IBM issues patches for Java Runtime, Planning Analytics Workspace, Kenexa LMS

IBM has issued security patches designed to resolve high- and medium-severity bugs impacting the tech giant's enterprise software solutions. 

This week, the tech giant published a set of security advisories laying out fixes for vulnerabilities that impact IBM Java Runtime, IBM Planning Analytics Workspace, and IBM Kenexa LMS On Premise. 

The first advisory addresses CVE-2020-14782 and CVE-2020-27221, two security flaws in IBM Runtime Environment Java 7 and 8 which are used by IBM Integration Designer -- enterprise software used to integrate data and applications into existing business processes -- in IBM's Business Automation Workflow and Business Process Manager software suites. 

CVE-2020-14782 is a bug in Java SE's library component that could allow attackers to compromise Java SE via multiple protocols, but this takes a sandbox environment to trigger and so is considered difficult to exploit. 

CVE-2020-27221, however, is of far more concern and has been issued a CVSS base score of 9.8, a critical rating. This stack-based buffer overflow vulnerability relates to Eclipse OpenJ9 and could be used by remote attackers to execute arbitrary code or cause an application crash. 

The second advisory focuses on IBM Planning Analytics Workspace, a component of Planning Analytics, the firm's collaboration and management planning software. In total, five vulnerabilities that impact the software have been resolved, including a Node.js HTTP request smuggling issue (CVE-2020-8201), CVE-2020-8251 -- a Node.js denial of service flaw -- and a Node.js buffer overflow bug, CVE-2020-8252, that could be exploited by attackers to execute arbitrary code. 

Two further vulnerabilities, a data integrity weakness that can be triggered via XML external entity (XXE) attacks in FasterXML Jackson Databind (CVE-2020-25649), and CVE-2020-4953, a problem in Workspace that could allow remote -- but authenticated -- attackers to steal sensitive data exposed in HTTP responses -- have also been tackled.

IBM also posted a security advisory describing vulnerabilities affecting IBM Kenexa LMS On Premise, an enterprise learning management system. In total, five low-impact bugs have been patched, all of which relate to the use of Java SE and could lead to problems including denial of service and potential data theft if combined with other attack vectors. 

Last week, IBM issued security bulletins for IBM Spectrum Symphony 7.3.1 and IBM Spectrum Conductor 2.5.0 and upgrades to third-party libraries that are susceptible to a wide range of vulnerabilities.

Previous and related coverage

• Masslogger Trojan reinvented in quest to steal Outlook, Chrome credentials
  
• Stored XSS bug in Apple iCloud domain disclosed by bug bounty hunter
  
• Chinese hackers cloned attack tool belonging to NSA's Equation Group
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0