Security Bulletin: Vulnerabbilities exists in the IBM® SDK, Java™ Technology Edition affect IBM Tivoli Network Configuration Manager (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619).

Summary

Multiple vulnerabilities exist in IBM® SDK Java™ Technology Edition, Version 8, which is used by IBM Tivoli Network Manager IP Edition v4.2, which was included in the October 2022 Critical Patch Update. CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619

Vulnerability Details

CVEID:CVE-2022-21628
**DESCRIPTION:**Java SE is vulnerable to a denial of service, caused by a flaw in the Lightweight HTTP Server. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238623 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-21626
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238689 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-21624
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238699 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2022-21619
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

Note that only standalone worker servers and compliance servers (i.e. those which are not co-located on the same machine as a presentation server) need to have their JRE updated. To update the Java Runtime Environment (JRE), complete the following steps.

1. Locate the appropriate IBM JRE for your operating system on the IBM Fix Central website.

AIX: IBM Java 8.0.8.0 for AIX

Linux: IBMJava 8.0.8.0 for 64-bit Linux

zLinux: IBM Java 8.0.8.0 for Linux for z/OS

2. Download version 8.0.8.0 in archive, rather than binary, form and install it.

3. Back up the directory $NCMHOME/jre.

4. Stop all running processes of the compliance or worker server by using the “itncm.sh stop” command.

5. Delete the contents of the $NCMHOME/jre/bin and $NCMHOME/jre/lib directory.

6. Copy the contents of the bin and lib directories from the JRE that you installed in step 2 to $NCMHOME/jre/bin and $NCHOME/jre/lib, respectively.

7. Restart the compliance or worker server by using the “itncm.sh start” command.

To roll back to the previous Netcool Configuration Manager compliance or worker server JRE, restore the backup that you made in step 3. Perform the rollback, then perform steps 4 to 7 again.

Workarounds and Mitigations

None