IBM Updates
Warning Date: 2 March, 2020
Severity Level: High
Warning Number: 2020-981
Target Sector: All
Description:
IBM has released security updates to address vulnerabilities in the following products:
- IBM Security Information Queue (ISIQ)
- NGINX
- IBM Aspera Shares
- Mozilla Firefox
- APM AM
- BAM 1.0
- APM SaaS
- APM on-premise
- ICAM
- TensorFlow
- Watson Machine Learning Community Edition
- IBM PowerAI
- SQLite
- Watson Machine Learning Community Edition
- IBM PowerAI
- ITCAM for Transactions
- OpenSSL
- G8264
- G8316
- G8052
- G8264
- G8332
- G8124/G8124E
- G8264T
- G8124/G8124E
- G8264CS_SI
- G8264CS
- IBM Aspera Faspex
- IBM Aspera Console
- IBM Aspera Orchestrator
- IBM Flex System EN2092 1Gb Ethernet Scalable Switch
- IBM Flex System Fabric SI4093 GbFSIM 10Gb ScSw
- IBM Flex System Fabric EN4093/EN4093R 10Gb Scalable Switch
- IBM Flex System CN4093 10Gb Converged Scalable Switch
- NGINX
- IBM Aspera Shares
- WebSphere Application Server
- Jazz for Service Management
- IBM Operations Analytics Predictive Insights
- IBM Spectrum Control (formerly Tivoli Storage Productivity Center)
- IBM MobileFirst Platform Foundation
- Python
- IBM Operations Analytics Predictive Insights
- netty
- IBM Operations Analytics Predictive Insights
- Spectrum Control
- IBM MQ Console and REST API
- IBM MQ
- IBM Java SDK
- IBM Tivoli System Automation for Multiplatforms
- IBM Spectrum Control (formerly Tivoli Storage Productivity Center)
- Apache ActiveMQ Client
- Jazz for Service Management
- libcurl
- IBM Integrated Management Module II (IMM2) for System x and Flex
- IBM Integrated Management Module II (IMM2) for BladeCenter
- IBM Java Runtime
- Financial Transaction Manager for Check Services for Multi-Platform
- Apache Log4j
- IBM Spectrum Control (formerly Tivoli Storage Productivity Center)
- Websphere Liberty and OpenLiberty
- IBM MobileFirst Platform Foundation
- IBM MobileFirst Foundation
- Node.js
- IBM Spectrum Control (formerly Tivoli Storage Productivity Center)
- TCP
- IBM Integrated Management Module II (IMM2) for System x and Flex
- IBM Integrated Management Module II (IMM2) for BladeCenter
- Apache HTTP Server
- IBM Security SiteProtector System
- WAS Liberty
- IBM MobileFirst Platform Foundation
Threats:
An attacker could exploit these vulnerabilities to cause the following:
- Sensitive information disclosure
- Remote execution of arbitrary code
- Denial of service attack (DoS)
- Application crash
- Buffer overflow
Best practice and Recommendations:
The CERT team encourages users to review the IBM security advisories and apply the necessary updates:
- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in-websphere-application-server-affects-mobilefirst-platform-foundation-cve-2019-4441/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotector-system-is-affected-by-apache-http-server-vulnerabilities/
- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in-was-liberty-affects-ibm-mobilefirst-platform-foundation-cve-2019-4305/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-console-and-rest-api-could-expose-sensitive-information-to-an-attacker-cve-2019-4305/
- https://www.ibm.com/blogs/psirt/security-bulletin-netty-vulnerability-affects-ibm-spectrum-control-formerly-tivoli-storage-productivity-center-cve-2019-16869/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotector-system-is-affected-by-apache-http-server-vulnerabilities-2/
- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vulnerability-in-websphere-application-server-which-is-shipped-with-jazz-for-service-management-cve-2019-4477/
- https://www.ibm.com/blogs/psirt/security-bulletin-mobilefirst-platform-foundation-is-affected-by-websphere-application-server-liberty-is-affected-by-apache-commons-compress-vulnerability-cve-2019-12402/
- https://www.ibm.com/blogs/psirt/security-bulletin-node-js-handlebars-vulnerabilities-affect-ibm-spectrum-control-formerly-tivoli-storage-productivity-center/
- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-liberty-vulnerabilities-affect-ibm-spectrum-control-formerly-tivoli-storage-productivity-center-cve-2019-4663-and-cve-2019-4720/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-management-module-ii-imm2-is-affected-by-vulnerabilities-in-tcp-cve-2019-11477-cve-2019-11478-cve-2019-11479/
- https://www.ibm.com/blogs/psirt/security-bulletin-node-js-vulnerabilities-affect-ibm-spectrum-control-formerly-tivoli-storage-productivity-center/
- https://www.ibm.com/blogs/psirt/security-bulletin-man-in-the-middle-vulnerability-cve-2014-3603-affects-websphere-liberty-and-openliberty-used-by-mobilefirst-platform-foundation/
- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-affects-ibm-spectrum-control-formerly-tivoli-storage-productivity-center-cve-2019-17571/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-sdk-affect-ibm-spectrum-control-formerly-tivoli-storage-productivity-center-cve-2019-2989-cve-2020-2593-and-cve-2019-4732/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-firmware-products-are-affected-by-a-vulnerability-in-openssl-cve-2019-1559/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-console-and-rest-api-are-vulnerable-to-multiple-denial-of-service-attacks-within-http-2-cve-2019-9515-cve-2019-9518-cve-2019-9517-cve-2019-9514-cve-2019-9512-cve-2019/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-queue-contains-hard-coded-credentials-cve-2020-4283/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-python-affects-ibm-operations-analytics-predictive-insights-cve-2019-16935/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-runtime-affect-financial-transaction-manager-for-check-services-cve-2019-2964/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-management-module-ii-imm2-is-affected-by-a-libcurl-security-vulnerability-cve-2019-5482/
- https://www.ibm.com/blogs/psirt/security-bulletin-file-traversal-vulnerability-in-websphere-application-server-admin-console-which-is-shipped-with-jazz-for-service-management-cve-2019-4268/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-console-and-rest-api-could-expose-sensitive-information-to-an-attacker-cve-2019-4441/
- https://www.ibm.com/blogs/psirt/security-bulletin-apache-activemq-client-used-in-ibm-jazz-for-service-management-could-allow-a-remote-attacker-to-conduct-a-man-in-the-middle-attack-cve-2018-11775/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-affects-ibm-operations-analytics-predictive-insights-cve-2020-7238/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-netty-affect-ibm-operations-analytics-predictive-insights-cve-2019-9514-cve-2019-9512-cve-2019-9518-cve-2019-9515/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-netty-affect-ibm-operations-analytics-predictive-insights-cve-2019-20445-cve-2019-20444/
- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-tivoli-system-automation-for-multiplatforms-oct-2019-cpu-cve-2019-2964-cve-2019-2989/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-websphere-application-server-and-websphere-liberty-affects-ibm-operations-analytics-predictive-insights-cve-2019-4441/
- https://www.ibm.com/blogs/psirt/security-bulletin-http-parameter-pollution-and-xss-vulnerability-in-websphere-application-server-admin-console-which-is-shipped-with-jazz-for-service-management-cve-2019-4271/
- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vulnerability-in-websphere-application-server-admin-console-shipped-with-jazz-for-service-managementcve-2019-4270/
- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vulnerability-in-websphere-application-server-which-is-shipped-with-jazz-for-service-management-application-cve-2019-4441/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-shares-is-affected-by-the-following-nginx-vulnerability-cve-2019-13617/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-console-and-rest-api-are-vulnerable-to-a-privileged-escalation-attack-cve-2019-4304/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-affects-ibm-operations-analytics-predictive-insights-cve-2019-16869/
- https://www.ibm.com/blogs/psirt/security-bulletin-aspera-web-applications-faspex-console-orchestrator-are-affected-by-openssl-vulnerabilities-cve-2019-1547-cve-2019-1549-cve-2019-1563/
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-python-affect-ibm-operations-analytics-predictive-insights-cve-2019-9948-cve-2019-9947/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-python-affects-ibm-operations-analytics-predictive-insights-cve-2018-14647/
- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-python-affects-ibm-operations-analytics-predictive-insights-cve-2019-10160/
- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-a-denial-of-service-shipped-with-jazz-for-service-management-cve-2019-4720/
- https://www.ibm.com/blogs/psirt/security-bulletin-aspera-web-shares-application-is-affected-by-nginx-vulnerabilities-cve-2019-12208-cve-2019-12207/
- https://www.ibm.com/blogs/psirt/security-bulletin-addressing-the-sqlite-vulnerability-cve-2019-16168-cve-2019-19242-and-cve-2019-19244/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-products-are-affected-by-the-following-opensll-vulnerability/
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-queue-has-overly-permissive-cors-policy-cve-2020-4292/