IBM Updates
Warning Date: 13 December, 2020
Severity Level: High
Warning Number: 2020-2193
Target Sector: All
Description:
IBM has released security updates to address several vulnerabilities in the following products. Where a bulletin concerns a bundled component (NGINX, cURL, HAProxy, OpenSSL, Java, and so on), the component is listed first and the affected IBM products are nested beneath it:
- Python
  - IBM Cloud Pak for Data 2.5, 3.0
- NGINX
  - IBM Aspera High-Speed Transfer Server 3.9.6.2 and earlier
  - IBM Aspera High-Speed Transfer Endpoint 3.9.6.2 and earlier
- cURL
  - IBM Aspera High-Speed Transfer Server 3.9.6.2 and earlier
  - IBM Aspera High-Speed Transfer Endpoint 3.9.6.2 and earlier
  - IBM Aspera Streaming / IBM Aspera Streaming for Video 3.9.6.1 and earlier
- HAProxy
  - IBM Aspera High-Speed Transfer Server 3.9.6.2 and earlier
  - IBM Aspera High-Speed Transfer Endpoint 3.9.6.2 and earlier
- IBM Db2 V9.7, V10.1, V10.5, V11.1, and V11.5
- IBM Java Runtime
  - IBM App Connect Enterprise V11, V11.0.0.0 – V11.0.0.10
  - IBM Security SiteProtector System 3.0.0, 3.1.1
- App Connect Enterprise Certified Container Integration Servers
- App Connect Enterprise Certified Container 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5
- App Connect Enterprise Certified Container 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6 with Operator
- AWS storage layer in NPS
  - IBM Netezza for Cloud Pak for Data
- OpenSSL
  - IBM Aspera Streaming / IBM Aspera Streaming for Video 3.9.6.1 and earlier
  - IBM Aspera High-Speed Transfer Server 3.9.6.2 and earlier
  - IBM Aspera High-Speed Transfer Endpoint 3.9.6.2 and earlier
  - IBM Aspera Desktop Client 3.9.6 and earlier
  - IBM Aspera Connect 3.9.9 and earlier
- CP4D
  - IBM Netezza for Cloud Pak for Data
- Resilient OnPrem (IBM Security SOAR)
- IBM Elastic Storage System GUI 6.0.1.0, 5.36
- NPS softlayer provisioner
  - IBM Netezza for Cloud Pak for Data
- IBM SDK, Java Technology Edition Quarterly CPU – Jul 2020
  - InfoSphere Streams 4.3.1.x, 4.2.1.x, 4.1.1.x
- glibc
  - IBM Elastic Storage System 6.0.0 – 6.0.1.1
- WebSphere Application Server Liberty
  - IBM Cloud Transformation Advisor 2.3.0, 2.3.1
- Node.js
  - IBM Cloud Transformation Advisor 2.3.0, 2.3.1
  - IBM Business Automation Workflow V20.0, V19.0, V18.0
  - IBM Business Process Manager V8.6, V8.5
- IBM Spectrum Scale
  - IBM Elastic Storage Server 5.3.0 through ESS 5.3.6, 5.0.0 through ESS 5.2.10
- Linux Kernel
  - IBM Elastic Storage System 6.0.0 – 6.0.1.1
- Java
  - InfoSphere Streams 4.2.1.x, 4.3.1.x
- IBM MQ for HPE NonStop 8.1.0, 8.0.4
- IBM Java SDK
  - IBM WebSphere Application Server Patterns 1.0.0.0 through 1.0.0.7 and 2.2.0.0 through 2.3.3.3
- Apache Hadoop
  - InfoSphere Streams 4.2.1.x, 4.3.1.x
- Apache Commons Codec
  - InfoSphere Streams 4.2.1.x, 4.3.1.x
- GNU glibc
  - IBM Cloud Pak for Data 3.0
Threats:
An attacker who successfully exploits these vulnerabilities could achieve one or more of the following:
- Code injection
- Sensitive information disclosure
- Man in the middle attack
- Buffer overflow
- Denial of service attack (DoS)
- Escalation of privilege
Best Practices and Recommendations:
The CERT team encourages users to review the IBM security bulletins listed below and apply the updates or mitigations each one specifies:
- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-affect-ibm-cloud-pak-for-data-python-cve-2019-20907/
- https://www.ibm.com/blogs/psirt/security-bulletin-nginx-vulnerability-cve-2020-5863-impacts-ibm-aspera-high-speed-transfer-server-and-aspera-high-speed-transfer-endpoint-versions-prior-to-v4-0/
- https://www.ibm.com/blogs/psirt/security-bulletin-curl-vulnerability-cve-2019-15601-impacts-ibm-aspera-high-speed-transfer-server-3-9-6-2-and-earlier-and-aspera-high-speed-transfer-endpoint-3-9-6-2-and-earlier/
- https://www.ibm.com/blogs/psirt/security-bulletin-haproxy-vulnerability-cve-2019-14241-impacts-ibm-aspera-high-speed-transfer-server-and-aspera-high-speed-transfer-endpoint-versions-prior-to-v4-0/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-local-authenticated-attacker-to-execute-arbitrary-code-on-the-system-caused-by-dll-search-order-hijacking-vulnerability-in-microsoft-windows-clie-5/
- https://www.ibm.com/blogs/psirt/security-bulletin-nginx-vulnerability-cve-2020-7621-impacts-ibm-aspera-high-speed-transfer-server-and-aspera-high-speed-transfer-endpoint-versions-prior-to-v4-0/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-may-be-vulnerable-to-a-denial-of-service-attack-cve-2020-4355-5/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-v11-is-affected-by-vulnerabilities-in-ibm-java-runtime-cve-2020-2601/
- https://www.ibm.com/blogs/psirt/security-bulletin-haproxy-vulnerability-cve-2019-19330-impacts-ibm-aspera-high-speed-transfer-server-and-aspera-high-speed-transfer-endpoint-versions-prior-to-v4-0/
- https://www.ibm.com/blogs/psirt/security-bulletin-curl-vulnerabilities-cve-2019-5481-cve-2019-5482-impact-ibm-aspera-streaming-ibm-aspera-streaming-for-video-version-3-9-6-1-and-earlier/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-a-denial-of-service-attack-cve-2020-4420-5/
- https://www.ibm.com/blogs/psirt/security-bulletin-haproxy-vulnerability-cve-2019-11323-impacts-ibm-aspera-high-speed-transfer-server-and-aspera-high-speed-transfer-endpoint-versions-prior-to-v4-0/
- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-certified-container-integration-servers-could-allow-information-exposure-when-using-mq-cve-2020-4498/
- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-affect-ibm-cloud-pak-for-data-golang-cve-2020-24553/
- https://www.ibm.com/blogs/psirt/security-bulletin-open-source-security-issues-for-aws-storage-layer-in-nps/
- https://www.ibm.com/blogs/psirt/security-bulletin-haproxy-vulnerability-cve-2020-11100-impacts-ibm-aspera-high-speed-transfer-server-and-aspera-high-speed-transfer-endpoint-versions-prior-to-v4-0/
- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-certified-container-integration-servers-could-cause-a-denial-of-service-or-a-buffer-overflow-when-using-mq/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-cve-2020-4387-6/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-buffer-overflow-leading-to-a-privileged-escalation-cve-2020-4363-7/
- https://www.ibm.com/blogs/psirt/security-bulletin-haproxy-vulnerability-cve-2019-18277-impacts-ibm-aspera-high-speed-transfer-server-and-aspera-high-speed-transfer-endpoint-versions-prior-to-v4-0/
- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-certified-container-is-vulnerable-to-code-injection-and-denial-of-service-attacks/
- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-cve-2020-1968-impacts-ibm-aspera-streaming-ibm-aspera-streaming-for-video-version-3-9-6-1-and-earlier/
- https://www.ibm.com/blogs/psirt/security-bulletin-fixed-cp4d-timeout-for-ibm-netezza-for-cloud-pak-for-data-11-1-1-0/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-a-buffer-overflow-cve-2020-4701-4/
- https://www.ibm.com/blogs/psirt/security-bulletin-nginx-vulnerability-cve-2019-20372-impacts-ibm-aspera-high-speed-transfer-server-and-aspera-high-speed-transfer-endpoint-versions-prior-to-v4-0/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-platform-could-allow-formula-injection-in-excel-cve-2020-4633/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-the-ibm-elastic-storage-system-gui/
- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-certified-container-operator-and-integration-servers-are-vulnerable-to-code-injection-and-denial-of-service-attacks/
- https://www.ibm.com/blogs/psirt/security-bulletin-curl-vulnerabilities-cve-2020-8169-cve-2020-8177-impact-ibm-aspera-high-speed-transfer-server-3-9-6-2-and-earlier-and-aspera-high-speed-transfer-endpoint-3-9-6-2-and-earlier/
- https://www.ibm.com/blogs/psirt/security-bulletin-open-source-secuity-issues-fixed-for-nps-softlayer-provisioner/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-jul-2020-vulnerabilities-affecting-infosphere-streams-4-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-glibc-vulnerability-affects-ibm-elastic-storage-system-cve-2020-1752/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-advisor-is-affected-by-a-vulnerability-in-websphere-application-server-liberty-cve-2020-4590/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-advisor-is-affected-by-a-node-js-vulnerability/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-spectrum-scale-packaged-in-ibm-elastic-storage-server-could-cause-a-denial-of-service-cve-2020-4756/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-node-js-may-affect-configuration-editor-used-in-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2020-8201-cve-2020-8252-c/
- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulnerabilities-in-the-linux-kernel-used-in-ibm-elastic-storage-system-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-advisor-is-affected-by-a-vulnerability-in-websphere-application-server-liberty-cve-2020-10693/
- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-cve-2019-1551-impacts-ibm-aspera-high-speed-transfer-server-3-9-6-2-and-earlier-aspera-high-speed-transfer-endpoint-3-9-6-2-and-earlier-aspera-desktop-client/
- https://www.ibm.com/blogs/psirt/security-bulletin-curl-vulnerability-cve-2019-10789-impacts-ibm-aspera-high-speed-transfer-server-3-9-6-2-and-earlier-and-aspera-high-speed-transfer-endpoint-3-9-6-2-and-earlier/
- https://www.ibm.com/blogs/psirt/security-bulletin-java-vulnerability-cve-2020-2601-affecting-ibm-streams/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-server-is-affected-by-vulnerability-cve-2020-4592/
- https://www.ibm.com/blogs/psirt/security-bulletin-open-source-security-issues-for-nps-service-provider/
- https://www.ibm.com/blogs/psirt/security-bulletin-java-vulnerability-cve-2020-2590-affecting-ibm-streams/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affects-websphere-application-server-october-2020-cpu-that-is-bundled-with-ibm-websphere-application-server-patterns/
- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-certified-container-may-be-vulnerable-to-man-in-the-middle-attack-through-use-of-openssl-cve-2019-1551/
- https://www.ibm.com/blogs/psirt/security-bulletin-apache-hadoop-could-allow-a-remote-attacker-to-obtain-sensitive-information-that-could-affect-ibm-streams/
- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-codec-could-allow-a-remote-attacker-to-obtain-sensitive-information-caused-by-the-improper-validation-of-input/
- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-gnu-glibc-affect-ibm-cloud-pak-for-data-gnu-glibc-cve-2020-1751/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-advisor-is-affected-by-a-node-js-vulnerability-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-platform-could-allow-formula-injection-in-excel-cve-2020-4633-2/
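Triaging an advisory like this one against an asset inventory means comparing deployed build levels against ranges written as "X and earlier", "A – B", "A through B" and "N.x", and doing that as a numeric comparison: as strings, "3.9.6.10" sorts before "3.9.6.2" and would be wrongly flagged as affected. The Python below is an added example, not IBM or CERT tooling; the AFFECTED table copies range wordings from the product list above, while SAMPLE_INVENTORY and its version strings are constructed for illustration.

```python
"""Check installed IBM product versions against the affected ranges quoted in
this advisory. Added example (not IBM/CERT code); the inventory is constructed."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]
Range = Tuple[Optional[Version], Optional[Version], Optional[Version]]


def parse_version(text: str) -> Version:
    """Extract the first dotted number in text ('V11.0.0.10', 'ESS 5.3.6') as a
    tuple of ints. Tuples compare numerically: (3,9,6,10) > (3,9,6,2), whereas
    the strings '3.9.6.10' < '3.9.6.2' compare the wrong way round."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def parse_range(spec: str) -> Range:
    """Return (low, high, prefix) for the range wordings used in this advisory:
         '3.9.6.2 and earlier'     -> (None, (3,9,6,2), None)
         'V11.0.0.0 – V11.0.0.10'  -> ((11,0,0,0), (11,0,0,10), None)
         '5.3.0 through ESS 5.3.6' -> ((5,3,0), (5,3,6), None)
         '4.3.1.x'                 -> (None, None, (4,3,1))   # any 4.3.1.* build
    A bare version is treated as an exact match."""
    s = spec.strip()
    if s.lower().endswith("and earlier"):
        return None, parse_version(s), None
    m = re.match(r"(.+?)\s*(?:–|-|through)\s*(.+)$", s)
    if m:
        return parse_version(m.group(1)), parse_version(m.group(2)), None
    if s.lower().endswith(".x"):
        return None, None, parse_version(s[:-2])
    v = parse_version(s)
    return v, v, None


def is_affected(installed: str, spec: str) -> bool:
    """True if the installed version lies inside the affected range spec."""
    v = parse_version(installed)
    low, high, prefix = parse_range(spec)
    if prefix is not None:
        return v[:len(prefix)] == prefix
    if low is not None and v < low:
        return False
    return high is None or v <= high


# Range wordings copied from the product list in this advisory.
AFFECTED = {
    "IBM Aspera High-Speed Transfer Server": ["3.9.6.2 and earlier"],
    "IBM Aspera Streaming": ["3.9.6.1 and earlier"],
    "IBM Aspera Connect": ["3.9.9 and earlier"],
    "IBM App Connect Enterprise": ["V11.0.0.0 – V11.0.0.10"],
    "IBM Elastic Storage System": ["6.0.0 – 6.0.1.1"],
    "IBM Elastic Storage Server": ["5.3.0 through ESS 5.3.6", "5.0.0 through ESS 5.2.10"],
    "InfoSphere Streams": ["4.3.1.x", "4.2.1.x", "4.1.1.x"],
    "IBM WebSphere Application Server Patterns": ["1.0.0.0 through 1.0.0.7", "2.2.0.0 through 2.3.3.3"],
}


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (product, installed, matched_range) for every inventory entry that
    falls inside one of the advisory's ranges; unknown products are skipped."""
    hits = []
    for product, installed in inventory:
        for spec in AFFECTED.get(product, []):
            if is_affected(installed, spec):
                hits.append((product, installed, spec))
                break
    return hits


# Constructed sample inventory; these are not real hosts or real findings.
SAMPLE_INVENTORY = [
    ("IBM Aspera High-Speed Transfer Server", "3.9.6.10"),  # numerically above 3.9.6.2
    ("IBM Aspera High-Speed Transfer Server", "3.9.6"),     # earlier than 3.9.6.2
    ("IBM App Connect Enterprise", "11.0.0.8"),             # inside V11.0.0.0 – V11.0.0.10
    ("IBM App Connect Enterprise", "11.0.0.11"),            # outside the quoted range
    ("InfoSphere Streams", "4.3.1.5"),                      # matches 4.3.1.x
    ("IBM Elastic Storage Server", "5.2.3"),                # inside 5.0.0 through 5.2.10
    ("IBM Elastic Storage Server", "5.3.7"),                # above 5.3.6
]

if __name__ == "__main__":
    for product, installed, spec in triage(SAMPLE_INVENTORY):
        print(f"AFFECTED  {product} {installed}  (range: {spec})")
```

A version falling outside a quoted range is not proof of a fix: each IBM bulletin names the specific fix level or interim fix, so confirm against the bulletin's remediation section rather than assuming the first build above the range is patched.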