IBM Updates
Warning Date: 25 April, 2021
Severity Level: High
Warning Number: 2021-2821
Target Sector: All
Description:
IBM has released security updates to address several vulnerabilities in its products. The affected products include:
- IBM DB2 Server
- IBM Emptoris Supplier Lifecycle Mgmt 10.1.1.x
- IBM Emptoris Supplier Lifecycle Mgmt 10.1.0.x
- IBM Emptoris Supplier Lifecycle Mgmt 10.1.3.x
- IBM Emptoris Strategic Supply Management Platform 10.1.0.x,10.1.1.x,10.1.3.x
- IBM Emptoris Sourcing 10.1.0.x
- IBM Emptoris Sourcing 10.1.1.x
- IBM Emptoris Sourcing 10.1.3.x
- IBM Emptoris Program Management 10.1.0.x
- IBM Emptoris Program Management 10.1.1.x
- IBM Emptoris Program Management 10.1.3.x
- Apache MyFaces
- Liberty for Java in IBM Cloud up to and including v3.55
- Db2 V9.7, V10.1, V10.5, V11.1, and V11.5 editions on Windows
- IBM® Runtime Environments Java™ Technology Edition
- DB2 9.7.x
- DB2 10.1.x
- DB2 10.5.x
- DB2 11.1.x
- DB2 11.5.x
- FasterXML jackson-databind
- Log Analysis 1.3.1
- Log Analysis 1.3.2
- Log Analysis 1.3.3
- Log Analysis 1.3.4
- Log Analysis 1.3.5
- Log Analysis 1.3.6
- IBM Spectrum Protect Backup-Archive Client 8.1.0.0-8.1.11.0
- IBM Spectrum Protect for Space Management 8.1.0.0-8.1.11.0
- IBM Spectrum Protect for Virtual Environments: Data Protection for VMware 8.1.0.0-8.1.11.0
- IBM Spectrum Protect for Virtual Environments: Data Protection for Hyper-V 8.1.0.0-8.1.11.0
- IBM Spectrum Protect Plus 10.1.0-10.1.6
- Golang
- IBM Spectrum Protect Plus Container backup and restore for Kubernetes 10.1.5-10.1.7
- IBM Spectrum Protect Plus Container backup and restore for OpenShift 10.1.7
- IBM Db2
- IBM Spectrum Protect Server 8.1.0.000-8.1.11.xxx, 7.1.0.000-7.1.12.xxx
- Python
- IBM Spectrum Protect Plus Microsoft File Systems backup and restore 10.1.6-10.1.7
- Genivia gSOAP
- IBM Java Runtime
- SPSS Statistics 27.0.1
- SPSS Statistics 26.0
- SPSS Statistics 25.0
- SPSS Statistics 24.0
- IBM Business Automation Workflow V20.0, V19.0, V18.0
- IBM Business Process Manager V8.6, V8.5
- OpenSSL
- Java SE and Eclipse OpenJ9
- DB2 Recovery Expert for LUW 5.5
- DB2 Recovery Expert for LUW 5.5 IF1
- DB2 Recovery Expert for LUW 5.5 IF2
- DB2 Recovery Expert for LUW 5.5.0.1
- DB2 Recovery Expert for LUW 5.5.0.1 IF0
- DB2 Recovery Expert for LUW 5.5.0.1 IF1
Threats:
An attacker could exploit these vulnerabilities to carry out the following:
- Denial of service attack (DoS)
- Execute arbitrary code
- XML external entity (XXE) attack
- Cross-site request forgery (CSRF)
Best practice and Recommendations:
The CERT team encourages users to review the IBM security advisories below and apply the necessary updates:
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-runtime-affect-ibm-spectrum-protect-backup-archive-client-ibm-spectrum-protect-for-space-management-and-ibm-spectrum-protect-for-virtual-environments-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-se-and-eclipse-openj9-affect-db2-recovery-expert-for-linux-unix-and-windows/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-is-genivia-gsoap-affect-ibm-spectrum-protect-for-virtual-environments-data-protection-for-vmware-cve-2020-13575-cve-2020-13578-cve-2020-13574-cve-2020-13577-cv-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-python-affects-ibm-spectrum-protect-plus-microsoft-file-systems-backup-and-restore-cve-2020-25659-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus-allows-weak-cryptographic-algorithms-cve-2021-29694-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-golang-affect-ibm-spectrum-protect-plus-container-backup-and-restore-for-kubernetes-and-openshift-cve-2021-3114-cve-2021-3115-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-and-node-js-affect-ibm-spectrum-protect-plus/
- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in-ibm-spectrum-protect-plus-microsoft-file-systems-backup-and-restore-log-files-cve-2021-20536-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-privilege-escalation-vulnerability-in-ibm-spectrum-protect-backup-archive-client-and-ibm-spectrum-protect-for-virtual-environments-cve-2021-20532-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-libssh-affects-power-hardware-management-console-cve-2020-1730/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openssl-affect-ibm-spectrum-protect-backup-archive-client-netapp-services-cve-2020-1971-cve-2021-23840-cve-2021-23841/
- https://www.ibm.com/blogs/psirt/security-bulletin-xml-external-entity-injection-vulnerability-affects-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2021-20482/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-runtime-affect-ibm-spectrum-protect-backup-archive-client-ibm-spectrum-protect-for-space-management-and-ibm-spectrum-protect-for-virtual-environments/
- https://www.ibm.com/blogs/psirt/security-bulletin-stack-based-buffer-overflow-vulnerabilities-in-ibm-spectrum-protect-back-up-archive-client-and-ibm-spectrum-protect-for-space-management-cve-2021-29672-cve-2021-20546/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-linux-kernel-samba-sudo-python-and-tcmu-runner-affect-ibm-spectrum-protect-plus/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-runtime-affects-ibm-spss-statistics-9/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-is-genivia-gsoap-affect-ibm-spectrum-protect-for-virtual-environments-data-protection-for-vmware-cve-2020-13575-cve-2020-13578-cve-2020-13574-cve-2020-13577-cv/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-python-affects-ibm-spectrum-protect-plus-microsoft-file-systems-backup-and-restore-cve-2020-25659/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus-allows-weak-cryptographic-algorithms-cve-2021-29694/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db2-affect-the-ibm-spectrum-protect-server-cve-2020-4701-cve-2020-4739/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-golang-affect-ibm-spectrum-protect-plus-container-backup-and-restore-for-kubernetes-and-openshift-cve-2021-3114-cve-2021-3115/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-workspace-is-affected-by-a-security-vulnerability/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-server-vulnerabilities-affect-ibm-emptoris-program-management/
- https://www.ibm.com/blogs/psirt/security-bulletin-static-credential-vulnerability-in-ibm-spectrum-protect-plus-cve-2020-4854-3/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-node-js-and-docker-affect-ibm-spectrum-protect-plus/
- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in-ibm-spectrum-protect-plus-microsoft-file-systems-backup-and-restore-log-files-cve-2021-20536/
- https://www.ibm.com/blogs/psirt/security-bulletin-cross-origin-resource-sharing-cors-vulnerability-in-ibm-spectrum-protect-plus-cve-2021-20432/
- https://www.ibm.com/blogs/psirt/security-bulletin-privilege-escalation-vulnerability-in-ibm-spectrum-protect-backup-archive-client-and-ibm-spectrum-protect-for-virtual-environments-cve-2021-20532/
- https://www.ibm.com/blogs/psirt/security-bulletin-series-of-vulnerabilities-in-fasterxml-jackson-databind-affect-apache-solr-shipped-with-ibm-operations-analytics-log-analysis/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-runtime-environments-java-technology-edition-versions-affects-ibm-db2-january-2021-cpu/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-local-authenticated-attacker-to-execute-arbitrary-code-on-the-system-caused-by-dll-search-order-hijacking-vulnerability-in-microsoft-windows-clie-12/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-vulnerabilities-affect-ibm-emptoris-sourcing-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-vulnerabilities-affect-ibm-emptoris-strategic-supply-management-platform-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-myfaces-affects-liberty-for-java-for-ibm-cloud-cve-2021-26296/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-vulnerabilities-affect-ibm-emptoris-contract-management-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-server-vulnerabilities-affect-ibm-emptoris-emptoris-supplier-lifecycle-mgmt/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-solr-affects-ibm-operations-analytics-log-analysis-cve-2017-1000190/