IBM Updates
Warning Date: 11 October, 2020
Severity Level: High
Warning Number: 2020-1904
Target Sector: All
Description:
IBM has released security updates to address vulnerabilities in the following products:
- OOTB build scripts shipped with IBM Cúram Social Program Management
- IBM Cúram Social Program Management 7.0.10, 7.0.9
- IBM API Connect's API Manager V2018.4.1.0 – V2018.4.1.12, V10.0.0
- Oracle MySQL (as shipped with IBM Security Guardium)
- IBM Security Guardium 10.6, 11.0, 11.1, 11.2
- IBM QRadar SIEM 7.4.0 – 7.4.1 GA, 7.3.0 – 7.3.3 Patch 4
- IBM Java Runtime (as shipped with IBM Integration Bus and IBM App Connect Enterprise V11)
- IBM App Connect Enterprise V11, V11.0.0.0 – V11.0.0.10
- IBM Integration Bus V10.0.0.0 – V10.0.0.21, V9.0.0.0 – V9.0.0.11
- Node.js (as shipped with IBM Integration Bus and IBM App Connect Enterprise V11)
- IBM Integration Bus V10.0.0 – V10.0.0.21
- IBM App Connect Enterprise V11, V11.0.0.0 – V11.0.0.9
- IBM Security Access Manager 9.0.7
- IBM Security Verify Access 10.0.0
- IBM Kenexa LCMS Premier on-premise 14.0 and below
- IBM Security Guardium 10.5, 10.6, 11.0, 11.1
- IBM SDK, Java Technology Edition Quarterly CPU (as shipped with IBM Kenexa LCMS Premier on-premise and IBM Security Guardium)
- IBM Security Guardium 11.1, 11.2
- IBM Db2 V9.7, V10.1, V10.5, V11.1, and V11.5
- IBM Cognos Analytics
- IBM License Metric Tool (bundled IBM Db2)
- SQLite (as shipped with IBM Security Guardium)
- IBM Security Guardium 11.x, 10.6, 10.5
- IBM InfoSphere Metadata Asset Manager 11.7, 11.5
- IBM InfoSphere Information Server 11.7, 11.5
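Before working through the bulletins below, the first practical step is to find out which of the listed versions are actually deployed. The following triage helper is an added example, not code from IBM or the CERT team: the AFFECTED table is transcribed from the product list above, the INVENTORY lines are constructed sample data, and the range semantics (inclusive ranges, "x.y" matching any "x.y.z" sub-release, "14.0 and below") are assumptions chosen to err on the side of flagging a host.

```python
"""Triage helper for the product list in this bulletin: given an inventory of
IBM product versions, report which entries fall inside an affected range.
Added example, not code from IBM or the CERT team. AFFECTED is transcribed
from the bulletin's product list; INVENTORY is constructed sample data.
Fix-pack suffixes such as "GA" or "Patch 4" are ignored, so a match is
conservative and should be confirmed against the linked bulletin."""
import re
from typing import Optional

# Rule kinds: ("range", lo, hi) is inclusive; ("exact", v) matches v and any
# v.x sub-release; ("max", v) means "v and below" (v.x counts as v).
AFFECTED = {
    "IBM Cúram Social Program Management": [("exact", "7.0.9"), ("exact", "7.0.10")],
    "IBM API Connect API Manager": [("range", "V2018.4.1.0", "V2018.4.1.12"), ("exact", "V10.0.0")],
    "IBM Security Guardium": [("exact", "10.5"), ("exact", "10.6"), ("exact", "11")],  # 11 covers 11.x
    "IBM QRadar SIEM": [("range", "7.4.0", "7.4.1"), ("range", "7.3.0", "7.3.3")],
    "IBM App Connect Enterprise": [("range", "V11.0.0.0", "V11.0.0.10")],
    "IBM Integration Bus": [("range", "V10.0.0.0", "V10.0.0.21"), ("range", "V9.0.0.0", "V9.0.0.11")],
    "IBM Security Access Manager": [("exact", "9.0.7")],
    "IBM Security Verify Access": [("exact", "10.0.0")],
    "IBM Kenexa LCMS Premier on-premise": [("max", "14.0")],
    "IBM Db2": [("exact", v) for v in ("9.7", "10.1", "10.5", "11.1", "11.5")],
    "IBM InfoSphere Information Server": [("exact", "11.5"), ("exact", "11.7")],
}


def parse_version(s: str) -> tuple:
    """'V11.0.0.10' -> (11, 0, 0, 10). Drops a leading V and any trailing text."""
    m = re.match(r"\s*[Vv]?(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(t: tuple, n: int) -> tuple:
    """Right-pad a version tuple with zeros so tuples of different depth compare sanely."""
    return t + (0,) * (n - len(t))


def _matches(rule: tuple, v: tuple) -> bool:
    kind = rule[0]
    if kind == "exact":
        e = parse_version(rule[1])
        return v[:len(e)] == e
    if kind == "max":
        m = parse_version(rule[1])
        n = max(len(v), len(m))
        return v[:len(m)] == m or _pad(v, n) < _pad(m, n)
    lo, hi = parse_version(rule[1]), parse_version(rule[2])
    n = max(len(v), len(lo), len(hi))
    return _pad(lo, n) <= _pad(v, n) <= _pad(hi, n)


def is_affected(product: str, version: str) -> Optional[bool]:
    """True/False for a product named in the bulletin, None if it is not listed."""
    rules = AFFECTED.get(product)
    if rules is None:
        return None
    v = parse_version(version)
    return any(_matches(r, v) for r in rules)


# Constructed sample inventory, one "host,product,version" record per line.
INVENTORY = """\
ace-prod-01,IBM App Connect Enterprise,11.0.0.8
ace-prod-02,IBM App Connect Enterprise,11.0.0.11
iib-legacy,IBM Integration Bus,9.0.0.5
guardium-col,IBM Security Guardium,11.2.0
db2-fin,IBM Db2,11.5.4
siem-core,IBM QRadar SIEM,7.3.3 Patch 4
lms-hr,IBM Kenexa LCMS Premier on-premise,13.5
mq-broker,IBM MQ,9.2.0
"""


def triage(inventory: str) -> list:
    """Return (host, product, version, status) for each non-comment inventory line."""
    rows = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        hit = is_affected(product, version)
        status = {True: "AFFECTED", False: "not affected", None: "not in bulletin"}[hit]
        rows.append((host, product, version, status))
    return rows


if __name__ == "__main__":
    for host, product, version, status in triage(INVENTORY):
        print(f"{status:16} {host:14} {product} {version}")
```

A "not in bulletin" result only means the product name is absent from this bulletin's list, not that the host is clean; products listed without versions (IBM Cognos Analytics, the bundled components) still have to be checked by hand against the bulletin text.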
Threats:
An attacker could exploit these vulnerabilities to achieve the following:
- Unauthorized disclosure of information
- Bypass of a protection mechanism
- Escalation of privilege
- Spoofing attacks
- Execution of arbitrary code
- Denial of service
- Cross-site scripting, cross-site request forgery and other injection attacks (XXE, XPath, HTML injection)
Best practices and recommendations:
The CERT team encourages users to review the IBM security bulletins listed below and apply the necessary updates. Several bulletins concern third-party components bundled with an IBM product (Oracle MySQL, Node.js, IBM Java Runtime, SQLite); in those cases the remediation is the IBM fix pack or interim fix named in the bulletin, not a stand-alone upgrade of the upstream component:
- https://www.ibm.com/blogs/psirt/security-bulletin-ootb-build-scripts-does-not-set-the-secure-attribute-on-session-cookie-which-may-impact-ibm-cram-social-program-management-cve-2020-4780/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-path-traversal-vulnerability-may-impact-ibm-cram-social-program-management-cve-2020-4776/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-http-verb-tampering-vulnerability-may-impact-ibm-cram-social-program-management-cve-2020-4779/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-request-forgery-csrf-vulnerability-may-impact-ibm-cram-social-program-management-cve-2020-4773/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-api-manager-is-vulnerable-to-privilege-escalationcve-2020-4638-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-an-xml-external-entity-injection-xxe-vulnerability-may-impact-ibm-cram-social-program-management-cve-2020-4772/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-oracle-mysql-vulnerabilities-9/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulnerable-to-kdc-spoofing-cve-2019-4545-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-integration-bus-and-ibm-app-connect-enterpise-v11-5/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-js-affect-ibm-integration-bus-ibm-app-connect-enterprise-v11/
- https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable-to-denial-of-service-cve-2020-16845/
- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-have-been-fixed-in-ibm-security-access-manager-and-ibm-security-verify-access-cve-2020-4661-cve-2020-4699-cve-2020-4660/
- https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable-to-denial-of-service-via-kubernetes-cve-2020-8557-cve-2020-8559/
- https://www.ibm.com/blogs/psirt/security-bulletin-an-improper-input-validation-vulnerability-may-impact-ibm-cram-social-program-management-cve-2020-4781/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-on-premise-ibm-sdk-java-technology-edition-quarterly-cpu-jul-2020-includes-oracle-jul-2020-cpu-plus-one-additional-vulnerability/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-scripting-xss-vulnerability-may-impact-ibm-cram-social-program-management-cve-2020-4775/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cram-social-program-management-uses-md5-algorithm-cve-2020-4778/
- https://www.ibm.com/blogs/psirt/security-bulletin-an-xpath-vulnerability-may-impact-ibm-cram-social-program-management-cve-2020-4774/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-use-of-a-broken-or-risky-cryptographic-algorithm-vulnerability-5/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-cross-site-scripting-vulnerabilities/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-java-technology-edition-quarterly-cpu-apr-2020-includes-oracle-apr-2020-cpu-vulnerability/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-may-be-vulnerable-to-a-denial-of-service-attack-cve-2020-4355-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-addressed-multiple-vulnerabilities-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-have-been-identified-in-ibm-db2-shipped-with-ibm-license-metric-tool-v9-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-a-denial-of-service-attack-cve-2020-4420-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-cve-2020-4387-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-and-denial-of-service-cve-2020-4414-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-buffer-overflow-leading-to-a-privileged-escalation-cve-2020-4363-4/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-an-sqlite-vulnerability-6/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-metadata-asset-manager-is-vulnerable-to-stored-cross-site-scripting/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-cve-2020-4386-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulnerable-to-deserialization-of-untrusted-data-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-vulnerable-to-html-injection/