Nov 15, 2018 - 10:00 p.m.

Security Bulletin: Multiple Vulnerabilities in Apache Tomcat affects IBM UrbanCode Deploy (CVE-2017-7674, CVE-2017-7675)

www.ibm.com

EPSS: 0.003 (Low), percentile 68.4%

Summary

Previous releases of IBM UrbanCode Deploy are affected by multiple vulnerabilities in Apache Tomcat.

Vulnerability Details

CVEID: CVE-2017-7674 DESCRIPTION: Apache Tomcat could provide weaker than expected security because the CORS Filter failed to add an HTTP Vary header indicating that the response varies depending on the request's Origin. Without that header, a shared cache may store one origin's CORS response and serve it to others. A remote attacker could exploit this vulnerability to conduct client-side and server-side cache poisoning.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/130248 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
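The cache-poisoning mechanism behind CVE-2017-7674, as an added illustration (not Tomcat's or IBM's code): a toy CORS filter that reflects an allow-listed Origin into Access-Control-Allow-Origin, once without and once with Vary: Origin, placed behind a minimal shared cache that honours Vary. The allow-list, URL and origins are constructed for the example. A check_vary_origin helper at the end is the audit a practitioner can run over real response headers.

```python
from typing import Callable, Dict, List, Tuple

# Assumed allow-list for this example; not taken from any product configuration.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}

Headers = Dict[str, str]


def vulnerable_cors_filter(request: Headers) -> Headers:
    """Reflects an allow-listed Origin into ACAO but omits Vary: Origin."""
    response = {"Content-Type": "application/json"}
    origin = request.get("Origin")
    if origin in ALLOWED_ORIGINS:
        response["Access-Control-Allow-Origin"] = origin
    return response


def fixed_cors_filter(request: Headers) -> Headers:
    """Same policy, plus Vary: Origin so a cache keeps one variant per origin."""
    response = vulnerable_cors_filter(request)
    response["Vary"] = "Origin"
    return response


def vary_names(response: Headers) -> List[str]:
    """Parse the comma-separated Vary field into lower-cased header names."""
    return [h.strip().lower() for h in response.get("Vary", "").split(",") if h.strip()]


class SharedCache:
    """Toy shared cache (CDN / reverse proxy). A stored response is reused for a
    later request only if that request carries the same values for every header
    named in the stored response's Vary field. No Vary means every request for
    the URL matches the first stored copy."""

    def __init__(self, origin_server: Callable[[Headers], Headers]) -> None:
        self.origin_server = origin_server
        # (url, ((header, value), ...), response)
        self.store: List[Tuple[str, Tuple[Tuple[str, str], ...], Headers]] = []
        self.hits = 0

    def fetch(self, url: str, request: Headers) -> Headers:
        lowered = {k.lower(): v for k, v in request.items()}
        for cached_url, selectors, response in self.store:
            if cached_url == url and all(lowered.get(h) == v for h, v in selectors):
                self.hits += 1
                return response
        response = self.origin_server(request)
        selectors = tuple((h, lowered.get(h, "")) for h in vary_names(response))
        self.store.append((url, selectors, response))
        return response


def cache_poisoning_demo(cors_filter: Callable[[Headers], Headers]) -> Tuple[str, int]:
    """Two allow-listed origins request the same URL through one shared cache.
    Returns the ACAO value the second origin actually receives and the cache
    hit count. With the vulnerable filter the second origin gets the first
    origin's ACAO from cache; whichever origin (including one that is not
    allow-listed) fetches first decides what every later origin sees."""
    cache = SharedCache(cors_filter)
    url = "/api/profile"  # constructed resource path
    cache.fetch(url, {"Origin": "https://app.example"})
    second = cache.fetch(url, {"Origin": "https://admin.example"})
    return second.get("Access-Control-Allow-Origin", ""), cache.hits


def check_vary_origin(response: Headers) -> bool:
    """Audit helper for captured response headers: a response that reflects a
    specific origin in ACAO is cache-safe only if Vary names Origin (or is *).
    An absent or wildcard ACAO does not vary by origin and passes."""
    acao = response.get("Access-Control-Allow-Origin")
    if acao in (None, "*"):
        return True
    names = vary_names(response)
    return "origin" in names or "*" in names


if __name__ == "__main__":
    print("vulnerable filter:", cache_poisoning_demo(vulnerable_cors_filter))
    print("fixed filter:     ", cache_poisoning_demo(fixed_cors_filter))
```

Run it and the vulnerable variant reports the admin origin receiving an ACAO of https://app.example straight from cache; the fixed variant stores one entry per Origin value and each origin gets its own header. For a real deployment, send two cross-origin requests with different Origin values through the front-end cache and compare the ACAO headers, or feed the captured headers to check_vary_origin.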

CVEID: CVE-2017-7675 DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by a flaw in the HTTP/2 implementation. By using a specially crafted URL, an attacker could exploit this vulnerability to bypass security constraints that apply to the requested resource.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/130247 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
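Apache's own advisory for CVE-2017-7675 describes the HTTP/2 request path as bypassing the checks that prevent directory traversal by URL, so a crafted path could escape a security constraint. The following added example (not Tomcat's code; the constraint table, paths and roles are constructed for illustration) shows the general class: security constraints must be matched against the decoded, normalized request path, not the raw one.

```python
import posixpath
from typing import List, Optional, Set, Tuple
from urllib.parse import unquote

# Hypothetical web.xml-style constraints: URL pattern -> role required.
# Constructed for this example; not from any real deployment.
CONSTRAINTS: List[Tuple[str, str]] = [
    ("/admin/*", "admin"),
    ("/api/internal/*", "service"),
]


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-style matching: '/x/*' covers '/x' and anything below it."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def required_role(path: str) -> Optional[str]:
    for pattern, role in CONSTRAINTS:
        if pattern_matches(pattern, path):
            return role
    return None


def normalize(raw_path: str) -> str:
    """Decode percent-encoding once, then collapse '.', '..' and duplicate
    slashes. posixpath.normpath clips '..' above the root of an absolute path,
    so the result can never climb above '/'."""
    decoded = unquote(raw_path)
    return posixpath.normpath("/" + decoded.lstrip("/"))


def authorize_unnormalized(raw_path: str, roles: Set[str]) -> bool:
    """The bypassable variant: constraints checked on the raw path, so
    '/public/../admin/users' matches no pattern and is allowed."""
    role = required_role(raw_path)
    return role is None or role in roles


def authorize_normalized(raw_path: str, roles: Set[str]) -> bool:
    """Constraints checked on the normalized path, which is also the path the
    resource layer will actually serve."""
    role = required_role(normalize(raw_path))
    return role is None or role in roles


if __name__ == "__main__":
    crafted = "/public/%2e%2e/admin/users"
    print("raw check   :", "allowed" if authorize_unnormalized(crafted, set()) else "denied")
    print("normalized  :", "allowed" if authorize_normalized(crafted, set()) else "denied")
```

The test to run against a real server is the same shape: request a constrained resource through a traversal-bearing path over each protocol the server speaks (HTTP/1.1 and HTTP/2) and confirm that both return the same 401/403 rather than the resource.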

Affected Products and Versions

All fixpacks of IBM UrbanCode Deploy 6.1 - 6.1.3.6 and 6.2 - 6.2.6.1 are affected.

Remediation/Fixes

For IBM UrbanCode Deploy versions 6.2 to 6.2.6.1, upgrade to IBM UrbanCode Deploy 6.2.7.0 or later.

For IBM UrbanCode Deploy versions 6.1 to 6.1.3.6, upgrade the server to IBM UrbanCode Deploy 6.1.3.7.

Workarounds and Mitigations

None