Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Apache Tomcat vulnerabilities (CVE-2018-11784, CVE-2018-8034)

Summary

IBM WebSphere Cast Iron Solution has addressed the following vulnerabilities reported in Apache Tomcat v7.

Vulnerability Details

CVEID: CVE-2018-11784
DESCRIPTION: Apache Tomcat could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the default servlet. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/150860&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID: CVE-2018-8034
DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by a missing host name verification when using TLS with the WebSocket client. An attacker could exploit this vulnerability to bypass security constraints to access restricted resources.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147211&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

WebSphere Cast Iron v 7.0.0.0, v 7.0.0.1 and v 7.0.0.2.

WebSphere Cast Iron v 7.5.0.0, v 7.5.0.1 and v 7.5.1.0.

App Connect Professional v7.5.2.0.

Remediation/Fixes

Workarounds and Mitigations

None.