History: Jan 10, 2023 - 7:32 a.m.

Security Bulletin: TADDM affected by multiple vulnerabilities due to JRuby and Hyperic HQ

2023-01-10 07:32:07
www.ibm.com

CVSS2: 5 (Medium)
CVSS2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: Partial)
EPSS: 0.01 (Low), percentile 83.2%

Summary

IBM Tivoli Application Dependency Discovery Manager is vulnerable to denial of service due to its use of JRuby (CVE-2011-4838) and to cross-site scripting and information disclosure due to its use of Hyperic HQ (CVE-2009-2907, CVE-2009-2899).

Vulnerability Details

CVEID: CVE-2009-2907
**DESCRIPTION:** Hyperic HQ is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the description and various other fields to inject malicious script into a Web page, which would be executed in a victim's Web browser within the security context of the hosting Web site once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/57121 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2009-2899
**DESCRIPTION:** SpringSource Hyperic HQ could allow a local attacker to obtain sensitive information, caused by an error in the monitor Perl script in the Sybase database plug-in. By listing the processes, an attacker could exploit this vulnerability to obtain the database password and other sensitive information.
CVSS Base score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/80569 for the current score.
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2011-4838
**DESCRIPTION:** JRuby is vulnerable to a denial of service, caused by insufficient randomization of hash data structures. By sending multiple specially-crafted HTTP POST requests containing conflicting hash key values to an affected application, a remote attacker could exploit this vulnerability to cause the consumption of CPU resources.
CVSS Base score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/72019 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Tivoli Application Dependency Discovery Manager | 7.3.0.0-7.3.0.9 |

Remediation/Fixes

TADDM FixPack 7.3.0.10 has been released. Please upgrade to 7.3.0.10 to resolve the vulnerabilities known at the date of release.

Please refer to the URL below to download TADDM FixPack 7.3.0.10.

| Fix | How to acquire fix |
|---|---|
| 7.3-TIV-ITADDM-FP00010 | Download FixPack |

Please refer to the URL below for more information on TADDM FixPack 7.3.0.10.

<https://www.ibm.com/docs/en/taddm/7.3.0?topic=release-notes#relnotes__fp10>
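As an added example, not part of IBM's bulletin, the following Python check maps an installed TADDM version string onto the affected range and fix level stated above. It compares versions numerically rather than lexically, so that 7.3.0.10 correctly sorts after 7.3.0.9, and the host inventory it scans is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Boundaries taken from the bulletin: 7.3.0.0 through 7.3.0.9 affected, fixed in 7.3.0.10.
AFFECTED_MIN = (7, 3, 0, 0)
FIXED_IN = (7, 3, 0, 10)
RELEASE_TRAIN = (7, 3, 0)  # the bulletin only speaks to the 7.3.0 stream

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.3.0.10' into (7, 3, 0, 10).

    A plain string comparison would rank '7.3.0.10' below '7.3.0.9' and
    report a patched host as vulnerable, so each component becomes an int.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))  # pad '7.3' to (7, 3, 0, 0)


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'out of scope' for one TADDM version."""
    v = parse_version(version)
    if v[:3] != RELEASE_TRAIN:
        return "out of scope"  # other streams are not covered by this bulletin
    if v >= FIXED_IN:
        return "fixed"
    if v >= AFFECTED_MIN:
        return "affected"
    return "out of scope"


def hosts_needing_fixpack(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose installed version falls inside the affected range."""
    return sorted(h for h, ver in inventory.items() if assess(ver) == "affected")


# Constructed sample inventory: hostname -> installed TADDM version.
SAMPLE_INVENTORY = {
    "taddm-prod-01": "7.3.0.9",
    "taddm-prod-02": "7.3.0.10",
    "taddm-lab-01": "7.3.0.0",
    "taddm-legacy": "7.2.2.5",
}

if __name__ == "__main__":
    print("needs FixPack 7.3.0.10:", hosts_needing_fixpack(SAMPLE_INVENTORY))
```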

Workarounds and Mitigations

None
