Mar 05, 2019 - 9:30 a.m.

Security Bulletin: Multiple vulnerabilities have been identified in FasterXML Jackson library shipped with IBM Tivoli Netcool/OMNIbus Common Integration Libraries (CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2018-1000873)

2019-03-05 09:30:01
www.ibm.com

EPSS: 0.008
Percentile: 81.6%

Summary

FasterXML Jackson library is shipped as a component of IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library and Transformer for Message Bus Integration. Information about security vulnerabilities affecting FasterXML Jackson library has been published.

The Netcool/OMNIbus Common Integration Libraries are dependencies of the following Netcool/OMNIbus Integrations:
- Gateway for Message Bus
- Probe for Message Bus
- Generic Probe for Multi-Technology Operations Systems Interface (MTOSI)
- Probe for HPE Operations Manager i
- Probe for Cisco APIC
- Probe for Juniper Contrail
- Probe for Huawei U2000 (JMS)

Vulnerability Details

CVEID: CVE-2018-19360
DESCRIPTION: An unspecified error with failure to block the axis2-transport-jms class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/155091> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2018-19361
DESCRIPTION: An unspecified error with failure to block the openjpa class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/155092> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2018-19362
DESCRIPTION: An unspecified error with failure to block the jboss-common-core class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/155093> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2018-1000873
DESCRIPTION: FasterXML jackson-databind is vulnerable to a denial of service, caused by improper input validation by the nanoseconds time value field. By persuading a victim to deserialize specially-crafted input, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/154804> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected component | Version
---|---
IBM Tivoli Netcool/OMNIbus Integration - Transport Module Common Integration Library | common-transportmodule-15_0 up to and including common-transportmodule-19_0
IBM Tivoli Netcool/OMNIbus Integration - Transformer for Message Bus Integration | common-transformer-8_0

Remediation/Fixes

Updated component | Version
---|---
IBM Tivoli Netcool/OMNIbus Integration - Transport Module Common Integration Library | common-transportmodule-20_0
IBM Tivoli Netcool/OMNIbus Integration - Transformer for Message Bus Integration | common-transformer-9_0
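
A triage helper for the affected and fixed version tables above, added here as an example and not part of IBM's bulletin: it classifies package identifiers as affected, fixed, or unlisted. It assumes the `_`-separated suffix is a major_minor version number; the function names and the sample inventory are constructed for illustration.

```python
import re

# (first affected, last affected, first fixed) as (major, minor) tuples, copied
# from the bulletin's "Affected Products and Versions" and "Remediation/Fixes" tables.
BULLETIN = {
    "common-transportmodule": ((15, 0), (19, 0), (20, 0)),
    "common-transformer": ((8, 0), (8, 0), (9, 0)),
}

# Assumption: the suffix "<N>_<M>" is a major_minor version number.
PKG_RE = re.compile(r"^(common-transportmodule|common-transformer)-(\d+)_(\d+)$")


def triage(package_id):
    """Classify one package identifier against the bulletin's version tables."""
    match = PKG_RE.match(package_id.strip())
    if match is None:
        return "not-covered"  # not a component named in the bulletin
    first_bad, last_bad, first_fixed = BULLETIN[match.group(1)]
    version = (int(match.group(2)), int(match.group(3)))
    if first_bad <= version <= last_bad:
        return "affected"
    if version >= first_fixed:
        return "fixed"
    # Older than the listed range, or between the last affected and first
    # fixed release: the bulletin makes no statement, so flag for review.
    return "unlisted"


def report(inventory):
    """Map each identifier in an inventory to its triage result."""
    return {pkg: triage(pkg) for pkg in inventory}


# Constructed sample inventory (not taken from a real system).
SAMPLE_INVENTORY = [
    "common-transportmodule-17_0",
    "common-transportmodule-20_0",
    "common-transportmodule-14_0",
    "common-transformer-8_0",
    "common-transformer-9_0",
    "example-other-package-1_0",
]

if __name__ == "__main__":
    for pkg, status in report(SAMPLE_INVENTORY).items():
        print(f"{status:12} {pkg}")
```

An `unlisted` result means the bulletin is silent on that version, not that the version is safe.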

Workarounds and Mitigations

None
