Lucene search

K
ibmIBM527C030C003106EDF08727B98AC10682E8DE0D0F67A43A4BBB5A977ECA249116
HistoryJun 17, 2018 - 4:57 a.m.

Security Bulletin: Rational Directory Server and Rational Directory Administrator can be affected by vulnerabilities (CVE-2014-4263, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099 and CVE-2014-0119)

2018-06-1704:57:15
www.ibm.com
21

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

Summary

This security bulletin is a notice of security vulnerabilities in IBM Runtime Environment, Java Technology Edition and Apache Tomcat server which impacts IBM Rational Directory Server 5.2.x, 5.1.1.x and Rational Directory Administrator 6.x.

Vulnerability Details

| Subscribe to My Notifications to be notified of important product support alerts like this.

  • Follow this link for more information (requires login with your IBM ID)
    —|—

CVEID:CVE-2014-4263
**Description:**An unspecified vulnerability related to the Security component has partial confidentiality impact, partial integrity impact, and no availability impact.

CVSS Base Score: 4 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94606&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE-ID: CVE-2014-0075 **Description: **Apache Tomcat is vulnerable to a denial of service, caused by the improper handling of a malformed chunk size as part of a chucked request. A remote attacker could exploit this vulnerability to cause a denial of service.

**CVSS Base Score:**5
**CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93365&gt; for more information
*CVSS Environmental Score:**Undefined
CVSS Vector:(AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID:CVE-2014-0096
**Description:**Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data by the default server. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information.

**CVSS Base Score:**4.3
**CVSS Temporal Score:**See<https://exchange.xforce.ibmcloud.com/vulnerabilities/93367&gt; for more information
*CVSS Environmental Score:**Undefined
CVSS Vector:(AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-ID:CVE-2014-0099
**Description:**Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the failure to check for overflows when parsing content length headers. By sending specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information.

**CVSS Base Score:**5
**CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93369&gt; for more information
*CVSS Environmental Score:**Undefined
CVSS Vector:(AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-ID:CVE-2014-0119
**Description:**Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the replacement of the XML parsers used to process XSLTs for the default servlet. An attacker could exploit this vulnerability using a specially-crafted application to obtain sensitive information.

**CVSS Base Score:**5
**CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93368&gt; for more information
*CVSS Environmental Score:**Undefined
CVSS Vector:(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Product

| Version
—|—
Rational Directory Server (Tivoli) | 5.2 - 5.2.1_iFix003
Rational Directory Server (Apache)| 5.1.1 - 5.1.1.2_iFix004
Rational Directory Administrator| 6.0 and 6.0.0.1

Remediation/Fixes

Upgrade to one of the following releases:

Product Download link
IBM Rational Directory Server 5.2 (Tivoli) RDS 5.2.1 iFix004
IBM Rational Directory Server 5.1.1 (Apache) RDS 5.1.1.2 iFix005
IBM Rational Directory Administrator 6.0 or 6.0.0.1 RDA 6.0.0.1 iFix001

Workarounds and Mitigations

None

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P