Security Bulletin
Summary
There are vulnerabilities in Apache Tomcat to which the IBM® FlashSystem™ 840 and IBM FlashSystem 900 are susceptible. An exploit of these vulnerabilities could allow a remote attacker to expose sensitive information, execute arbitrary code, perform cross-site scripting, and/or cause a denial of service. ( CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, and CVE-2016-0763 )
Vulnerability Details
CVEID: CVE-2015-5345
DESCRIPTION: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an error when accessing a protected directory. By redirecting to the URL, an attacker could exploit this vulnerability to determine the presence of a directory.
CVSS Base Score: 5.300
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/110857 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2015-5346
DESCRIPTION: Apache Tomcat could allow a remote attacker to hijack a valid user's session, caused by the failure to recycle the requestedSessionSSL field when recycling the Request object to use for a new request. By persuading a victim to visit a specially-crafted link and log into the application, a remote attacker could exploit this vulnerability to hijack another user's account and possibly launch further attacks on the system.
CVSS Base Score: 4.300
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/110854 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVEID: CVE-2015-5351
DESCRIPTION: Apache Tomcat is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by the index page. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base Score: 8.800
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/110859 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2015-5174
DESCRIPTION: Apache Tomcat could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) in the getResource(), getResourceAsStream() and getResourcePaths() ServletContext methods to obtain a directory listing for the directory.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110860 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2016-0706
DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the loading of the StatusManagerServlet during the configuration of a security manager. An attacker could exploit this vulnerability to obtain deployed applications and other sensitive information.
CVSS Base Score: 5.300
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/110855 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2016-0714
DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by an error in multiple session persistence mechanisms. By placing a malicious object into a session, an attacker could exploit this vulnerability to bypass a security manager and possibly execute arbitrary code on the system.
CVSS Base Score: 7.300
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/110856 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2016-0763
DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by an error in the ResourceLinkFactory.setGlobalContext() method. By injecting malicious content, an attacker could exploit this vulnerability to read and write arbitrary data.
CVSS Base Score: 6.500
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/110858 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Affected Products and Versions
FlashSystem 840 including machine type and models (MTMs) for all available code levels. MTMs affected include 9840-AE1 and 9843-AE1.
FlashSystem 900 including machine type and models (MTMs) for all available code levels. MTMs affected include 9840-AE2 and 9843-AE2.
Remediation/Fixes
|
MTMs | VRMF | APAR | Remediation/First Fix |
| FlashSystem 840 MTM: 9840-AE1 & 9843-AE1 FlashSystem 900 MTMs: 9840-AE2 & 9843-AE2 | Code fixes are now available, the minimum VRMF containing the fix depends on the code stream: Fixed code VRMF . 1.4 stream: 1.4.3.0 (or later) 1.3 stream: 1.3.0.6 (or later) | N/A | No workarounds or mitigations, other than applying this code fix, are known for this vulnerability |
FlashSystem 840 fixes and FlashSystem 900 fixes are available @ IBM’s Fix Central
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Acknowledgement
None
Change History
15 July 2016 Original Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
17 February 2023
UID
ssg1S1008121