Apache Tomcat is vulnerable to HTTP request smuggling. Apache Tomcat is used by IBM UrbanCode Build.
CVE-ID: CVE-2014-0227
Description: Apache Tomcat is vulnerable to HTTP request smuggling. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100751> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Products and Versions: IBM UrbanCode Build 6.1.0 and 6.1.0.1 on all supported platforms.
Remediation/Fixes: Upgrade to IBM UrbanCode Build Fix Pack 2 (6.1.0.2) for 6.1.0, as a new version of Apache Tomcat is now included in the installer.
Note: This mitigation is intended for the servers in “Affected Products and Versions” only. It should not be applied on later releases.
Mitigating HTTP request smuggling through Apache Tomcat
The steps below refer to the Tomcat installation at <server_install_dir>/opt/tomcat.

1. Back up the server.xml and tomcat.keystore files from the conf directory.
2. Back up the webapps directory.
3. Go to <server_install_dir>/opt and delete the tomcat directory.
4. Place the new Apache Tomcat release in <server_install_dir>/opt and rename the directory to tomcat, if needed.
5. In the new tomcat directory, remove the webapps, logs, and temp directories. Remove the RELEASE-NOTES and RUNNING.txt files as well, as they are not needed.
6. Copy the server.xml and tomcat.keystore files that were backed up earlier into the new conf directory. Overwrite the existing files, if prompted.
7. Copy the webapps directory that was backed up earlier into the root of the tomcat directory.
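The replacement procedure above, written as a single POSIX shell function. This is an added example and not part of the IBM advisory; it assumes that <server_install_dir> is passed as the first argument and that the new Apache Tomcat release has already been extracted to the directory passed as the second argument. The timestamped backup directory is deliberately left in place so the previous configuration can be recovered if the swap fails part-way.

```shell
#!/bin/sh
# Added example (not from the advisory): performs the Tomcat swap steps in
# order, refusing to start if the files that must be preserved are missing.
set -eu

replace_tomcat() {
    install_dir="$1"            # <server_install_dir> (assumed argument)
    new_tomcat="$2"             # extracted new Tomcat release (assumed argument)
    old="$install_dir/opt/tomcat"
    backup="$install_dir/tomcat-backup.$(date +%Y%m%d%H%M%S)"

    # Sanity checks before anything destructive happens.
    for f in conf/server.xml conf/tomcat.keystore webapps; do
        [ -e "$old/$f" ] || { echo "missing $old/$f" >&2; return 1; }
    done
    [ -d "$new_tomcat/conf" ] || { echo "no conf dir in $new_tomcat" >&2; return 1; }

    # Steps 1-2: back up server.xml, tomcat.keystore and webapps.
    mkdir -p "$backup/conf"
    cp -p "$old/conf/server.xml" "$old/conf/tomcat.keystore" "$backup/conf/"
    cp -Rp "$old/webapps" "$backup/webapps"

    # Steps 3-4: delete the old tomcat directory, put the new release in
    # its place under the name "tomcat".
    rm -rf "$old"
    cp -Rp "$new_tomcat" "$old"

    # Step 5: drop the shipped webapps, logs and temp directories and the
    # RELEASE-NOTES and RUNNING.txt files, which are not needed.
    rm -rf "$old/webapps" "$old/logs" "$old/temp" \
           "$old/RELEASE-NOTES" "$old/RUNNING.txt"

    # Steps 6-7: restore the backed-up configuration and applications,
    # overwriting whatever the new release shipped in conf.
    cp -p "$backup/conf/server.xml" "$backup/conf/tomcat.keystore" "$old/conf/"
    cp -Rp "$backup/webapps" "$old/webapps"
    echo "$backup"              # print the backup location for the operator
}
```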