IBM has recently released multiple security bulletins to address vulnerabilities in its products and various dependencies. Some of the fixed flaws are labelled Critical. We recommend applying the latest updates as soon as possible.
IBM received nine updates for vulnerabilities in OpenSSL, HTTP Server, and WebSphere Liberty components.
One of the updates addresses a critical vulnerability in the OpenSSL API implementation on IBM i. Tracked as CVE-2021-3711, the flaw could allow a remote threat actor to overflow a buffer by sending specially-crafted SM2 content. They could then execute arbitrary code on the system or cause the application to crash. The flaw received a CVSS Base score of 9.8 out of 10.
This and other issues can be fixed by applying the latest cumulative Program Temporary Fix (PTF) packages to IBM i. Release 7.1 is fixed with PTF SI77181, and Release 7.2, 7.3, and 7.4, with PTF SI77182. This PTF contains new fixes from the current service pack, as well as those from all previously released service packs.
Cloud Pak for Security (CP4S) versions 220.127.116.11 and earlier received fixes for 99 CVEs, with seven of them assigned a CVSS Base score of 9.8; these are tracked as CVE-2021-3177, CVE-2020-36329, CVE-2018-25011, CVE-2020-36328, CVE-2020-25712, CVE-2020-10878, and CVE-2020-10543. Updating to the CP4S 18.104.22.168 fixes these issues.
IBM QRadar Azure marketplace images are affected by a critical flaw in the Microsoft Azure Open Management Infrastructure RPM. Tracked as CVE-2021-38647, it could allow an unauthenticated, remote threat actor, to execute arbitrary code on the system. This CVE has CVSS Base of 9.8. The affected IBM QRadar Azure marketplace images are 7.3.0 to 7.3.3 Patch 9, and 7.4.0 to 7.4.3 Patch 2.
IBM Cloud Pak System is affected by two vulnerabilities in VMware vCenter plugin endpoints. One of them received a CVSS Base score of 9.8 and is tracked as CVE-2021-21972. It could allow a remote threat actor to execute arbitrary code on the affected system. There is no current update, and IBM recommends applying a workaround by disabling the plugin's endpoint.
Follow IBM's guidance and ensure that you applied the updates for the affected products.