There is a vulnerability (CVE-2016-5388) reported in Apache Tomcat v6, which is used by WebSphere Cast Iron Solution. WebSphere Cast Iron has remediated the affected versions.
CVEID: CVE-2016-5388
DESCRIPTION: Apache Tomcat could allow a remote attacker to redirect the HTTP traffic of CGI applications, caused by the failure to protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable. By using a specially-crafted Proxy header in an HTTP request, an attacker could exploit this vulnerability to redirect outbound HTTP traffic to an arbitrary proxy server. This is also known as the “HTTPOXY” vulnerability.
CVSS Base Score: 8.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/115091> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
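As an added illustration (not IBM's or Tomcat's code), the Python below models the CGI header-to-environment mapping that turns a client-supplied Proxy header into HTTP_PROXY, a hardened mapping that refuses it, and a check for the header in a raw request; the header allowlist is an assumption for the example, not Tomcat's actual default.

```python
import re
from typing import Dict, Optional

# Added example (not IBM's or Tomcat's code). It models the RFC 3875 rule
# behind HTTPOXY: a CGI gateway exposes each request header to the child
# process as HTTP_<NAME> (upper-cased, '-' -> '_'). A client-supplied
# "Proxy" header therefore becomes HTTP_PROXY, which many HTTP client
# libraries honour as their outbound proxy. The allowlist below is an
# assumed one for illustration, not Tomcat's actual default.

SAFE_HEADER_RE = re.compile(
    r"^(accept(-[a-z]+)?|host|user-agent|content-(type|length)|referer)$", re.I
)


def header_to_cgi_var(name: str) -> str:
    """Map an HTTP header name to its CGI meta-variable name (RFC 3875)."""
    return "HTTP_" + name.upper().replace("-", "_")


def naive_cgi_env(headers: Dict[str, str]) -> Dict[str, str]:
    """Vulnerable behaviour: every request header becomes an environment variable."""
    return {header_to_cgi_var(k): v for k, v in headers.items()}


def hardened_cgi_env(headers: Dict[str, str]) -> Dict[str, str]:
    """Fixed behaviour: only allowlisted headers are passed, and HTTP_PROXY never is."""
    env = {}
    for k, v in headers.items():
        var = header_to_cgi_var(k)
        if var == "HTTP_PROXY" or not SAFE_HEADER_RE.match(k):
            continue  # drop untrusted headers, in particular the Proxy header
        env[var] = v
    return env


def effective_proxy(env: Dict[str, str]) -> Optional[str]:
    """What a CGI script's HTTP client would use as its proxy, if anything."""
    return env.get("HTTP_PROXY")


def request_carries_proxy_header(raw_request: str) -> bool:
    """Detection helper for logs or a WAF: does a raw HTTP request include a Proxy header?"""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, _ = line.partition(":")
        if name.strip().lower() == "proxy":
            return True
    return False
```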
This vulnerability affects all versions of the product:
WebSphere Cast Iron v 7.5.x
WebSphere Cast Iron v 7.0.0.x
WebSphere Cast Iron v 6.4.0.x
WebSphere Cast Iron v 6.3.0.x
WebSphere Cast Iron v 6.1.0.x
| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| Cast Iron Appliance | 7.5.* | LI79259 | 7.5.1.0-CUMUIFIX-005 |
| Cast Iron Appliance | 7.0.0.x | LI79259 | 7.0.0.2-CUMUIFIX-033 |
| Cast Iron Appliance | 6.4.0.x | LI79259 | 6.4.0.1-CUMUIFIX-042 |
| Cast Iron Appliance | 6.3.0.x | LI79259 | 6.3.0.2-CUMUIFIX-023 |
Customers on Cast Iron v6.1.0.x should contact IBM Support about migrating to one of the remediated releases, as Cast Iron v6.1.0.x reached EOS in September 2016.