Lucene search

IBMEBBA69401956060B98C4FDDE1CDAAA10D09B28A527F8C5C2F8D2998B16B675C4

HistoryDec 15, 2020 - 1:01 p.m.

Security Bulletin: Multiple vulnerabilities in Apache Batik affect Tivoli Netcool/OMNIbus WebGUI (CVE-2017-5662, CVE-2018-8013, CVE-2015-0250, CVE-2019-17566)

2020-12-1513:01:33

www.ibm.com

0.043 Low

EPSS

Percentile

92.4%

JSON

Summary

Fix is available for vulnerabilities in Apache Batik affecting Tivoli Netcool/OMNIbus WebGUI (CVE-2017-5662, CVE-2018-8013, CVE-2015-0250, CVE-2019-17566).

Vulnerability Details

CVEID:CVE-2019-17566
**DESCRIPTION:**Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the “xlink:href” attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183402 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2017-5662
**DESCRIPTION:**Apache Batik could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By using a specially-crafted SVG file, a remote attacker could exploit this vulnerability to obtain sensitive information or possibly cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/125198 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

CVEID:CVE-2018-8013
**DESCRIPTION:**Apache Batik could allow a remote attacker to obtain sensitive information, caused by an error when deserializing subclass of AbstractDocument. An attacker could exploit this vulnerability to reveal files and obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/143678 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2015-0250
**DESCRIPTION:**Apache Batik could allow a remote attacker to obtain sensitive information. By persuading a victim to open a specially-crafted SVG file, an attacker could exploit this vulnerability to reveal files and obtain sensitive information.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/101614 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Tivoli Netcool/OMNIbus_GUI	8.1.x

Remediation/Fixes

Product	VRMF	APAR	Remediation/First Fix
Tivoli Netcool/OMNIbus WebGUI	8.1.0	IJ29150	Apply Fix Pack 21
(Fix Pack for WebGUI 8.1.0 Fix Pack 21)

Workarounds and Mitigations

None

CPENameOperatorVersion
tivoli netcool/omnibuseq8.1.0

CPE	Name	Operator	Version
	tivoli netcool/omnibus	eq	8.1.0

0.043 Low

EPSS

Percentile

92.4%

JSON

Related for EBBA69401956060B98C4FDDE1CDAAA10D09B28A527F8C5C2F8D2998B16B675C4