Security Bulletin: Tornado is vulnerable to 263690 used in IBM Maximo Application Suite - Monitor Component

2023-12-0119:31:02

www.ibm.com

ibm maximo application suite

monitor component

tornado 263690

http request smuggling

vulnerability

8.11

8.10

fixpack

update available

5.9 Medium

AI Score

Confidence

High

JSON

Summary

IBM Maximo Application Suite - Monitor Component uses tornado, which is vulnerable to 263690. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

**IBM X-Force ID:**263690
**DESCRIPTION:**Tornado Web Server is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP Content-Length header. By sending a specially crafted HTTP(S) Content-Length header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/263690 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Maximo Application Suite - Monitor Component	8.11
IBM Maximo Application Suite - Monitor Component	8.10

Remediation/Fixes

Affected Product(s)	Fixpack Version(s)
IBM Maximo Application Suite - Monitor Component	8.11.1 or latest (available from the Catalog under Update Available)
IBM Maximo Application Suite - Monitor Component	8.10.6 or latest (available from the Catalog under Update Available)

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmmaximo_application_suiteMatch8.11

ibmmaximo_application_suiteMatch8.10

CPENameOperatorVersion
ibm maximo application suiteeq8.11
ibm maximo application suiteeq8.10

CPE	Name	Operator	Version
	ibm maximo application suite	eq	8.11
	ibm maximo application suite	eq	8.10

5.9 Medium

AI Score

Confidence

High

JSON