Lucene search

IBM46ABB026206A29F51AFBE06566E9CC41AB30AAD09777C24D4EC36543FD9D5AD4

HistoryFeb 09, 2023 - 11:12 p.m.

Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to information disclosure (CVE-2021-38924)

2023-02-0923:12:20

www.ibm.com

ibm maximo asset management

ibm maximo manage

information disclosure

cve-2021-38924

vulnerability

sensitive information

remote attacker

version 7.6.1.3

version 7.6.1.2

version 7.6.1.1

mas 8.7-manage 8.3

mas 8.8-manage 8.4

interim fix

fix pack

security update

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

50.5%

JSON

Summary

IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to information disclosure.

Vulnerability Details

CVEID:CVE-2021-38924
**DESCRIPTION:**IBM Maximo Asset Management could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210163 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

This vulnerability affects the following versions of the IBM Maximo Asset Management core product and IBM Maximo Manage Application in IBM Maximo Application Suite. Older versions of Maximo Asset Management may be impacted. The recommended action is to update to the latest version.

Product versions affected:

Affected Product(s)	Version(s)
IBM Maximo Asset Management	7.6.1.3
IBM Maximo Asset Management	7.6.1.2
IBM Maximo Asset Management	7.6.1.1
Maximo Manage Application in IBM Maximo Application Suite	MAS 8.7-Manage 8.3
Maximo Manage Application in IBM Maximo Application Suite	MAS 8.8-Manage 8.4

To determine the core product version, log in and view System Information. The core product version is the “Tivoli’s process automation engine” version. Please consult the Platform Matrix for a list of supported product combinations.

Remediation/Fixes

The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central (What is Fix Central?) and apply for each affected product as soon as possible. Please see below for information on the fixes available for each product, version, and release. Follow the installation instructions in the ‘readme’ documentation provided with each fix pack or interim fix.

For Maximo Asset Management 7.6:

VRM	Fix Pack, Feature Pack, or Interim Fix	Download
7.6.1.3	Maximo Asset Management 7.6.1.3 Feature Pack:
7.6.1.3-TIV-MAMMT-FP003 or latest Interim Fix available	FixCentral
7.6.1.2	Maximo Asset Management 7.6.1.2 iFix:
7.6.1.2-TIV-MBS-IF023 or latest Interim Fix available	FixCentral
7.6.1.1	Maximo Asset Management 7.6.1.1 iFix:
7.6.1.1-TIV-MBS-IF022 or latest Interim Fix available	FixCentral

For IBM Maximo Manage application in IBM Maximo Application Suite:

MAS	MAS Patch Fix or Release	Manage Patch Fix or Release
8.7

Maximo Application Suite 8.7.3:
Maximo Application Suite version 8.7.3 or latest Patch Fix available

| 8.3.3 or latest (available from the Catalog under Update Available)
8.8 |

Maximo Application Suite 8.8:
Upgrade to Maximo Application Suite version 8.8 or latest Patch Fix available

| 8.4 or latest (available from the Catalog under Update Available)

Workarounds and Mitigations

No manual changes are required for Manage.

For MAM, edit the following files:

applications/maximo/maximouiweb/webmodule/WEB-INF/web.xml
deployment/was-liberty-default/config-deployment-descriptors/maximo-report/webmodule/WEB-INF/web.xml
deployment/was-liberty-default/config-deployment-descriptors/maximo-ui/webmodule/WEB-INF/web.xml

In the files make sure the ReportRequestFilter filter-mappings are defined as follows (add any missing ones):

	&lt;filter-mapping&gt;
	  &lt;filter-name&gt;ReportRequestFilter&lt;/filter-name&gt;
	  &lt;url-pattern&gt;/report/*&lt;/url-pattern&gt;
	&lt;/filter-mapping&gt;
	&lt;filter-mapping&gt;
	  &lt;filter-name&gt;ReportRequestFilter&lt;/filter-name&gt;
	  &lt;url-pattern&gt;/download/*&lt;/url-pattern&gt;
	&lt;/filter-mapping&gt;
	&lt;filter-mapping&gt;
	  &lt;filter-name&gt;ReportRequestFilter&lt;/filter-name&gt;
	  &lt;url-pattern&gt;/output/*&lt;/url-pattern&gt;
	&lt;/filter-mapping&gt;
	&lt;filter-mapping&gt;
	  &lt;filter-name&gt;ReportRequestFilter&lt;/filter-name&gt;
	  &lt;url-pattern&gt;/extract/*&lt;/url-pattern&gt;
	&lt;/filter-mapping&gt;

Affected configurations

Vulners

Node

ibmmaximo_asset_managementMatch7.6.1

ibmmaximo_for_service_providersMatch7.6.3.3

ibmmaximo_for_service_providersMatch7.6.3.2

ibmmaximo_for_service_providersMatch7.6.3.1

ibmmaximo_for_life_sciencesMatch7.6

ibmmaximo_for_oil_and_gasMatch7.6.1

ibmmaximo_asset_configuration_managerMatch7.6.6

ibmmaximo_asset_configuration_managerMatch7.6.7

ibmmaximo_for_transportationMatch7.6.2.5

ibmmaximo_for_transportationMatch7.6.2.4

ibmmaximo_for_transportationMatch7.6.2.3

ibmcontrol_deskMatch7.6.1.1

ibmcontrol_deskMatch7.6.1

ibmmaximo_for_aviationMatch7.6.8

ibmmaximo_for_aviationMatch7.6.7

ibmmaximo_for_aviationMatch7.6.6

ibmmaximo_for_utilitiesMatch7.6.0.2

ibmmaximo_for_utilitiesMatch7.6.0.1

ibmmaximo_for_nuclear_powerMatch7.6.1

ibmmaximo_spatial_asset_managementMatch7.6.0.5

ibmmaximo_spatial_asset_managementMatch7.6.0.4

ibmmaximo_spatial_asset_managementMatch7.6.0.3

ibmmaximo_spatial_asset_managementMatch7.6.0.2

CPENameOperatorVersion
ibm maximo asset managementeq7.6.1
maximo for service providerseq7.6.3.3
maximo for service providerseq7.6.3.2
maximo for service providerseq7.6.3.1
maximo for life scienceseq7.6
maximo for oil and gaseq7.6.1
maximo asset configuration managereq7.6.6
maximo asset configuration managereq7.6.7
maximo for transportationeq7.6.2.5
maximo for transportationeq7.6.2.4

Name	Operator	Version
ibm maximo asset management	eq	7.6.1
maximo for service providers	eq	7.6.3.3
maximo for service providers	eq	7.6.3.2
maximo for service providers	eq	7.6.3.1
maximo for life sciences	eq	7.6
maximo for oil and gas	eq	7.6.1
maximo asset configuration manager	eq	7.6.6
maximo asset configuration manager	eq	7.6.7
maximo for transportation	eq	7.6.2.5
maximo for transportation	eq	7.6.2.4

Rows per page:

1-10 of 231

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

50.5%

JSON

Related for 46ABB026206A29F51AFBE06566E9CC41AB30AAD09777C24D4EC36543FD9D5AD4