logo
DATABASE RESOURCES PRICING ABOUT US

Security Bulletin: TADDM is vulnerable to a denial of service due to vulnerabilities in Apache HttpClient

Description

## Summary Apache HttpClient used by IBM Tivoli Application Dependency Discovery Manager and is vulnerable to CVE-2011-1498, CVE-2012-5783, CVE-2012-6153, CVE-2014-3577,CVE-2015-5262 ## Vulnerability Details ** CVEID: **[CVE-2011-1498](<https://vulners.com/cve/CVE-2011-1498>) ** DESCRIPTION: **Apache HttpComponents could allow a remote attacker to obtain sensitive information, caused by an unspecified error in HttpClient. An attacker could exploit this vulnerability to send the Proxy-Authorization header to the host and disclose the user's password. CVSS Base score: 5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/66241](<https://exchange.xforce.ibmcloud.com/vulnerabilities/66241>) for the current score. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) ** CVEID: **[CVE-2012-5783](<https://vulners.com/cve/CVE-2012-5783>) ** DESCRIPTION: **Apache Commons HttpClient, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/79984](<https://exchange.xforce.ibmcloud.com/vulnerabilities/79984>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2012-6153](<https://vulners.com/cve/CVE-2012-6153>) ** DESCRIPTION: **Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by an incomplete fix related to the failure to verify that the server hostname matches a domain name in the Subject's Common Name (CN) or SubjectAltName field of certificates. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/95328](<https://exchange.xforce.ibmcloud.com/vulnerabilities/95328>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2014-3577](<https://vulners.com/cve/CVE-2014-3577>) ** DESCRIPTION: **Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the Subject's Common Name (CN) or SubjectAltName field of certificates. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/95327](<https://exchange.xforce.ibmcloud.com/vulnerabilities/95327>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2015-5262](<https://vulners.com/cve/CVE-2015-5262>) ** DESCRIPTION: **Apache Commons is vulnerable to a denial of service, caused by the failure to apply a configured connection during the initial handshake of an HTTPS connection by the HttpClient component. An attacker could exploit this vulnerability to accumulate multiple connections and exhaust all available resources. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/106932](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106932>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ## Affected Products and Versions Affected Product(s)| Version(s) ---|--- IBM Tivoli Application Dependency Discovery Manager| 7.3.0.0 -7.3.0.10 ## Remediation/Fixes In order to fix these vulnerabilities, Please follow below steps: **For TADDM 7.3.0.0-7.3.0.9, **Please upgrade your TADDM environment to 7.3.0.10 and then download the e-fix given in Table-1 and apply the e-fix. **For TADDM 7.3.0.10, **Please download the e-fix given in Table-1 and apply the e-fix. **Table-1** Fix| **VRMF ** | **APAR**| **How to acquire fix** ---|---|---|--- efix_apache_https_4.5.14_FP10221123.zip| 7.3.0.10 | None| [Download eFix](<https://www.secure.ecurep.ibm.com/download/?id=CrKx6xuLnRjwkBcN8fiM8j0iluMzaH8ScFLWt3npfgM> "Download eFix" ) **Note:** Above e-fix is a custom e-fix, if there is no e-fix applied on your TADDM server, please applied it directly else please raise a case to TADDM Support team to get Custom e-fix. Please refer to the table below to download TADDM FixPack 7.3.0.10. **Fix**| **How to acquire fix** ---|--- 7.3-TIV-ITADDM-FP00010| [Download FixPack](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Application+Dependency+Discovery+Manager&fixids=7.3-TIV-ITADDM-FP00010&source=SAR> "Download FixPack" ) Please refer to the URL for TADDM FixPack 7.3.0.10 Release Notes containing more information about the update. <https://www.ibm.com/docs/en/taddm/7.3.0?topic=release-notes#relnotes__fp10> ## Workarounds and Mitigations None ##


Affected Software


CPE Name Name Version
tivoli application dependency discovery manager 7.3.0.0
tivoli application dependency discovery manager 7.3.0.9

Related