Security Bulletin: Vulnerabilities found within Apache Storm that is used by IBM Tivoli Network Manager (ITNM) IP Edition

Summary

Vulnerabilities found within Apache Storm (CVE-2020-25649, CVE-2020-36518, CVE-2021-22569, CVE-2021-38153) that is used by IBM Tivoli Network Manager (ITNM) IP Edition

Vulnerability Details

CVEID:CVE-2020-25649
**DESCRIPTION:**FasterXML Jackson Databind could provide weaker than expected security, caused by not having entity expansion secured properly. A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks to have impact over data integrity.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192648 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2020-36518
**DESCRIPTION:**FasterXML jackson-databind is vulnerable to a denial of service, caused by a Java StackOverflow exception. By using a large depth of nested objects, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222319 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-22569
**DESCRIPTION:**Google Protocol Buffer (protobuf-java) is vulnerable to a denial of service, caused by an issue with allow interleaving of com.google.protobuf.UnknownFieldSet fields. By persuading a victim to open a specially-crafted content, a remote attacker could exploit this vulnerability to cause a timeout in ProtobufFuzzer function, and results in a denial of service condition.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216851 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2021-38153
**DESCRIPTION:**Apache Kafka could allow a remote attacker to obtain sensitive information, caused by a timing attack flaw due to the use of “Arrays.equals” to validate a password or key. By utilizing brute-force attack techniques, an attacker could exploit this vulnerability to obtain credentials information, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/209762 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now. The issue has been partly fixed (CVE-2020-25649, CVE-2020-36518) in ITNM 4.2 Fix Pack 16 (i.e. 4.2.0.16) and workaround is available for remaining part (CVE-2021-22569, CVE-2021-38153). Upgrade ITNM 4.2 to latest Fix Pack version 16 from Fix Central and apply below workaround.

Workarounds and Mitigations

Follow below steps to address CVE-2021-22569, CVE-2021-38153

• Stop apache storm processes using itnm_stop storm
• Remove following two files
o $NCHOME/precision/storm/apache-storm/lib-tools/sql/core/protobuf-java-4.0.0-rc-2.jar
o $NCHOME/precision/storm/apache-storm/lib-tools/storm-kafka-monitor/storm-kafka-monitor-2.4.0.jar

• Start apache storm processes using itnm_start storm