IBM security advisory (AV26-413)
# Vulnerability: Multiple Vulnerabilities in IBM Ecosystem (AV26-413)
## CVE Details
*Note: This advisory (AV26-413) acts as a rollup of multiple IBM security bulletins. Specific CVE IDs vary by product, but the advisory highlights critical severity scores.*
- **CVE ID:** Multiple (Refer to IBM Product Security Incident Response for specific identifiers)
- **CVSS Score:** Up to 10.0 (Critical)
- **CWE:** Varies (Includes common weaknesses found in integrated libraries like `lodash-es`)
## Affected Systems
- **Products & Versions:**
  - **Carbon Charts lodash-es:** 0.4.0 to 1.27.3
  - **Decision Optimization for Cloud Pak for Data:** 5.0 to 5.3.1
  - **IBM Application Modernization Accelerator:** 4.0.0 to 4.6.0
  - **IBM Business Automation Workflow (Containers/Traditional):** Multiple versions
  - **IBM Cloud Pak for AIOps:** 4.1.0 to 4.13.0
  - **IBM Cloud Pak for Business Automation:** Multiple versions/models
  - **IBM Industry Solutions Workbench:** Versions prior to 5.0.0.0, 5.1.0.0, and 5.1.1.0
  - **IBM Maximo Application Suite:** Multiple versions
  - **IBM PowerVM Novalink:** Multiple versions
  - **IBM Process Mining:** Version 2.1.1
  - **IBM Rapid Infrastructure Automation:** Version 1.1.5
  - **IBM Rapid Network Automation:** Version 1.1.4
  - **IBM Transformation Advisor:** 2.0.1 to 4.6.0
  - **IBM voice-gateway/media-relay:** 1.0.8.30
  - **IBM voice-gateway/tts-adapter:** 1.0.8.19
  - **IBM watsonx.data intelligence:** Versions prior to 5.2.0, 5.2.1, 5.3.0, and 5.3.1
  - **ICP – Discovery:** 5.0.0 to 5.3.1
- **Configurations:** Default installations of the listed versions are generally targeted.
## Vulnerability Description
This advisory covers a broad range of security flaws across the IBM product suite. Key issues include vulnerabilities in integrated third-party libraries (notably `lodash-es` within Carbon Charts) and internal application logic flaws across Cloud Pak and automation products. These flaws typically encompass remote code execution (RCE), privilege escalation, and sensitive data exposure.
## Exploitation
- **Status:** Vulnerabilities are disclosed; exploit status varies by specific CVE (most are "Not exploited" at time of bulletin).
- **Complexity:** Generally Low to Medium.
- **Attack Vector:** Primarily Network (Remote).
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
IBM has released updates for the affected components. Users are advised to upgrade to the following versions or newer:
- **Industry Solutions Workbench:** 5.0.0.0, 5.1.0.0, or 5.1.1.0
- **watsonx.data intelligence:** 5.2.0, 5.2.1, 5.3.0, or 5.3.1
- **All other products:** Consult the IBM Support portal for the specific maintenance release or "fix pack" associated with the product version.
### Workarounds
No specific workarounds are provided in the aggregate advisory. Standard mitigation involves restricting network access to management consoles and internal APIs until patches are applied.
## Detection
- **Indicators of Compromise:** Monitor for unusual outbound traffic from Cloud Pak environments and unauthorized administrative logins.
- **Detection Methods and Tools:** Use vulnerability scanners updated with the latest IBM plugin sets; check software versions against the affected list provided above.
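
One way to check installed versions against the affected list, as an added example (not code from IBM or from the advisory). The ranges are copied from the entries above that give an explicit range or single version; the function names and the sample inventory are assumptions constructed for illustration. Versions are compared numerically because a plain string comparison would place 4.9.2 above 4.13.0 and miss it.

```python
# Added example: flag installed versions that fall inside the inclusive
# ranges listed under "Affected Systems". Inventory rows are constructed.
from itertools import zip_longest

# (low, high) inclusive, taken from the affected list on this page.
AFFECTED = {
    "IBM Cloud Pak for AIOps": ("4.1.0", "4.13.0"),
    "IBM Transformation Advisor": ("2.0.1", "4.6.0"),
    "IBM Application Modernization Accelerator": ("4.0.0", "4.6.0"),
    "Decision Optimization for Cloud Pak for Data": ("5.0", "5.3.1"),
    "IBM Process Mining": ("2.1.1", "2.1.1"),
    "IBM voice-gateway/media-relay": ("1.0.8.30", "1.0.8.30"),
}

def parse(version):
    """Turn '4.13.0' into (4, 13, 0); reject non-numeric components."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in parts)

def compare(a, b):
    """Numeric compare with zero padding, so 5.0 == 5.0.0 and 4.13 > 4.6."""
    for x, y in zip_longest(parse(a), parse(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def status(product, version):
    """Return 'affected', 'not-in-range', 'unknown-product' or 'unparsable'."""
    if product not in AFFECTED:
        return "unknown-product"
    low, high = AFFECTED[product]
    try:
        inside = compare(low, version) <= 0 <= compare(high, version)
    except ValueError:
        return "unparsable"  # e.g. suffixed builds: review these by hand
    return "affected" if inside else "not-in-range"

def audit(inventory):
    """Map (product, version) pairs to (product, version, status) rows."""
    return [(p, v, status(p, v)) for p, v in inventory]

if __name__ == "__main__":
    sample = [("IBM Cloud Pak for AIOps", "4.9.2"),      # constructed
              ("IBM Process Mining", "2.1.2"),           # constructed
              ("IBM Transformation Advisor", "4.6.0-ifix1")]
    for row in audit(sample):
        print(*row, sep="\t")
```

Products the advisory lists only as "Multiple versions" are deliberately absent from the table, so an `unknown-product` or `unparsable` result calls for a manual check against the vendor bulletin, not a pass.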
## References
- **Vendor advisories:** hxxps[://]www[.]ibm[.]com/support/pages/bulletin/
- **Canadian Centre for Cyber Security:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/ibm-security-advisory-av26-413