IBM Support

IBM Tivoli Netcool/Impact V7.1.0 interim fix 10 (7.1.0-TIV-NCI-IF0010)

Abstract

IBM Tivoli Netcool/Impact 7.1.0 Interim Fix 10 addresses multiple vulnerabilities (CVE-2021-44228, CVE-2021-45105, CVE-2021-45046 and CVE-2021-44832) reported against Apache Log4j2. The Log4j2 library is included in IBM Tivoli Netcool Impact 7.1 FP18 to FP24 and is used to provide logging functionality.

Download Description

Note: This interim fix supersedes interim fix 9, which previously addressed CVE-2021-44228 and CVE-2021-45046.

The following Netcool/Impact APARs are delivered with interim fix 10:

IBM Tivoli Netcool/Impact 7.1.0 interim fix 10 updates Log4J to v2.17.1

Impact versions 7.1.0.17 and earlier shipped with Log4J V1 and so are not affected by CVE-2021-44228. Log4J V2 is only available from 7.1.0.18 onwards. However, Log4J V1 is vulnerable to CVE-2021-4104. IBM recommends upgrading to 7.1.0.18 or higher and then immediately applying interim fix 10.

Prerequisites

- The current Impact level must be at any one of the following levels:

   7.1.0 Fix Pack 18
   7.1.0 Fix Pack 18 IF9
   7.1.0 Fix Pack 19
   7.1.0 Fix Pack 19 IF7
   7.1.0 Fix Pack 19 IF9
   7.1.0 Fix Pack 20
   7.1.0 Fix Pack 20 IF8
   7.1.0 Fix Pack 20 IF9
   7.1.0 Fix Pack 21
   7.1.0 Fix Pack 21 IF9
   7.1.0 Fix Pack 22
   7.1.0 Fix Pack 22 IF9
   7.1.0 Fix Pack 23
   7.1.0 Fix Pack 23 IF9
   7.1.0 Fix Pack 24
   7.1.0 Fix Pack 24 IF9

- Impact server must be shut down.
- Impact GUI must be shut down.
- No specific installation order is required; however, this interim fix must be applied to both the Impact Server and the GUI Servers.

The installer makes changes to the following directories which must exist before installing the interim fix:
<IMPACT_HOME>/lib3p/
<IMPACT_HOME>/wlp/usr/servers/ImpactUI/apps/ImpactUI.ear/lib/
<IMPACT_HOME>/dsa/XmlDsa/bin/

Installation Instructions

  • The interim fix installation process will automatically back up the interim fix affected files. It will attempt to detect the previously defined fix pack backup directory and use that location to back up the interim fix affected files. If a backup directory is not found, the uninstall_IF script will exit and provide directions to define the backup directory.
  • After the interim fix installation completes, the Impact server and/or GUI will not be automatically started.
  • Start the Impact server with the --clean option; this will remove temporary files from the workarea.
    export JAVA_HOME=$IMPACT_HOME/sdk/jre/
    $IMPACT_HOME/wlp/bin/server start <SERVER> --clean
    (where SERVER is the name of the Impact instance, e.g. NCI)
  • The interim fix installer will also point to the location where the interim fix uninstaller can be run from, to uninstall the interim fix:
   <backup_directory>/install_IF/7.1.0_IF0010/uninstall_IF.sh
   <backup_directory>\install_IF\7.1.0_IF0010\uninstall_IF.bat
      For example:
   /opt/IBM/tivoli/impact/backup/install_IF/7.1.0_IF0010/uninstall_IF.sh
   C:\Program Files\IBM\Tivoli\impact\backup\install_IF\7.1.0_IF0010\uninstall_IF.bat
  • The interim fix installer will verify that the following property is not set to false in jvm.options.
    -Dlog4j2.formatMsgNoLookups=false
    This property must be removed or changed to a different value to continue the installation.
    Remove the line from <IMPACT_HOME>/wlp/usr/servers/<SERVER>/jvm.options to restart the installation.
  • If another fix pack is applied or the current fix pack is rolled back, then the interim fix must be re-applied. Run the installation of the interim fix. It isn't necessary to uninstall the interim fix.
  • Interim fix 10 can be installed on top of interim fix 9. There is no requirement to uninstall interim fix 9 before installing interim fix 10.
  • Interim fix 9 is not a prerequisite for interim fix 10. There is no requirement to install interim fix 9 before installing interim fix 10.
  • If interim fix 10 is installed on top of interim fix 9, interim fix 9 should not be uninstalled as this would also revert interim fix 10.
  • Interim fix 9 should not be installed on top of interim fix 10.
  • After installation, the previous versions of Log4j will be moved to a backup location for rollback purposes. These versions are not actively used by the product; however, security scans may continue to flag the backup copy. If the files must be removed but the rollback capability is still required, an archive of the backup location should be created before deleting the log4j files.
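
The prerequisite directories and the jvm.options property check described above can be verified before running the installer. The script below is an added example, not IBM's installer or part of the original page; the function names are hypothetical, and the whole-line, case-insensitive match on the property is an assumption about how the setting appears in jvm.options.

```shell
#!/bin/sh
# Added example: pre-installation checks for interim fix 10 (not IBM's installer).
# Function names are hypothetical; the paths come from the page.

# Directories that must exist under <IMPACT_HOME> before installing.
REQUIRED_DIRS="lib3p wlp/usr/servers/ImpactUI/apps/ImpactUI.ear/lib dsa/XmlDsa/bin"

# Print each required directory missing under $1; return 1 if any is missing.
missing_dirs() {
    rc=0
    for d in $REQUIRED_DIRS; do
        [ -d "$1/$d" ] || { echo "$1/$d"; rc=1; }
    done
    return $rc
}

# Print each <IMPACT_HOME>/wlp/usr/servers/<SERVER>/jvm.options that has an
# active line -Dlog4j2.formatMsgNoLookups=false; return 1 if any does.
# Lines starting with '#' are comments and do not match.
# Assumption: the property sits alone on its line; matched case-insensitively.
blocking_jvm_options() {
    rc=0
    for f in "$1"/wlp/usr/servers/*/jvm.options; do
        [ -f "$f" ] || continue
        if grep -Eiq '^[[:space:]]*-Dlog4j2\.formatMsgNoLookups=false[[:space:]]*$' "$f"; then
            echo "$f"; rc=1
        fi
    done
    return $rc
}

# Run both checks against $1 (IMPACT_HOME); return 0 only if both pass.
preflight() {
    ok=0
    missing=$(missing_dirs "$1") || { echo "Missing directories:"; echo "$missing"; ok=1; }
    blocked=$(blocking_jvm_options "$1") || {
        echo "Remove -Dlog4j2.formatMsgNoLookups=false from:"; echo "$blocked"; ok=1; }
    [ "$ok" -eq 0 ] && echo "Preflight passed for $1"
    return $ok
}

# Example: sh preflight.sh /opt/IBM/tivoli/impact
if [ $# -gt 0 ]; then preflight "$1"; fi
```

Run it once on the Impact Server host and once on each GUI Server host, since the interim fix is applied to both.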
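
Because the superseded Log4j jars remain in the backup location, a scanner finding has to be attributed either to the backup copy or to a jar still in active use. The script below is an added example, not part of the original page or IBM tooling; it assumes the jars keep the upstream log4j-core-<version>.jar file name and that the backup directory is passed in explicitly, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage Log4j scanner findings after interim fix 10.
# Assumptions: jars use the upstream name log4j-core-<version>.jar, and the
# backup directory is the one the installer reported.
FIXED="2.17.1"   # Log4j version delivered by interim fix 10

# Return 0 if dotted version $1 sorts strictly before $2.
older_than() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# inventory IMPACT_HOME BACKUP_DIR
# Prints one line per jar: <active|backup> <ok|below-fixed> <version> <path>
inventory() {
    find "$1" -type f -name 'log4j-core-*.jar' | sort | while IFS= read -r jar; do
        ver=$(basename "$jar" .jar); ver=${ver#log4j-core-}
        case "$jar" in "$2"/*) where=backup ;; *) where=active ;; esac
        if older_than "$ver" "$FIXED"; then state=below-fixed; else state=ok; fi
        echo "$where $state $ver $jar"
    done
}

# Return 0 if no jar outside the backup directory is below $FIXED.
active_copies_fixed() {
    ! inventory "$1" "$2" | grep -q '^active below-fixed '
}

# Example: sh log4j_inventory.sh /opt/IBM/tivoli/impact /opt/IBM/tivoli/impact/backup
if [ $# -eq 2 ]; then inventory "$1" "$2"; active_copies_fixed "$1" "$2"; fi
```

A line reported as `backup below-fixed` is the rollback copy the page describes; a line reported as `active below-fixed` means the interim fix is not in effect for that path.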

How critical is this fix?

IBM strongly recommends applying the interim fix now.

Downloadable file: 7.1.0-TIV-NCI-IF0010.zip (05 Jan 2022, English, 1959893 B, Platform Independent)
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Netcool+Impact&fixids=7.1.0-TIV-NCI-IF0010&source=SAR

Document Location

Worldwide

Product: Tivoli Netcool/Impact; Version: 7.1.0; Platforms: AIX, Linux, Solaris, Windows

Document Information

Modified date: 07 February 2022

UID: ibm16536702