IBM Support

Security Bulletin: SmartCloud Provisioning - Django vulnerabilities reported in May 2014 X-Force Report

Created by Shyamala Rajagopalan on
Published URL:
https://www.ibm.com/support/pages/node/249821
249821

Security Bulletin


Summary

SmartCloud Provisioning - Django vulnerabilities reported in May 2014 X-Force Report (CVE-2014-1418, CVE-2014-3730).

Vulnerability Details

SmartCloud Provisioning 2.3 is shipped with Open Source Django. Securities vulnerabilities have been discovered in Django, which affect SmartCloud Provisioning. Django has released patch updates, which contain vulnerability fixes and SmartCloud Provisioning Django has been updated to include those fixes.



CVE-ID: CVE-2014-1418
Description: Django Vary and Cache-Control headers information disclosure. Django could allow a remote attacker to obtain sensitive information, which are caused by the failure to properly remove Vary and Cache-Control headers from HTTP responses. An attacker might exploit this vulnerability to obtain sensitive information.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93179 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)


CVE-ID: CVE-2014-3730
Description: Django malformed URL security bypass. Django might allow a remote attacker to bypass security restrictions, which are caused by the improper validation of malformed URLs. An attacker could exploit this vulnerability to gain unauthorized access to the system.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93158 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

SmartCloud Provisioning 2.3 Fix Pack 1, 2.3 Fix Pack 1 from IFix1 to IFix3

Remediation/Fixes

The recommended solution is to apply the appropriate fix from Fix Central as soon as practical.
Fix:

Upgrade to IBM SmartCloud Provisioning 2.3 Fix Pack 1, iFix 4

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Change History

September 12, 2014, first version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSZH3R","label":"IBM Service Agility Accelerator for Cloud"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"2.3","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
17 June 2018

UID

swg21683587