Lucene search

K
ibmIBMFF237A2B8A96DCF9E25EBCBDDC887465982EFD610C8FCD6C7136B8E43763F1D4
HistoryJun 15, 2018 - 10:49 p.m.

Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo One - Algo Risk Application (CVE-2016-8745)

2018-06-1522:49:25
www.ibm.com
7

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary

IBM Algo One - Algo Risk Application could allow a remote attacker to obtain sensitive information, caused by the improper handling of the send file code for the NIO HTTP connector when the Connector code for Tomcat is refactored. An attacker could exploit this vulnerability to obtain the session ID and the response body.
(Advisory 7416)

Vulnerability Details

CVEID: CVE-2016-8745**
DESCRIPTION:** Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the improper handling of the send file code for the NIO HTTP connector when the Connector code for Tomcat is refactored. An attacker could exploit this vulnerability to obtain the session ID and the response body.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119642 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Algo One - Algo Risk Application (ARA) versions 5.1.0, 5.0.0, 4.9.1.

Apache Tomcat is not packaged with Algo One - Algo Risk Application 5.1.0.

Remediation/Fixes

Product Name

| iFix Name|Remediation/First Fix
—|—|—
Algo One - ARA| 5.1.0 (no ARA ifix)| If you are using Algo One - Algo Risk Application 5.1.0, update to Apache Tomcat 7.0.75 or greater to address and remediate this vulnerability.
Algo One - ARA| 5.0.0.6-18| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.6-18-Algo-One-ARA-if0355:0&includeSupersedes=0&source=fc&login=true
Algo One - ARA| 4.9.1.1-23| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.1.1-23-Algo-One-ARA-if0050:0&includeSupersedes=0&source=fc&login=true
Algo One - ARA| 4.9.1.0-18| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.1.0-18-Algo-One-ARA-if0051:0&includeSupersedes=0&source=fc&login=true

CPENameOperatorVersion
algo oneeq5.1.0
algo oneeq5.0
algo oneeq4.9.1

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Related for FF237A2B8A96DCF9E25EBCBDDC887465982EFD610C8FCD6C7136B8E43763F1D4