Description:

IBM has released a security update to address several vulnerabilities in the following products:

• XStream, Apache HTTP, Jackson Databind, OpenSSL, and Node.js
  • IBM Spectrum Control 5.3.0.1-5.4.1
• BM Java SDK
  • IBM WebSphere Cast Iron v 7.5.0.0, 7.5.0.1, 7.5.1.0
  • App Connect Professional v 7.5.2.0
  • App Connect Professional v 7.5.3.0
  • App Connect Professional v 7.5.4.0
• WebSphere Application Server 9.0, 8.5, 8.0
• Node.js xml-crypto module
  • IBM Cloud Pak for Multicloud Management Infrastructure Management
• Java
  • IBM Cloud Application Business Insights 1.1.3, 1.1.4, 1.1.5
• Node.js y18n module
  • IBM Cloud Pak for Multicloud Management Infrastructure Management
• PostgreSQL
  • IBM Cloud Pak for Multicloud Management Infrastructure Management
• GO
  • IBM Cloud Pak for Multicloud Management Infrastructure Management
• Apache Tomcat
  • IBM WebSphere Cast Iron Solution v 7.5.0.0, 7.5.0.1, 7.5.1.0
  • App Connect Professional v 7.5.2.0
  • App Connect Professional v 7.5.3.0
  • App Connect Professional v 7.5.4.0
• FasterXML Jackson Databind
  • IBM Tivoli Netcool/OMNIbus Integration – Transport Module Common Integration Library
• Node.js ini module
  • IBM Cloud Pak for Multicloud Management Infrastructure Management
• Bouncy Castle
  • IBM Rational Performance Tester
• Node.js codemirror module
  • IBM Cloud Pak for Multicloud Management
• Node.js
  • IBM Cloud Pak for Multicloud Management
• IBM Spectrum Conductor 2.5.0
• IBM Spectrum Symphony 7.3.1

Threats:

Attacker could exploit these vulnerabilities by doing the following:

• Server-side request forgery (SSRF)
• Execute arbitrary code -remotely
• Denial of service attack (DoS)
• Bypass of a protection mechanism

Best practice and Recommendations:

The CERT team encourages users to review IBM security advisory and apply the necessary updates:

• https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-xstream-apache-http-jackson-databind-openssl-and-node-js-affect-ibm-spectrum-control/
• https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-websphere-cast-iron-solution-app-connect-professional-5/
• https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-a-directory-traversal-vulnerability-cve-2021-20354/
• https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-xml-crypto-module-affects-ibm-cloud-pak-for-multicloud-management/
• https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-affects-ibm-cloud-application-business-insights/
• https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-y18n-module-affects-ibm-cloud-pak-for-multicloud-management/
• https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-postgresql-affects-ibm-cloud-pak-for-multicloud-management/
• https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-go-affects-ibm-cloud-pak-for-multicloud-management/
• https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-ibm-websphere-cast-iron-solution-are-affected-by-apache-tomcat-vulnerabilities/
• https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been-identified-in-fasterxml-jackson-databind-shipped-with-ibm-tivoli-netcool-omnibus-transport-module-common-integration-library-cve-2020-25649/
• https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-ini-module-affects-ibm-cloud-pak-for-multicloud-management/
• https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-bouncy-castle-affects-ibm-rational-performance-tester-cve-2020-26939/
• https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-codemirror-module-affects-ibm-cloud-pak-for-multicloud-management/
• https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-affects-ibm-cloud-pak-for-multicloud-management/
• https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerability-issues-affect-ibm-spectrum-conductor-2-5-0/
• https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerability-issues-affect-ibm-spectrum-symphony-7-3-1/