IBM Support

Security Bulletin: Vulnerabilities in tomcat affect IBM SmartCloud Provisioning 2.1 for Software Virtual Appliance (CVE-2013-4590, CVE-2014-0119)

Created by Shyamala Rajagopalan on
Published URL:
https://www.ibm.com/support/pages/node/520681
520681

Security Bulletin


Summary

Vulnerabilities in tomcat6 packages affect IBM SmartCloud Provisioning 2.1 for Provided Software Virtual Appliance (CVE-2013-4590, CVE-2014-0119).

Vulnerability Details

    CVEID: CVE-2013-4590
    DESCRIPTION:     Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when running untrusted web applications. By sending a specially-crafted request, an attacker could exploit this vulnerability to read arbitrary files and obtain sensitive information.
    CVSS Base Score: 4.3
    CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91424 for more information
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

    CVEID: CVE-2014-0119
    DESCRIPTION:     Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the replacement of the XML parsers used to process XSLTs for the default servlet. An attacker could exploit this vulnerability using a specially-crafted application to obtain sensitive information.
    CVSS Base Score: 5
    CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93368 for more information
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)



Affected Products and Versions

IBM SmartCloud Provisioning 2.1 for Software Virtual Appliance

Remediation/Fixes

The recommended solution is download SmartCloud Provisioning 2.1 Fix Pack 5 for IBM Provided Software Virtual Appliance Interim Fix 3 from Fix Central and apply it as soon as practical.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

February 10, 2015: Original Version Published
April 21, 2015: updated References

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSZH3R","label":"IBM Service Agility Accelerator for Cloud"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"PF016","label":"Linux"}],"Version":"2.1;2.1.0.1;2.1.0.2;2.1.0.3","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
17 June 2018

UID

swg21691579

Page Feedback