Security Bulletin: Open Source Apache Tomcat Vulnerabilities affect Algo One - Core

Summary

Apache Tomcat could allow a remote attacker to obtain sensitive information, or allow a remote attacker to bypass security restrictions.

Vulnerability Details

CVE-ID: CVE-2017-5647
Description: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an error in the processing of pipelined requests in send file. An attacker could exploit this vulnerability to obtain sensitive information from the wrong response.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/124400 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVE-ID: CVE-2017-5648
Description: Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the failure to use the appropriate facade object by certain application listener calls. An attacker could exploit this vulnerability to access and modify data on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/124399 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM Algo One Core 4.9, 5.0

Remediation/Fixes

Product Name

| iFix Name|Remediation/First Fix
—|—|—
Algo One Core| 490-232| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.0.0-Algo-One-AlgoCore-if0232:0&includeSupersedes=0&source=fc&login=true
Algo One Core| 500-378| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.0-Algo-One-AlgoCore-if0378:0&includeSupersedes=0&source=fc&login=true