IBM Product Line (IBM Security Verify Access Appliance, IBM Personal Communications, etc.) Security Update Recommendations

Overview

We have released security updates to fix vulnerabilities in IBM products. Users of affected products are advised to update to the latest version.

Affected Products

CVE-2024-31871, CVE-2024-31872, CVE-2024-31873

  • IBM Security Verify Access Appliance versions 10.0.0 through 10.0.7 (inclusive)

CVE-2024-25029

  • IBM Personal Communications versions 14.0.6 through 15.0.1 (inclusive)

CVE-2024-31887

  • IBM Security Verify Privilege On-Premises version 11.6.25

CVE-2024-22354

  • IBM Cloud Pak for Applications version 5.1
  • IBM WebSphere Application Server Liberty versions 17.0.0.3 through 24.0.0.3
  • IBM WebSphere Application Server versions 9.0 and 8.5

Resolved Vulnerabilities

Man-in-the-middle vulnerability in IBM Security Verify Access Appliance due to improper certificate validation when deploying Python scripts (CVE-2024-31871)

Man-in-the-middle vulnerability in IBM Security Verify Access Appliance due to improper certificate validation when deploying Python scripts (CVE-2024-31872)

Hardcoded credential exposure in IBM Security Verify Access Appliance, affecting credentials used for the appliance's own inbound authentication (CVE-2024-31873)

Remote code execution and local privilege escalation vulnerability in a Windows service of IBM Personal Communications, allowing command execution with elevated privileges (CVE-2024-25029)

Sensitive information disclosure vulnerability in the SOAP API of IBM Security Verify Privilege (CVE-2024-31887)

XML External Entity (XXE) injection vulnerability in IBM WebSphere Application Server and IBM WebSphere Application Server Liberty (CVE-2024-22354)

Vulnerability Patches

Patches for these vulnerabilities are available in the latest updates. Follow the instructions on the Referenced Sites to update to the latest patched version.

CVE-2024-31871, CVE-2024-31872, CVE-2024-31873

  • Update according to the Remediation/Fixes section of Referenced Site [4]

CVE-2024-25029

  • PCOMM 14.0.7
  • PCOMM 15.0.2

CVE-2024-31887

  • IBM Security Verify Privilege On-Premises version 11.6.26

CVE-2024-22354

  • Update according to the Remediation/Fixes section of Referenced Site [8]
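As an added check that is not part of the original advisory or of any IBM tooling, the following Python transcribes the affected version ranges from the Affected Products section and the fix versions from the Vulnerability Patches section into data, and decides whether a given installed version is listed as affected. It assumes plain dotted numeric version strings, reads each "through X" range as inclusive, and treats a listed fix version as lifting the finding for every version at or above it on the same major.minor branch; IBM fix-pack or interim-fix suffixes are not modeled.

```python
"""Check an installed product version against the ranges in this advisory.

Added example, not IBM's tooling: the rules below are transcribed from the
Affected Products and Vulnerability Patches sections; everything else is an
assumption (plain dotted numeric versions, inclusive ranges, fixes applying
to the same major.minor branch).
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Rule:
    cves: tuple          # CVE ids the rule covers
    product: str
    low: tuple = ()      # inclusive lower bound, e.g. (10, 0, 0)
    high: tuple = ()     # inclusive upper bound
    streams: tuple = ()  # whole release streams, e.g. ((9, 0), (8, 5))
    fixed: tuple = ()    # fix versions from the advisory, one per branch


RULES = (
    Rule(("CVE-2024-31871", "CVE-2024-31872", "CVE-2024-31873"),
         "IBM Security Verify Access Appliance", low=(10, 0, 0), high=(10, 0, 7)),
    Rule(("CVE-2024-25029",), "IBM Personal Communications",
         low=(14, 0, 6), high=(15, 0, 1), fixed=((14, 0, 7), (15, 0, 2))),
    Rule(("CVE-2024-31887",), "IBM Security Verify Privilege On-Premises",
         low=(11, 6, 25), high=(11, 6, 25), fixed=((11, 6, 26),)),
    Rule(("CVE-2024-22354",), "IBM Cloud Pak for Applications", streams=((5, 1),)),
    Rule(("CVE-2024-22354",), "IBM WebSphere Application Server Liberty",
         low=(17, 0, 0, 3), high=(24, 0, 0, 3)),
    Rule(("CVE-2024-22354",), "IBM WebSphere Application Server", streams=((9, 0), (8, 5))),
)


def parse_version(text: str) -> tuple:
    """'24.0.0.3' -> (24, 0, 0, 3); anything non-numeric is rejected."""
    parts = text.strip().split(".")
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: tuple, n: int) -> tuple:
    """Right-pad with zeros so '9.0' and '9.0.0' compare equal."""
    return v + (0,) * (n - len(v))


def in_range(v: tuple, low: tuple, high: tuple) -> bool:
    """Inclusive comparison after padding all three tuples to one length."""
    n = max(len(v), len(low), len(high))
    return _pad(low, n) <= _pad(v, n) <= _pad(high, n)


def is_affected(rule: Rule, version: str) -> bool:
    v = parse_version(version)
    # A fix on the same major.minor branch lifts the finding (assumption).
    for fx in rule.fixed:
        if v[:2] == fx[:2] and _pad(v, len(fx)) >= fx:
            return False
    if rule.streams:
        # Stream rules ("9.0", "8.5") match every release under that prefix.
        return any(v[:len(s)] == s for s in rule.streams)
    return in_range(v, rule.low, rule.high)


def check(product: str, version: str) -> list:
    """CVE ids for which this product/version is listed as affected."""
    hits = []
    for rule in RULES:
        if rule.product == product and is_affected(rule, version):
            hits.extend(rule.cves)
    return hits


if __name__ == "__main__":
    # Constructed inventory lines for demonstration.
    inventory = [
        ("IBM Personal Communications", "14.0.6"),
        ("IBM Personal Communications", "14.0.7"),
        ("IBM WebSphere Application Server Liberty", "24.0.0.3"),
        ("IBM WebSphere Application Server", "8.5.5.24"),
    ]
    for product, version in inventory:
        print(f"{product} {version}: {check(product, version) or 'not listed'}")
```

Feed it your asset inventory's product name and version string; a non-empty list means the advisory lists that version as affected and the corresponding Referenced Site should be consulted for the fix.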

Referenced Sites

[1] CVE-2024-31871 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-31871

[2] CVE-2024-31872 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-31872

[3] CVE-2024-31873 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-31873

[4] Security Bulletin: Multiple Security Vulnerabilities were found in Open Source libraries used to deploy IBM Security Verify Access Appliances (CVE-2024-31871, CVE-2024-31872, CVE-2024-31873, CVE-2024-31874)

https://www.ibm.com/support/pages/node/7147932

[5] CVE-2024-25029 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-25029

[6] Security Bulletin: Issue in RCE in PCOMM Service through unprotected named pipe

https://www.ibm.com/support/pages/node/7147672

[7] Security Bulletin: IBM Security Verify Privilege could allow an unauthenticated actor to obtain sensitive information (CVE-2024-31887)

https://www.ibm.com/support/pages/node/7148438

[8] Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to an XML External Entity (XXE) injection vulnerability (CVE-2024-22354)

https://www.ibm.com/support/pages/node/7148426

[9] Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, which are bundled with IBM Cloud Pak for Applications, are vulnerable to an XML External Entity (XXE) injection vulnerability (CVE-2024-22354)

https://www.ibm.com/support/pages/node/7148516