IBM Support

Security Bulletin: IBM InfoSphere Metadata Asset Manager is subject to a denial of service vulnerability from its use of Apache Tomcat (CVE-2014-0095)

Created by Clyde Mendonca on
Published URL:
https://www.ibm.com/support/pages/node/515371
515371

Security Bulletin


Summary

Apache Tomcat is vulnerable to a denial of service caused by the improper handling of an AJP request. A remote attacker could exploit this vulnerability to consume a request processing thread and cause a denial of service.

Vulnerability Details

CVE ID: CVE-2014-0095

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93366 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM InfoSphere Metadata Asset Manager 8.7 and 9.1 running on all platforms

Remediation/Fixes

Product

VRMFAPARRemediation/First Fix
InfoSphere Metadata Asset Manager8.7, 9.1N/A --Follow instructions listed below

We do not believe that the product is affected by this vulnerability, but as the relevant port used for the exploit is not needed for operation of the product, we are recommending the remedial actions listed below.

Instructions:
Disable the AJP port and AJP connector by following the steps below:
Assuming <ISHOME> is the location of the Information Server installation

1. Stop Metadata Interchange agent by stopping the Windows service named 'IBM InfoSphere Metadata Integration Bridges'.

2. Open the file <ISHOME>\Clients\MetaBrokersAndBridges\web\conf\server.xml in an editor and search for the string 'AJP/1.3'.
Delete the line which has the string 'AJP/1.3' and save the file.

For example, if the Metadata Asset Manager is configured with default ports, the relevant line would appear as follows...
<Connector port="19979" protocol="AJP/1.3" redirectPort="19443" />

3. Start Metadata Interchange agent by starting the Windows service named 'IBM InfoSphere Metadata Integration Bridges'.

There is no impact to the users of InfoSphere Metadata Asset Manager by disabling the AJP connector.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Change History

2 July 2014: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

PSIRT 39538

[{"Product":{"code":"SSZJPZ","label":"IBM InfoSphere Information Server"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"IBM InfoSphere Metadata Asset Manager","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.1;8.7","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Product":{"code":"SSZJPZ","label":"IBM InfoSphere Information Server"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"IBM InfoSphere Metadata Asset Manager","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.1;8.7","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
16 June 2018

UID

swg21677720