Security Bulletin: Rational Insight - Open Source Tomcat reported in May 2014 X-Force Report

Summary

Multiple security vulnerabilities exist in the Tomcat that is shipped with the Rational Insight.

Vulnerability Details

| Subscribe to My Notifications to be notified of important product support alerts like this.

• Follow this link for more information (requires login with your IBM ID)
  —|—

The Jazz Team Server installed with Rational Insight for Data Collection Component (DCC) and Jazz Reporting Service (JRS) is based on the Tomcat server. The May 2014 X-Force Report reported the following security vulnerabilities. Some steps would be required to fix those issues.

CVE-ID: CVE-2014-0075

Description: Apache Tomcat is vulnerable to a denial of service, caused by the improper handling of a malformed chunk size as part of a chucked request. A remote attacker could exploit this vulnerability to cause a denial of service.

CVSS Base Score: 5 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93365&gt; for more information *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-0095

Description: Apache Tomcat is vulnerable to a denial of service, caused by the improper handling of an AJP request. A remote attacker could exploit this vulnerability to consume a request processing thread and cause a denial of service.

CVSS Base Score: 4.3 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93366&gt; for more information *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-0096

Description: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data by the default server. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information.

CVSS Base Score: 4.3 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93367&gt; for more information *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2014-0099

Description: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the failure to check for overflows when parsing content length headers. By sending specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information.

CVSS Base Score: 5 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93369&gt; for more information *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2014-0119

Description: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the replacement of the XML parsers used to process XSLTs for the default servlet. An attacker could exploit this vulnerability using a specially-crafted application to obtain sensitive information.

CVSS Base Score: 5 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93368&gt; for more information *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Rational Insight 1.1, 1.1.1, 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4

Remediation/Fixes

The recommended solution is to apply the recommended fixes to all affected versions of Rational Insight as soon as practical.

Rational Insight 1.1

• Download the IBM Cognos Business Intelligence 10.1.1 Interim Fix 8.
  Review technote 1679272: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Insight 1.1 for detailed instructions.

Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2

• Download the IBM Cognos Business Intelligence 10.1.1 Interim Fix 8.
  Read technote 1679281: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x for the detailed instructions for patch application.

Rational Insight 1.1.1.3

• Download the Cognos Business Intelligence 10.2.1 Fix Pack 2.
  Review technote 1679283: Install a Cognos Business Intelligence 10.2.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x for the detailed instructions for patch application.
  
  Rational Insight 1.1.1.4

• Download the Rational Insight 1.1.1.5 release.
  Review the topics related to DCC and JRS in Upgrading Rational Insight for the detailed instructions for upgrading respective components from Rational Insight 1.1.1.4 to 1.1.1.5.

Workarounds and Mitigations

None