-sdk-for-node-js-in-ibm-cloud-cve-2020-15095/
• https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-security-vulnerabilities-affect-ibm-emptoris-program-management/
• https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-security-vulnerabilities-affect-ibm-emptoris-sourcing/
• https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-websphere-application-server-liberty-affect-ibm-operations-analytics-log-analysis-cve-2020-4590/
• https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-security-vulnerabilities-affect-ibm-emptoris-contract-management/
• https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-commons-codec-affects-ibm-cram-social-program-management-177835/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-authentication-bypass-cve-2020-4493/
• https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-security-vulnerabilities-affect-ibm-emptoris-strategic-supply-management-platform/
• https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-certified-container-is-vulnerable-to-cve-2019-11324/
• https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-affect-ibm-cloud-pak-for-data-node-js-cve-2020-8203/
• https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ruby-on-rails-affects-ibm-license-metric-tool-v9-cve-2020-8164/
• https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ruby-on-rails-affects-ibm-license-metric-tool-v9-cve-2020-8166/
• https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ruby-on-rails-affect-ibm-license-metric-tool-v9/
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integration-operators-affected-by-multiple-vulnerabilities/