CVSS2: 5 (Medium)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Apache Tomcat is vulnerable to a denial of service caused by the improper handling of an AJP request. A remote attacker could exploit this vulnerability to consume a request processing thread and cause a denial of service.
CVE ID: CVE-2014-0095
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93366 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
IBM InfoSphere Metadata Asset Manager 8.7 and 9.1 running on all platforms
Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
InfoSphere Metadata Asset Manager | 8.7, 9.1 | N/A | Follow instructions listed below
We do not believe that the product is affected by this vulnerability, but as the relevant port used for the exploit is not needed for operation of the product, we are recommending the remedial actions listed below.
Instructions:
Disable the AJP port and AJP connector by following the steps below:
Assuming <ISHOME> is the location of the Information Server installation
1. Stop Metadata Interchange agent by stopping the Windows service named ‘IBM InfoSphere Metadata Integration Bridges’.
2. Open the file <ISHOME>\Clients\MetaBrokersAndBridges\web\conf\server.xml in an editor and search for the string ‘AJP/1.3’.
Delete the line which has the string ‘AJP/1.3’ and save the file.
For example, if the Metadata Asset Manager is configured with default ports, the relevant line would appear as follows…
<Connector port="19979" protocol="AJP/1.3" redirectPort="19443" />
3. Start Metadata Interchange agent by starting the Windows service named ‘IBM InfoSphere Metadata Integration Bridges’.
There is no impact to the users of InfoSphere Metadata Asset Manager by disabling the AJP connector.
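The following is an added example, not part of the IBM bulletin: a Python check for step 2 that parses server.xml as XML instead of matching lines, so a Connector element split across several lines is removed whole and an 'AJP/1.3' mention inside a comment is not mistaken for an active connector. The sample file content, the HTTP connector on port 8080 and the function names are constructed for illustration; Python 3.8 or later is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample; only the AJP connector's ports come from the bulletin's example line.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <!-- AJP/1.3 mentioned in a comment only -->
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="19979"
               protocol="AJP/1.3"
               redirectPort="19443" />
  </Service>
</Server>
"""

def _parse(xml_text):
    # Keep comments so a rewritten file does not silently lose them (Python 3.8+).
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)

def is_ajp(elem):
    """True for an active <Connector> whose protocol is AJP (name or handler class)."""
    if elem.tag != "Connector":
        return False
    proto = elem.get("protocol", "").lower()
    return proto.startswith("ajp") or ".ajp." in proto

def find_ajp_connectors(xml_text):
    """Return the ports of every AJP connector still enabled in server.xml."""
    return [c.get("port") for c in _parse(xml_text).iter() if is_ajp(c)]

def remove_ajp_connectors(xml_text):
    """Return (new_xml, removed_ports) with every AJP <Connector> element dropped."""
    root = _parse(xml_text)
    removed = []
    for parent in list(root.iter()):
        for child in list(parent):
            if is_ajp(child):
                removed.append(child.get("port"))
                parent.remove(child)
    return ET.tostring(root, encoding="unicode"), removed

if __name__ == "__main__":
    print("before:", find_ajp_connectors(SAMPLE_SERVER_XML))
    fixed, removed = remove_ajp_connectors(SAMPLE_SERVER_XML)
    print("removed:", removed, "after:", find_ajp_connectors(fixed))
```

Running find_ajp_connectors on the edited server.xml before restarting the service in step 3 confirms the change took effect: an empty list means no AJP connector remains.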