Buffer overflow in ncurses 5.0, and the ncurses4 compatibility package as used in Red Hat Linux, allows local users to gain privileges, related to "routines for moving the physical cursor and scrolling."

Skip to content

Red Hat

*   *   Customer support
    *   Documentation
    *   Support cases
    *   Subscription management
    
    *   Partner login
    *   Partner support
    *   Become a partner
    
    *   Red Hat Marketplace
    *   Red Hat Ecosystem Catalog
    *   Red Hat Store
    *   Contact sales
    *   Start a trial
    
    *   For developers
    *   Hybrid cloud learning hub
    *   Interactive labs
    *   Training and certification
    *   Learning community
    *   Red Hat TV
    
    *   Ansible
    *   For open source enthusiasts
    *   For system administrators
    *   For IT leaders
    *   For architects
    

Welcome,

Log in to your Red Hat account

Log in

Your Red Hat account gives you access to your member profile and preferences, and the following services based on your customer status:

*   Customer Portal
*   User management

*   Certification Central

Register now

Not registered yet? Here are a few reasons why you should be:

*   Browse Knowledgebase articles, manage support cases and subscriptions, download updates, and more from one place.
*   View users in your organization, and edit their account information, preferences, and permissions.
*   Manage your Red Hat certifications, view exam history, and download certification-related logos and documents.

For your security, if you're on a public computer and have finished using your Red Hat services, please be sure to log out.

Log out

Account Log in

Red Hat

*   Products
*   Solutions
*   Training & services
*   Resources
*   Partners
*   About

**Red Hat Support****Go beyond support by engaging with our experts**

Our teams collaborate with you to ensure you accomplish your goals with Red Hat solutions. The relationship we build with you is designed to provide you with the tools and resources you need to find success on your IT journey.

**Configured for your success**

We develop a holistic understanding of your experience as a customer by ensuring our support and engineering teams work together.

Our support team works hand in hand with the best engineers in the industry to quickly turn customer feedback into product improvements. This direct line of communication allows us to hone in on proactive fixes that can impact your bottom line.

**Find the right level of support**

We have different tiers of support designed to meet your unique needs.

**Self-support**

**Standard**

**Premium**

Access to Red Hat products

Access to our knowledgebase and tools in our  
award-winning Customer Portal

Access to support engineers during standard business hours

Access to support engineers 24x7 for high-severity issues

We also feature specialized support options that can be tailored to the unique needs of companies of all sizes and industries. The Red Hat® Enhanced Solution Support offering reduces downtime and boosts confidence through access to senior level engineers, as well as resolution and restoration SLAs—helping you stay up and running as you innovate, scale, and deploy. Our engineers help restore your operations quickly and accelerate the path to final resolution, identifying the root cause which helps protect against recurrences in the future. Enhanced Solution Support engineers, who are already familiar with your environment, will be there to assist with critical issues in production environments so that you can consistently deliver the cloud services your customers demand. This offering is available for Red Hat OpenShift® and Red Hat OpenStack® Platform customers.

**Personalized support**

Connect with a technical adviser for collaborative planning and specialized guidance. Our Technical Account Managers help you streamline deployments, resolve issues, and shape your technology strategy to meet your toughest business challenges.

Explore Technical Account Management

**Award winners since 2011**

We’ve evolved the traditional software subscription model, combining the best elements of our services to exceed customer expectations. The Association of Support Professionals has honored Red Hat’s Customer Portal as one of “The Top Ten Best Support Websites” for 9 years running.

See why the Customer Portal keeps earning industry recognition

**What they're saying**

> We have found the support from Red Hat to be exemplary. Whenever we need anything from them, they have given it … Red Hat is now our backbone. Our business cannot run if Red Hat is not there.

> We cannot afford the service to go down. Too many people depend on it. Red Hat is a trusted vendor. Our customers can have faith in us...If there is an issue, Red Hat support means it can be addressed quickly.

> I like the fact that they really dig into things and then provide answers. As the single Linux guy, I kind of need that second admin next to me sometimes to say, "Hey, what about this?" and I am able to do that through the portal. I get my questions answered and trouble tickets resolved.

**Check out our support channels**

**Have questions?**

CVE-2002-0062: Support

Google has announced that it's rolling out a new set of features to its Chrome browser that gives users more control over their data when surfing the internet and protects against online threats.
"With the newest version of Chrome, you can take advantage of our upgraded Safety Check, opt out of unwanted website notifications more easily and grant select permissions to a site for one time only,"

Browser Security / Privacy

Google has announced that it's rolling out a new set of features to its Chrome browser that gives users more control over their data when surfing the internet and protects them against online threats.

"With the newest version of Chrome, you can take advantage of our upgraded Safety Check, opt out of unwanted website notifications more easily and grant select permissions to a site for one time only," the tech giant said.

The improvements to Safety Check allow it to run automatically in the background, notifying users of the actions it has taken, such as revoking permissions for websites they no longer visit, and flagging potentially unwanted notifications.

It's also designed to notify users of security issues that need to be addressed, while automatically revoking notification permissions from suspicious sites identified by Google Safe Browsing.

"On Desktop, Safety Check will continue to notify you if you have any Chrome extensions installed that may pose a security risk to you, then bring you to the extensions page and show a summary panel with quick controls to remove them," Andrew Kamau, product manager of Chrome, said,

Safety Check, besides offering users the option to enable Google Safe Browsing protections, is also capable of warning if a username or password stored in the Google Password Manager was involved in a data breach, the search and advertising company added.

Some of the other key updates include the ability to unsubscribe from unwanted website notifications directly on the notifications drawer on both Pixel and Android devices, as well as grant one-time permissions for Chrome on Android and Desktop.

"With this feature, you can choose to grant select permissions — such as access to your camera or mic — to a site for one time only, helping you better manage your online privacy," Kamau said. "Once you leave the site, Chrome will revoke the permissions. The site won't be able to use those permissions until you explicitly grant them again."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chrome Introduces One-Time Permissions and Enhanced Safety Check for Safer Browsing

"IBM InfoSphere Information Server 11.7 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 223598."

  

**Summary**

A potential CSV Injection in IBM InfoSphere Information Server was addressed.

**Vulnerability Details**

**CVEID:**   CVE-2022-22425  
**DESCRIPTION:**   IBM InfoSphere Information Server is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents.  
CVSS Base score: 7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223598 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

InfoSphere Information Server

11.7

**Remediation/Fixes**

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

24 Oct 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSZJPZ","label":"InfoSphere Information Server"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}\],"Version":"11.7","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2022-22425: Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to CSV Injection (CVE-2022-22425)

IBM InfoSphere DataStage 11.7 is vulnerable to a command injection vulnerability due to improper neutralization of special elements. IBM X-Force ID: 236687.

  

**Summary**

A command injection vulnerability in IBM InfoSphere DataStage was addressed. \[CVE-2022-40752\]

**Vulnerability Details**

**CVEID:**   CVE-2022-40752  
**DESCRIPTION:**   IBM InfoSphere DataStage is vulnerable to a command injection vulnerability due to improper neutralization of special elements.  
CVSS Base score: 9.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236687 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

InfoSphere Information Server, InfoSphere Information Server on Cloud

11.7

**Remediation/Fixes**

IBM strongly suggests the following:

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

02 November 2022: Initial Publication10 November 2022: Parallel Engine linux64 patch published16 November 2022: Published Parallel Engine patches for remaining platforms

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSZJPZ","label":"InfoSphere Information Server"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"}\],"Version":"11.7","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2022-40752: Security Bulletin: IBM InfoSphere DataStage is vulnerable to a command injection vulnerability [CVE-2022-40752]

IBM CICS TX 11.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 229463.

  

**Summary**

IBM CICS TX Advanced could allow an attacker to decrypt highly sensitive information. The fix removes this vulnerability (CVE-2022-34319) from IBM CICS TX Advanced.

**Vulnerability Details**

**CVEID:**   CVE-2022-34319  
**DESCRIPTION:**   IBM CICS TX uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229463 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM CICS TX Advanced

11.1

  

**Remediation/Fixes**

IBM strongly recommends addressing the vulnerability by downloading and applying the interim fixes from the table below  

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

31 Oct 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSLSSK3","label":"CICS TX Advanced"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"11.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}\]

CVE-2022-34319: IBM CICS TX Advanced is vulnerable to an attacker decrypting highly sensitive information (CVE-2022-34319).

IBM CICS TX 11.7 could allow an attacker to obtain sensitive information from HTTP response headers. IBM X-Force ID: 229467.

  

**Summary**

IBM CICS TX Advanced could allow an attacker to obtain sensitive information from HTTP response headers. The fix removes this vulnerability (CVE-2022-34329) from IBM CICS TX Advanced.

**Vulnerability Details**

**CVEID:**   CVE-2022-34329  
**DESCRIPTION:**   IBM CICS TX could allow an attacker to obtain sensitive information from HTTP response headers.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229467 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM CICS TX Advanced

11.1

  

**Remediation/Fixes**

IBM strongly recommends addressing the vulnerability by downloading and applying the interim fixes from the table below  

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

31 Oct 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSLSSK3","label":"CICS TX Advanced"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"11.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}\]

CVE-2022-34329: Security Bulletin: IBM CICS TX Advanced could allow an attacker to obtain sensitive information from HTTP response headers (CVE-2022-34329).

IBM CICS TX 11.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 229464.

  

**Summary**

IBM CICS TX Advanced could allow an attack because it uses weak crytopgraphic algorithms. The fix removes this vulnerability (CVE-2022-34320) from IBM CICS TX Advanced.

**Vulnerability Details**

**CVEID:**   CVE-2022-34320  
**DESCRIPTION:**   IBM CICS TX uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229464 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM CICS TX Advanced

11.1

  

**Remediation/Fixes**

IBM strongly recommends addressing the vulnerability by downloading and applying the interim fixes from the table below  

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

31 Oct 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSLSSK3","label":"CICS TX Advanced"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"11.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}\]

CVE-2022-34320: IBM CICS TX Advanced is vulnerable to attack because it uses weak crytopgraphic algorithms (CVE-2022-34320).

IBM CICS TX 11.1 could disclose sensitive information to a local user due to insecure permission settings. IBM X-Force ID: 229450.

  

**Summary**

IBM CICS TX Standard could allow sensitive information to be disclosed due to insecure permission settings. The fix removes this vulnerability (CVE-2022-34314) from IBM CICS TX Standard.

**Vulnerability Details**

**CVEID:**   CVE-2022-34314  
**DESCRIPTION:**   IBM CICS TX could disclose sensitive information to a local user due to insecure permission settings.  
CVSS Base score: 4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229450 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM CICS TX Standard

All

  

**Remediation/Fixes**

         Product 

        Version 

         Defect 

         Remediation / First Fix 

          IBM CICS TX Standard  

11.1

127954

Download fix here

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

31 Oct 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSL1TD","label":"CICS TX Standard"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"All","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}\]

CVE-2022-34314: IBM CICS TX Standard is vulnerable to allowing sensitive information to be disclosed due to insecure permission settings (CVE-2022-34314).

IBM Sterling Partner Engagement Manager 2.0 allows encrypted storage of client data to be stored locally which can be read by another user on the system. IBM X-Force ID: 230424.

  

**Summary**

IBM Sterling Partner Engagement Manager has addressed a client HTML5 vulnerability that allows encrypted storage of client data to be stored locally which can be read by another user on the system.

**Vulnerability Details**

**CVEID:**   CVE-2022-34354  
**DESCRIPTION:**   IBM Sterling Partner Engagement Manager allows encrypted storage of client data to be stored locally which can be read by another user on the system.  
CVSS Base score: 4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230424 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

Partner Engagement Manager

2.0

  

**Remediation/Fixes**

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

14 Nov 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSKPRS","label":"Partner Engagement Manager"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"6.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

CVE-2022-34354: Security Bulletin: IBM Partner Engagement Manager is vulnerable to sensitive data exposure (CVE-2022-34354)

IBM Engineering Lifecycle Optimization - Publishing 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could disclose sensitive information in a SQL error message that could aid in further attacks against the system. IBM X-Force ID: 213726.

  

**Summary**

UI validation to Folder Name field is missing in IBM Engineering Lifecycle Optimization - Publishing Document Builder, resulting in display of SQL error to UI. This indicates the presence of SQL injection vulnerability. (CVE-2021-39018)

**Vulnerability Details**

**CVEID:**   CVE-2021-39018  
**DESCRIPTION:**   IBM Engineering Lifecycle Optimization - Publishing could disclose sensitive information in a SQL error message that could aid in further attacks against the system.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/213726 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

PUB

7.0.1

PUB

7.0.2

RPE

6.0.6

RPE

6.0.6.1

PUB

7.0

  

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

08 Jul 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSUBFB","label":"IBM Engineering Lifecycle Optimization - Publishing"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}\],"Version":"6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

Search

lenovo warranty check/lookup | check warranty status | lenovo support us