Security Bulletin: Apache Log4j Vulnerabilities Affect IBM Sterling B2B Integrator

Security Bulletin

Summary

IBM Sterling B2B Integrator has integrated multiple security vulnerability fixes from Apache Log4j and the bundled Apache Tomcat. See the list of CVEs below for vulnerability details.

Vulnerability Details

CVEID:   CVE-2017-5645
DESCRIPTION:   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by an error when using the TCP socket server or UDP socket server to receive serialized log events from another application. By deserializing a specially crafted binary payload, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/127479 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-9488
DESCRIPTION:   Apache Log4j is vulnerable to a man-in-the-middle attack, caused by improper certificate validation with host mismatch in the SMTP appender. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180824 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2019-17571
DESCRIPTION:   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization of untrusted data in SocketServer. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173314 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2010-1157
DESCRIPTION:   Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an error related to the generation of a realm name when one isn't specified for a web.xml application. A remote attacker could exploit this vulnerability using the WWW-Authenticate header to obtain the IP address or local hostname of the system.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/58055 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID:   CVE-2010-2227
DESCRIPTION:   Apache Tomcat is vulnerable to a denial of service, caused by multiple flaws when handling Transfer-Encoding headers that prevents a buffer from recycling. By sending a specially-crafted request in a Transfer-Encoding header, a remote attacker could exploit this vulnerability to trigger the failure of subsequent requests or information leaks between the requests.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/60264 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVEID:   CVE-2010-4172
DESCRIPTION:   Apache Tomcat is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the sessionsList.jsp script. A remote attacker could exploit this vulnerability using the sort or orderby parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/63422 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2010-4312
DESCRIPTION:   Apache Tomcat could allow a remote attacker to hijack a valid user's session, caused by a missing HttpOnly mechanism flag in a Set-Cookie header. By persuading a victim to visit a specially-crafted link and log into the application, a remote attacker could exploit this vulnerability to hijack another user's account and possibly launch further attacks on the system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/63477 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2010-3718
DESCRIPTION:   Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the ServletContext attribute not being properly restricted to a read-only setting. An attacker could exploit this vulnerability to gain unauthorized read and write access to the system.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/65159 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2011-0534
DESCRIPTION:   Apache Tomcat is vulnerable to a denial of service, caused by an error in the NIO connector when processing a request line. By sending a specially-crafted request, a remote attacker could exploit the vulnerability to cause an OutOfMemory error and crash the server.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/65162 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:   CVE-2011-0013
DESCRIPTION:   Apache Tomcat is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when displaying web application data. A remote attacker could exploit this vulnerability using the HTML Manager interface to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/65160 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2011-2526
DESCRIPTION:   Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the improper validation of request attributes by sendfile. A remote attacker could exploit this vulnerability to obtain sensitive information and cause the JVM to crash.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/68541 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVEID:   CVE-2011-3190
DESCRIPTION:   Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the improper handling of messages by the AJP protocol. A remote attacker could exploit this vulnerability to inject arbitrary AJP messages to bypass the authentication process and possibly obtain sensitive information.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/69472 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2011-4858
DESCRIPTION:   Apache Tomcat is vulnerable to a denial of service, caused by insufficient randomization of hash data structures. By sending multiple specially-crafted HTTP POST requests to an affected application containing conflicting hash key values, a remote attacker could exploit this vulnerability to cause the consumption of CPU resources.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/72016 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:   CVE-2011-1184
DESCRIPTION:   Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by multiple errors related to the implementation of HTTP DIGEST authentication. A remote attacker could exploit this vulnerability to perform unauthorized actions.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/70052 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2011-5063
DESCRIPTION:   Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the failure to check realm values by the HTTP Digest Access Authentication implementation. A remote attacker could exploit this vulnerability to bypass security restrictions.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/72437 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2012-2733
DESCRIPTION:   Apache Tomcat is vulnerable to a denial of service, caused by the improper verification of the request headers by the parseHeaders() function. A remote attacker could exploit this vulnerability using specially-crafted headers to cause an out-of-memory exception.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/79806 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:   CVE-2011-5064
DESCRIPTION:   Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the use of Catalina as the hard-coded private key by DigestAuthenticator.java within the HTTP Digest Access Authentication implementation. A remote attacker could exploit this vulnerability to bypass cryptographic protection mechanisms.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/72438 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2012-0022
DESCRIPTION:   Apache Tomcat is vulnerable to a denial of service, caused by the improper handling of an overly large number of parameter and parameter values. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to consume an overly large amount of CPU resources.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/72425 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:   CVE-2011-5062
DESCRIPTION:   Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the failure to check qop values by the HTTP Digest Access Authentication implementation. A remote attacker could exploit this vulnerability to bypass intended integrity-protection requirements.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/72436 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:   CVE-2012-5885
DESCRIPTION:   Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the tracking of cnonce values instead of nonce and nc values by the replay-countermeasure functionality in the HTTP Digest Access Authentication implementation. By sniffing the network, a remote attacker could exploit this vulnerability to bypass security restrictions.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/80408 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2012-5886
DESCRIPTION:   Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the caching of information about the authenticated user within the session state by the HTTP Digest Access Authentication implementation. A remote attacker could exploit this vulnerability to bypass security restrictions.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/80407 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2012-5887
DESCRIPTION:   Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the failure to properly check server nonces by the DIGEST authentication mechanism. A remote attacker could exploit this vulnerability to gain unauthorized access to the system.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/79809 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
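
The Tomcat Digest entries above (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064, CVE-2012-5885, CVE-2012-5886 and CVE-2012-5887) are one pattern: the server trusted client-supplied realm, qop, nonce or cnonce values, or a fixed server secret, where it should have checked them. The verifier below is an added example written for this bulletin, not code from Tomcat or from IBM Sterling B2B Integrator. It shows a server-side Digest check that validates each of those values: the realm name, the per-process server secret, the nonce lifetime, the user list and the client-side header builder are all assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets
import time

REALM = "sterling-example"               # assumed realm for this example
SERVER_SECRET = secrets.token_bytes(32)  # generated per process, never a fixed string
NONCE_MAX_AGE = 300                      # assumed: seconds a server nonce stays usable
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')

def _md5(text):
    # RFC 2617 Digest is defined over MD5; the algorithm is the protocol's, not a choice here.
    return hashlib.md5(text.encode()).hexdigest()

def issue_nonce(now=None):
    """nonce = timestamp:HMAC(secret, timestamp), so the server can later prove it minted it."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"

def nonce_issued_by_server(nonce):
    ts, _, mac = nonce.partition(":")
    if not ts.isdigit():
        return False
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def nonce_age(nonce, now=None):
    return (time.time() if now is None else now) - int(nonce.partition(":")[0])

def parse_digest(header):
    """Return the Digest parameters as a dict, or None if this is not a Digest header."""
    if not header.startswith("Digest "):
        return None
    return {k: (q if q else u) for k, q, u in _PARAM_RE.findall(header[len("Digest "):])}

def build_authorization(username, password, realm, nonce, nc, cnonce, method, uri, qop="auth"):
    """Client side (constructed for the example): the Authorization header a browser would send."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop={qop}, nc={nc}, cnonce="{cnonce}", response="{response}"')

class DigestVerifier:
    def __init__(self, users):
        # Store HA1 bound to the server's own realm rather than the clear password.
        self.ha1 = {u: _md5(f"{u}:{REALM}:{p}") for u, p in users.items()}
        self.last_nc = {}  # server nonce -> highest nc accepted; replay state keyed on the nonce

    def verify(self, method, uri, header, now=None):
        """Return (accepted, reason); every rejection names the check that failed."""
        p = parse_digest(header)
        if p is None:
            return False, "not a Digest header"
        required = ("username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce")
        if any(k not in p for k in required):
            return False, "missing parameter"
        if p["realm"] != REALM:
            return False, "realm mismatch"                    # the CVE-2011-5063 check
        if p["qop"] != "auth":
            return False, "unsupported qop"                   # the CVE-2011-5062 check
        if p["uri"] != uri:
            return False, "uri mismatch"
        if not nonce_issued_by_server(p["nonce"]):
            return False, "nonce not issued by this server"   # the CVE-2012-5887 check
        if not 0 <= nonce_age(p["nonce"], now) <= NONCE_MAX_AGE:
            return False, "nonce expired"
        if not re.fullmatch(r"[0-9a-fA-F]{8}", p["nc"]):
            return False, "malformed nc"
        nc = int(p["nc"], 16)
        if nc <= self.last_nc.get(p["nonce"], 0):
            return False, "nonce count replayed"              # CVE-2012-5885: track nonce+nc, not cnonce
        ha1 = self.ha1.get(p["username"])
        if ha1 is None:
            ha1 = _md5("no-such-user")  # unknown users cost the same as a wrong password (see CVE-2016-0762)
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
        if not hmac.compare_digest(expected, p["response"]):
            return False, "bad credentials"
        self.last_nc[p["nonce"]] = nc
        return True, "ok"

if __name__ == "__main__":
    verifier = DigestVerifier({"alice": "s3cret"})  # constructed user
    nonce = issue_nonce()
    hdr = build_authorization("alice", "s3cret", REALM, nonce, "00000001", "c0ffee", "GET", "/app/")
    print(verifier.verify("GET", "/app/", hdr))  # accepted once
    print(verifier.verify("GET", "/app/", hdr))  # same nc again: rejected as a replay
```

The replay state is keyed on the server nonce and its nc counter, which is what the CVE-2012-5885 fix changed; tracking the client-chosen cnonce instead lets a sniffed header be replayed with a fresh cnonce. The nonce is an HMAC over a timestamp under a secret generated at start-up, so no fixed string (the CVE-2011-5064 problem) lets an attacker mint nonces the server will accept.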

CVEID:   CVE-2012-3546
DESCRIPTION:   Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by an error in the FormAuthenticator component during FORM authentication. By leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI, an attacker could exploit this vulnerability to bypass the authentication mechanism and gain unauthorized access to the system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/80517 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2012-4431
DESCRIPTION:   Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by an error in the doFilter() method. By sending a specially-crafted request to a protected resource without a session identifier present in the request, an attacker could exploit this vulnerability to bypass the CSRF prevention filter and gain unauthorized access to the system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/80518 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2012-4534
DESCRIPTION:   Apache Tomcat is vulnerable to a denial of service, caused by an error when using the NIO connector with sendfile and HTTPS enabled. A remote attacker could exploit this vulnerability to cause the application to enter an infinite loop and consume all available CPU resources.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/80516 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:   CVE-2012-3544
DESCRIPTION:   Apache Tomcat is vulnerable to a denial of service, caused by the failure to properly handle chunk extensions in chunked transfer coding. By streaming data, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/84952 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:   CVE-2013-2067
DESCRIPTION:   Apache Tomcat could allow a remote attacker to hijack a valid user's session, caused by the improper validation of session cookies by the FormAuthenticator module. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to hijack another user's session and possibly launch further attacks on the system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/84154 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2013-2185
DESCRIPTION:   Red Hat JBoss Enterprise Application Platform could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions by the implementation of the DiskFileItem class. By sending a specially-crafted HTTP request containing a serialized instance of the DiskFileItem class with a NULL byte in the file name, a remote attacker could exploit this vulnerability to write a file of their choosing, which could allow the attacker to execute arbitrary code on the vulnerable system.
CVSS Base score: 6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/87273 for the current score.
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P)

CVEID:   CVE-2013-4286
DESCRIPTION:   Apache Tomcat is vulnerable to HTTP request smuggling, caused by an incomplete fix related to the handling of malicious requests. By sending a specially-crafted request with both a Transfer-Encoding: chunked header and a Content-Length header to a server that will reassemble it using the original Content-Length header value, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/91426 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2013-4322
DESCRIPTION:   Apache Tomcat is vulnerable to a denial of service, caused by an incomplete fix related to the processing of chunked transfer coding without properly handling a large total amount of chunked data or whitespace characters in an HTTP header value. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/91625 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:   CVE-2013-4590
DESCRIPTION:   Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when running untrusted web applications. By sending a specially-crafted request, an attacker could exploit this vulnerability to read arbitrary files and obtain sensitive information.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/91424 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID:   CVE-2014-0075
DESCRIPTION:   Apache Tomcat is vulnerable to a denial of service, caused by an integer overflow in the parseChunkHeader function. A remote attacker could exploit this vulnerability using a malformed chunk size as part of a chunked request to consume all available resources.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/93365 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:   CVE-2014-0096
DESCRIPTION:   Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when the default servlet processes XML data. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/93367 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID:   CVE-2014-0099
DESCRIPTION:   Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the failure to check for overflows when parsing Content-Length headers. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/93369 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID:   CVE-2014-0119
DESCRIPTION:   Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the replacement of the XML parsers used to process XSLTs for the default servlet. An attacker could exploit this vulnerability using a specially-crafted application to obtain sensitive information.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/93368 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID:   CVE-2013-4444
DESCRIPTION:   Apache Tomcat could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions by the File Upload feature. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious JSP, which could allow the attacker to execute arbitrary JSP code on the vulnerable system.
CVSS Base score: 6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/95876 for the current score.
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P)

CVEID:   CVE-2014-0227
DESCRIPTION:   Apache Tomcat is vulnerable to HTTP request smuggling. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/100751 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
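
The chunked-encoding and request-smuggling entries above (CVE-2010-2227, CVE-2012-3544, CVE-2013-4286, CVE-2013-4322, CVE-2014-0075, CVE-2014-0099 and CVE-2014-0227) all come down to what an HTTP parser accepts in message framing. The checker below is an added example written for this bulletin, not Tomcat or B2B Integrator code. It parses raw requests under strict framing rules (one length source, a bounded chunk-size field, bounded chunk extensions, no whitespace in header names, no line folding) and reports which rule a request trips, which is also what a detection rule in front of an unpatched server would look for. The limits and the sample requests are constructed for the example.

```python
import re

# Assumed limits for this example; they are not Tomcat's configured values.
MAX_CHUNK_HEX_DIGITS = 8         # a longer size field cannot fit a 32-bit chunk length
MAX_CHUNK_EXT_BYTES = 256        # total chunk-extension bytes tolerated per request
MAX_CONTENT_LENGTH = 2**63 - 1   # anything larger overflows a signed 64-bit length

_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_HEX = re.compile(rb"^[0-9A-Fa-f]+$")

def parse_headers(lines):
    """Parse header lines strictly. Returns (headers, findings); headers keeps
    duplicates as (lowercased name, value) pairs so conflicts stay visible."""
    headers, findings = [], []
    for line in lines:
        if line[:1] in (b" ", b"\t"):
            findings.append("obsolete line folding in header")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append("header line without colon")
            continue
        if not _TOKEN.match(name):
            findings.append("whitespace or invalid character in header name: %r" % name)
            continue
        headers.append((name.lower(), value.strip(b" \t")))
    return headers, findings

def decode_chunked(body):
    """Decode a chunked body under strict size and extension rules. Returns (data, findings)."""
    data, findings, pos, ext_bytes = bytearray(), [], 0, 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            findings.append("truncated chunk size line")
            return bytes(data), findings
        size_field, _, ext = body[pos:eol].partition(b";")
        ext_bytes += len(ext)
        if ext_bytes > MAX_CHUNK_EXT_BYTES:
            findings.append("excessive chunk-extension data")
            return bytes(data), findings
        if not _HEX.match(size_field):   # also rejects leading/trailing whitespace
            findings.append("malformed chunk size: %r" % size_field)
            return bytes(data), findings
        if len(size_field) > MAX_CHUNK_HEX_DIGITS:
            findings.append("chunk size exceeds %d hex digits (overflow)" % MAX_CHUNK_HEX_DIGITS)
            return bytes(data), findings
        size, pos = int(size_field, 16), eol + 2
        if size == 0:
            rest = body[pos:]
            if rest != b"\r\n":
                if not rest.endswith(b"\r\n\r\n"):
                    findings.append("malformed trailer section")
                else:
                    findings += parse_headers(rest[:-4].split(b"\r\n"))[1]
            return bytes(data), findings
        chunk = body[pos:pos + size]
        if len(chunk) < size or body[pos + size:pos + size + 2] != b"\r\n":
            findings.append("chunk data truncated or missing CRLF")
            return bytes(data), findings
        data += chunk
        pos += size + 2

def check_request(raw):
    """Return the list of framing rules a raw request trips; an empty list means it is clean."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no end-of-headers CRLFCRLF"]
    lines = head.split(b"\r\n")
    findings = [] if len(lines[0].split(b" ")) == 3 else ["malformed request line"]
    headers, header_findings = parse_headers(lines[1:])
    findings += header_findings
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if cl and te:
        findings.append("transfer-encoding and content-length both present (smuggling vector)")
    if len(set(cl)) > 1:
        findings.append("conflicting content-length values")
    declared = None
    for v in cl:
        if not v.isdigit():
            findings.append("non-numeric content-length")
        elif int(v) > MAX_CONTENT_LENGTH:
            findings.append("content-length overflows 64-bit length")
        else:
            declared = int(v)
    if te:
        codings = [c.strip().lower() for c in b",".join(te).split(b",")]
        if codings != [b"chunked"]:
            findings.append("unsupported transfer-encoding: %r" % codings)
        else:
            findings += decode_chunked(body)[1]
    elif declared is not None and len(set(cl)) == 1 and declared != len(body):
        findings.append("body length does not match content-length")
    return findings

SAMPLES = {  # constructed requests, one per framing rule
    "clean": b"POST /app HTTP/1.1\r\nHost: b2b.example\r\nContent-Length: 5\r\n\r\nhello",
    "te_cl_conflict": (b"POST /app HTTP/1.1\r\nHost: b2b.example\r\nContent-Length: 4\r\n"
                       b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"),
    "chunk_overflow": (b"POST /app HTTP/1.1\r\nHost: b2b.example\r\nTransfer-Encoding: chunked\r\n\r\n"
                       b"FFFFFFFFFFFFFFFFFF\r\nx\r\n0\r\n\r\n"),
    "chunk_ext_flood": (b"POST /app HTTP/1.1\r\nHost: b2b.example\r\nTransfer-Encoding: chunked\r\n\r\n"
                        b"5;" + b"a" * 300 + b"\r\nhello\r\n0\r\n\r\n"),
    "cl_overflow": b"POST /app HTTP/1.1\r\nHost: b2b.example\r\nContent-Length: 99999999999999999999\r\n\r\n",
    "space_before_colon": b"GET /app HTTP/1.1\r\nHost : b2b.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {check_request(raw) or 'clean'}")
```

The checker rejects on the first framing problem it meets inside a chunked body rather than trying to recover, because a front end and a back end that recover differently from the same malformed framing is exactly the condition request smuggling exploits.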

CVEID:   CVE-2014-0230
DESCRIPTION:   Apache Tomcat is vulnerable to a denial of service, caused by an error when an HTTP response is returned before the entire request body is fully read. An attacker could exploit this vulnerability using a series of aborted upload attempts to cause a denial of service.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/102131 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:   CVE-2014-7810
DESCRIPTION:   Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the use of expression language. An attacker could exploit this vulnerability to bypass the protections of a Security Manager.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/103155 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID:   CVE-2015-5174
DESCRIPTION:   Apache Tomcat could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) in the getResource(), getResourceAsStream() and getResourcePaths() ServletContext methods to obtain a directory listing for the directory.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/110860 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2015-5345
DESCRIPTION:   Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an error when accessing a protected directory. By redirecting to the URL, an attacker could exploit this vulnerability to determine the presence of a directory.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/110857 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2016-0706
DESCRIPTION:   Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the loading of the StatusManagerServlet during the configuration of a security manager. An attacker could exploit this vulnerability to obtain deployed applications and other sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/110855 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2016-0714
DESCRIPTION:   Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by an error in multiple session persistence mechanisms. By placing a malicious object into a session, an attacker could exploit this vulnerability to bypass a security manager and possibly execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/110856 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2016-6816
DESCRIPTION:   Apache Tomcat is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/119158 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:   CVE-2017-5647
DESCRIPTION:   Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an error in the processing of pipelined requests when sendfile is used. An attacker could exploit this vulnerability to obtain sensitive information from a response intended for a different request.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/124400 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2016-0762
DESCRIPTION:   Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the failure to process the user supplied password if the specified user name does not exist by the Realm implementation. An attacker could exploit this vulnerability to conduct a timing attack and determine valid usernames on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/118407 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2016-5018
DESCRIPTION:   Apache Tomcat could allow a local attacker to bypass security restrictions. An attacker could exploit this vulnerability using a Tomcat utility method to bypass a configured SecurityManager.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/118406 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2016-6794
DESCRIPTION:   Apache Tomcat could allow a local attacker to obtain sensitive information, caused by an error in the system property replacement feature. An attacker could exploit this vulnerability to bypass the SecurityManager and read system properties.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/118405 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2016-6796
DESCRIPTION:   Apache Tomcat could allow a local attacker to bypass security restrictions. By modifying configuration parameters for the JSP Servlet, an attacker could exploit this vulnerability to bypass a configured SecurityManager.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/118404 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2020-8022
DESCRIPTION:   tomcat package for openSUSE could allow a local authenticated attacker to gain elevated privileges on the system, caused by an incorrect default permission flaw. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges as root.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184110 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)           APAR(s)   Version(s)
IBM Sterling B2B Integrator   IT37848   5.2.0.0 - 6.0.3.4
IBM Sterling B2B Integrator   IT37848   6.1.0.0 - 6.1.0.3

Remediation/Fixes

Product & Version     Remediation & Fix
5.2.0.0 - 6.0.3.4     Apply IBM Sterling B2B Integrator version 6.0.3.5 or 6.1.1.0 on Fix Central
6.1.0.0 - 6.1.0.3     Apply IBM Sterling B2B Integrator version 6.1.1.0 on Fix Central

Workarounds and Mitigations

None

References

Change History

1st Oct 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Location

Worldwide

Document Information

Modified date:
06 October 2021

UID

ibm16496741