CVSS3: 10 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 9.3 High

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.975 High (Percentile: 99.9%)
Some versions of Tivoli Netcool/OMNIbus WebGUI use the Apache log4j-api library, which is affected by multiple vulnerabilities (CVE-2021-4104 and CVE-2021-45046); the recommendation is to remove it if it exists. Tivoli Netcool/OMNIbus WebGUI also uses IBM Jazz for Service Management and WebSphere Application Server (WAS), which are affected. Information about this security vulnerability affecting IBM Jazz for Service Management and WebSphere Application Server (WAS) has been published in separate security bulletins.
Refer to the security bulletin(s) listed in the Remediation/Fixes section.
Affected Product(s) | Version(s) |
---|---|
Tivoli Netcool/OMNIbus Web GUI | 8.1 GA - 8.1.0.25 |
IBM Jazz for Service Manager (JazzSM) | 1.1.3.0 - 1.1.3.13 |
WebSphere Application Server (WAS) | 8.5 - 9.0 |
Please note in the steps below that $JazzSMHOME denotes the home directory where JazzSM is installed.
* If you are running WebSphere Application Server 8.5.5.11 to 8.5.5.20 or 9.0.5.3 or above, the interim fix [PH42762](<https://www.ibm.com/support/pages/node/6526686>) can be applied.
* If you are running WebSphere Application Server prior to 8.5.5.11, WebSphere Application Server must be upgraded prior to applying the interim fix [PH42762](<https://www.ibm.com/support/pages/node/6526686>).
* If you are running IBM Jazz for Service Manager 1.1.3.10 to 1.1.3.13, along with WebSphere Application Server 8.5.5.18 to 8.5.5.20 or 9.0.5.6 to 9.0.5.9, the interim fix [JazzSM 1.1.3.13 iFix01](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Jazz+for+Service+Management&release=All&platform=All&function=all> "JazzSM 1.1.3.13 iFix01") can be applied.
* If you are running IBM Jazz for Service Manager 1.1.3 to 1.1.3.9, along with WebSphere Application Server 8.5.5.9 to 8.5.5.18 or 9.0.5.3, IBM Jazz for Service Manager must be upgraded prior to applying the interim fix [JazzSM 1.1.3.13 iFix01](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Jazz+for+Service+Management&release=All&platform=All&function=all> "JazzSM 1.1.3.13 iFix01").
* If you have upgraded to WebSphere Application Server 8.5.5.20 with interim fix [PH42762](<https://www.ibm.com/support/pages/node/6526686>), you should also upgrade to JazzSM 1.1.3.13 and then apply the interim fix [JazzSM 1.1.3.13 iFix01](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Jazz+for+Service+Management&release=All&platform=All&function=all> "JazzSM 1.1.3.13 iFix01").
* If you are running WebSphere Application Server 8.5.5.20 and IBM Jazz Service Manager 1.1.3.13, then you must also upgrade to Tivoli Netcool/OMNIbus WebGUI 8.1.0.25.
1. Stop the JazzSM server, e.g. $JazzSMHOME/profile/bin/stopServer.sh server1
2. Move the log4j-api-2*.jar file in the deployed OMNIbusWebGUI.war directory to an archive directory outside of $JazzSMHOME
   * For instance, $JazzSMHOME/profile/installedApps/installedApps/JazzSMNode01Cell/isc.ear/OMNIbusWebGUI.war/WEB-INF/lib/log4j-api-2*.jar
3. Start the JazzSM server, e.g. $JazzSMHOME/profile/bin/startServer.sh server1
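
Step 2 above as a shell function, added here as an example and not taken from IBM's bulletin; the function name `archive_log4j_api` and the archive path are assumptions. It searches under profile/installedApps instead of hard-coding the cell directory, and refuses an archive directory that resolves to a location inside $JazzSMHOME.

```shell
#!/bin/sh
# Added example, not IBM's script. archive_log4j_api is a hypothetical helper
# for step 2: it moves log4j-api-2*.jar out of every deployed OMNIbusWebGUI.war
# into an existing archive directory and prints how many files it moved.
# Usage: archive_log4j_api <JazzSMHOME> <archive-dir>
archive_log4j_api() {
    jazz_home=$1
    archive=$2
    apps="$jazz_home/profile/installedApps"
    [ -d "$apps" ] || { echo "not found: $apps" >&2; return 2; }
    [ -d "$archive" ] || { echo "create $archive first" >&2; return 2; }
    # Resolve both paths so a relative or symlinked archive cannot sit inside JazzSM.
    home_abs=$(cd "$jazz_home" && pwd -P) || return 2
    arch_abs=$(cd "$archive" && pwd -P) || return 2
    case "$arch_abs/" in
        "$home_abs"/*)
            echo "archive directory must be outside $home_abs" >&2
            return 2 ;;
    esac
    # The cell directory name varies per install, so search for the jar.
    jars=$(find "$home_abs/profile/installedApps" -type f \
        -name 'log4j-api-2*.jar' -path '*/OMNIbusWebGUI.war/WEB-INF/lib/*')
    moved=0
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        dest="$arch_abs/$(basename "$jar")"
        # Do not overwrite a jar archived from another deployed copy.
        if [ -e "$dest" ]; then dest="$dest.$moved"; fi
        mv "$jar" "$dest" || return 2
        moved=$((moved + 1))
    done <<EOF
$jars
EOF
    echo "$moved"
}

# Order from the steps above (server1 as on the page; archive path is a placeholder):
#   "$JazzSMHOME/profile/bin/stopServer.sh" server1
#   archive_log4j_api "$JazzSMHOME" /path/outside/JazzSMHOME
#   "$JazzSMHOME/profile/bin/startServer.sh" server1
```

A printed count of 0 means no log4j-api-2*.jar was present under the deployed WebGUI, which matches the bulletin's "remove it if it exists" wording.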
None
CPE

Name | Operator | Version |
---|---|---|
tivoli netcool/omnibus | eq | 8.1.0 |