Security Bulletin: Multiple vulnerabilities in React, webpack and Node.js modules affect Tivoli Netcool/OMNIbus WebGUI
Discription

## Summary

Fix is available for vulnerabilities in React, webpack and Node.js modules affecting Tivoli Netcool/OMNIbus WebGUI. The modules are used by Tivoli Netcool/OMNIbus WebGUI as part of its web client components. The fix updates the modules to the fixed versions.

## Vulnerability Details

** CVEID: **[CVE-2017-16028]()
** DESCRIPTION: **Node.js randomatic module could provide weaker than expected security, caused by the use of a weak psuedo-random number generator for the oauth Random Token. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/145663]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

** CVEID: **[CVE-2021-37712]()
** DESCRIPTION: **Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by an arbitrary file creation/overwrite vulnerability. By creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, an attacker could use an untrusted tar file to symlink into an arbitrary location and extract arbitrary files into that location to create or overwrite arbitrary files and execute arbitrary code on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208450]() for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

** CVEID: **[CVE-2021-32804]()
** DESCRIPTION: **Node.js tar module could allow a local attacker to traverse directories on the system, caused by insufficient absolute path sanitization. An attacker could use a specially-crafted tar file containing “dot dot” sequences (/../) to create or overwrite arbitrary files on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/206719]() for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

** CVEID: **[CVE-2021-37701]()
** DESCRIPTION: **Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by an arbitrary file creation/overwrite vulnerability. By creating a directory, and then replacing that directory with a symlink, an attacker could use an untrusted tar file to symlink into an arbitrary location and extract arbitrary files into that location to create or overwrite arbitrary files and execute arbitrary code on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208442]() for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

** CVEID: **[CVE-2021-32803]()
** DESCRIPTION: **Node.js tar module could allow a local attacker to traverse directories on the system, caused by insufficient symlink protection. An attacker could use a specially-crafted tar file containing “dot dot” sequences (/../) to create or overwrite arbitrary files on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/206717]() for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

** CVEID: **[CVE-2021-37713]()
** DESCRIPTION: **Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by insufficient logic on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target. An attacker could exploit this vulnerability to create or overwrite arbitrary files and execute arbitrary code on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208451]() for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

** CVEID: **[CVE-2018-3745]()
** DESCRIPTION: **Node.js atob module could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/144130]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

** CVEID: **[CVE-2019-10746]()
** DESCRIPTION: **Node.js mixin-deep module is vulnerable to a denial of service, caused by a prototype pollution flaw. By sending a specially-crafted request using a constructor payload, a remote attacker could exploit this vulnerability to inject properties onto Object.prototype to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167420]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

** CVEID: **[CVE-2018-3719]()
** DESCRIPTION: **Node.js mixin-deep module could allow a remote attacker to bypass security restrictions, caused by a flaw in the Utilities function. By modifing the prototype of Object, an attacker could exploit this vulnerability to add or modify existing property that will exist on all objects.
CVSS Base score: 5.3
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/144601]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

** CVEID: **[CVE-2020-7788]()
** DESCRIPTION: **Node.js ini module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192931]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

** CVEID: **[CVE-2019-10747]()
** DESCRIPTION: **Node.js set-value module is vulnerable to a denial of service, caused by a prototype pollution flaw. By sending a specially-crafted request using a constructor payload, a remote attacker could exploit this vulnerability to inject properties onto Object.prototype to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167421]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

** CVEID: **[CVE-2022-0235]()
** DESCRIPTION: **Node.js node-fetch could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when fetching a remote url with Cookie. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217758]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

** CVEID: **[CVE-2020-15168]()
** DESCRIPTION: **Node.js node-fetch module is vulnerable to a denial of service, caused by the failure to honor the size option after following a redirect. By using a specially-crafted file, a remote attacker could exploit this vulnerability to consume excessive resource on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/188155]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

** CVEID: **[CVE-2020-7774]()
** DESCRIPTION: **Node.js y18n module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/191999]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

** CVEID: **[CVE-2022-25758]()
** DESCRIPTION: **Node.js scss-tokenizer module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) vulnerability in the loadAnnotation() function. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/230259]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

** CVEID: **[CVE-2018-6341]()
** DESCRIPTION: **React is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the ReactDOMServer API. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155181]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

** CVEID: **[CVE-2021-27292]()
** DESCRIPTION: **UAParser.js is vulnerable to a denial of service. By sending a specially crafted User-Agent header, a remote attacker could exploit this vulnerability to cause the application to process the file for an extended time.
CVSS Base score: 4.3
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198307]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

** CVEID: **[CVE-2020-7793]()
** DESCRIPTION: **ua-parser-js is vulnerable to a denial of service, caused by regular expression denial of service (ReDoS) in multiple regexes. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192997]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

** CVEID: **[CVE-2020-7733]()
** DESCRIPTION: **ua-parser-js is vulnerable to a denial of service. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a regular expression denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/188397]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

** CVEID: **[CVE-2021-23362]()
** DESCRIPTION: **Node.js hosted-git-info module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the fromUrl function in index.js. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198792]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

** CVEID: **[CVE-2021-42740]()
** DESCRIPTION: **Node.js shell-quote module could allow a remote attacker to execute arbitrary commands on the system, caused by a flaw with windows drive letter regex. By sending a specially-crafted shell metacharacters, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211858]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

** CVEID: **[CVE-2021-25949]()
** DESCRIPTION: **set-getter could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution vulnerability. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service.
CVSS Base score: 9.8
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/203875]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

** CVEID: **[CVE-2022-25858]()
** DESCRIPTION: **Node.js terser module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By sending specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/231377]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

** CVEID: **[CVE-2021-23440]()
** DESCRIPTION: **Nodejs set-value module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209431]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

## Affected Products and Versions

**Affected Product(s)**| **Version(s)**
—|—
IBM Tivoli Netcool/OMNIbus_GUI| 8.1.0 FP27 and earlier

## Remediation/Fixes

**Product**| **VRMF**| **APAR**| **Remediation/First Fix**
—|—|—|—
Tivoli Netcool/OMNIbus WebGUI| 8.1.0| IJ41359| Apply [WebGUI 8.1.0 Fix Pack 28]( “WebGUI 8.1.0 Fix Pack 28” )

## Workarounds and Mitigations

None

## Get Notified about Future Security Bulletins

Subscribe to [My Notifications]() to be notified of important product support alerts like this.

### References

[Complete CVSS v3 Guide]( “Link resides outside of ibm.com” )
[On-line Calculator v3]( “Link resides outside of ibm.com” )

Off

## Related Information

[IBM Secure Engineering Web Portal]()
[IBM Product Security Incident Response Blog]()

## Change History

09 Sep 2022: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

## Disclaimer

Review the [IBM security bulletin disclaimer and definitions]() regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

## Document Location

Worldwide

[{“Business Unit”:{“code”:”BU059″,”label”:”IBM Software w/o TPS”},”Product”:{“code”:”SSSHTQ”,”label”:”Tivoli Netcool/OMNIbus”},”Component”:”WebGUI”,”Platform”:[{“code”:”PF002″,”label”:”AIX”},{“code”:”PF016″,”label”:”Linux”},{“code”:”PF033″,”label”:”Windows”}],”Version”:”8.1.0″,”Edition”:””,”Line of Business”:{“code”:”LOB45″,”label”:”Automation”}}]Read More

Back to Main

Subscribe for the latest news: