Security Bulletin
Summary
Some versions of Tivoli Netcool/OMNIbus WebGUI ship the Apache log4j-api library, which is affected by CVE-2021-4104 and CVE-2021-45046; the recommendation is to remove it if present. Tivoli Netcool/OMNIbus WebGUI also runs on IBM Jazz for Service Management (JazzSM) and WebSphere Application Server (WAS), both of which are affected. Information about these vulnerabilities as they affect IBM Jazz for Service Management and WebSphere Application Server has been published in separate security bulletins.
Vulnerability Details
Refer to the security bulletin(s) listed in the Remediation/Fixes section.
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| Tivoli Netcool/OMNIbus Web GUI | 8.1 GA - 8.1.0.25 |
| IBM Jazz for Service Management (JazzSM) | 1.1.3.0 - 1.1.3.13 |
| WebSphere Application Server (WAS) | 8.5 - 9.0 |
Remediation/Fixes
Please note that in the steps below $JazzSMHOME denotes the home directory where JazzSM is installed.
- As recommended in the WebSphere Application Server (WAS) security bulletin "Multiple vulnerabilities in Apache log4j affect the IBM WebSphere Application Server (CVE-2021-4104, CVE-2021-45046)", install interim fix PH42762.
- As recommended in the IBM Jazz for Service Management (JazzSM) security bulletin "IBM Jazz for Service Management is vulnerable to an Apache Log4j vulnerability (CVE-2021-44228)":
  - If you are running JazzSM 1.1.3.10 to 1.1.3.13 with WebSphere Application Server 8.5.5.18 to 8.5.5.20 or 9.0.5.6 to 9.0.5.9, the interim fix JazzSM 1.1.3.13 iFix01 can be applied directly.
  - If you are running JazzSM 1.1.3 to 1.1.3.9 with WebSphere Application Server 8.5.5.9 to 8.5.5.18 or 9.0.5.3, JazzSM must be upgraded (to 1.1.3.13) before the interim fix JazzSM 1.1.3.13 iFix01 can be applied.
  - If you have upgraded WebSphere Application Server to 8.5.5.20 with interim fix PH42762, also upgrade JazzSM to 1.1.3.13 and then apply the interim fix JazzSM 1.1.3.13 iFix01.
- Upgrade Tivoli Netcool/OMNIbus WebGUI to a version that supports the WebSphere Application Server (WAS) fix pack and IBM Jazz for Service Management (JazzSM) fix pack you have installed. See table 3 in https://www.ibm.com/docs/en/netcoolomnibus/8.1?topic=upgrade-web-gui-installation-prerequisites
  - If you are running WebSphere Application Server 8.5.5.20 and JazzSM 1.1.3.13, you must also upgrade to Tivoli Netcool/OMNIbus WebGUI 8.1.0.25.
- If you are running Tivoli Netcool/OMNIbus WebGUI 8.1.0.11 or later, which contains the log4j-api-2*.jar file:
  - Stop the JazzSM server, e.g. $JazzSMHOME/profile/bin/stopServer.sh server1
  - Move the log4j-api-2*.jar file from the deployed OMNIbusWebGUI.war directory to an archive directory outside of $JazzSMHOME. For instance, the file is located at $JazzSMHOME/profile/installedApps/installedApps/JazzSMNode01Cell/isc.ear/OMNIbusWebGUI.war/WEB-INF/lib/log4j-api-2*.jar
  - Start the JazzSM server, e.g. $JazzSMHOME/profile/bin/startServer.sh server1
- If you are running Tivoli Netcool/OMNIbus WebGUI prior to 8.1.0.11, no further action is required for the WebGUI component itself.
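The stop/move/start procedure above for WebGUI 8.1.0.11 or later, written as a shell script. This is an added example, not code from the IBM bulletin or the product: it assumes the $JazzSMHOME layout and the server name server1 shown in the bulletin, locates the deployed OMNIbusWebGUI.war by name under profile/installedApps (so the cell name in the bulletin's example path does not have to be hard-coded), refuses an archive directory inside $JazzSMHOME as the bulletin requires, and adds a post-check that no log4j-api-2*.jar remains deployed. The stand-alone run at the bottom exercises the procedure against a constructed throwaway directory tree with stub stopServer.sh/startServer.sh scripts, not a real installation.

```shell
#!/bin/sh
# Added example, not part of the IBM bulletin. Automates the WebGUI 8.1.0.11+ step:
# stop the JazzSM server, move every log4j-api-2*.jar out of the deployed
# OMNIbusWebGUI.war, verify none remain, and start the server again.
# Assumptions: the $JazzSMHOME layout and server name "server1" are as in the
# bulletin; the WAR is located by name under profile/installedApps so the cell
# name (JazzSMNode01Cell in the bulletin's example path) is not hard-coded.
set -eu

# Move each log4j-api-2*.jar found in the deployed WAR's WEB-INF/lib to ARCHIVE_DIR.
# Refuses an ARCHIVE_DIR inside JAZZSM_HOME, since the bulletin requires it to be
# outside. Prints the number of jars moved.
archive_log4j_api() {
    jazzsm_home=$1
    archive_dir=$2
    case "$archive_dir" in
        "$jazzsm_home"|"$jazzsm_home"/*)
            echo "archive directory $archive_dir must be outside $jazzsm_home" >&2
            return 1 ;;
    esac
    mkdir -p "$archive_dir"
    jars=$(find "$jazzsm_home/profile/installedApps" -type f \
               -path '*/OMNIbusWebGUI.war/WEB-INF/lib/log4j-api-2*.jar')
    if [ -z "$jars" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$jars" | while IFS= read -r jar; do
        mv "$jar" "$archive_dir/"
    done
    printf '%s\n' "$jars" | wc -l | tr -d ' '
}

# Post-check: count log4j-api-2*.jar files still deployed (expected 0 after the move).
remaining_log4j_api() {
    find "$1/profile/installedApps" -type f \
        -path '*/OMNIbusWebGUI.war/WEB-INF/lib/log4j-api-2*.jar' | wc -l | tr -d ' '
}

# The full procedure from the bulletin: stop, move, start. Prints the moved count.
remediate_webgui_log4j_api() {
    jazzsm_home=$1
    archive_dir=$2
    server=${3:-server1}
    "$jazzsm_home/profile/bin/stopServer.sh" "$server"
    archive_log4j_api "$jazzsm_home" "$archive_dir"
    "$jazzsm_home/profile/bin/startServer.sh" "$server"
}

# Constructed fixture (not a real installation): a throwaway JazzSM home with stub
# stopServer.sh/startServer.sh that log their calls, and a deployed WAR holding a
# log4j-api-2.17.0.jar plus an unrelated jar that must be left in place.
make_fixture() {
    root=$(mktemp -d)
    bin="$root/jazzsm/profile/bin"
    lib="$root/jazzsm/profile/installedApps/JazzSMNode01Cell/isc.ear/OMNIbusWebGUI.war/WEB-INF/lib"
    mkdir -p "$bin" "$lib"
    : > "$lib/log4j-api-2.17.0.jar"
    : > "$lib/commons-lang-2.6.jar"
    printf '#!/bin/sh\necho "stop $1" >> "%s/server.log"\n' "$root" > "$bin/stopServer.sh"
    printf '#!/bin/sh\necho "start $1" >> "%s/server.log"\n' "$root" > "$bin/startServer.sh"
    chmod +x "$bin/stopServer.sh" "$bin/startServer.sh"
    echo "$root"
}

# Stand-alone run: exercise the procedure against the fixture and report the result.
root=$(make_fixture)
moved=$(remediate_webgui_log4j_api "$root/jazzsm" "$root/log4j-archive")
echo "moved $moved jar(s); log4j-api jars still deployed: $(remaining_log4j_api "$root/jazzsm")"
rm -rf "$root"
```

Against a real installation, call remediate_webgui_log4j_api with $JazzSMHOME and an archive directory on the same host but outside it; the post-check should report 0 before the server is put back into service, and the archived jar is kept so the change can be reversed if needed.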
Workarounds and Mitigations
None
References
Acknowledgement
Change History
17 Dec 2021: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Document Information
Modified date:
22 December 2021
Initial Publish date:
17 December 2021
UID
ibm16528426