Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo One - Core (CVE-2016-8745)

Summary

IBM Algo One - Core was potentially vulnerable to a remote attacker’s attempt to obtain sensitive information (Advisory 7416).

Vulnerability Details

CVEID: CVE-2016-8745**
DESCRIPTION:** Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the improper handling of the send file code for the NIO HTTP connector when the Connector code for Tomcat is refactored. An attacker could exploit this vulnerability to obtain the session ID and the response body.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119642 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Algo One - Core versions 5.0.0 and 4.9.0.

Apache Tomcat is not packaged with Algo One - Core 5.1.0.

Remediation/Fixes

Product Name

| iFix Name|Remediation/First Fix
—|—|—
Algo One - Core| 500-362| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.0-1-Algo-One-AlgoCore-if0362:0&includeSupersedes=0&source=fc&login=true
Algo One - Core| 490-226| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.0.0-1-Algo-One-AlgoCore-if0226:0&includeSupersedes=0&source=fc&login=true