Lucene search

IBMAC8068AC70CA463D38F6AE4AE7E9F81068854020FC00D5F3DAAF7E5D998B20A2

HistoryJun 02, 2023 - 1:18 p.m.

Security Bulletin: A vulnerability exists in the IBM® SDK, Java™ Technology Edition affect IBM Tivoli Network Configuration Manager (CVE-2022-3676).

2023-06-0213:18:31

www.ibm.com

ibm sdk java technology edition

cve-2022-3676

ibm tivoli network configuration manager

v6.4.2

update

java runtime environment

linux

aix

zlinux

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

48.5%

JSON

Summary

A vulnerability (CVE-2022-3676) exists in IBM® SDK Java™ Technology Edition, Version 8, which is used by IBM Tivoli Network Configuration Manager IP Edition v6.4.2.

Vulnerability Details

CVEID:CVE-2022-3676
**DESCRIPTION:**Eclipse Openj9 could allow a remote attacker to bypass security restrictions, caused by improper runtime type check by the interface calls. By sending a specially-crafted request using bytecode, an attacker could exploit this vulnerability to access or modify memory.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239608 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
ITNCM	6.4.2

Remediation/Fixes

Note that only standalone worker servers and compliance servers (i.e. those which are not co-located on the same machine as a presentation server) need to have their JRE updated. To update the Java Runtime Environment (JRE), complete the following steps.

1. Locate the appropriate IBM JRE for your operating system on the IBM Fix Central website.

AIX: IBM Java 8.0.8.0 for AIX

Linux: IBMJava 8.0.8.0 for 64-bit Linux

zLinux: IBM Java 8.0.8.0 for Linux for z/OS

2. Download version 8.0.8.0 in archive, rather than binary, form and install it.

3. Back up the directory $NCMHOME/jre.

4. Stop all running processes of the compliance or worker server by using the “itncm.sh stop” command.

5. Delete the contents of the $NCMHOME/jre/bin and $NCMHOME/jre/lib directory.

6. Copy the contents of the bin and lib directories from the JRE that you installed in step 2 to $NCMHOME/jre/bin and $NCHOME/jre/lib, respectively.

7. Restart the compliance or worker server by using the “itncm.sh start” command.

To roll back to the previous Netcool Configuration Manager compliance or worker server JRE, restore the backup that you made in step 3. Perform the rollback, then perform steps 4 to 7 again.

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmtivoli_netcool_security_managerMatch6.4.1

ibmtivoli_netcool_security_managerMatch6.4.2

CPENameOperatorVersion
tivoli netcool configuration managereq6.4.1
tivoli netcool configuration managereq6.4.2

CPE	Name	Operator	Version
	tivoli netcool configuration manager	eq	6.4.1
	tivoli netcool configuration manager	eq	6.4.2

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

48.5%

JSON

Related for AC8068AC70CA463D38F6AE4AE7E9F81068854020FC00D5F3DAAF7E5D998B20A2