Lucene search

K
ibmIBM322B7BB496E764F1B85DD25B946F26F5FF0AF85A4FAC3A7BC95B8C5E4E7B08C5
HistoryMar 02, 2021 - 5:19 a.m.

Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (CVE-2021-24122)

2021-03-0205:19:19
www.ibm.com
14

EPSS

0.002

Percentile

61.5%

Summary

Multiple vulnerabilities in Open Source Apache Tomcat reported by The Apache Software Foundation affect IBM Tivoli Application Dependency Discovery Manager (TADDM)

Vulnerability Details

CVEID:CVE-2021-24122
**DESCRIPTION:**Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by a flaw when serving resources from a network location using the NTFS file system. By sending a specially-crafted request, an attacker could exploit this vulnerability to view the source code for JSPs in some configurations, and use this information to launch further attacks against the affected system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194894 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Tivoli Application Dependency Discovery Manager 7.3.0.0

Remediation/Fixes

Below eFix is prepared on top of 7.3.0.0 (7.3.0.1 - 7.3.0.8 not affected) Fix VRMF APAR How to acquire fix
efix_tomcat70107_201411291020.zip 7.3.0.0 None Download eFix

Please get familiar with eFix readme in etc/<efix_name>_readme.txt
Note that the eFix requires manual deletion of the external/apache-tomcat directory.

Workarounds and Mitigations

The above eFix is applicable only to 7.3.0.0 and can be downloaded and applied directly.

Note: TADDM 7.3.0.1 - 7.3.0.8 are not affected as they use WebSphere Liberty Profile.