IBM issues patches for Java Runtime, Planning Analytics Workspace, Kenexa LMS

The worst bugs could lead to malicious code execution and application crashes.
Written by Charlie Osborne, Contributor

IBM has issued security patches designed to resolve high- and medium-severity bugs impacting the tech giant's enterprise software solutions. 

This week, the tech giant published a set of security advisories laying out fixes for vulnerabilities that impact IBM Java Runtime, IBM Planning Analytics Workspace, and IBM Kenexa LMS On Premise. 

The first advisory addresses CVE-2020-14782 and CVE-2020-27221, two security flaws in IBM Runtime Environment Java 7 and 8, which are used by IBM Integration Designer -- enterprise software used to integrate data and applications into existing business processes -- in IBM's Business Automation Workflow and Business Process Manager software suites.

CVE-2020-14782 is a bug in Java SE's library component that could allow attackers to compromise Java SE via multiple protocols, but it can only be triggered in a sandbox environment and so is considered difficult to exploit.

CVE-2020-27221, however, is of far more concern and has been issued a CVSS base score of 9.8, a critical rating. This stack-based buffer overflow vulnerability relates to Eclipse OpenJ9 and could be used by remote attackers to execute arbitrary code or cause an application crash. 

The second advisory focuses on IBM Planning Analytics Workspace, a component of Planning Analytics, the firm's collaboration and management planning software. In total, five vulnerabilities that impact the software have been resolved, including a Node.js HTTP request smuggling issue (CVE-2020-8201), CVE-2020-8251 -- a Node.js denial of service flaw -- and a Node.js buffer overflow bug, CVE-2020-8252, that could be exploited by attackers to execute arbitrary code. 

Two further vulnerabilities have also been tackled: a data integrity weakness in FasterXML Jackson Databind that can be triggered via XML external entity (XXE) attacks (CVE-2020-25649), and CVE-2020-4953, a problem in Workspace that could allow remote -- but authenticated -- attackers to steal sensitive data exposed in HTTP responses.

IBM also posted a security advisory describing vulnerabilities affecting IBM Kenexa LMS On Premise, an enterprise learning management system. In total, five low-impact bugs have been patched, all of which relate to the use of Java SE and could lead to problems including denial of service and potential data theft if combined with other attack vectors. 

Last week, IBM issued security bulletins for IBM Spectrum Symphony 7.3.1 and IBM Spectrum Conductor 2.5.0, including upgrades to third-party libraries that are susceptible to a wide range of vulnerabilities.
