
Security Bulletin: Tivoli Common Reporting iFixes for multiple Security Vulnerabilities (CVE-2014-3566,CVE-2014-6145,CVE-2014-1568,CVE-2014-4263,CVE-2014-3513,CVE-2014-3567,CVE-2014-3568,CVE-2014-0107,CVE-2014-0075,CVE-2014-0096,CVE-2014-0099,CVE-2014-011

2018-06-17 14:55:57
www.ibm.com

CVSS3: 7.4 High

Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | HIGH
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | HIGH
Availability Impact | NONE
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS2: 7.5 High

Metric | Value
---|---
Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | PARTIAL
Integrity Impact | PARTIAL
Availability Impact | PARTIAL
Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

Tivoli Common Reporting (TCR) interim fixes address the following security vulnerabilities and exposures: CVE-2014-3566, CVE-2014-6145, CVE-2014-1568, CVE-2014-4263, CVE-2014-3513, CVE-2014-3567, CVE-2014-3568, CVE-2014-0107, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0878 and CVE-2014-0460.

Vulnerability Details

**CVEID:** CVE-2014-3513
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak in the DTLS Secure Real-time Transport Protocol (SRTP) extension parsing code. By sending multiple specially-crafted handshake messages, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97035> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

**CVEID:** CVE-2014-3567
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory leak when handling failed session ticket integrity checks. By sending an overly large number of invalid session tickets, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97036> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

**CVEID:** CVE-2014-3568
**DESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions. When configured with "no-ssl3" as a build option, servers could still accept and complete an SSL 3.0 handshake. An attacker could exploit this vulnerability to perform unauthorized actions.
CVSS Base Score: 2.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97037> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

**CVEID:** CVE-2014-3566
**DESCRIPTION:** IBM Cognos Business Intelligence could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and calculate the plaintext of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

**CVEID:** CVE-2014-6145
**DESCRIPTION:** IBM Cognos Business Intelligence is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96915> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

**CVEID:** CVE-2014-4263
**DESCRIPTION:** An unspecified vulnerability related to the Security component has partial confidentiality impact, partial integrity impact and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94606> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

**CVEID:** CVE-2014-1568
**DESCRIPTION:** Mozilla Network Security Services (NSS) could allow a remote attacker to bypass security restrictions, caused by the failure to properly parse ASN.1 values in a digital signature. An attacker could exploit this vulnerability using a Bleichenbacher attack variant against the RSA algorithm to forge RSA certificates and gain unauthorized access to secure data. Note: This vulnerability also affects Google Chrome.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96194> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:N)

**CVEID:** CVE-2014-0107
**DESCRIPTION:** Apache Xalan-Java could allow a remote attacker to bypass security restrictions, caused by the improper handling of output properties. An attacker could exploit this vulnerability to bypass the secure processing feature and load arbitrary restricted classes.
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92023> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

**CVEID:** CVE-2014-0224
**DESCRIPTION:** OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of weak keying material in SSL/TLS clients and servers. A remote attacker could exploit this vulnerability using a specially-crafted handshake to conduct man-in-the-middle attacks to decrypt and modify traffic.
CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93586> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

**CVEID:** CVE-2014-0075
**DESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by the improper handling of a malformed chunk size as part of a chunked request. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93365> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

**CVEID:** CVE-2014-0095
**DESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by the improper handling of an AJP request. A remote attacker could exploit this vulnerability to consume a request processing thread and cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93366> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

**CVEID:** CVE-2014-0096
**DESCRIPTION:** Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when the default servlet processes XML data. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93367> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

**CVEID:** CVE-2014-0099
**DESCRIPTION:** Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the failure to check for overflows when parsing content length headers. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93369> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

**CVEID:** CVE-2014-0119
**DESCRIPTION:** Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the replacement of the XML parsers used to process XSLTs for the default servlet. An attacker could exploit this vulnerability using a specially-crafted application to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93368> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

**CVEID:** CVE-2014-0878
**DESCRIPTION:** A vulnerability in the IBMSecureRandom implementation of the IBMJCE and IBMSecureRandom cryptographic providers potentially allows an attacker to predict the output of the random number generator under certain circumstances. Please refer to the Workarounds & Mitigation section below for additional information.
CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/91084> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

**CVEID:** CVE-2014-0460
**DESCRIPTION:** An unspecified vulnerability related to the JNDI component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92482> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Affected Products and Versions

Tivoli Common Reporting 2.1

Tivoli Common Reporting 2.1.1

Tivoli Common Reporting 2.1.1.2

Tivoli Common Reporting 3.1

Tivoli Common Reporting 3.1.0.1

Tivoli Common Reporting 3.1.0.2

Remediation/Fixes

To address these vulnerabilities, TCR customers are advised to apply the relevant interim fix to all of their TCR environments. The table below lists the interim fix for each TCR release, with Fix Central links for download.

TCR Version | Interim Fix (IF) Name | Download Options (FC = Fix Central)
---|---|---
TCR 2.1 | 2.1.0.0-TIV-TCR-<OS>-IF10 | FC
TCR 2.1.1 | 2.1.1.0-TIV-TCR-<OS>-IF18 | FC
TCR 2.1.1.2 | 2.1.1.2-TIV-TCR-<OS>-IF5 | FC
TCR 3.1.0.0 | 1.1.0.0-Tivoli-JazzSM-TCR-<OS>-IF0003 | FC
TCR 3.1.0.1 | 1.1.0.0-Tivoli-JazzSM-TCR-<OS>-IF0003 | FC
TCR 3.1.0.2 | 1.1.0.0-Tivoli-JazzSM-TCR-<OS>-IF0003 | FC
