History: Jul 30, 2024 - 1:34 a.m.

Security Bulletin: Due to use of Apache Pulsar, IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library is vulnerable to a security restrictions bypass.

2024-07-30 01:34:09
www.ibm.com
4
ibm tivoli
netcool/omnibus
transport module
common integration library
apache pulsar
security bypass
cve-2024-28098
cve-2024-29834
vulnerability
bypass
authorization
remote attacker
namespace management
version 40_0
upgrade
release notice

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

AI Score

7

Confidence

Low

Summary

IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library uses Apache Pulsar. The vulnerabilities below (CVE-2024-28098, CVE-2024-29834) have been addressed.

Vulnerability Details

**CVEID:** CVE-2024-28098
**DESCRIPTION:** Apache Pulsar could allow a remote authenticated attacker to bypass security restrictions, caused by improper authorization validation. By sending a specially crafted request, an attacker could exploit this vulnerability to modify topic-level policies.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285480 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

**CVEID:** CVE-2024-29834
**DESCRIPTION:** Apache Pulsar could allow a remote authenticated attacker to bypass security restrictions, caused by improper authorization for namespace and topic management endpoints. By sending a specially crafted request, an attacker could exploit this vulnerability to read, create, modify, and delete namespace properties in any namespace in any tenant.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286806 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
Transport Module Common Integration Library | common-transportmodule-29_0 up to and including common-transportmodule-39_0

Remediation/Fixes

Product(s) | Version(s) | Remediation / First Fix
---|---|---
Transport Module Common Integration Library | common-transportmodule-40_0 | Refer to release notice for the part number of the new package and instructions for the upgrade

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm tivoli_netcool_webtop, match 1.6

Vendor | Product | Version | CPE
---|---|---|---
ibm | tivoli_netcool_webtop | 1.6 | `cpe:2.3:a:ibm:tivoli_netcool_webtop:1.6:*:*:*:*:*:*:*`
