Security Bulletin: Vulnerabilities in Eclipse Jetty affect the IBM InfoSphere Information Server installers

Summary

Vulnerabilities in Eclipse Jetty was addressed by IBM InfoSphere Information Server.

Vulnerability Details

CVEID: CVE-2017-7658 DESCRIPTION: Eclipse Jetty is vulnerable to HTTP request smuggling, caused by a flaw when handling more than one Content-Length headers. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145522&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2018-12536 DESCRIPTION: Eclipse Jetty could allow a remote attacker to obtain sensitive information. An attacker could send a specially-crafted URL request to the java.nio.file.InvalidPathException function using an invalid parameter to cause an error message to be returned containing the full installation path. An attacker could use this information to launch further attacks against the affected system.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145523&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-7656 DESCRIPTION: Eclipse Jetty is vulnerable to HTTP request smuggling, caused by a flaw in the HTTP/1.x Parser. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145520&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2017-7657 DESCRIPTION: Eclipse Jetty is vulnerable to HTTP request smuggling, caused by improper handling of Chunked Transfer-Encoding chunk size. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145521&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

The following products, running on all supported platforms, are affected:

IBM InfoSphere Information Server: versions 9.1, 11.3, 11.5, and 11.7

IBM InfoSphere Information Server on Cloud: versions 11.5 and 11.7

Remediation/Fixes

Product

|

VRMF

|

APAR

|

Remediation/First Fix

—|—|—|—

InfoSphere Information Server, Information Server on Cloud

|

11.7

|

JR59721

|

--Update to the latest Updater for 11.7

InfoSphere Information Server, Information Server on Cloud

|

11.5

|

JR59721

|

--Update to the latest Updater for 11.5

--For new installations, use the latest 11.7 release.

InfoSphere Information Server

|

11.3

|

JR59721

|

--Update to the latest Updater for 11.3
--For new installations, use the latest 11.7 release.

InfoSphere Information Server

|

9.1

|

JR59721

|

--Upgrade to a new release
--For new installations, use the latest 11.7 release.

Workarounds and Mitigations

None