IBM Security Bulletins
IBM uses various methods to communicate security vulnerability information to customers. A Security Bulletin is used when publicly disclosing security vulnerabilities discovered in IBM offerings. Alternative tools and processes are used where appropriate (e.g. for z Systems, managed and cloud-based services) when targeted or discrete communication with entitled customers is required. To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations.
Security Bulletins notify customers about one or more vulnerabilities. Customers are responsible for assessing the impact of any actual or potential security vulnerability in the context of their environment.
Subscribing to Security Bulletins and Other Notifications
Most Security Bulletins are accessible via the IBM Support Portal. Subscribe to My Notifications to be alerted to the release or update of a Security Bulletin.
In addition to My Notifications, you can also subscribe to the RSS feed for the IBM Product Security Incident Response (PSIRT) Blog: https://www.ibm.com/blogs/psirt/.
z Systems customers should subscribe to the Systems Security Portal to receive information about security and system integrity APARs, their associated fixes, and critical IBM Systems security and integrity service updates.
Bluemix customers should monitor the Bluemix console ( https://console.ng.bluemix.net/status/ ) for additional important product alerts.
IBM Security Bulletin Structure and Content
IBM Security Bulletins follow a standard format and include elements that identify the type of vulnerability and its potential impact. Given their sensitive nature, Security Bulletins do not include detailed vulnerability exploitation information. The structure of an IBM Security Bulletin is defined below.
Title
To aid in identification, the title of the security bulletin includes the phrase “Security Bulletin:” followed by a brief statement that includes information such as the nature, or type, of vulnerability and the affected IBM Offering Name. It may also include one or more associated CVE IDs. For example:
Security Bulletin: Unauthorized access vulnerability affects $Offering (CVE-xxxx-xxxx)
Security Bulletins: Multiple SNMP vulnerabilities affect $Offering
Summary
The security bulletin summary provides general information about the nature of the vulnerability.
Vulnerability Details
The vulnerability details section provides a list of Common Vulnerabilities and Exposures (CVE) identifiers and descriptions. CVE IDs are standardized identifiers for publicly known vulnerabilities and exposures, so the same issue can be tracked across vendors, scanners and advisories. Additional CVE information is available via the CVE FAQs.
The vulnerability details section also includes the Common Vulnerability Scoring System (CVSS) details associated with each CVE. IBM uses CVSS as its standard for communicating the impact of security vulnerabilities in IBM products and solutions. CVSS is an open standard for assessing the severity of computer system security vulnerabilities: it derives a numeric score, representing how much attention the vulnerability warrants, from a set of metrics. The CVSS Base Score represents the intrinsic characteristics of the vulnerability that are constant over time and across user environments; temporal and environmental metrics adjust it for the current state of exploits and fixes and for a specific deployment. Additional information is available in the CVSS v3.0 User Guide.
A CVSS score is assigned to each CVE by IBM and included in an IBM X-Force Vulnerability Report available via the IBM X-Force Exchange platform (see the X-Force Exchange FAQ).
CVE and CVSS details information is presented in the following format:
CVEID: CVE-XXXX-XXXX (where XXXX-XXXX represents an assigned CVE ID)
Description: (high-level description of the vulnerability)
CVSS Base Score: X.X
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/XXXXX for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X) for CVSS v2, or CVSS Vector: (CVSS:3.0/AV:X/AC:X/PR:X/UI:X/S:X/C:X/I:X/A:X) for CVSS v3.0
The information represented by this format is as follows:
CVEID: The assigned CVE identifier, presented as a hyperlink to the associated MITRE CVE information web page.
Description: A high level description of the vulnerability. IBM does not intend to provide vulnerability details that could enable someone to craft an exploit of the vulnerability.
CVSS Base Score: The CVSS base score assigned to the CVE by IBM. The score range is 0.0 to 10.0.
CVSS Temporal Score: The temporal score can change over the lifetime of the vulnerability as exploits are developed and disclosed and as mitigations and fixes are made available. The IBM X-Force Exchange Vulnerability Report link includes the current temporal score information.
CVSS Environmental Score: The environmental score adjusts the base and current temporal score to reflect the severity of a vulnerability in the context of how the vulnerable product or software is actually deployed (for example, how many affected systems exist and how sensitive the data they hold is). Because it is specific to each customer's environment, IBM leaves it Undefined in the bulletin. Customers can evaluate the impact of the vulnerability in their environments by accessing the links in the References section of the Security Bulletin.
CVSS Vector: The CVSS Vector is a representation of the metric values used to score the vulnerability. The CVSS 2 Calculator and the CVSS 3 Calculator provide details regarding the meaning of the vector string metrics.
Affected products and versions
The affected products and versions section identifies the names of affected IBM Offerings and the versions of those offerings which are affected by the vulnerabilities identified in the security bulletin.
Remediation/Fixes
The remediation/fixes section identifies associated fixes, by affected version, as well as how and where to obtain those fixes.
Workarounds and Mitigations
The workarounds and mitigations section identifies usage or configuration changes that may be available in place of fix installation.
References
The references section identifies additional resources that may be useful when evaluating the security bulletin.
Related Information
The related information section identifies additional, related information resources that may be useful when evaluating the security bulletin.
Change History
The change history section summarizes publication and update information associated with the security bulletin. In the event that you receive multiple notifications for a bulletin, re-review the bulletin to determine if the new updates are applicable to your environment.