IBM has released patches to fix several critical vulnerabilities across its product line. These patches fix security issues in popular enterprise solutions, including Cloud Pak for Security, QRadar Suite Software, and Db2 database systems.
Session Invalidation Vulnerability
The first vulnerability, identified as CVE-2022-38382, affects IBM Cloud Pak for Security (CP4S) and IBM QRadar Suite Software. It was discovered that these products do not invalidate sessions after logout, allowing an authenticated user to obtain sensitive information. This vulnerability could have serious consequences, including unauthorized access to sensitive data. IBM has since fixed this issue, ensuring that sessions are properly invalidated after logout.
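The weakness behind CVE-2022-38382 is a logout that only tells the browser to drop its cookie while the server-side session record stays valid. The following is an added illustration, not IBM's code and not derived from the affected products: a minimal in-memory session store with a hypothetical `SessionStore` class, contrasting a client-only logout with one that destroys the server-side record. Token format, TTL and the `demo()` helper are all constructed for the example.

```python
"""Server-side session store whose logout actually invalidates the session.

Added example for illustration only; SessionStore, login, logout and demo
are hypothetical names, not an API from IBM Cloud Pak for Security or QRadar.
"""
import secrets
import time


class SessionStore:
    def __init__(self, ttl_seconds=3600):
        # token -> {"user": <name>, "expires": <unix time>}
        self._sessions = {}
        self._ttl = ttl_seconds

    def login(self, user):
        # Issue an unguessable token and record it server-side.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "expires": time.time() + self._ttl}
        return token

    def resolve(self, token):
        # Map a presented token back to a user; expired or unknown tokens yield None.
        record = self._sessions.get(token)
        if record is None:
            return None
        if record["expires"] < time.time():
            del self._sessions[token]
            return None
        return record["user"]

    def logout_client_only(self, token):
        # Weak pattern (the class of defect described above): the browser is told
        # to discard its cookie, but the server-side record is left untouched, so
        # the token keeps resolving to the user until its TTL runs out.
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout(self, token):
        # Correct pattern: remove the server-side record first, then clear the
        # cookie. Any later use of the token fails at resolve().
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0"}


def demo():
    """Return (token still valid after weak logout, token dead after real logout)."""
    store = SessionStore()
    t_weak = store.login("alice")
    store.logout_client_only(t_weak)
    still_valid = store.resolve(t_weak) == "alice"

    t_good = store.login("bob")
    store.logout(t_good)
    invalidated = store.resolve(t_good) is None
    return still_valid, invalidated


if __name__ == "__main__":
    print("weak logout leaves token usable:", demo()[0])
    print("real logout invalidates token: ", demo()[1])
```

The check a reviewer wants is the second one: after `logout()`, presenting the old token must yield no user. The same principle applies to any stateless token scheme, where a logout needs a server-side revocation list since the token itself cannot be "deleted".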
Sensitive Information Disclosure Vulnerability
The second vulnerability, CVE-2022-38710, affects IBM Robotic Process Automation. It was found that this product could disclose sensitive version information to an unauthorized control sphere, potentially aiding in further attacks against the system. IBM has addressed this issue by ensuring that sensitive information is properly protected.
Improper Data Disclosure Vulnerability
The third vulnerability, CVE-2024-28799, affects IBM QRadar Suite Software and IBM Cloud Pak for Security. It was discovered that these products display sensitive data improperly to local privileged users in non-default configurations, potentially leading to the unexpected disclosure of this information. IBM has fixed this issue by ensuring that sensitive data is properly protected and only accessible to authorized users.
Denial of Service Vulnerability
The fourth vulnerability, CVE-2024-31882, affects IBM Db2 for Linux, UNIX and Windows. It was found that this product is vulnerable to denial of service attacks under specific non-default configurations. IBM has addressed this issue by implementing measures to prevent denial of service attacks.
Open Redirect Vulnerability
The fifth vulnerability, CVE-2024-35133, affects IBM Security Verify Access. It was discovered that this product is vulnerable to open redirect attacks, which could allow an attacker to conduct phishing attacks and obtain sensitive information. IBM has fixed this issue by implementing measures to prevent open redirect attacks.
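Open redirects of the kind described for CVE-2024-35133 arise when a "return to" parameter is passed straight into a Location header. As an added example (not IBM Security Verify Access code), the hypothetical `safe_redirect_target()` below accepts only same-origin relative paths or absolute https URLs on a constructed allowlist, and falls back to a safe default for everything else, including the protocol-relative and backslash forms that browsers interpret differently from a naive parser.

```python
"""Validate a redirect target before emitting a 302.

Added example, not IBM's code. safe_redirect_target and ALLOWED_HOSTS are
hypothetical; the allowlisted host is constructed for the illustration.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"portal.example.com"}  # constructed allowlist


def safe_redirect_target(target, fallback="/", allowed_hosts=ALLOWED_HOSTS):
    """Return `target` if it is safe to redirect to, otherwise `fallback`."""
    if not target:
        return fallback

    # Control characters and whitespace can split or confuse headers; browsers
    # treat a backslash like a slash, so "/\\evil.example" would leave the site.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target) or "\\" in target:
        return fallback

    # Case 1: same-origin relative path. Exactly one leading slash; "//host"
    # and "///host" are both resolved by browsers as a different host.
    if target.startswith("/"):
        return fallback if target.startswith("//") else target

    # Case 2: absolute https URL whose host is on the allowlist. Reject
    # userinfo tricks such as "https://portal.example.com@evil.example/".
    parts = urlsplit(target)
    try:
        port = parts.port
    except ValueError:
        return fallback
    if (
        parts.scheme == "https"
        and parts.username is None
        and parts.password is None
        and parts.hostname in allowed_hosts
        and port in (None, 443)
    ):
        return target

    # Anything else (other schemes, unknown hosts, bare words) is refused.
    return fallback


if __name__ == "__main__":
    for candidate in ["/account", "//evil.example/", "https://portal.example.com/home",
                      "https://evil.example/", "javascript:alert(1)"]:
        print(f"{candidate!r:40} -> {safe_redirect_target(candidate)!r}")
```

The allowlist is deliberately an exact host match rather than a suffix check; a suffix check on ".example.com" would accept "portal.example.com.evil.example", which is a common way such validators are bypassed.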
Denial of Service Vulnerability
The sixth and final vulnerability, CVE-2024-35136, affects IBM Db2 for Linux, UNIX and Windows federated server. It was found that this product is vulnerable to denial of service attacks under certain non-default conditions. IBM has addressed this issue by implementing measures to prevent denial of service attacks.