
Security Bulletin: Due to use of Apache Pulsar, IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library is vulnerable to a security restrictions bypass.

Published: 2023-09-28 03:14:16 (source: www.ibm.com)

EPSS: 0.001 (Low), percentile 47.1%

Summary

Apache Pulsar is used by IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library. The vulnerabilities below (CVE-2023-30428, CVE-2023-30429, CVE-2023-37579 and CVE-2023-31007) have been addressed.

Vulnerability Details

CVEID: CVE-2023-30428
**DESCRIPTION:** Apache Pulsar could allow a remote attacker to bypass security restrictions, caused by improper authorization validation for Rest Producer. By sending a specially crafted request, an attacker could exploit this vulnerability to produce garbage messages to any topic in the cluster or produce messages to the topic level policies topic for other tenants and influence topic settings.
CVSS Base score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/260296 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2023-30429
**DESCRIPTION:** Apache Pulsar could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper authorization validation for Function Worker when using mTLS Authentication through Pulsar Proxy. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges.
CVSS Base score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/260295 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2023-37579
**DESCRIPTION:** Apache Pulsar could allow a remote authenticated attacker to obtain sensitive information, caused by improper authorization validation in the Function Worker. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain Sink/Source Credentials information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/260292 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2023-31007
**DESCRIPTION:** Apache Pulsar could allow a remote attacker to bypass security restrictions, caused by the broker not always disconnecting a client when its authentication data expires. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 9.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/260294 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| Transport Module Common Integration Library | common-transportmodule-29_0 up to and including common-transportmodule-37_0 |

Remediation/Fixes

| Product(s) | Version(s) | Remediation / First Fix |
|---|---|---|
| Transport Module Common Integration Library | common-transportmodule-38_0 | Refer to the release notice for the part number of the new package and instructions for the upgrade |

Workarounds and Mitigations

None
