Security Bulletin: Multiple vulnerabilities exist in IMS Enterprise Suite SOAP Gateway (CVE-2014-4263, CVE-2014-0075)

Summary

The IMS™ Enterprise Suite SOAP Gateway is affected by multiple vulnerabilities in IBM® SDK, Java™ Technology Edition (July Update) and Apache Tomcat.

Vulnerability Details

CVE ID: CVE-2014-4263

DESCRIPTION: An unspecified vulnerability related to the Security component has partial confidentiality impact, partial integrity impact, and no availability impact.

CVSS:
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/94606 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2013-0075

DESCRIPTION:
Apache Tomcat is vulnerable to a denial of service, caused by the improper handling of a malformed chunk size as part of a chunked request. A remote attacker could exploit this vulnerability to cause a denial of service.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93365 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

The SOAP Gateway component of the IMS Enterprise Suite versions 2.1, 2.2, and 3.1.

Remediation/Fixes

The recommended solution is to apply the fix as soon as practical. See below for information on the fixes available.

Product

|

VRMF

|

APAR

| Download URL
—|—|—|—

IMS Enterprise Suite SOAP Gateway V3.1

|

3.1.0.3

|

N/A

| https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite

IMS Enterprise Suite SOAP Gateway V2.2

|

2.2.0.5

|

N/A

| https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite

IMS Enterprise Suite SOAP Gateway V2.1

|

2.1.0.8

|

N/A

| https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-imsentersuite

Workarounds and Mitigations

None known