wid-sec-w-2026-0871  ·  Published 2026-03-25  ·  Source: BSI CERT-Bund

IBM Operational Decision Manager: Multiple Vulnerabilities

CVSS 9.4 CRITICAL

Risk Summary

Eclipse Jersey: In Eclipse Jersey versions 2.45, 3.0.16 and 3.1.9, a race condition can cause critical SSL configuration to be ignored, such as mutual authentication, custom key/trust stores and other security settings. Under normal circumstances this results in an SSLHandshakeException, but under certain conditions it could lead to unauthorized trust in insecure servers (see PoC).

Apache POI: Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files such as xlsx, docx and pptx. These file formats are essentially zip files, and a malicious user can add zip entries with duplicate names (including the path) to the archive. Products reading such a file may then read different data, because one of the zip entries with the duplicate name is selected over the other, and different products may choose a different entry. This issue affects Apache POI poi-ooxml before 5.4.0. poi-ooxml 5.4.0 adds a check that throws an exception if zip entries with duplicate file names are found in the input file. Users are recommended to upgrade to poi-ooxml 5.4.0, which fixes the issue. Please read https://poi.apache.org/security.html for recommendations on using the POI libraries securely.

Spring Framework: STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.

Affected Spring Products and Versions
Spring Framework:
  * 6.2.0 - 6.2.11
  * 6.1.0 - 6.1.23
  * 6.0.x - 6.0.29
  * 5.3.0 - 5.3.45
  * Older, unsupported versions are also affected.

Mitigation
Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
6.2.x                 6.2.12        OSS
6.1.x                 6.1.24        Commercial (https://enterprise.spring.io/)
6.0.x                 N/A           Out of support (https://spring.io/projects/spring-framework#support)
5.3.x                 5.3.46        Commercial (https://enterprise.spring.io/)

No further mitigation steps are necessary.

Credit
This vulnerability was discovered and responsibly reported by Jannis Kaiser.
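The Apache POI issue above comes down to an archive whose central directory lists the same entry name twice. The following is an added example (not Apache POI or IBM code) of a pre-parse check a consumer can run before handing an OOXML file to a parser: it counts every entry name, rejects the file if any name repeats, and shows the two different payloads such a file carries under one name. The sample archives are constructed inline.

```python
"""Pre-parse check for OOXML (xlsx/docx/pptx) archives whose zip entry
names repeat, the condition poi-ooxml 5.4.0 rejects with an exception.
Added example, not Apache POI code; sample archives are constructed inline."""
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(data: bytes) -> dict:
    """Return {entry name: count} for every name that occurs more than once.

    zipfile keeps every central-directory record in namelist(), so duplicates
    are visible even though name-based lookups silently resolve to one of them.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicates; we count them instead
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            counts = Counter(zf.namelist())
    return {name: n for name, n in counts.items() if n > 1}


def is_safe_ooxml(data: bytes) -> bool:
    """Reject the archive outright if any entry name (path included) repeats."""
    return not duplicate_entries(data)


def entry_contents(data: bytes, name: str) -> list:
    """Every payload stored under `name`, in central-directory order.

    This is the ambiguity the advisory describes: one consumer may take the
    first record, another the last, and they read different data.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [zf.read(info) for info in zf.infolist() if info.filename == name]


def build_sample(duplicate: bool) -> bytes:
    """Constructed minimal xlsx-like archive; with duplicate=True the sheet
    entry is written twice with different cell data."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("xl/worksheets/sheet1.xml", "<sheet>first</sheet>")
            if duplicate:
                zf.writestr("xl/worksheets/sheet1.xml", "<sheet>second</sheet>")
    return buf.getvalue()
```

Running `duplicate_entries(build_sample(True))` reports the repeated sheet path, and `is_safe_ooxml` returns False for it, which is the behaviour to gate an upload or import pipeline on until the parser itself is upgraded.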

Affected Vendors

IBM

Affected Products (10)

IBM · Operational Decision Manager <8.11.0.1 Interim fix 054
IBM · Operational Decision Manager 8.11.0.1 Interim fix 054
IBM · Operational Decision Manager <8.11.1 Interim fix 053
IBM · Operational Decision Manager 8.11.1 Interim fix 053
IBM · Operational Decision Manager <8.12.0.1 Interim fix 037
IBM · Operational Decision Manager 8.12.0.1 Interim fix 037
IBM · Operational Decision Manager <9.0.0.1 Interim fix 022
IBM · Operational Decision Manager 9.0.0.1 Interim fix 022
IBM · Operational Decision Manager <9.5.0.1 Interim fix 005
IBM · Operational Decision Manager 9.5.0.1 Interim fix 005
