IBMD406490E70A52CFB0315F27FCD957BFAE7E7B2887A6C73BE83E3F514F1153348Security Bulletin: IBM Tivoli Netcool/OMNIbus Web GUI is vulnerable to multiple Apache Log4j vulnerabilities (CVE-2021-45046,CVE-2021-45105)
9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
6 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%
Summary
IBM Tivoli Netcool/OMNIbus Web GUI is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046) and denial of service due to Apache Log4j (CVE-2021-45105). IBM Tivoli Netcool/OMNIbus WebGUI uses IBM Jazz for Service Management and Websphere Application Server (WAS) component/product which are affected. This bulletin addresses the vulnerabilities for the reported CVE-2021-45046 and CVE-2021-45105. The below fix package includes Log4j 2.17.1.
Vulnerability Details
Refer to the security bulletin(s) listed in the Remediation/Fixes section
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Tivoli Netcool/OMNIbus Web GUI | 8.1.0.11 - 8.1.0.25 |
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now by upgrading.
Please note in the steps below that $JazzSMHOME denotes the home directory where JazzSM is installed.
- The recommended solution is to apply the interim fix, Fix Pack or PTF for Websphere Application Server (WAS), go to Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server (CVE-2021-4104, CVE-2021-45046) for complete details.
- The recommended solution is to apply the interim fix, Fix Pack or PTF for IBM Jazz for Service Manager (JazzSM), go to IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerabilities(CVE-2021-45105, CVE-2021-45046) for complete details.
- Upgrade IBM Tivoli Netcool/OMNIbus WebGUI to the appropriate version that would support the corresponding Websphere Application Server (WAS) fix pack and IBM Jazz for Service Manager (JazzSM) fix pack installed. See table 3, in <https://www.ibm.com/docs/en/netcoolomnibus/8.1?topic=upgrade-web-gui-installation-prerequisites>
* For example, if you are running Websphere Application Server 8.5.5.20 and IBM Jazz Service Manager 1.1.3.13, then you must also upgrade to [IBM Tivoli Netcool/OMNIbus WebGUI 8.1.0.25](<https://www.ibm.com/support/pages/node/6490291> "IBM Tivoli Netcool/OMNIbus WebGUI 8.1.0.25" ).
- If you are running IBM Tivoli Netcool/OMNIbus WebGUI 8.1.0.11 (or higher), which contains the following file $JazzSMHOME/profile/installedApps/installedApps/JazzSMNode01Cell/isc.ear/OMNIbusWebGUI.war/WEB-INF/lib/log4j-api-2.12..jar. You can either, leave this file as is, because these CVEs only vulnerable by log4j-core, not log4j-api*. Or, follow the steps below to remove this file, which may produce ignoreable non-functional error messages in the log file.
1. Stop the JazzSM server, eg. $JazzSMHOME/profile/bin/stopServer.sh server1
2. Move log4j-api-2*.jar file to an archive directory outside of $JazzSMHOME
3. Start the JazzSM server, eg. $JazzSMHOME/profile/bin/startServer.sh server
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| tivoli netcool/omnibus | eq | 8.1.0 |
Related
9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
6 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%