Security Bulletin: Open Source Apache CXF Vulnerablities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2017-12624)

Summary

Vulnerabilities in Open Source Apache CXF affect IBM Tivoli Application Dependency Discovery Manager

Vulnerability Details

CVE-ID:CVE-2017-12624
DESCRIPTION: Apache CXF is vulnerable to a denial of service. By using a specially crafted message attachment header, a remote attacker could exploit this vulnerability to cause the AX-WS and JAX-RS services stop responding.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/135095 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

TADDM 7.3.0.2 - 7.3.0.4

Remediation/Fixes

There is an eFix prepared on top of the latest released FixPack for TADDM 7.3.0.

Please get familiar with eFix readme in etc/<efix_name>_readme.txt

Workarounds and Mitigations

The only solution is to apply eFix prepared to specific TADDM version (7.3.0.4). This fix is only tested for TADDM versions 7.3.0.4 and should not be applied at other maintenance levels. Upgrade to the latest maintenance level to apply this fix.