Security Bulletin: Multiple Security Vulnerabilities in Apache-MINA libraries used by IBM Tivoli Netcool Configuration Manager

Summary

Multiple vulnerabilities in the third-party Apache-MINA libraries used by IBM Tivoli Netcool Configuration Manager have been addressed.

Vulnerability Details

CVEID:   CVE-2026-42778
DESCRIPTION:   The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late, after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.1.0 through 2.1.11, and 2.2.0 through 2.2.6. The problem is resolved in Apache MINA 2.1.12 and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.
CWE:   CWE-502: Deserialization of Untrusted Data
CVSS Source:   security@apache.org
CVSS Base score:   9.8
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2026-42779
DESCRIPTION:   The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.1.0 through 2.1.11, and 2.2.0 through 2.2.6. The problem is resolved in Apache MINA 2.1.12 and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.
CWE:   CWE-502: Deserialization of Untrusted Data
CVSS Source:   security@apache.org
CVSS Base score:   9.8
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2026-47065
DESCRIPTION:   ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy. Assessment: Fully addressed. When the serialised stream contains a TC_PROXYCLASSDESC (the marker for a java.lang.reflect.Proxy), the JDK's ObjectInputStream.readProxyDesc() is dispatched. The JDK then calls the default ObjectInputStream.resolveProxyClass(interfaces) implementation, which performs Class.forName(intf, false, latestUserDefinedLoader()) for EACH interface name and constructs the proxy class, bypassing the accepted classes list. ZDRES-233: Class.forName(name, initialize=true, classLoader) in readClassDescriptor Triggers Static Initialiser of Allow-Listed Classes. Assessment: Fully addressed. For ANY class on the allow-list, deserialising a stream that names it triggers the class's <clinit> (static initialiser) BEFORE any instance is constructed. This means an attacker who supplies a class name on the allow-list (e.g., the developer wrote accept("com.myapp.*"), the attacker supplies com.myapp.SomeClass) causes <clinit> of SomeClass, and many real-world classes have side-effecting static initialisers. Both issues have been fixed.
CWE:   CWE-502: Deserialization of Untrusted Data
CVSS Source:   security@apache.org
CVSS Base score:   9.8
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2026-41409
DESCRIPTION:   The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late, after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.
CWE:   CWE-502: Deserialization of Untrusted Data
CVSS Source:   security@apache.org
CVSS Base score:   9.8
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2026-41635
DESCRIPTION:   Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.
CWE:   CWE-502: Deserialization of Untrusted Data
CVSS Source:   security@apache.org
CVSS Base score:   9.8
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)                      | Core - Version(s)            | Driver - Version(s)
IBM Tivoli Netcool Configuration Manager | 6.4.2 GA through to 6.4.2.24 | Drivers 24 through Drivers 30

Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now.

The following remediation steps apply to both the ITNCM Core and Drivers components and must be completed to update the Apache MINA libraries to the required versions.

ITNCM Core Remediation/Fixes:

Note:
a. If ITNCM is running on a fix pack older than FP24, it must first be upgraded to FP24, because this patch is intended to be applied only on top of ITNCM FP24.
b. This patch must be applied on all presentation and standalone/linked worker servers.
c. Apply this patch as the user with which ITNCM (ncm) was installed.

* Replace $INSTALL_DIR with the directory where ITNCM is installed
on your system (e.g. /opt/IBM/tivoli/netcool/ncm).
* Replace $JAZZ_PATH in the instructions below with the Jazz Path
directory for your installation (e.g. /opt/IBM/JazzSM).

1. Download the new library versions (mina-core-2.2.7.jar, sshd-core-2.17.1.jar and sshd-common-2.17.1.jar) from the Maven repository.

2. Back up the existing libraries by copying them to a safe location:
 
cp $INSTALL_DIR/lib/mina-core-2.2.4.jar <backup_location>/
cp $INSTALL_DIR/lib/sshd-core-2.12.1.jar <backup_location>/
cp $INSTALL_DIR/lib/sshd-common-2.12.1.jar <backup_location>/
cp $INSTALL_DIR/autodiscovery/lib/sshd-core-2.13.2.jar <backup_location>/
cp $INSTALL_DIR/autodiscovery/lib/sshd-common-2.13.2.jar <backup_location>/

3. Stop all running ITNCM processes by using the "itncm.sh stop" command:
 
$INSTALL_DIR/bin/itncm.sh stop

4. Copy the new mina-core-2.2.7.jar to the following locations:
 
cp mina-core-2.2.7.jar $INSTALL_DIR/lib/
cp mina-core-2.2.7.jar $INSTALL_DIR/autodiscovery/lib/
cp mina-core-2.2.7.jar $JAZZ_PATH/profile/installedApps/JazzSMNode01Cell/IMC.ear/webstart.war/

5. Copy the new sshd-core-2.17.1.jar to the following locations:
 
cp sshd-core-2.17.1.jar $INSTALL_DIR/lib/
cp sshd-core-2.17.1.jar $INSTALL_DIR/autodiscovery/lib/
cp sshd-core-2.17.1.jar $JAZZ_PATH/profile/installedApps/JazzSMNode01Cell/IMC.ear/webstart.war/

6. Copy the new sshd-common-2.17.1.jar to the following locations:
 
cp sshd-common-2.17.1.jar $INSTALL_DIR/lib/
cp sshd-common-2.17.1.jar $INSTALL_DIR/autodiscovery/lib/
cp sshd-common-2.17.1.jar $JAZZ_PATH/profile/installedApps/JazzSMNode01Cell/IMC.ear/webstart.war/

7. Update the classpath configuration files:
- Edit $INSTALL_DIR/bin/classpath and change:
- mina-core-2.2.4.jar to mina-core-2.2.7.jar
- sshd-core-2.12.1.jar to sshd-core-2.17.1.jar
- sshd-common-2.12.1.jar to sshd-common-2.17.1.jar
- Edit $INSTALL_DIR/bin/classpath-core and change:
- mina-core-2.2.4.jar to mina-core-2.2.7.jar
- sshd-core-2.12.1.jar to sshd-core-2.17.1.jar
- sshd-common-2.12.1.jar to sshd-common-2.17.1.jar

8. Remove the old mina-core-2.2.4.jar from all locations:
 
rm -rf $INSTALL_DIR/lib/mina-core-2.2.4.jar
rm -rf $INSTALL_DIR/autodiscovery/lib/mina-core-2.2.4.jar
rm -rf $JAZZ_PATH/profile/installedApps/JazzSMNode01Cell/IMC.ear/webstart.war/mina-core-2.2.4.jar

9. Remove the old sshd-core 2.12.1 and 2.13.2 jars from all locations:
 
rm -rf $INSTALL_DIR/lib/sshd-core-2.12.1.jar
rm -rf $INSTALL_DIR/autodiscovery/lib/sshd-core-2.13.2.jar
rm -rf $JAZZ_PATH/profile/installedApps/JazzSMNode01Cell/IMC.ear/webstart.war/sshd-core-2.12.1.jar

10. Remove the old sshd-common 2.12.1 and 2.13.2 jars from all locations:
 
rm -rf $INSTALL_DIR/lib/sshd-common-2.12.1.jar
rm -rf $INSTALL_DIR/autodiscovery/lib/sshd-common-2.13.2.jar
rm -rf $JAZZ_PATH/profile/installedApps/JazzSMNode01Cell/IMC.ear/webstart.war/sshd-common-2.12.1.jar

11. Restart ITNCM by using the "itncm.sh start" command:
 
$INSTALL_DIR/bin/itncm.sh start

To roll back to the previous versions of the jars, stop ITNCM as described in step 3, restore the backups that you made in step 2 to all the locations listed in steps 4, 5 and 6, revert the classpath changes made in step 7, remove the newer libraries that were copied in steps 4, 5 and 6, and then perform step 11 to start ITNCM again.

ITNCM Drivers Remediation/Fixes:

Note:
a. If ITNCM is running on a fix pack older than FP24, it must first be upgraded to FP24 with all drivers on the drivers30 release, because this patch is intended to be applied only on top of ITNCM FP24 with drivers30.
b. This patch must be applied on all presentation and standalone/linked worker servers.
c. Apply this patch as the user with which ITNCM (ncm) was installed.

* Replace $INSTALL_DIR with the directory where ITNCM is installed
on your system (e.g. /opt/IBM/tivoli/netcool/ncm).

1. Download the new library versions (mina-core-2.2.7.jar, sshd-core-2.17.1.jar and sshd-common-2.17.1.jar) from the Maven repository.

2. Back up the existing libraries by copying them to a backup location:
 
cp $INSTALL_DIR/drivers/lib_legacy/mina-core-2.2.4.jar <backup_location>/
cp $INSTALL_DIR/drivers/lib_legacy/sshd-core-2.13.2.jar <backup_location>/
cp $INSTALL_DIR/drivers/lib_legacy/sshd-common-2.13.2.jar <backup_location>/

3. Stop all running ITNCM processes by using the "itncm.sh stop" command:
 
$INSTALL_DIR/bin/itncm.sh stop

4. Copy the new mina-core-2.2.7.jar to the following locations:
 
cp mina-core-2.2.7.jar $INSTALL_DIR/drivers/lib_legacy/mina-core-2.2.7.jar
cp mina-core-2.2.7.jar $INSTALL_DIR/drivers/lib_legacy_cache_Worker1_GUI_SERVER/mina-core-2.2.7.jar
cp mina-core-2.2.7.jar $INSTALL_DIR/drivers/lib_legacy_cache_Worker1_WORKER/mina-core-2.2.7.jar
cp mina-core-2.2.7.jar $INSTALL_DIR/drivers/lib_legacy_cache/mina-core-2.2.7.jar

5. Copy the new sshd-core-2.17.1.jar to the following locations:
 
cp sshd-core-2.17.1.jar $INSTALL_DIR/drivers/lib_legacy/sshd-core-2.17.1.jar
cp sshd-core-2.17.1.jar $INSTALL_DIR/drivers/lib_legacy_cache_Worker1_GUI_SERVER/sshd-core-2.17.1.jar
cp sshd-core-2.17.1.jar $INSTALL_DIR/drivers/lib_legacy_cache_Worker1_WORKER/sshd-core-2.17.1.jar
cp sshd-core-2.17.1.jar $INSTALL_DIR/drivers/lib_legacy_cache/sshd-core-2.17.1.jar

6. Copy the new sshd-common-2.17.1.jar to the following locations:
 
cp sshd-common-2.17.1.jar $INSTALL_DIR/drivers/lib_legacy/sshd-common-2.17.1.jar
cp sshd-common-2.17.1.jar $INSTALL_DIR/drivers/lib_legacy_cache_Worker1_GUI_SERVER/sshd-common-2.17.1.jar
cp sshd-common-2.17.1.jar $INSTALL_DIR/drivers/lib_legacy_cache_Worker1_WORKER/sshd-common-2.17.1.jar
cp sshd-common-2.17.1.jar $INSTALL_DIR/drivers/lib_legacy_cache/sshd-common-2.17.1.jar

7. Remove the old mina-core-2.2.4.jar from all locations:
 
rm -rf $INSTALL_DIR/drivers/lib_legacy/mina-core-2.2.4.jar
rm -rf $INSTALL_DIR/drivers/lib_legacy_cache_Worker1_GUI_SERVER/mina-core-2.2.4.jar
rm -rf $INSTALL_DIR/drivers/lib_legacy_cache_Worker1_WORKER/mina-core-2.2.4.jar
rm -rf $INSTALL_DIR/drivers/lib_legacy_cache/mina-core-2.2.4.jar

8. Remove the old sshd-core-2.13.2.jar from all locations:
 
rm -rf $INSTALL_DIR/drivers/lib_legacy/sshd-core-2.13.2.jar
rm -rf $INSTALL_DIR/drivers/lib_legacy_cache_Worker1_GUI_SERVER/sshd-core-2.13.2.jar
rm -rf $INSTALL_DIR/drivers/lib_legacy_cache_Worker1_WORKER/sshd-core-2.13.2.jar
rm -rf $INSTALL_DIR/drivers/lib_legacy_cache/sshd-core-2.13.2.jar

9. Remove the old sshd-common-2.13.2.jar from all locations:
 
rm -rf $INSTALL_DIR/drivers/lib_legacy/sshd-common-2.13.2.jar
rm -rf $INSTALL_DIR/drivers/lib_legacy_cache_Worker1_GUI_SERVER/sshd-common-2.13.2.jar
rm -rf $INSTALL_DIR/drivers/lib_legacy_cache_Worker1_WORKER/sshd-common-2.13.2.jar
rm -rf $INSTALL_DIR/drivers/lib_legacy_cache/sshd-common-2.13.2.jar

10. Restart ITNCM by using the "itncm.sh start" command:
 
$INSTALL_DIR/bin/itncm.sh start

To roll back to the previous versions of the jars, stop ITNCM as described in step 3, restore the backups that you made in step 2 to all the locations listed in steps 4, 5 and 6, remove the newer libraries that were copied in steps 4, 5 and 6, and then perform step 10 to start ITNCM again.
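As an added post-patch check (example script, not part of the IBM bulletin): it walks every library directory named in the Core and Drivers procedures above, assuming the bulletin's directory layout under $INSTALL_DIR and $JAZZ_PATH, and reports any old jar that survived, any new jar missing from a directory that exists, and any classpath file that still names an old version.

```shell
#!/bin/sh
# Added post-patch check (example code, not part of the IBM bulletin).
# Assumes the directory layout the bulletin's steps use under $INSTALL_DIR
# and $JAZZ_PATH; it fails if any old jar remains, if a new jar is missing
# from a location that exists, or if a classpath file still names an old jar.

OLD_JARS="mina-core-2.2.4.jar sshd-core-2.12.1.jar sshd-core-2.13.2.jar \
sshd-common-2.12.1.jar sshd-common-2.13.2.jar"
NEW_JARS="mina-core-2.2.7.jar sshd-core-2.17.1.jar sshd-common-2.17.1.jar"

# Every library directory the Core and Drivers procedures copy into.
itncm_lib_dirs() {
    inst="$1"; jazz="$2"
    echo "$inst/lib"
    echo "$inst/autodiscovery/lib"
    echo "$jazz/profile/installedApps/JazzSMNode01Cell/IMC.ear/webstart.war"
    for d in lib_legacy lib_legacy_cache lib_legacy_cache_Worker1_GUI_SERVER \
             lib_legacy_cache_Worker1_WORKER; do
        echo "$inst/drivers/$d"
    done
}

# Returns 0 only when the install is fully on the patched library versions.
# Each finding is printed so the operator knows which step to redo.
check_itncm_jars() {
    inst="$1"; jazz="$2"; rc=0
    for dir in $(itncm_lib_dirs "$inst" "$jazz"); do
        [ -d "$dir" ] || continue          # not every layout has every dir
        for jar in $OLD_JARS; do
            [ -e "$dir/$jar" ] && { echo "OLD JAR STILL PRESENT: $dir/$jar"; rc=1; }
        done
        for jar in $NEW_JARS; do
            [ -e "$dir/$jar" ] || { echo "NEW JAR MISSING: $dir/$jar"; rc=1; }
        done
    done
    # Step 7 of the Core procedure edits these two files by hand.
    for cp in "$inst/bin/classpath" "$inst/bin/classpath-core"; do
        [ -f "$cp" ] || continue
        for jar in $OLD_JARS; do
            grep -qF "$jar" "$cp" && { echo "OLD JAR STILL IN $cp: $jar"; rc=1; }
        done
    done
    return $rc
}
```

Run it on each server after step 10 (Drivers) or step 11 (Core) with `check_itncm_jars "$INSTALL_DIR" "$JAZZ_PATH"`; a non-zero exit means one of the copy, remove or classpath steps still needs to be redone on that host.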

Workarounds and Mitigations

None

References

Acknowledgement

Change History

02 Jul 2026: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide

Document Information

Modified date:
02 July 2026

Initial Publish date:
02 July 2026

UID

ibm17278851