Security Bulletin: SmartCloud Provisioning - Django vulnerabilities reported in May 2014 X-Force Report

Published: 2018-06-17 22:30:11
Source: www.ibm.com

CVSS2 base score: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: None
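The CVSS v2 figures quoted in this bulletin (the header box above and the two CVE entries below) can be checked by hand with the published CVSS v2 base equations. The calculator below is an added example, not IBM's or X-Force's tooling: it parses a vector string (with or without the parentheses the bulletin uses) and computes the base score. Applied to the bulletin's own vectors it reproduces 6.4 for AV:N/AC:L/Au:N/C:P/I:P/A:N and 4.3 for the CVE-2014-3730 vector, and it shows that the 5 quoted for CVE-2014-1418 does not match the vector printed beside it (5.0 is what C:P/I:N/A:N yields). The metric weights are the ones from the CVSS v2 specification; the function names are this example's own.

```python
import math
from typing import Dict

# CVSS v2 metric weights from the published v2 base equations.
_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}


def parse_vector(vector: str) -> Dict[str, str]:
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:N' (optionally wrapped in parentheses,
    as the bulletin prints it) into {metric: value}, rejecting unknown or
    missing metrics so a typo cannot silently produce a score."""
    body = vector.strip().strip("()")
    metrics: Dict[str, str] = {}
    for part in body.split("/"):
        name, _, value = part.partition(":")
        if name not in _WEIGHTS or value not in _WEIGHTS[name]:
            raise ValueError(f"unknown CVSS v2 metric {part!r}")
        metrics[name] = value
    missing = set(_WEIGHTS) - set(metrics)
    if missing:
        raise ValueError(f"vector is missing {sorted(missing)}")
    return metrics


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score for a vector, rounded half-up to one decimal."""
    m = parse_vector(vector)

    def w(metric: str) -> float:
        return _WEIGHTS[metric][m[metric]]

    impact = 10.41 * (1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A")))
    exploitability = 20 * w("AV") * w("AC") * w("Au")
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    # The v2 spec rounds to one decimal; floor(x*10 + 0.5) gives half-up rounding.
    return math.floor(raw * 10 + 0.5) / 10


def check_bulletin_scores() -> Dict[str, float]:
    """Recompute the scores this bulletin quotes, keyed by the vector as printed."""
    vectors = [
        "AV:N/AC:L/Au:N/C:P/I:P/A:N",    # header box, listed as 6.4
        "(AV:N/AC:L/Au:N/C:P/I:P/A:N)",  # CVE-2014-1418 entry, listed as 5
        "(AV:N/AC:M/Au:N/C:N/I:P/A:N)",  # CVE-2014-3730 entry, listed as 4.3
        "AV:N/AC:L/Au:N/C:P/I:N/A:N",    # confidentiality-only profile, which scores 5.0
    ]
    return {v: cvss2_base_score(v) for v in vectors}


if __name__ == "__main__":
    for vector, score in check_bulletin_scores().items():
        print(f"{vector:32} -> {score}")
```

Running the block prints 6.4 twice for the C:P/I:P vector, 4.3 for the CVE-2014-3730 vector and 5.0 for the C:P/I:N/A:N variant, which is the quickest way to see which of the two figures for CVE-2014-1418 (score or vector) is the odd one out before importing the bulletin into a tracker.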

Summary

SmartCloud Provisioning - Django vulnerabilities reported in May 2014 X-Force Report (CVE-2014-1418, CVE-2014-3730).

Vulnerability Details

SmartCloud Provisioning 2.3 ships with the open source Django framework. Security vulnerabilities have been discovered in Django that affect SmartCloud Provisioning. Django has released patch updates containing the fixes, and the Django shipped with SmartCloud Provisioning has been updated to include them.

CVE-ID: CVE-2014-1418
Description: Django Vary and Cache-Control header information disclosure. Django could allow a remote attacker to obtain sensitive information because of a failure to properly remove Vary and Cache-Control headers from HTTP responses, which can let an intermediate cache store a response containing one user's private data and serve it to others. An attacker might exploit this vulnerability to obtain sensitive information.

CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93179> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Note: this vector evaluates to 6.4 under the CVSS v2 equations, not 5. A base score of 5 corresponds to AV:N/AC:L/Au:N/C:P/I:N/A:N (confidentiality impact only), which is the profile one would expect for an information-disclosure issue; confirm against the X-Force entry before relying on either figure.
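The class of problem in CVE-2014-1418 is a cookie-bound (per-user) response reaching a shared cache without the headers that would stop the cache from storing it or serving it to another user. The Python check below is an added illustration, not code from Django or from this bulletin: it inspects a constructed set of response headers for that condition and shows the header fix a practitioner would apply. The sample response, the header values and the function names are this example's own assumptions.

```python
from typing import Dict, List


def _directives(value: str) -> set:
    """Split a comma-separated header value into a set of lower-cased tokens."""
    return {part.strip().lower() for part in value.split(",") if part.strip()}


def cache_risk_findings(headers: Dict[str, str]) -> List[str]:
    """Return the reasons a response could be stored by a shared cache and
    replayed to a different user. `headers` maps header name -> value and is
    constructed by the caller; only Set-Cookie, Cache-Control and Vary matter."""
    h = {name.lower(): value for name, value in headers.items()}
    cache_control = _directives(h.get("cache-control", ""))
    vary = _directives(h.get("vary", ""))
    findings: List[str] = []

    # A Set-Cookie header is the signal that this response is bound to one user
    # (session or login). Such a response must never be shared between users.
    if "set-cookie" not in h:
        return findings

    if "public" in cache_control:
        findings.append("Cache-Control: public on a response that sets a cookie")
    if not ({"private", "no-store"} & cache_control):
        findings.append("missing Cache-Control: private or no-store on a per-user response")
    if not ({"cookie", "*"} & vary):
        findings.append("missing Vary: Cookie, so one user's page can satisfy another user's request")
    return findings


def patch_private_response(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of `headers` carrying the directives that keep a per-user
    response out of shared caches. Existing Vary and Cache-Control values are
    kept and the needed tokens are appended without duplicates."""
    fixed = dict(headers)
    # Look up existing header names case-insensitively so we update, not duplicate.
    names = {name.lower(): name for name in fixed}

    vary_name = names.get("vary", "Vary")
    if not ({"cookie", "*"} & _directives(fixed.get(vary_name, ""))):
        fixed[vary_name] = f"{fixed[vary_name]}, Cookie" if fixed.get(vary_name) else "Cookie"

    cc_name = names.get("cache-control", "Cache-Control")
    cc = _directives(fixed.get(cc_name, ""))
    cc.discard("public")  # public and private contradict each other
    if not ({"private", "no-store"} & cc):
        cc.add("private")
    fixed[cc_name] = ", ".join(sorted(cc))
    return fixed


# Constructed sample: a login response that sets a session cookie but carries
# headers a shared cache would happily honour.
SAMPLE_RESPONSE = {
    "Content-Type": "text/html",
    "Set-Cookie": "sessionid=abc123; HttpOnly; Path=/",
    "Cache-Control": "public, max-age=600",
    "Vary": "Accept-Encoding",
}

if __name__ == "__main__":
    for finding in cache_risk_findings(SAMPLE_RESPONSE):
        print("finding:", finding)
    print("fixed:", patch_private_response(SAMPLE_RESPONSE))
```

The check is deliberately conservative: any response that sets a cookie is treated as per-user, because a cache cannot tell a harmless tracking cookie from a session cookie, and `Vary: Cookie` alone is not enough when the cache is told `public`. The same three findings are what to look for in a reverse proxy's access logs or a HAR capture when verifying an upgrade.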

CVE-ID: CVE-2014-3730
Description: Django malformed URL security bypass. Django might allow a remote attacker to bypass security restrictions because some malformed URLs are not properly validated. An attacker could exploit this vulnerability to gain unauthorized access to the system.

CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93158> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
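The bypass class in CVE-2014-3730 comes from a URL check that trusts a strict parser's notion of "relative" while browsers are more liberal: they fold backslashes into slashes and accept an empty authority, so a string the parser reads as a local path can take the user to another host. The validator below is an added example of a redirect-target check that normalises those forms first; it is not Django's `is_safe_url` and not code from this bulletin. The allow-list host `app.example.com` and the sample URLs are constructed for the example.

```python
from typing import Iterable
from urllib.parse import urlparse

# Assumed for the example: the only host we are willing to redirect to.
ALLOWED_HOSTS = {"app.example.com"}


def is_safe_redirect(url: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """Return True only for a relative path or an http(s) URL on an allowed host.

    The normalisation steps exist because browsers accept forms that
    urllib.parse classifies as a relative path; each step closes one of them."""
    if not url:
        return False
    url = url.strip()
    # Browsers convert '\' to '/' in http(s) URLs; do the same so a host hidden
    # behind backslashes ('/\evil.example') is seen as a host, not a path.
    url = url.replace("\\", "/")
    # Three or more leading slashes are read by browsers as a network-path
    # reference whose host is whatever follows; never treat that as relative.
    if url.startswith("///"):
        return False
    parsed = urlparse(url)
    # A scheme with no authority ('http:///evil.example', 'javascript:...') is
    # either malformed or not a navigable http(s) target; refuse it outright.
    if parsed.scheme and not parsed.netloc:
        return False
    if parsed.scheme and parsed.scheme.lower() not in {"http", "https"}:
        return False
    # netloc includes any userinfo and port, so 'app.example.com@evil.example'
    # does not match the allow-list entry.
    allowed = {host.lower() for host in allowed_hosts}
    if parsed.netloc and parsed.netloc.lower() not in allowed:
        return False
    return True


# Constructed sample of redirect targets as they might arrive in a ?next= parameter.
SAMPLE_TARGETS = [
    "/accounts/profile/",
    "https://app.example.com/dashboard",
    "http://evil.example/",
    "//evil.example/",
    r"/\evil.example",
    r"http:\\evil.example",
    "///evil.example",
    "http:///evil.example",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(f"{'safe  ' if is_safe_redirect(target) else 'reject'} {target}")
```

Of the constructed targets only the first two pass; every other one is a form a strict parser would classify as a relative path or an odd scheme but a browser would follow off-site. When adopting a check like this, feed it the same list after each framework upgrade, since the rejected forms are exactly the ones that regress quietly.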

Affected Products and Versions

SmartCloud Provisioning 2.3 Fix Pack 1, and 2.3 Fix Pack 1 with iFix 1 through iFix 3

Remediation/Fixes

The recommended solution is to apply the appropriate fix from Fix Central as soon as practical.

Fix: Upgrade to IBM SmartCloud Provisioning 2.3 Fix Pack 1, iFix 4

Workarounds and Mitigations

None
