Jun 16, 2018 - 2:07 p.m.

Security Bulletin: IBM InfoSphere Metadata Asset Manager is subject to a denial of service vulnerability from its use of Apache Tomcat (CVE-2014-0095)

2018-06-16 14:07:05
www.ibm.com

CVSS2: 5 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Summary

Apache Tomcat is vulnerable to a denial of service caused by the improper handling of an AJP request. A remote attacker could exploit this vulnerability to consume a request processing thread and cause a denial of service.

Vulnerability Details

CVE ID: CVE-2014-0095

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93366 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM InfoSphere Metadata Asset Manager 8.7 and 9.1 running on all platforms

Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
InfoSphere Metadata Asset Manager | 8.7, 9.1 | N/A | Follow instructions listed below

We do not believe that the product is affected by this vulnerability, but as the relevant port used for the exploit is not needed for operation of the product, we are recommending the remedial actions listed below.

Instructions:
Disable the AJP port and AJP connector by following the steps below:
Assuming <ISHOME> is the location of the Information Server installation

1. Stop Metadata Interchange agent by stopping the Windows service named ‘IBM InfoSphere Metadata Integration Bridges’.

2. Open the file <ISHOME>\Clients\MetaBrokersAndBridges\web\conf\server.xml in an editor and search for the string ‘AJP/1.3’.
Delete the line which has the string ‘AJP/1.3’ and save the file.

For example, if the Metadata Asset Manager is configured with default ports, the relevant line would appear as follows:
<Connector port="19979" protocol="AJP/1.3" redirectPort="19443" />

3. Start Metadata Interchange agent by starting the Windows service named ‘IBM InfoSphere Metadata Integration Bridges’.

There is no impact to the users of InfoSphere Metadata Asset Manager by disabling the AJP connector.
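A check to run against server.xml after step 2, as an added example that is not part of the IBM bulletin. It parses the file rather than searching for a string, so commented-out connectors are ignored and a `<Connector>` split over several lines is handled. Deleting only the `AJP/1.3` line from a multi-line element leaves a connector with no protocol attribute, which Tomcat starts as HTTP/1.1 on the same port. The sample file, the ports other than 19979/19443, and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real product file. Only the 19979/19443 connector
# comes from the bulletin's example; it is split over three lines on purpose.
SAMPLE = """<Server port="19005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="19080" protocol="HTTP/1.1" redirectPort="19443" />
    <!-- <Connector port="19009" protocol="AJP/1.3" /> -->
    <Connector port="19979"
               protocol="AJP/1.3"
               redirectPort="19443" />
  </Service>
</Server>
"""

def connectors(xml_text):
    """Return [(port, effective_protocol)] for active connectors, or None if
    the XML no longer parses. Comments are skipped by the parser, and a missing
    protocol attribute falls back to Tomcat's default, HTTP/1.1."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return [(c.get("port"), c.get("protocol", "HTTP/1.1")) for c in root.iter("Connector")]

def is_ajp(protocol):
    """Match protocol="AJP/1.3" and Tomcat's org.apache.coyote.ajp.* handler classes."""
    return protocol.upper().startswith("AJP/") or ".ajp." in protocol.lower()

def ajp_ports(xml_text):
    """Ports of AJP connectors that would still be started."""
    return [port for port, proto in (connectors(xml_text) or []) if is_ajp(proto)]

def delete_matching_lines(xml_text, needle="AJP/1.3"):
    """Literal reading of step 2: drop every line that contains the string."""
    return "".join(l for l in xml_text.splitlines(keepends=True) if needle not in l)

def remove_ajp_elements(xml_text):
    """Remove whole AJP <Connector> elements (ElementTree does not keep comments)."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for child in [c for c in parent if c.tag == "Connector"
                      and is_ajp(c.get("protocol", "HTTP/1.1"))]:
            parent.remove(child)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("line delete:    ", connectors(delete_matching_lines(SAMPLE)))
    print("element removal:", connectors(remove_ajp_elements(SAMPLE)))
```

After editing the real file, `ajp_ports` should return an empty list and the former AJP port should not appear in `connectors` at all.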

Workarounds and Mitigations

None
