IBM Updates
Warning Date: 20 December, 2020
Severity Level: High
Warning Number: 2020-2237
Target Sector: All
Description:
IBM has released security updates to address vulnerabilities in the following products:
- Version 12.18.0 of Node.js included in IBM Netcool Operations Insight 1.6.2.x
- IBM Cloud Event Management on IBM Cloud Private
- IBM Planning Analytics 2.0.9.4
- z/Transaction Processing Facility 1.1
- IBM Content Navigator 3.0CD
- Datacap Taskmaster Capture 9.1.7
- Financial Transaction Manager for Digital Payments for Multi-Platform 2.1.1, 3.0.0, 3.1.0, 3.2.3, 3.2.4, 3.0.2, 3.2.2, 3.0.5, 3.0.6
- IBM Java Runtime
- RDS 5.2.1 iFix 13 and earlier
- RDA 6.0.0.2 iFix 06 and earlier
- IBM Rational ClearCase 9.0, 9.0.1, 9.0.2
- json-c
- IBM MQ 9.1 LTS, 9.2 CD, 9.2 LTS
- IBM MQ Appliance 9.2 CD, 9.2 LTS
- IBM MQ 8.0, 9.0 LTS, 9.1 LTS, 9.1 CD, 9.2 CD, 9.2 LTS
- IBM WebSphere MQ 7.5
- Pacemaker
- IBM MQ 9.1 LTS, 9.1 CD, 9.2 CD, 9.2 LTS
- IBM Cloud Pak for Automation 20.0.1, 20.0.2 IF002
- BIND
- AIX 7.1, 7.2
- VIOS 3.1
- IBM Cloud Pak for Automation IBM Automation Workstream Services 19.0.3, 20.0.1, 20.0.2, IBM Business Automation Workflow 20.0.2
- IBM Business Automation Workflow V18.0, V19.0, V20.0 traditional, V20.0 containers
- IBM Business Process Manager V8.6
Threats:
An attacker could exploit these vulnerabilities to carry out the following:
- Denial of service attack (DoS)
- Cross-site scripting (XSS)
- Sensitive information disclosure
- Execute arbitrary code
- Escalation of privilege
Best practice and Recommendations:
The CERT team encourages users to review the IBM security advisories and apply the necessary updates:
- https://www.ibm.com/blogs/psirt/security-bulletin-version-12-18-0-of-node-js-included-in-ibm-netcool-operations-insight-1-6-2-x-has-several-security-vulnerabilities/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-has-addressed-a-security-vulnerability-cve-2020-4764/
- https://www.ibm.com/blogs/psirt/security-bulletin-z-tpf-is-affected-by-an-openssl-vulnerability/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-susceptible-to-a-cross-site-scripting-vunlerability/
- https://www.ibm.com/blogs/psirt/security-bulletin-datacap-taskmaster-capture-is-affected-by-vulnerable-to-server-supports-a-deprecated-ssl-version-either-sslv2-or-sslv3/
- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-manager-for-digital-payments-is-affected-by-a-potential-logout-session-timeout-cve-2020-4555/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-the-ibm-java-runtime-affect-ibm-rational-clearcase-cve-2020-14577-cve-2020-14578-cve-2020-14579/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-a-vulnerability-in-json-c-cve-2020-12762/
- https://www.ibm.com/blogs/psirt/security-bulletin-datacap-taskmaster-capture-is-affected-by-vulnerable-to-appscans-sslv3-client-hello-with-cbc-cipher-suites-that-contain-tls_fallback_scsv/
- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-manager-for-high-value-payments-is-affected-by-a-potential-logout-session-timeout-cve-2020-4555/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affected-by-a-denial-of-service-vulnerability-cve-2020-4870/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a-denial-of-service-attack-caused-by-an-error-processing-connecting-applications-cve-2020-4870/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-multiple-vulnerabilities-in-pacemaker/
- https://www.ibm.com/blogs/psirt/security-bulletin-datacap-taskmaster-capture-is-affected-by-vulnerable-to-using-a-cookie-without-the-secure-attribute/
- https://www.ibm.com/blogs/psirt/security-bulletin-datacap-taskmaster-capture-is-affected-by-vulnerable-to-weak-cipher-suites-by-successfully-creating-ssl-connections/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-rational-directory-server-tivoli-rational-directory-administrator-6/
- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-manager-for-corporate-payment-services-v2-1-1-is-affected-by-a-potential-logout-session-timeout-cve-2020-4555/
- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-manager-for-corporate-payment-services-is-affected-by-a-potential-logout-session-timeout-cve-2020-4555/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-middleware-software-affect-ibm-cloud-pak-for-automation-4/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affected-by-denial-of-service-vulnerabilities-cve-2020-5481-cve-2020-4580-cve-2020-4579/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-the-ibm-java-runtime-affect-ibm-rational-clearquest/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-affects-aix-cve-2020-8622/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-could-allow-an-authenticated-user-under-nondefault-configuration-to-cause-a-data-corruption-attack-due-to-an-error-when-using-segmented-messages-cve-2020-4592/
- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-manager-for-check-services-is-affected-by-a-potential-logout-session-timeout-cve-2020-4555/
- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-manager-for-ach-services-is-affected-by-a-potential-logout-session-timeout-cve-2020-4555/
- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-and-denial-of-service-vulnerability-affect-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2020-4794/