SB2026052768 - Multiple vulnerabilities in IBM Tivoli Netcool/OMNIbus_GUI
Published: May 27, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 12 vulnerabilities.
1) Improper Certificate Validation (CVE-ID: CVE-2026-34477)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a man-in-the-middle attack.
The vulnerability exists due to improper certificate validation in the TLS hostname verification handling of the verifyHostName attribute in Log4j Core SSL configuration when establishing TLS connections for SMTP, Socket, or Syslog appenders. A remote attacker can present a certificate issued by a trusted certificate authority to perform a man-in-the-middle attack.
The issue occurs only when TLS is configured via a nested SSL configuration element, and it does not affect the HTTP appender.
2) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-41988)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a local user to modify data on the system.
The vulnerability exists due to uuid can make unexpected writes when external output buffers are used. A local user can gain unauthorized access to modify data on the system.
3) Prototype pollution (CVE-ID: CVE-2026-29063)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to modify object prototype attributes in affected JavaScript objects.
The vulnerability exists due to improper input validation in the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() functions when processing user-supplied input containing __proto__ properties. A remote attacker can send a specially crafted object input to pollute the prototype of base objects, leading to unauthorized property injection and potential privilege escalation.
Prototype pollution occurs without affecting the global Object.prototype, but injected properties can still be accessed through object property lookups even if not visible via Object.keys().
4) Resource exhaustion (CVE-ID: CVE-2016-5004)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
5) Prototype pollution (CVE-ID: CVE-2026-2950)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to modify object prototype attributes.
The vulnerability exists due to improper control of object prototype modification in _.unset and _.omit when processing array-wrapped path segments. A remote attacker can pass crafted path segments to modify object prototype attributes.
The bypass affects checks that only guard against string key members. The issue permits deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype, but does not allow overwriting their original behavior.
6) Prototype pollution (CVE-ID: CVE-2025-13465)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to alter application's behavior.
The vulnerability exists due to improper input validation within the in the _.unset and _.omit functions. A remote attacker can pass specially crafted input to the application and delete methods from global prototypes.
7) Code Injection (CVE-ID: CVE-2026-4800)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper control of code generation in _.template when processing untrusted options.imports key names. A remote attacker can supply crafted imports key names to execute arbitrary code.
Code execution occurs at template compilation time. If Object.prototype has been polluted by another vector, inherited polluted keys can also be copied into the imports object and passed to Function().
8) Out-of-bounds write (CVE-ID: CVE-2026-41907)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to accepting external output buffers, but not rejecting out-of-range writes (small buf or large offset). A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.
9) Improper validation of certificate with host mismatch (CVE-ID: CVE-2025-68161)
CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to the Socket Appender does not perform TLS hostname verification of the peer certificate, even when the "verifyHostName" configuration attribute or the "log4j2.sslVerifyHostName" system property is set to true. A remote attacker can perform MitM attack and intercept or redirect the log traffic.
10) Improper Output Neutralization for Logs (CVE-ID: CVE-2026-34478)
CWE-ID: CWE-117 - Improper Output Neutralization for Logs
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary log entries.
The vulnerability exists due to improper neutralization of CRLF sequences in Rfc5424Layout when processing logged data with direct Rfc5424Layout configuration using TCP framing. A remote attacker can supply specially crafted input containing CRLF sequences to inject arbitrary log entries.
Only users of stream-based syslog services who configure Rfc5424Layout directly are affected. Users of the SyslogAppender are not affected.
11) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-34480)
CWE-ID: CWE-116 - Improper Encoding or Escaping of Output
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause log event loss.
The vulnerability exists due to improper output neutralization in XmlLayout when processing log messages or MDC values containing XML 1.0 forbidden characters. A remote attacker can supply crafted input containing forbidden characters to cause log event loss.
The impact depends on the StAX implementation in use: built-in JRE StAX may produce malformed XML that downstream parsers reject, while alternative implementations may throw an exception during the logging call so the event is delivered only to Log4j's internal status logger.
12) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-34479)
CWE-ID: CWE-116 - Improper Encoding or Escaping of Output
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause downstream log processing systems to drop or fail to index affected records.
The vulnerability exists due to improper output neutralization in Log4j1XmlLayout when producing XML log output containing characters forbidden by the XML 1.0 standard. A remote attacker can cause such characters to be included in logged data to cause downstream log processing systems to drop or fail to index affected records.
The issue affects configurations using Log4j1XmlLayout directly in a Log4j Core 2 configuration file or through the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.
Remediation
Install update from vendor's website.