Description
IBM has released security updates to address several vulnerabilities in several products:
- Automation Assets in IBM Cloud Pak for Integration
- Operations Dashboard
- IBM Cloud Pak for Business Automation iFixes
- Direct File Agent
- IBM Security Identity Manager Virtual Appliance
- IBM InfoSphere Master Data Management
- IBM Cloud Pak System
- IBM SAN Volume Controller, IBM Storwize, and IBM FlashSystem
- IBM Cloud Pak System
Threats
Attacker could exploit these vulnerabilities by doing the following:
Execute arbitrary code remotely
Unauthorized disclosure of information
Execute arbitrary code remotely
Unauthorized disclosure of information
Best practice and Recommendations:
The CERT team encourages users to review IBM security advisory and apply the necessary updates:
https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-cloud-pak-for-integration-is-vulnerable-to-remote-code-execution-due-to-ejs-cve-2022-29078/
https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-vulnerable-to-remote-connection-exploit-by-go-cve-2022-30629/
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-are-addressed-with-ibm-cloud-pak-for-business-automation-ifixes-for-july-2022/
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-file-agent-is-vulnerable-to-remote-code-execution-due-to-apache-commons-configuration-cve-2022-33980/
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-manager-virtual-appliance-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-and-other-issues-cve-2021-4104-cve-2021-45046-cve-2021-38951/
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-infosphere-master-data-management-cve-2021-44228/
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-jackson-databind-shipped-with-ibm-cloud-pak-system-2/
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-san-volume-controller-ibm-storwize-and-ibm-flashsystem-shipped-with-cloud-pak-system/
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-affects-cloud-pak-system-cve-2021-4034/
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-vcenter-affect-ibm-cloud-pak-system-cve-2021-21980-cve-2021-22049/
https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-cloud-pak-for-integration-is-vulnerable-to-remote-code-execution-due-to-ejs-cve-2022-29078/
https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-vulnerable-to-remote-connection-exploit-by-go-cve-2022-30629/
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-are-addressed-with-ibm-cloud-pak-for-business-automation-ifixes-for-july-2022/
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-file-agent-is-vulnerable-to-remote-code-execution-due-to-apache-commons-configuration-cve-2022-33980/
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-manager-virtual-appliance-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-and-other-issues-cve-2021-4104-cve-2021-45046-cve-2021-38951/
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-infosphere-master-data-management-cve-2021-44228/
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-jackson-databind-shipped-with-ibm-cloud-pak-system-2/
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-san-volume-controller-ibm-storwize-and-ibm-flashsystem-shipped-with-cloud-pak-system/
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-affects-cloud-pak-system-cve-2021-4034/
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-vcenter-affect-ibm-cloud-pak-system-cve-2021-21980-cve-2021-22049/