Security Bulletin: IBM Tivoli Network Manager is vulnerable to information disclosure attacks due to vulnerabilities in Eclipse Jetty (CVE-2021-28169)

Summary

Eclipse Jetty libraries (jetty-io, jetty-client, jetty-http, jetty-util) used by IBM Tivoli Network Manager, in versions <= 9.4.40, <= 10.0.2, <= 11.0.2 , it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.All the libraries are upgraded to 9.4.45.v20220203 to address the issue.

Vulnerability Details

CVEID:CVE-2021-28169
**DESCRIPTION:**Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the ConcatServlet. By sending a specially-crafted request using a doubly encoded path, an attacker could exploit this vulnerability to obtain sensitive information from protected resources within the WEB-INF directory, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203492 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

This issue has been fixed in ITNM4.2 Fix Pack 15(i.e. 4.2.0.15) available from fix central.

ITNM Full builds

4.2.0-TIV-ITNMIP-Linux-FP0015

4.2.0-TIV-ITNMIP-zLinux-FP0015

4.2.0-TIV-ITNMIP-AIX-FP0015

Workarounds and Mitigations

None