Security Bulletin: Vulnerabilities in tomcat affect IBM SmartCloud Provisioning 2.1 for Software Virtual Appliance (CVE-2013-4590, CVE-2014-0119)

Summary

Vulnerabilities in tomcat6 packages affect IBM SmartCloud Provisioning 2.1 for Provided Software Virtual Appliance (CVE-2013-4590, CVE-2014-0119).

Vulnerability Details

CVEID: CVE-2013-4590**
DESCRIPTION:** Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when running untrusted web applications. By sending a specially-crafted request, an attacker could exploit this vulnerability to read arbitrary files and obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/91424&gt;_ for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-0119**
DESCRIPTION:** Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the replacement of the XML parsers used to process XSLTs for the default servlet. An attacker could exploit this vulnerability using a specially-crafted application to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93368&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM SmartCloud Provisioning 2.1 for Software Virtual Appliance

Remediation/Fixes

The recommended solution is download SmartCloud Provisioning 2.1 Fix Pack 5 for IBM Provided Software Virtual Appliance Interim Fix 3 from Fix Central and apply it as soon as practical.

Workarounds and Mitigations

None