Jun 15, 2018 - 10:34 p.m.

Security Bulletin: IBM Cognos TM1 is affected by the following Tomcat vulnerabilities: CVE-2014-0075, CVE-2014-0099

2018-06-15 22:34:27
www.ibm.com
CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Summary

A vulnerable version of Tomcat is included as part of IBM Cognos TM1.

Vulnerability Details

CVE-ID: CVE-2014-0075
DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by the improper handling of a malformed chunk size as part of a chunked request. A remote attacker could exploit this vulnerability to cause a denial of service.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93365> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-0099
DESCRIPTION: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the failure to check for overflows when parsing content length headers. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93369> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
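
Both descriptions above concern a numeric length field read from the request: a chunk size and a Content-Length value. As an added illustration (not code from Tomcat, IBM or this bulletin), the Python sketch below contrasts an accumulator that never checks for overflow with a strict parser that rejects malformed digits and overflow; it generalizes to any radix so the same check covers hexadecimal chunk sizes. The signed 64-bit width, the function names and the sample values are assumptions.

```python
# Added illustration; not Tomcat, IBM or bulletin code.
# Assumption: the length is held in a signed 64-bit integer.
INT64_MAX = 2**63 - 1
DIGITS = "0123456789abcdef"

def _wrap_int64(value):
    """Reinterpret an unbounded int as a wrapped signed 64-bit value."""
    value &= 2**64 - 1
    return value - 2**64 if value > INT64_MAX else value

def parse_unchecked(text, radix=10):
    """'Before' form: accumulates digits with no overflow check, so it wraps."""
    value = 0
    for ch in text.strip().lower():
        value = _wrap_int64(value * radix + DIGITS.index(ch))
    return value

def parse_checked(text, radix=10, limit=INT64_MAX):
    """Hardened form: ASCII digits only, rejected before value can pass limit."""
    text = text.strip().lower()
    if not text:
        raise ValueError("empty length field")
    value = 0
    for ch in text:
        digit = DIGITS.find(ch)
        if digit < 0 or digit >= radix:
            raise ValueError(f"invalid digit {ch!r} in length field")
        if value > (limit - digit) // radix:
            raise ValueError("length field overflows")
        value = value * radix + digit
    return value

def classify(text, radix=10):
    """Return ('ok', n) or ('reject', reason) for one length field."""
    try:
        return ("ok", parse_checked(text, radix))
    except ValueError as exc:
        return ("reject", str(exc))

# Constructed sample fields (value, radix); radix 16 stands for a chunk size.
SAMPLES = [("1024", 10), ("18446744073709551620", 10), ("1f", 16), ("12x", 10)]

if __name__ == "__main__":
    for text, radix in SAMPLES:
        print(f"{text!r} radix {radix}: {classify(text, radix)}")
```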

Affected Products and Versions

IBM Cognos TM1 10.1.1.2
IBM Cognos TM1 10.2.0.2
IBM Cognos TM1 10.2.2

Remediation/Fixes

The recommended solution is to apply the fix for the versions listed as soon as practical.

IBM Cognos TM1 10.1.1.2 Interim Fix 2
<http://www-01.ibm.com/support/docview.wss?uid=swg24038887>

IBM Cognos TM1 10.2.0.2 Interim Fix 2
<http://www-01.ibm.com/support/docview.wss?uid=swg24038927>

IBM Cognos TM1 10.2.2 Fix Pack 2
<http://www-01.ibm.com/support/docview.wss?uid=swg24038876>

Workarounds and Mitigations

None
