Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMC8BE73C4E7057D8E5549AED30F58BE7C02D764368946F222F073AD95FC7463AB
HistoryJun 17, 2018 - 4:56 a.m.

Security Bulletin: Rational Test Control Panel in Rational Test Workbench and Rational Test Virtualization Server affected by Apache Tomcat vulnerablity (CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119)

2018-06-1704:56:14
www.ibm.com
7

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

JSON

Summary

Apache Tomcat is vulnerable to a number of security issues affecting the Rational Test Control Panel component in IBM Rational Test Workbench and Rational Test Virtualization Server.

Vulnerability Details

| Subscribe to My Notifications to be notified of important product support alerts like this.

  • Follow this link for more information (requires login with your IBM ID)
    —|—

CVE ID: CVE-2014-0075

Description: Apache Tomcat is vulnerable to a denial of service, caused by the improper handling of a malformed chunk size as part of a chunked request. A remote attacker could exploit this vulnerability to cause a denial of service.

CVSS Base Score: 5 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93365&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2014-0096

Description: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data by the default server. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information.

CVSS Base Score: 4.3 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93367&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE ID: CVE-2014-0099

Description: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the failure to check for overflows when parsing content length headers. By sending specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information.

CVSS Base Score: 5 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93369&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE ID: CVE-2014-0119

Description: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the replacement of the XML parsers used to process XSLTs for the default servlet. An attacker could exploit this vulnerability using a specially-crafted application to obtain sensitive information.

CVSS Base Score: 5 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93368&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Rational Test Control Panel component in Rational Test Virtualization Server and Rational Test Workbench versions:

  • All 8.0.x
  • All 8.5.0.x

Versions 8.5.1 and later are unaffected as they do not use Apache Tomcat.

Remediation/Fixes

The fixes for the CVEs mentioned above have been incorporated into the 7.0.54 release of Apache Tomcat. You should upgrade your installation by following the instructions below.

  1. Download the fix for your product from Fix Central:

The default installation locations for these files are:

  • Windows: C:\Program Files\IBM\RationalTestControlPanel\conf\
  • AIX, Linux, Solaris: `/opt/IBM/RationalTestControlPanel/conf/

`

  • Copy the contents of the unzipped Tomcat directory (except for the LICENSE file) into the RationalTestControlPanel directory, overwriting the existing files.

  • Copy the two configuration files you saved earlier back into /conf.

  • Start the server.

Notes:

  • When updating an installation to a later version of Rational Test Control Panel, the security fix detailed above will have to be re-applied after the RTCP update
  • When removing an installation that has had the security fix applied, not all the files will be removed by IBM Installation Manager, and some files will have to be removed manually.

Workarounds and Mitigations

None

Related

ibm 32
nessus 47
redhat 20
mageia 1
openvas 27
tomcat 5
oraclelinux 5
threatpost 1
securityvulns 5
kaspersky 2
freebsd 1
ubuntu 2
amazon 2
fedora 1
centos 3
symantec 1
f5 8
ubuntucve 4
prion 4
github 4
osv 6
cve 4
debiancve 4
veracode 2
debian 4
gentoo 1
oracle 3
ibm
ibm
Security Bulletin: Apache Tomcat security vulnerability issues on IBM Storwize V7000 Unified (CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119)
2018-06-18 00:08:28
Security Bulletin: Apache Tomcat security vulnerability issues on IBM SONAS (CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119)
2018-06-18 00:08:32
Security Bulletin: Rational Directory Server and Rational Directory Administrator can be affected by vulnerabilities (CVE-2014-4263, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099 and CVE-2014-0119)
2018-06-17 04:57:15
nessus
nessus
Apache Tomcat 6.0.x < 6.0.40 Multiple Vulnerabilities
2014-05-30 00:00:00
Oracle Solaris Third-Party Patch Update : tomcat (cve_2014_0075_numeric_errors)
2015-01-19 00:00:00
RHEL 5 / 6 : JBoss EAP (RHSA-2014:0843)
2014-07-08 00:00:00
redhat
redhat
(RHSA-2014:0842) Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 security update
2014-07-07 14:40:34
(RHSA-2014:0843) Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 security update
2014-07-07 00:00:00
(RHSA-2014:0833) Moderate: Red Hat JBoss Web Server 2.0.1 tomcat6 security update
2014-07-03 16:52:09
mageia
mageia
Updated tomcat and tomcat6 packages fix security vulnerabilities
2014-06-20 00:30:12
openvas
openvas
Mageia: Security Advisory (MGASA-2014-0268)
2022-01-28 00:00:00
Oracle: Security Advisory (ELSA-2014-1034)
2015-10-06 00:00:00
Ubuntu: Security Advisory (USN-2302-1)
2014-08-05 00:00:00
tomcat
tomcat
Fixed in Apache Tomcat 6.0.41
2014-05-23 00:00:00
Fixed in Apache Tomcat 7.0.53
2014-03-30 00:00:00
Fixed in Apache Tomcat 8.0.5
2014-03-27 00:00:00
oraclelinux
oraclelinux
tomcat security update
2014-08-07 00:00:00
tomcat security update
2014-07-23 00:00:00
tomcat6 security and bug fix update
2014-07-09 00:00:00
threatpost
threatpost
Apache Patches Bugs in Tomcat
2014-05-30 12:31:25
securityvulns
securityvulns
Apache Tomcat multiple security vulnerabilities
2014-05-29 00:00:00
[SECURITY] CVE-2014-0119 Apache Tomcat information disclosure
2014-05-29 00:00:00
[SECURITY] CVE-2014-0096 Apache Tomcat information disclosure
2014-05-29 00:00:00
kaspersky
kaspersky
KLA10072 Multiple vulnerabilities in Apache Tomcat
2014-03-30 00:00:00
KLA10070 RLF vulnerability in Apache Tomcat
2014-05-31 00:00:00
freebsd
freebsd
tomcat -- multiple vulnerabilities
2014-05-23 00:00:00
ubuntu
ubuntu
Tomcat vulnerabilities
2014-07-30 00:00:00
Tomcat vulnerabilities
2015-06-25 00:00:00
amazon
amazon
Medium: tomcat8
2015-05-14 14:40:00
Medium: tomcat7
2015-05-14 14:38:00
fedora
fedora
[SECURITY] Fedora 21 Update: tomcat-7.0.59-1.fc21
2015-02-23 08:03:06
centos
centos
tomcat6 security update
2014-07-09 16:09:49
tomcat security update
2014-08-07 18:48:52
tomcat6 security update
2014-08-11 18:04:13
symantec
symantec
SA100 : Apache Tomcat Vulnerabilities
2015-07-23 08:00:00
f5
f5
SOL15429 - Apache Tomcat vulnerability CVE-2014-0119
2014-07-17 00:00:00
K15429 : Apache Tomcat vulnerability CVE-2014-0119
2014-10-14 00:00:00
SOL15432 - Apache Tomcat vulnerability CVE-2014-0099
2014-07-17 00:00:00
ubuntucve
ubuntucve
CVE-2014-0119
2014-05-31 00:00:00
CVE-2014-0096
2014-05-31 00:00:00
CVE-2014-0099
2014-05-31 00:00:00
prion
prion
Integer overflow
2014-05-31 11:17:00
Xxe
2014-05-31 11:17:00
Xxe
2014-05-31 11:17:00
github
github
Improper Input Validation in Apache Tomcat
2022-05-14 01:10:18
Missing XML Validation in Apache Tomcat
2022-05-14 01:10:18
Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Tomcat
2022-05-14 01:10:18
osv
osv
Missing XML Validation in Apache Tomcat
2022-05-14 01:10:18
Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Tomcat
2022-05-14 01:10:18
Improper Input Validation in Apache Tomcat
2022-05-14 01:10:18
cve
cve
CVE-2014-0099
2014-05-31 11:17:00
CVE-2014-0119
2014-05-31 11:17:00
CVE-2014-0096
2014-05-31 11:17:00
debiancve
debiancve
CVE-2014-0096
2014-05-31 11:17:00
CVE-2014-0119
2014-05-31 11:17:00
CVE-2014-0099
2014-05-31 11:17:00
veracode
veracode
XML External Entity (XXE)
2017-04-07 03:32:44
Denial Of Service (DoS) Resource Consumption
2019-01-15 08:55:33
debian
debian
[SECURITY] [DSA 3447-1] tomcat7 security update
2016-01-17 15:47:11
[SECURITY] [DSA 3447-1] tomcat7 security update
2016-01-17 15:47:11
[SECURITY] [DSA 3530-1] tomcat6 security update
2016-03-25 18:47:56
gentoo
gentoo
Apache Tomcat: Multiple vulnerabilities
2014-12-15 00:00:00
oracle
oracle
Oracle Critical Patch Update - July 2014
2014-07-15 00:00:00
Oracle Critical Patch Update - October 2014
2014-10-14 00:00:00
Oracle Critical Patch Update - October 2016
2016-10-18 00:00:00

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

JSON
Related for C8BE73C4E7057D8E5549AED30F58BE7C02D764368946F222F073AD95FC7463AB
ibm32nessus47redhat20mageia1openvas27tomcat5oraclelinux5threatpost1securityvulns5kaspersky2freebsd1ubuntu2amazon2fedora1centos3symantec1f58ubuntucve4prion4github4osv6cve4debiancve4veracode2debian4gentoo1oracle3