Dec 20, 2019 - 4:09 p.m.

Security Bulletin: IBM Tivoli Netcool Configuration Manager (ITNCM) is vulnerable to Open Source Apache Batik vulnerability (CVE-2015-0250)

2019-12-20 16:09:22
www.ibm.com

EPSS: 0.043 (Percentile: 92.5%)

Summary

Apache Batik could in theory allow a remote attacker to obtain sensitive information. By persuading a victim to open a specially-crafted SVG file, an attacker could exploit this vulnerability to reveal files and obtain sensitive information.

Vulnerability Details

CVEID: CVE-2015-0250

DESCRIPTION:

Apache Batik could allow a remote attacker to obtain sensitive information. By persuading a victim to open a specially-crafted SVG file, an attacker could exploit this vulnerability to reveal files and obtain sensitive information.

CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101614>
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Affected Products and Versions

ITNCM: 6.3.0.6 and earlier

ITNCM: 6.4.1.2 and earlier

Remediation/Fixes

| Product | Version | Link | Remediation/First Fix |
|---|---|---|---|
| ITNCM | 6.4.x | <http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%2FTivoli&product=ibm/Tivoli/Tivoli+Netcool+Configuration+Manager&release=All&platform=All&function=fixId&fixids=6.4.1-TIV-ITNCM-LINUX-FP003&includeRequisites=1&includeSupersedes=0&downloadMethod=http> Search for 6.4.1-TIV-ITNCM-LINUX-FP003 on Fix Central. | Apply 6.4.1.3 which has been supplied with an upgraded version of Apache Batik. |
| ITNCM | 6.3.x | <http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Netcool+Configuration+Manager&release=6.3.0.6&platform=All&function=all> Search 6.3.0-TIV-ITNCM-FP003 on Fix Central. | Apply 6.3.0.6 interim fix ITNCM_6.3.0.6-IF003 which has been supplied with an upgraded version of Apache Batik. |

Workarounds and Mitigations

None