Security Bulletin: Multiple vulnerabilities exist in the IBM® SDK, Java™ Technology Edition affecting IBM Tivoli Network Manager

Summary

Multiple vulnerabilities exist in IBM® SDK Java™ Technology Edition, Version 8, which is used by IBM Tivoli Network Manager IP Edition v4.2, which was disclosed in the Oracle January 2022 Critical Patch Update. CVE-2022-21365, CVE-2022-21360, CVE-2022-21349, CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21294, CVE-2022-21293, CVE-2022-21291, CVE-2022-21248

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Remediation/Fixes

To update the Java Runtime Environment (JRE), complete the following steps.

1. Locate the appropriate IBM JRE for your operating system on the IBM Fix Central website.

AIX: IBM Java 8.0.7.5 for AIX

Linux: IBMJava 8.0.7.5 for 64-bit Linux

zLinux: IBM Java 8.0.7.5 for Linux for z/OS

2. Download version 8.0.7.5 in archive, not binary, format and install it as per following steps.

3. Back up the directory $NCHOME/precision/jre.

4. Stop all running processes of the Network Manager Core Components and Apache Storm by using the itnm_stop command.

5. Delete the contents of the $NCHOME/precision/jre/bin and $NCHOME/precision/jre/lib directory.

6. Copy the contents of the bin and lib directories from the JRE that you installed in step 2 to $NCHOME/precision/jre/bin and $NCHOME/precision/jre/lib, respectively.

7. Restart the Network Manager Core Components and Apache Storm by using the itnm_start command.

To upgrade or rollback the Network Manager Core Components, restore the backup that you made in step 3. Perform the upgrade or rollback, then perform steps 4 to 7 again.

Workarounds and Mitigations

None