
Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Apache Tomcat vulnerability CVE-2015-5174

2019-11-18 13:57:34
www.ibm.com

CVSS3: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS2: 4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N

Summary

A vulnerability, CVE-2015-5174, has been reported in Apache Tomcat v6, which is used by WebSphere Cast Iron Solution. WebSphere Cast Iron has remediated the affected versions.

Vulnerability Details

CVEID: CVE-2015-5174
DESCRIPTION: Apache Tomcat could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) in the getResource(), getResourceAsStream() and getResourcePaths() ServletContext methods to obtain a directory listing for the directory.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110860 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

This vulnerability affects all versions of the product:
WebSphere Cast Iron v 7.5.x
WebSphere Cast Iron v 7.0.0.x
WebSphere Cast Iron v 6.4.0.x
WebSphere Cast Iron v 6.3.0.x
WebSphere Cast Iron v 6.1.0.x

Remediation/Fixes

Product| VRMF| APAR| Remediation/First Fix
—|—|—|—
Cast Iron Appliance| 7.5.| LI78991 | iFix7.5.1.0-CUMUIFIX-001
Cast Iron Appliance| 7…0| LI78991 | iFix7.0…0.2-CUMUIFIX-028
Cast Iron Appliance| 6.4.0.x| LI78991 | iFix6.4.0.1-CUMUIFIX-038
Cast Iron Appliance| 6.3.0.x| LI78991 | iFix6.3.0.2-CUMUIFIX-021
Cast Iron Appliance| 6.1.0.x| LI78991 | iFix6.1.0.15-CUMUIFIX-028

Workarounds and Mitigations

NA
