Lucene search

IBM0552F84D3AF8328B9042D0120F7FBDA5D70E2F02F489E530B9CDFC4D67AC2083

HistorySep 19, 2021 - 11:39 p.m.

Security Bulletin: Multiple vulnerabilities is affecting Tivoli Netcool/OMNIbus WebGUI

2021-09-1923:39:00

www.ibm.com

0.001 Low

EPSS

Percentile

32.8%

JSON

Summary

Fix is available for multiple vulnerabilities affecting Tivoli Netcool/OMNIbus WebGUI.

Vulnerability Details

CVEID:CVE-2021-29808
**DESCRIPTION:**IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204269 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

CVEID:CVE-2021-29809
**DESCRIPTION:**IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204270 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

CVEID:CVE-2021-29819
**DESCRIPTION:**IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204346 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2021-29856
**DESCRIPTION:**IBM Tivoli Netcool/OMNIbus_GUI could allow an authenticated usre to cause a denial of service through the WebGUI Map Creation page.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205685 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-29820
**DESCRIPTION:**IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204347 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2021-29811
**DESCRIPTION:**IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI stores user credentials in plain clear text which can be read by an authenticated admin user.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204329 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2021-29818
**DESCRIPTION:**IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204345 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2021-29817
**DESCRIPTION:**IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204343 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2021-29821
**DESCRIPTION:**IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204348 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2021-29806
**DESCRIPTION:**IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204264 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2021-29807
**DESCRIPTION:**IBM Jazz for Service Management and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204265 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Tivoli Netcool/OMNIbus_GUI	8.1.x

Remediation/Fixes

Product	VRMF	APAR	Remediation/First Fix
Tivoli Netcool/OMNIbus WebGUI	8.1.0	IJ33573	Apply Fix Pack 24 (Fix Pack for WebGUI 8.1.0 Fix Pack 24)

For unsupported versions IBM recommends upgrading to a fixed, supported version of the product.

Workarounds and Mitigations

Upgrade to WebGUI 8.1.0 Fix Pack 24.

CPENameOperatorVersion
tivoli netcool/omnibuseq8.1.0

CPE	Name	Operator	Version
	tivoli netcool/omnibus	eq	8.1.0

0.001 Low

EPSS

Percentile

32.8%

JSON

Related for 0552F84D3AF8328B9042D0120F7FBDA5D70E2F02F489E530B9CDFC4D67AC2083