Lucene search

K
ibmIBMFF237A2B8A96DCF9E25EBCBDDC887465982EFD610C8FCD6C7136B8E43763F1D4
HistoryJun 15, 2018 - 10:49 p.m.

Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo One - Algo Risk Application (CVE-2016-8745)

2018-06-1522:49:25
www.ibm.com
11

EPSS

0.006

Percentile

79.4%

Summary

IBM Algo One - Algo Risk Application could allow a remote attacker to obtain sensitive information, caused by the improper handling of the send file code for the NIO HTTP connector when the Connector code for Tomcat is refactored. An attacker could exploit this vulnerability to obtain the session ID and the response body.
(Advisory 7416)

Vulnerability Details

CVEID: CVE-2016-8745**
DESCRIPTION:** Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the improper handling of the send file code for the NIO HTTP connector when the Connector code for Tomcat is refactored. An attacker could exploit this vulnerability to obtain the session ID and the response body.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119642 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Algo One - Algo Risk Application (ARA) versions 5.1.0, 5.0.0, 4.9.1.

Apache Tomcat is not packaged with Algo One - Algo Risk Application 5.1.0.

Remediation/Fixes

Product Name

| iFix Name|Remediation/First Fix
—|—|—
Algo One - ARA| 5.1.0 (no ARA ifix)| If you are using Algo One - Algo Risk Application 5.1.0, update to Apache Tomcat 7.0.75 or greater to address and remediate this vulnerability.
Algo One - ARA| 5.0.0.6-18| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.6-18-Algo-One-ARA-if0355:0&includeSupersedes=0&source=fc&login=true
Algo One - ARA| 4.9.1.1-23| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.1.1-23-Algo-One-ARA-if0050:0&includeSupersedes=0&source=fc&login=true
Algo One - ARA| 4.9.1.0-18| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.1.0-18-Algo-One-ARA-if0051:0&includeSupersedes=0&source=fc&login=true

CPENameOperatorVersion
algo oneeq5.1.0
algo oneeq5.0
algo oneeq4.9.1