IBM Support

Security Bulletin: Tivoli Netcool/OMNIbus WebGUI is vulnerable to Apache log4j vulnerability (CVE-2021-44228)

Security Bulletin


Summary

Tivoli Netcool/OMNIbus WebGUI may be affected by the Apache Log4j vulnerability (CVE-2021-44228) through its use of the log4j-api library. WebGUI also runs on IBM Jazz for Service Management (JazzSM) and WebSphere Application Server (WAS), both of which are affected products in their own right.

Vulnerability Details

Refer to the security bulletins listed in the Remediation/Fixes section.

Affected Products and Versions

Affected Products                       Versions
Tivoli Netcool/OMNIbus Web GUI          8.1 GA - 8.1.0.25
IBM Jazz for Service Management         1.1.3.0 - 1.1.3.13
WebSphere Application Server (WAS)      8.5 - 9.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now. 

Based on current knowledge and analysis, Tivoli Netcool/OMNIbus WebGUI does not use the Apache log4j-core library, which is the component vulnerable to CVE-2021-44228 (the JNDI lookup that the exploit triggers is implemented in log4j-core, not in log4j-api). WebGUI may still be affected because it ships log4j-api, which is part of the same Apache Log4j package and is covered by the same advisory.

Please note that in the steps below $JazzSMHOME denotes the directory where JazzSM is installed.

  1. Apply the WebSphere Application Server (WAS) fix as directed in the security bulletin "Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server (CVE-2021-4104, CVE-2021-45046)", which supersedes "Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228)".
  2. Apply the IBM Jazz for Service Management (JazzSM) fix as directed in the security bulletin "IBM Jazz for Service Management is vulnerable to an Apache Log4j vulnerability (CVE-2021-44228)".
  3. Upgrade Tivoli Netcool/OMNIbus WebGUI to the version that supports the WAS fix pack and JazzSM fix pack you have installed. See Table 3 in https://www.ibm.com/docs/en/netcoolomnibus/8.1?topic=upgrade-web-gui-installation-prerequisites
    • If you are running WebSphere Application Server 8.5.5.20 and IBM Jazz for Service Management 1.1.3.13, you must also upgrade to Tivoli Netcool/OMNIbus WebGUI 8.1.0.25.
  4. If you are running Tivoli Netcool/OMNIbus WebGUI 8.1.0.11 or later, which ships the log4j-api-2*.jar file:
    1. Stop the JazzSM server, e.g. $JazzSMHOME/profile/bin/stopServer.sh server1
    2. Move the log4j-api-2*.jar file from the deployed OMNIbusWebGUI.war directory to an archive directory outside of $JazzSMHOME
      •  For instance, $JazzSMHOME/profile/installedApps/JazzSMNode01Cell/isc.ear/OMNIbusWebGUI.war/WEB-INF/lib/log4j-api-2*.jar
    3. Start the JazzSM server, e.g. $JazzSMHOME/profile/bin/startServer.sh server1
  5. If you are running a Tivoli Netcool/OMNIbus WebGUI release prior to 8.1.0.11, no further action is required beyond steps 1 to 3.
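The stop / archive / start procedure of step 4, written out as an added example script. This is not part of the IBM bulletin and not IBM's tooling. It assumes a POSIX shell on the JazzSM host, the server name server1 and the cell name JazzSMNode01Cell from the bulletin's example path (both may differ in your installation), and an archive directory of your choosing outside $JazzSMHOME. Around the three steps it adds the checks a practitioner would want: it refuses an archive directory inside $JazzSMHOME, and after the restart it lists any Log4j jar still left under the WAR, since the bulletin states WebGUI does not use log4j-core and a log4j-core jar turning up there would point to another component. The self-check at the end runs against a constructed directory tree, not a real installation.

```shell
#!/bin/sh
# Added example, not part of the IBM bulletin: carry out step 4 (stop server1,
# archive log4j-api-2*.jar out of the deployed OMNIbusWebGUI.war, start server1)
# and report any Log4j 2 jar still present under the WAR afterwards.
# Assumptions: POSIX sh on the JazzSM host; the server name "server1" and the
# cell name "JazzSMNode01Cell" are taken from the bulletin's example path and
# may differ in your installation; ARCHIVE_DIR is anywhere outside $JazzSMHOME.

# archive_log4j_api WAR_DIR ARCHIVE_DIR
# Move every log4j-api-2*.jar in WAR_DIR/WEB-INF/lib to ARCHIVE_DIR (created
# if needed) and print how many jars were moved. Fails if the lib dir is missing.
archive_log4j_api() {
    lib_dir="$1/WEB-INF/lib"
    archive_dir=$2
    [ -d "$lib_dir" ] || { echo "no WEB-INF/lib under $1" >&2; return 1; }
    mkdir -p "$archive_dir" || return 1
    moved=0
    for jar in "$lib_dir"/log4j-api-2*.jar; do
        [ -f "$jar" ] || continue   # pattern matched nothing: $jar is the literal glob
        mv "$jar" "$archive_dir"/ || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}

# remaining_log4j WAR_DIR
# Print the basename of every Log4j jar still under WAR_DIR (api, core,
# bridges). Empty output means the WAR carries no Log4j jar at all.
remaining_log4j() {
    find "$1" -type f -name 'log4j-*.jar' -exec basename {} \; | sort
}

# remediate_webgui JAZZSM_HOME ARCHIVE_DIR
# The bulletin's steps 4.1 to 4.3 with two checks around them: refuse an
# archive directory inside JAZZSM_HOME (the bulletin says outside), and after
# restarting, list anything Log4j-related left in the WAR. Returns 2 when
# something is left so the operator looks at it; the server is started regardless.
remediate_webgui() {
    jazzsm_home=$1
    archive_dir=$2
    war_dir="$jazzsm_home/profile/installedApps/JazzSMNode01Cell/isc.ear/OMNIbusWebGUI.war"
    case "$archive_dir" in
        "$jazzsm_home"|"$jazzsm_home"/*)
            echo "archive directory must be outside $jazzsm_home" >&2; return 1 ;;
    esac
    [ -d "$war_dir/WEB-INF/lib" ] || { echo "WebGUI WAR not found at $war_dir" >&2; return 1; }

    "$jazzsm_home/profile/bin/stopServer.sh" server1 || return 1       # step 4.1
    n=$(archive_log4j_api "$war_dir" "$archive_dir") || return 1         # step 4.2
    echo "archived $n log4j-api jar(s) to $archive_dir"
    left=$(remaining_log4j "$war_dir")
    "$jazzsm_home/profile/bin/startServer.sh" server1 || return 1      # step 4.3

    if [ -n "$left" ]; then
        echo "Log4j jars still present under $war_dir:" >&2
        echo "$left" >&2
        return 2
    fi
    return 0
}

# Self-check on a constructed tree (no JazzSM involved; the jar names and the
# version string are made up): one log4j-api jar and one unrelated jar. After
# archiving, the unrelated jar stays and remaining_log4j prints nothing.
selfcheck() {
    tmp=$(mktemp -d) || return 1
    war="$tmp/jazzsm/profile/installedApps/JazzSMNode01Cell/isc.ear/OMNIbusWebGUI.war"
    mkdir -p "$war/WEB-INF/lib"
    : > "$war/WEB-INF/lib/log4j-api-2.0.jar"
    : > "$war/WEB-INF/lib/unrelated-1.0.jar"
    moved=$(archive_log4j_api "$war" "$tmp/archive")
    left=$(remaining_log4j "$war")
    status=1
    if [ "$moved" = 1 ] && [ -z "$left" ] && [ -f "$tmp/archive/log4j-api-2.0.jar" ] \
        && [ -f "$war/WEB-INF/lib/unrelated-1.0.jar" ]; then
        status=0
    fi
    rm -rf "$tmp"
    echo "selfcheck: moved=$moved remaining='$left' status=$status"
    return $status
}

selfcheck
```

To run it for real, source the file and call `remediate_webgui "$JazzSMHOME" /path/outside/JazzSMHOME/log4j-archive` as the user that owns the JazzSM profile. Keeping the jar in an archive directory rather than deleting it preserves the ability to roll back, and the post-restart listing gives you the evidence to record that the WAR no longer carries Log4j.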

Workarounds and Mitigations

None

References

Acknowledgement

Change History

17 Dec 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

Product: Tivoli Netcool/OMNIbus (component: WebGUI, version: 8.1.0)
Platforms: AIX, Linux, Windows
Business Unit: IBM Software w/o TPS; Line of Business: Automation

Document Information

Modified date:
23 December 2021

Initial Publish date:
17 December 2021

UID

ibm16528410