History: Mar 29, 2023 - 3:05 a.m.

Security Bulletin: IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library is affected by vulnerability in Apache Kafka (CVE-2023-25194)

Source: www.ibm.com

CVSS3: 8.8

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.9 (Confidence: High)

EPSS: 0.968 (Percentile: 99.7%)

Summary

Apache Kafka is used by IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library as part of the Kafka integration. The latest patch includes Apache Kafka 3.4.0 to fix the vulnerability. (CVE-2023-25194)

Vulnerability Details

**CVEID:** CVE-2023-25194
**DESCRIPTION:** Apache Kafka could allow a remote authenticated attacker to execute arbitrary code on the system, caused by unsafe deserialization when configuring a connector via the Kafka Connect REST API. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Tivoli Netcool/OMNIbus Integration - Transport Module Common Integration Library | common-transportmodule-18_0 up to and including common-transportmodule-36_0 |

Remediation/Fixes

| Updated Product(s) | Version(s) | Remediation/Fix/Instructions |
|---|---|---|
| IBM Tivoli Netcool/OMNIbus Integration - Transport Module Common Integration Library | common-transportmodule-37_0 | Refer to the release notice for the part number of the new package and instructions for the upgrade |

Workarounds and Mitigations

None

Affected configurations (Vulners)

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | netcool_operations_insight | 1.6 | cpe:2.3:a:ibm:netcool_operations_insight:1.6:*:*:*:*:*:*:* |
| ibm | websphere_automation_for_ibm_cloud_pak_for_watson_aiops | 3.6 | cpe:2.3:a:ibm:websphere_automation_for_ibm_cloud_pak_for_watson_aiops:3.6:*:*:*:*:*:*:* |
| ibm | tivoli_netcool/omnibus | 8.1.0 | cpe:2.3:a:ibm:tivoli_netcool/omnibus:8.1.0:*:*:*:*:*:*:* |
