IBM Support

Security Bulletin: Apache Tomcat security vulnerability issues on IBM SONAS (CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119)

Created by Ana Gabriela I… on
Published URL:
https://www.ibm.com/support/pages/node/689933
689933

Security Bulletin


Summary

IBM SONAS is shipped with Apache Tomcat, for which fixes are available for five security vulnerabilities.

Vulnerability Details

CVEID:
CVE-2014-0075
CVE-2014-0096
CVE-2014-0099
CVE-2014-0119

DESCRIPTION:
Apache Tomcat is used in IBM SONAS for providing graphical user interface for the purpose of administering the system.

Apache Tomcat is vulnerable to a denial of service. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93365 for the current score


Apache Tomcat could allow a remote attacker to obtain sensitive information. This could result from a flaw in processing XML data. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93367 for the current score


Apache Tomcat could allow a remote attacker to obtain sensitive information. This could result from a flaw in parsing HTTP requests. By sending specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93369 for the current score


Apache Tomcat could allow a remote attacker to obtain sensitive information. This could result from a flaw in transforming data from XML format to other formats. An attacker could exploit this vulnerability using a specially-crafted application to obtain sensitive information.
CVSS Base Score: 5
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93368 for the current score

Affected Products and Versions

IBM SONAS
The product is affected when running a code releases 1.3.0.0 to 1.4.3.3

Remediation/Fixes

A fix for these issues is in version 1.4.3.4 of IBM SONAS. Customers running an affected version of IBM SONAS should upgrade to 1.4.3.4 or a later version, so that the fix gets applied.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

17 July 2014: First draft

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"STAV45","label":"Network Attached Storage (NAS)->Scale Out Network Attached Storage"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"1.4.3","Platform":[{"code":"PF016","label":"Linux"}],"Version":"1.4.3.4","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
17 June 2018

UID

ssg1S1004849

Page Feedback