
Security Bulletin: Multiple Apache Tomcat vulnerabilities in IBM Algo Audit and Compliance (CVE-2013-4286, CVE-2013-4322, CVE-2013-4590, CVE-2014-0033)

2018-06-15 22:31:20
www.ibm.com

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

Summary

IBM Algo Audit and Compliance uses Apache Tomcat and is affected by multiple vulnerabilities identified in it, which could permit an attacker to compromise the web cache, bypass web application firewall protection and conduct XSS attacks, cause a denial of service, obtain sensitive information, and hijack a user's session.

Vulnerability Details

CVE ID:
CVE-2013-4286

Description:
An HTTP request smuggling vulnerability has been identified in Apache Tomcat that could allow a remote attacker to compromise the web cache, bypass web application firewall protection, and conduct XSS attacks. This vulnerability is caused by an error in the handling of a malicious request. The attack requires network access, no authentication and a medium degree of specialized knowledge and technique. An attack may partially impact the integrity of data but not the confidentiality of information or the availability of the system.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91426 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-2013-4322

Description:
A denial of service vulnerability has been identified in Apache Tomcat that could allow a remote attacker to cause a denial of service, caused by an error in the handling of a malicious request. The attack requires network access, no authentication and a low degree of specialized knowledge and technique. An attack may partially impact the availability of the system but not the confidentiality of information or the integrity of data.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91625 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2013-4590

Description:
An information disclosure vulnerability has been identified in Apache Tomcat that could allow a remote attacker to obtain sensitive information, caused by an error when running untrusted web applications. By sending a specially-crafted request, an attacker could exploit this vulnerability to read arbitrary files and obtain sensitive information. The attack requires network access, no authentication and a medium degree of specialized knowledge and technique. An attack may partially impact the confidentiality of information but not the integrity of data or the availability of the system.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91424 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-2014-0033

Description:
A vulnerability has been identified in Apache Tomcat that could allow a remote attacker to hijack a valid user’s session, caused by an error even when disableURLRewriting is enabled. An attacker could exploit this vulnerability to hijack another user’s account and possibly launch further attacks on the system. The attack requires network access, no authentication and a medium degree of specialized knowledge and technique. An attack may partially impact the integrity of data but not the confidentiality of information or the availability of the system.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91423 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Algo Audit and Compliance versions 2.1 - 2.1.0.2

Remediation/Fixes

Download and install IBM Algo Audit and Compliance version 2.1.0.2 interim fix 1 from Fix Central, details available at http://www-01.ibm.com/support/docview.wss?uid=swg24037884

Workarounds and Mitigations

None known

CPE

Name                        Operator   Version
algo audit and compliance   eq         2.1
