Published: Nov 18, 2019 - 1:57 p.m.

Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Apache Tomcat vulnerability (CVE-2016-5388)

Source: www.ibm.com

EPSS: 0.948 (Percentile: 99.3%)

Summary

There is a vulnerability (CVE-2016-5388) reported in Apache Tomcat v6 that is used by WebSphere Cast Iron Solution. WebSphere Cast Iron has remediated the affected versions.

Vulnerability Details

CVEID: CVE-2016-5388
DESCRIPTION: Apache Tomcat could allow a remote attacker to redirect the HTTP traffic of a CGI application, because it fails to protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable. By sending a specially crafted Proxy header in an HTTP request, an attacker could exploit this vulnerability to redirect outbound HTTP traffic to an arbitrary proxy server. This is also known as the "HTTPOXY" vulnerability.
CVSS Base Score: 8.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/115091> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
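As an added illustration of the mechanism described above (example code written for this page, not IBM's or Apache Tomcat's), the following models how an RFC 3875 CGI gateway maps request headers to environment variables, the filter that keeps a client-supplied Proxy header out of HTTP_PROXY, and a check that flags such a header in request text. The request strings and host names are constructed; the gateway model is a simplification, not Tomcat's implementation.

```python
# Added example (not from the IBM bulletin or Tomcat): the httpoxy mechanism
# and its mitigation in a simplified CGI gateway model.
from typing import Dict

# Constructed sample requests (hosts are placeholders, not real systems).
BENIGN_REQUEST = (
    "GET /cgi-bin/app HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: curl/7.64\r\n\r\n"
)
SUSPECT_REQUEST = (
    "GET /cgi-bin/app HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Proxy: untrusted-proxy.invalid:8080\r\n\r\n"
)


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split the header block of a raw HTTP/1.1 request into a name->value map."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """Naive RFC 3875 mapping: each header becomes HTTP_<NAME> with '-' -> '_'.
    A client-supplied 'Proxy' header therefore lands in HTTP_PROXY, which many
    HTTP client libraries read as their outbound proxy setting (httpoxy)."""
    return {"HTTP_" + n.upper().replace("-", "_"): v for n, v in headers.items()}


def hardened_cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """Mitigation: never let a request header populate HTTP_PROXY."""
    return {k: v for k, v in cgi_meta_variables(headers).items() if k != "HTTP_PROXY"}


def flags_httpoxy_attempt(raw_request: str) -> bool:
    """Detection check: a legitimate client never sends a 'Proxy' header."""
    return any(n.lower() == "proxy" for n in parse_headers(raw_request))


if __name__ == "__main__":
    print("suspect flagged:", flags_httpoxy_attempt(SUSPECT_REQUEST))
    print("hardened env:", hardened_cgi_meta_variables(parse_headers(SUSPECT_REQUEST)))
```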

Affected Products and Versions

This vulnerability affects all versions of the product

WebSphere Cast Iron v 7.5.x
WebSphere Cast Iron v 7.0.0.x
WebSphere Cast Iron v 6.4.0.x
WebSphere Cast Iron v 6.3.0.x
WebSphere Cast Iron v 6.1.0.x

Remediation/Fixes

| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| Cast Iron Appliance | 7.5.* | LI79259 | 7.5.1.0-CUMUIFIX-005 |
| Cast Iron Appliance | 7.0.0.x | LI79259 | 7.0.0.2-CUMUIFIX-033 |
| Cast Iron Appliance | 6.4.0.x | LI79259 | 6.4.0.1-CUMUIFIX-042 |
| Cast Iron Appliance | 6.3.0.x | LI79259 | 6.3.0.2-CUMUIFIX-023 |

Workarounds and Mitigations

Customers on Cast Iron v6.1.0.x should contact IBM Support to migrate to one of the remediated releases, as Cast Iron v6.1.0.x reached end of service (EOS) in September 2016.