
Security Bulletin: Vulnerabilities in Apache Tomcat affect IBM SDN VE (CVE-2011-4905, CVE-2013-0248, CVE-2014-0050, CVE-2014-3577, CVE-2014-0054, CVE-2013-7315, CVE-2013-6429, CVE-2014-0119, CVE-2014-0099, CVE-2014-1904)

Published: 2018-06-18 01:27:28, source: www.ibm.com

EPSS: 0.937 (High), percentile 99.1%

Summary

Security vulnerabilities have been discovered in Apache Tomcat.

Vulnerability Details

CVEID: CVE-2011-4905
**DESCRIPTION:**Apache ActiveMQ before 5.6.0 allows remote attackers to cause a denial of service (file-descriptor exhaustion and broker crash or hang) by sending many openwire failover:tcp:// connection requests.
CVSS Base Score: 5.0
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-0248
**DESCRIPTION:**The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.
CVSS Base Score: 3.3
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:P)

CVEID: CVE-2014-0050

**DESCRIPTION:**MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop’s intended exit conditions.
CVSS Base Score: 5
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-3577

**DESCRIPTION:**org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a “CN=” string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
CVSS Base Score: 5.8
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
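The CVE-2014-3577 entry above turns on how a verifier extracts the Common Name from a certificate's distinguished name: scanning the DN string for "CN=" lets a value in another attribute (the O field in the bulletin's example) pass as a CN. The following Java class is an added example and not HttpClient's code; it contrasts a substring scan with RDN-based parsing via the JDK's `javax.naming.ldap.LdapName`, using a constructed DN in which the O value contains the text "CN=www.apache.org" with its comma escaped.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CommonNameExtractor {

    // Fragile approach, shown for contrast: scan the DN string for "CN=" and
    // take what follows up to the next comma. Any attribute value that contains
    // the text "CN=" is misread as a Common Name.
    public static String lastCnBySubstring(String dn) {
        int i = dn.toLowerCase().lastIndexOf("cn=");
        if (i < 0) {
            return null;
        }
        int end = dn.indexOf(',', i);
        return end < 0 ? dn.substring(i + 3) : dn.substring(i + 3, end);
    }

    // Robust approach: parse the DN with an RFC 2253 parser and collect only
    // the values of RDNs whose attribute type is CN. Escaped commas inside
    // other attribute values are part of those values, not separators.
    public static List<String> commonNames(String dn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(rdn.getValue().toString());
            }
        }
        return cns;
    }

    // Exact, case-insensitive match of the requested host against the CN list.
    // A complete verifier checks subjectAltName dNSName entries first and falls
    // back to the CN only when the certificate carries no SAN.
    public static boolean hostMatchesCn(String host, List<String> cns) {
        for (String cn : cns) {
            if (cn.equalsIgnoreCase(host)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject DN in RFC 2253 form: the O value is
        // "foo,CN=www.apache.org" with its comma escaped; the only CN is
        // example.test.
        String dn = "CN=example.test,O=foo\\,CN=www.apache.org,C=US";

        System.out.println("substring scan:  " + lastCnBySubstring(dn));
        System.out.println("parsed CN list:  " + commonNames(dn));
        System.out.println("www.apache.org accepted? "
            + hostMatchesCn("www.apache.org", commonNames(dn)));
    }
}
```

The substring scan returns the text embedded in the O value, while the RDN-based method reports only the genuine CN, so a host named after the embedded text is not accepted.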

CVEID: CVE-2014-0054
**DESCRIPTION:**The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.
NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
CVSS Base Score: 6.8
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-7315

**DESCRIPTION:**The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152.
NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
CVSS Base Score: 6.8
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-6429

**DESCRIPTION:**The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
CVSS Base Score: 6.8
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
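CVE-2014-0054, CVE-2013-7315 and CVE-2013-6429 above share one root cause: a StAX `XMLInputFactory` that is handed to JAXB or a message converter without external entity resolution disabled. The following Java class is an added example and not Spring's code; it shows the weak default factory beside a hardened one, a configuration check that can be run against any factory an application constructs, and a parse of a constructed document whose external entity points at a placeholder path.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class StaxHardening {

    // Weak configuration: the platform default factory. Unless told otherwise
    // it processes DTDs and resolves external entities.
    public static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened configuration: DTD processing and external entity resolution off.
    public static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        return f;
    }

    // Configuration check for any factory an application hands to JAXB or an
    // HttpMessageConverter: both properties must be explicitly false.
    public static boolean isHardened(XMLInputFactory f) {
        return Boolean.FALSE.equals(f.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES))
            && Boolean.FALSE.equals(f.getProperty(XMLInputFactory.SUPPORT_DTD));
    }

    // Character content of the document, or null if the parser rejects it.
    public static String textContent(XMLInputFactory f, String xml) {
        StringBuilder sb = new StringBuilder();
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                }
            }
            r.close();
        } catch (XMLStreamException e) {
            return null;
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed document: an external entity whose system identifier is a
        // placeholder path. A parser that resolves it would try to open that path.
        String xml = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-file\">]>"
            + "<d>&ext;</d>";

        XMLInputFactory weak = defaultFactory();
        XMLInputFactory safe = hardenedFactory();
        System.out.println("default factory hardened:  " + isHardened(weak));
        System.out.println("hardened factory hardened: " + isHardened(safe));

        // With the hardened factory the path is never opened: the parser either
        // rejects the undeclared entity reference (null) or leaves it unexpanded
        // (empty string). The default factory attempts to open the path.
        System.out.println("hardened parse result: " + textContent(safe, xml));
    }
}
```

The `isHardened` check is the part worth wiring into a code review or a startup self-test: the fixed Spring versions apply the same two properties, and an application that builds its own factory for JAXB must do so as well.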

CVEID: CVE-2014-1904

**DESCRIPTION:**Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
CVSS Base Score: 4.3
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-0099

**DESCRIPTION:**Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the failure to check for overflows when parsing content length headers. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93369 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
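The CVE-2014-0099 entry above describes a missing overflow check when a Content-Length header is converted to a number. The following Java class is an added example, not Tomcat's parser; it shows a decimal parser that tests for overflow before each multiply and rejects non-digit input, beside an unchecked accumulator that silently wraps. The sample header values are constructed.

```java
public final class ContentLengthParser {

    private ContentLengthParser() {}

    // Parse a Content-Length header value. Returns the length, or -1 when the
    // value is empty, contains anything but ASCII digits, or would exceed
    // Long.MAX_VALUE. The overflow test runs before each multiply, so the
    // accumulator never wraps.
    public static long parse(String value) {
        if (value == null || value.isEmpty()) {
            return -1L;
        }
        long result = 0L;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < '0' || c > '9') {
                return -1L;
            }
            int digit = c - '0';
            // result * 10 + digit must stay <= Long.MAX_VALUE
            if (result > (Long.MAX_VALUE - digit) / 10) {
                return -1L;
            }
            result = result * 10 + digit;
        }
        return result;
    }

    // Unchecked accumulator, shown for contrast: the same loop without the
    // overflow test produces a wrong, possibly negative, length for an
    // oversized value instead of rejecting it.
    public static long parseUnchecked(String value) {
        long result = 0L;
        for (int i = 0; i < value.length(); i++) {
            result = result * 10 + (value.charAt(i) - '0');
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed header values.
        String[] samples = {
            "1024",
            "9223372036854775807",   // Long.MAX_VALUE, still accepted
            "9223372036854775808",   // one past the limit, rejected
            "99999999999999999999",  // wraps in the unchecked version
            "12abc",                 // rejected by the checked parser
        };
        for (String s : samples) {
            System.out.printf("%-24s checked=%d unchecked=%d%n",
                "\"" + s + "\"", parse(s), parseUnchecked(s));
        }
    }
}
```

A request whose declared length is rejected by `parse` should be answered with an error rather than processed with whatever value the accumulator happened to land on; the difference between the two columns printed by `main` is the gap the bulletin's entry describes.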

CVEID: CVE-2014-0119
**DESCRIPTION:**Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the replacement of the XML parsers used to process XSLTs for the default servlet. An attacker could exploit this vulnerability using a specially crafted application to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93368 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM SDN VE, Unified Controller, VMware Edition: 1.2.1 and earlier
IBM SDN VE, Unified Controller, KVM Edition: 1.2.1 and earlier
IBM SDN VE, Unified Controller, OpenFlow Edition: 1.2.1 and earlier
IBM SDN VE, Dove Management Console, VMware Edition: 1.0.0

Remediation/Fixes

IBM recommends updating affected IBM SDN VE Unified Controllers to the latest versions of IBM SDN VE for which IBM is providing a fix, which are identified below:

IBM SDN VE, Unified Controller, VMware Edition: version 1.2.2 or later
IBM SDN VE, Unified Controller, KVM Edition: version 1.2.2 or later
IBM SDN VE, Unified Controller, OpenFlow Edition: version 1.2.2 or later

These versions are available via Passport Advantage.

Workarounds and Mitigations

None known