IBM Support

Security Bulletin: Rational Build Forge Security Advisory for Apache Tomcat (CVE-2018-1304 and CVE-2018-1305)

Created by Anonymous (not verified) on
Published URL:
https://www.ibm.com/support/pages/node/711845
711845

Security Bulletin


Summary

Apache Tomcat has security vulnerabilities that allows a remote attacker to exploit the application. Respective security vulnerabilities are discussed in detail in the subsequent sections.

Vulnerability Details


  • This section includes the vulnerability details that affects the Rational Build Forge.

    CVEID: CVE-2018-1304
    DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the failure to properly enforce security constraint definitions that contain a URL pattern of "" (the empty string) that exactly maps to the context root. An attacker could exploit this vulnerability to bypass security constraints to access restricted resources.
    CVSS Base Score: 7.5
    CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139476 for the current score.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

    CVEID: CVE-2018-1305
    DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the failure to properly enforce security constraints that are defined by annotations of Servlets in certain cases. An attacker could exploit this vulnerability to bypass security constraints to access restricted resources.
    CVSS Base Score: 7.5
    CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139475 for the current score.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Rational Build Forge from 8.0.0.7.

Remediation/Fixes

You must download the Fix pack specified in the following table and apply it.

  • Affected Supporting Product
  • Remediation/Fix
  • IBM Rational Build Forge 8.0.0.7
 Rational Build Forge 8.0.0.8 Download.

 

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

* 29 JUNE 2018: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

None.

[{"Product":{"code":"SSB2MV","label":"Rational Build Forge"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Web Console","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"8.0.0.6;8.0.0.7","Edition":"Enterprise;Enterprise Plus;Express;Standard","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
20 April 2020

UID

swg22016124

Page Feedback