Vulnerability in Apache Tomcat affects IBM uBuild (CVE-2014-0227)

Created by Brian Young on
Published URL:
https://www.ibm.com/support/pages/node/256839

Security Bulletin


Summary

Apache Tomcat is vulnerable to HTTP request smuggling. Apache Tomcat is used by IBM uBuild.

Vulnerability Details

CVE-ID: CVE-2014-0227

Description: Apache Tomcat is vulnerable to HTTP request smuggling. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100751 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM uBuild 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, 5.0.1.3, 5.0.1.4, and 5.0.1.5 on all supported platforms.

Remediation/Fixes

Upgrade to IBM uBuild Fix Pack 6 (5.0.1.6) for 5.0.1; its installer includes a fixed version of Apache Tomcat.

Workarounds and Mitigations

    Note: This mitigation is intended for the servers in "Affected Products and Versions" only. It should not be applied on later releases.

    Mitigating HTTP request smuggling through Apache Tomcat
    1. Navigate to <server_install_dir>/opt/tomcat.
    2. Back up server.xml and tomcat.keystore files from the conf directory.
    3. Back up the webapps directory.
    4. Go up a directory to <server_install_dir>/opt and delete the tomcat directory.
    5. Extract Apache Tomcat 6.0.43 or later into <server_install_dir>/opt and rename the directory to tomcat, if needed.
    6. In the new tomcat directory, remove the webapps, logs, and temp directories. Remove the RELEASE-NOTES and RUNNING.txt files as well, as they are not needed.
    7. Drop the server.xml and tomcat.keystore files that were backed up earlier into the new conf directory. Overwrite the existing files, if prompted.
    8. Drop the webapps directory that was backed up earlier into the root of the tomcat directory.
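The eight steps above as a single POSIX shell script, added here as an example; it is not part of IBM's bulletin. It assumes the uBuild server is stopped, that the replacement Tomcat has already been extracted into a staging directory passed as the second argument, and that the staged RELEASE-NOTES carries the usual "Apache Tomcat Version x.y.z" line, which the script reads so it can refuse anything older than 6.0.43.

```shell
# Added example, not from the IBM bulletin: performs steps 1-8 above.
# Usage: replace_tomcat <server_install_dir> <staged_tomcat_dir>
# Assumes the uBuild server is stopped and <staged_tomcat_dir> is an
# already-extracted Apache Tomcat 6.0.43+ distribution.
set -eu

# version_ge A B: succeed when dotted numeric version A is at least B.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

replace_tomcat() {
    old="$1/opt/tomcat" new=$2
    # Sanity check: refuse to rm -rf anything that does not look like the
    # uBuild Tomcat tree described in step 1.
    if [ ! -f "$old/conf/server.xml" ] || [ ! -f "$old/conf/tomcat.keystore" ]; then
        echo "$old does not look like the uBuild Tomcat directory; aborting" >&2
        return 1
    fi
    # Step 5 names 6.0.43 as the minimum. RELEASE-NOTES is assumed to carry
    # the usual "Apache Tomcat Version x.y.z" line.
    ver=$(sed -n 's/.*Apache Tomcat Version \([0-9][0-9.]*\).*/\1/p' \
              "$new/RELEASE-NOTES" 2>/dev/null | head -n 1)
    if [ -z "$ver" ] || ! version_ge "$ver" 6.0.43; then
        echo "staged Tomcat version '${ver:-unknown}' is below 6.0.43; aborting" >&2
        return 1
    fi
    backup=$(mktemp -d)
    # Steps 2-3: keep the uBuild configuration, keystore and applications.
    cp -p "$old/conf/server.xml" "$old/conf/tomcat.keystore" "$backup/"
    cp -Rp "$old/webapps" "$backup/webapps"
    # Steps 4-5: replace the old tree with the staged distribution.
    rm -rf "$old"
    mv "$new" "$old"
    # Step 6: stock webapps, logs, temp and the two text files are not needed.
    rm -rf "$old/webapps" "$old/logs" "$old/temp" "$old/RELEASE-NOTES" "$old/RUNNING.txt"
    # Steps 7-8: put the saved configuration and applications back.
    cp -p "$backup/server.xml" "$backup/tomcat.keystore" "$old/conf/"
    cp -Rp "$backup/webapps" "$old/webapps"
    rm -rf "$backup"
}
```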

References

Acknowledgement

None

Change History

* 13 March 2015: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

PSIRT # 2818 Record # 50214

Attachments

All source code and/or binaries attached to this document are referred to here as "the Program". IBM is not providing program services of any kind for the Program. IBM is providing the Program on an "AS IS" basis without warranty of any kind. IBM WILL NOT BE LIABLE FOR ANY ACTUAL, DIRECT, SPECIAL, INCIDENTAL, OR INDIRECT DAMAGES OR FOR ANY ECONOMIC CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), EVEN IF IBM, OR ITS RESELLER, HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Document Information

Modified date:
17 June 2018

UID

swg21698472