Security Bulletin
Summary
Tivoli Netcool/OMNIbus WebGUI is shipped as a component of Tivoli Business Service Manager. Information about a security vulnerability affecting Tivoli Netcool/OMNIbus WebGUI has been published in a security bulletin.
Vulnerability Details
Please consult the security bulletin Security Bulletin: Vulnerability in Apache Struts affect Tivoli Netcool/OMNIbus WebGUI (CVE-2015-0899) for vulnerability details and information about fixes.
Affected Products and Versions
Tivoli Business Service Manager v6.1.0
Tivoli Business Service Manager v6.1.1
Remediation/Fixes
|
Product | VRMF | Remediation/Fix |
| Tivoli Business Service Manager | 6.1.0 | TBSM v6.1.0 bundles Tivoli Netcool/OMNIbus WebGUI v7. As per bulletin above, Tivoli Netcool/OMNIbus WebGUI v8 portlets should be used to avoid vulnerability CVE-2015-0899. However, there is no supported interface between Tivoli Business Service Manager v6.1.0 and WebGUI v8. TBSM v6.1.0 customers must first upgrade to v6.1.1 and then follow advice below for v6.1.1. |
| Tivoli Business Service Manager | 6.1.1 | TBSM v6.1.1 bundles Tivoli Netcool/OMNIbus WebGUI v7. As per bulletin above, Tivoli Netcool/OMNIbus WebGUI v8 portlets should be used to avoid vulnerability CVE-2015-0899. WebGUI v8 is DASH based. TBSM 6.1.1 is TIP based. To use WebGUI v8 portlets with TBSM v 6.1.1 configuration is required. Documentation is available here (see "TBSM Data + WebGUI Widgets" and "TBSM: How To Get Event Viewer onWebGUI 8.1.0 For AEL Replacement"): https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Business%20Service%20Manager1/page/Advanced%20Topics The mechanics of launching from a TBSM menu item to a DASH page are in this document (see 6.1 - Navigating to an External DASH page.): https://www.ibm.com/developerworks/community/groups/service/html/communityview?communityUuid=7d5ebce8-2dd8-449c-a58e-4676134e3eb8#fullpageWidgetId=Wea1cb2531f10_4ccd_99d7_6ab0334cb21f&file=519bead5-8dad-4af5-8aa1-745c5c9f74f6 |
Get Notified about Future Security Bulletins
References
Change History
Created by Geraldine McCormack - 14th Nov
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
Customer = THE TORONTO-DOMINION BANK
WebGUI 7.4.0 is on Struts 1.8.3. The fix require Struts upgrade to Struts v2 which have big architectural change. Struts2 upgrade work for WebGUI 8.1.0 had consumed
9 person months effort to release with major changes on existing code pages. WebGUI 7.4.0 have been announced to EOS on 31 Dec 2018.
Customer numnber=47 for webGUI.
The CVE-2015-0899 vulnerability was scored as CVSS Score 5.0 with no confidentiality impact but with partial integrity impact. With this vulnerability, the attacker may deceive the struts validator to skip the
validation of the submitted form fields value by manipulating the page parameter. As result, the attacker may submit invalid value of the form fields. The fields that the attacker may manipulate are limited to the
fields defined in the form. For WebGUI, the pages that apply multi-pages form are Filter builder, View builder and Tool Editor. Thus, the impacted fields are limited to the WebGUI Filter configuration, View
configuration and Tool configuration. They are impacted in the way that invalid data/configuration may be set by the attacker. The attacker can not have retrieve any data. Most of the fields of these areas are validated by WebGUI internal code instead of relying on the struts framework. The reason is because the fields are related to WebGUI configuration and we have to validate them according to WebGUI term and definition. Overall I would say WebGUI impact to this vulnerability is low.
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
swg22010588