wid-sec-w-2026-0871 · Published 2026-03-25 · Source: BSI CERT-Bund
IBM Operational Decision Manager: Multiple Vulnerabilities
CVSS 9.4 (CRITICAL)
Risk Summary
In Eclipse Jersey versions 2.45, 3.0.16 and 3.1.9, a race condition can cause critical SSL configurations to be ignored, such as mutual authentication, custom key/trust stores, and other security settings. Under normal circumstances this issue results in an SSLHandshakeException, but under certain conditions it could lead to unauthorized trust in insecure servers (see PoC).
CVEs (3)
Affected Vendors
IBM
Affected Products (10)
IBM · Operational Decision Manager · <8.11.0.1 Interim fix 054
IBM · Operational Decision Manager · 8.11.0.1 Interim fix 054
IBM · Operational Decision Manager · <8.11.1 Interim fix 053
IBM · Operational Decision Manager · 8.11.1 Interim fix 053
IBM · Operational Decision Manager · <8.12.0.1 Interim fix 037
IBM · Operational Decision Manager · 8.12.0.1 Interim fix 037
IBM · Operational Decision Manager · <9.0.0.1 Interim fix 022
IBM · Operational Decision Manager · 9.0.0.1 Interim fix 022
IBM · Operational Decision Manager · <9.5.0.1 Interim fix 005
IBM · Operational Decision Manager · 9.5.0.1 Interim fix 005