History: Jun 15, 2018 - 7:01 a.m.

Security Bulletin: Security vulnerabilities in Apache Tomcat for WebSphere Application Server Community Edition 2.1.1.6 and 3.0.0.4 (CVE-2014-0075, CVE-2014-0096 and CVE-2014-0119)

www.ibm.com

5 Medium

CVSS2: AV:N/AC:L/Au:N/C:N/I:N/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

Summary

Security vulnerabilities exist in Apache Tomcat (May 2014 X-Force report) as shipped with IBM WebSphere Application Server Community Edition 2.1.1.6 and 3.0.0.4.

Vulnerability Details

CVE ID: CVE-2014-0075

DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by the improper handling of a malformed chunk size as part of a chunked request. A remote attacker could exploit this vulnerability to cause a denial of service.

CVSS:

CVSS Base Score: 5

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93365 for the current score

CVSS Environmental Score:* Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
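The chunk-size bug class behind CVE-2014-0075 is easier to see in code. The Python below is an added example written for this page, not Tomcat's code or IBM's: parse_chunk_size_naive models a parser that accumulates hex digits into a fixed-width 32-bit integer with no limit on the digit count, so a chunk-size line of nine or more hex digits silently wraps instead of being rejected; parse_chunk_size_hardened caps both the digit count and the resulting size; decode_chunked shows what a wrapped size does to message framing. The eight-digit cap, the 1 MiB per-chunk limit and the constructed request bytes are choices made for this example.

```python
import re
from typing import Callable, Tuple

CRLF = b"\r\n"
INT32_MASK = 0xFFFFFFFF
MAX_HEX_DIGITS = 8          # eight hex digits already cover every 32-bit size
MAX_CHUNK_SIZE = 1 << 20    # per-chunk cap chosen for this example (1 MiB)

# chunk-size followed by optional extensions: 1*HEXDIG *( ";" ext )
_CHUNK_HEADER = re.compile(rb"\A([0-9A-Fa-f]+)(?:[ \t]*;[ \t]*[^\r\n;]*)*\Z")


class ChunkError(ValueError):
    """Raised by the hardened parser for any chunk header it will not accept."""


def parse_chunk_size_naive(header: bytes) -> int:
    """Accumulate hex digits into a 32-bit signed int with no digit limit.

    Models the bug class behind CVE-2014-0075 (this is not Tomcat's code):
    each digit shifts the accumulator left four bits, so a header longer
    than eight hex digits wraps around instead of being rejected.
    """
    size_field = header.split(b";", 1)[0].strip().decode("ascii")
    result = 0
    for ch in size_field:
        result = ((result << 4) | int(ch, 16)) & INT32_MASK   # int() rejects non-hex
    # reinterpret the low 32 bits as a Java-style signed int
    return result - (1 << 32) if result & 0x80000000 else result


def parse_chunk_size_hardened(header: bytes, max_size: int = MAX_CHUNK_SIZE) -> int:
    """Parse a chunk-size line strictly: hex digits only, a digit-count cap and a size cap."""
    match = _CHUNK_HEADER.match(header.rstrip(b"\r\n"))
    if not match:
        raise ChunkError(f"malformed chunk header {header!r}")
    digits = match.group(1)
    if len(digits) > MAX_HEX_DIGITS:
        raise ChunkError(f"chunk size has {len(digits)} hex digits, limit is {MAX_HEX_DIGITS}")
    size = int(digits, 16)
    if size > max_size:
        raise ChunkError(f"chunk size {size} exceeds limit {max_size}")
    return size


def hardened_rejects(header: bytes) -> bool:
    """True if the hardened parser refuses this header."""
    try:
        parse_chunk_size_hardened(header)
    except ChunkError:
        return True
    return False


def decode_chunked(body: bytes,
                   parse_size: Callable[[bytes], int] = parse_chunk_size_hardened
                   ) -> Tuple[bytes, bytes]:
    """Decode a chunked body with the given size parser.

    Returns (payload, leftover): leftover is whatever follows the last chunk,
    i.e. what a server would treat as the start of the next request.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(CRLF, pos)
        if eol < 0:
            raise ChunkError("truncated chunk header")
        size = parse_size(body[pos:eol])
        pos = eol + 2
        if size == 0:
            while True:                       # skip trailer fields up to the empty line
                eol = body.find(CRLF, pos)
                if eol < 0:
                    raise ChunkError("truncated trailer section")
                line, pos = body[pos:eol], eol + 2
                if not line:
                    return bytes(out), body[pos:]
        end = pos + size
        if size < 0 or end + 2 > len(body) or body[end:end + 2] != CRLF:
            raise ChunkError("chunk data does not match the declared size")
        out += body[pos:end]
        pos = end + 2


# Constructed request body: nine hex digits (2**32) followed by bytes shaped like a second request.
FORGED_BODY = (
    b"100000000\r\n"                                      # wraps to 0 in a 32-bit accumulator
    b"\r\n"                                               # then reads as the end of the trailers
    b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"  # left over for the next "request"
)


def demo() -> dict:
    """Run the forged body through both parsers and report what each does with it."""
    payload, leftover = decode_chunked(FORGED_BODY, parse_chunk_size_naive)
    try:
        decode_chunked(FORGED_BODY, parse_chunk_size_hardened)
        verdict = "accepted"
    except ChunkError as exc:
        verdict = f"rejected: {exc}"
    return {"naive_payload": payload, "naive_leftover": leftover, "hardened": verdict}


if __name__ == "__main__":
    print(decode_chunked(b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"))
    print(demo())
```

With the naive parser the forged header 100000000 reads as a zero-length last chunk, so the bytes that follow are left over for the server to interpret as the next request on the connection; the hardened parser rejects the header outright. The bulletin classifies CVE-2014-0075 as a denial of service; the example shows the framing consequence of a wrapped chunk size in general rather than Tomcat's exact behaviour.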

CVE ID: CVE-2014-0096

DESCRIPTION: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data in the default servlet. By sending specially crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information.

CVSS:

CVSS Base Score: 4.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93367 for the current score

CVSS Environmental Score:* Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
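CVE-2014-0096 is an XML External Entity (XXE) issue: an XML parser that resolves external general entities will read whatever local file an entity's SYSTEM identifier names and splice its contents into the parsed document. The Python below is an added example written for this page (not Tomcat's or IBM's code) that shows the same defect and its fix with the standard library's xml.sax parser: with external entity resolution turned on, a constructed payload pulls a constructed secret file into the parsed text; with it turned off the entity expands to nothing; and with DOCTYPE declarations refused the document is rejected before parsing starts. The secret file, its contents and the payload are constructed for the example.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data; under XXE, the referenced file's contents arrive here."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes: bytes, *, resolve_external: bool, forbid_dtd: bool) -> str:
    """Parse XML with xml.sax and return its text content.

    resolve_external=True is the unsafe setting: external general entities are
    fetched and inlined (this was xml.sax's default before Python 3.7.1).
    forbid_dtd=True rejects any document carrying a DOCTYPE up front, since an
    entity declaration needs one.
    """
    if forbid_dtd and b"<!DOCTYPE" in xml_bytes:
        # coarse byte-level check; assumes an ASCII-compatible encoding
        raise ValueError("DOCTYPE declarations are not allowed")
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, resolve_external)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts).strip()


def parse_unsafe(xml_bytes: bytes) -> str:
    """The vulnerable configuration: entities resolved, DTD accepted."""
    return parse_text(xml_bytes, resolve_external=True, forbid_dtd=False)


def parse_hardened(xml_bytes: bytes) -> str:
    """The hardened configuration: entities never resolved, DTD refused."""
    return parse_text(xml_bytes, resolve_external=False, forbid_dtd=True)


def demo() -> dict:
    """Constructed scenario: a 'secret' file on disk and an XXE payload that names it."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2\n")          # constructed secret, not real data
        secret_path = f.name
    try:
        payload = (
            b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE data [<!ENTITY xxe SYSTEM "' + secret_path.encode() + b'">]>\n'
            b'<data>&xxe;</data>\n'
        )
        benign = b'<?xml version="1.0"?><data>hello</data>'
        results = {
            # file contents leak into the document text
            "unsafe_xxe": parse_unsafe(payload),
            # entity resolution off alone: the entity expands to nothing
            "entities_off_xxe": parse_text(payload, resolve_external=False, forbid_dtd=False),
            "hardened_benign": parse_hardened(benign),
        }
        try:
            parse_hardened(payload)
            results["hardened_xxe"] = "accepted"
        except ValueError as exc:
            results["hardened_xxe"] = f"rejected: {exc}"
        return results
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

In Tomcat the parser in question was the one processing XSLT stylesheets for the default servlet; the hardening is the same idea: configure the parser so that it neither resolves external entities nor accepts a DTD, and make sure that configured parser is the one actually used (the point of CVE-2014-0119 below). The DOCTYPE pre-check inspects raw bytes and so assumes an ASCII-compatible encoding; disabling entity resolution on the parser itself is the control that matters.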

CVE ID: CVE-2014-0119

DESCRIPTION: Apache Tomcat could allow a remote attacker to obtain sensitive information, because a deployed web application could replace the XML parsers that Tomcat uses to process XSLTs for the default servlet. An attacker able to deploy a specially crafted application could exploit this vulnerability to obtain sensitive information, such as XML files processed for other web applications on the same server instance.

CVSS:

CVSS Base Score: 5

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93368 for the current score

CVSS Environmental Score:* Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

WebSphere Application Server Community Edition 2.1.1.6
WebSphere Application Server Community Edition 3.0.0.4

Remediation/Fixes

Follow the instructions below for your version.

WASCE 2.1.1.6

1. Download the patch file patchFor2.1.1.6.zip.

2. Unzip the file into the WebSphere Application Server Community Edition installation directory, and ensure the files listed in the zip file replace the ones in the server installation directory.

3. Start the WASCE 2.1.1.6 server.

WASCE 3.0.0.4

1. Download the patch file patchFor3.0.0.4.zip.

2. Unzip the file into the WebSphere Application Server Community Edition installation directory, and ensure the files listed in the zip file replace the ones in the server installation directory.

3. Start the WASCE 3.0.0.4 server with the cache cleaned (the -c option), for example:

Windows

<WAS_CE_HOME>\bin\startup -c

Unix/Linux

<WAS_CE_HOME>/bin/startup.sh -c
