Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.2328
Security Bulletin: IBM Algo One is affected by multiple Open Source Tomcat
security vulnerabilities reported in May 2014 X-Force Report
(CVE-2014-0096, CVE-2014-0099, CVE-2014-0119).
9 December 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Algo One
Publisher: IBM
Operating System: AIX
Linux variants
Solaris
Windows
Impact/Access: Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2014-0119 CVE-2014-0099 CVE-2014-0096
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21692277
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: IBM Algo One is affected by multiple Open Source Tomcat
security vulnerabilities reported in May 2014 X-Force Report (CVE-2014-0096,
CVE-2014-0099, CVE-2014-0119).
Document information
More support for:
Algo One
Algo Core
Software version:
4.7, 4.7.1, 4.8, 4.9, 4.9.1, 5.0
Operating system(s):
AIX, Linux, Solaris, Windows
Reference #:
1692277
Modified date:
2014-12-08
Security Bulletin
Summary
These security vulnerabilities exist in components of IBM Algo One, namely
Counterparty Credit Risk (CCR), Algo Risk Application (ARA), and Algo One
Core. See Vulnerability Details for CVE IDs.
Vulnerability Details
CVE-2014-0096
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93367
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Apache Tomcat could allow a remote attacker to obtain sensitive information,
caused by an XML External Entity Injection (XXE) error when processing XML data
by the default server. By sending specially-crafted XML data, an attacker could
exploit this vulnerability to obtain sensitive information. The attack
requires network access, no authentication and some degree of specialized
knowledge and techniques. An attack may compromise the confidentiality
of information, but does not compromise the availability of the system,
and the integrity of data.
CVE-2014-0099
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93369 CVSS
Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Apache Tomcat could allow a remote attacker to obtain sensitive information,
caused by the failure to check for overflows when parsing content length
headers.
By sending specially-crafted request, an attacker could exploit this
vulnerability to obtain sensitive information. The attack requires network
access, no authentication and some degree of specialized knowledge and
techniques. An attack may compromise the confidentiality of information, but
does not compromise the availability of the system, and the integrity of data.
CVE-2014-0119
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93368 CVSS
Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Apache Tomcat could allow a remote attacker to obtain sensitive information,
caused by the replacement of the XML parsers used to process XSLTs for the
default servlet. An attacker could exploit this vulnerability using a
specially-crafted application to obtain sensitive information. The attack
requires network access, no authentication and some degree of specialized
knowledge and techniques. An attack will not compromise the confidentiality
of information or the availability of the system, but may compromise the
integrity of data.
Affected Products and Versions
CCR v. 5.0.0
Algo One Versions 4.7.0 through 5.0.0
ARA Versions 2.5.8 through 5.0.0
The following versions of the affected products are not being patched
and users currently on one of the versions specified below are advised to
upgrade to a patched version:
ARA 2.4.0.1
ARA 2.4.1
ARA 2.4.2
ARA 2.5.0
ARA 2.5.1
ARA 2.5.2
ARA 2.5.3
ARA 2.5.4
ARA 2.5.5
ARA 2.5.5.2
ARA 2.5.6
ARA 2.5.7.1
ARA 2.5.7.2
CCR 4.9.0
CCR Drop 13.7
CCR Drop 13.5
Remediation/Fixes
A fix has been created for each affected version of the named
product. Download and install the appropriate fix as soon as
practicable. Fixes and installation instructions are provided at the URLs
listed below:
Patch Number Download URL
CCR 500-103
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.5-Algo-OneCCR-if0103:0&includeSupersedes=0&source=fc&login=true
ARA 258-004
(applicable to ARA v 2.5.8)
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=2.5.8.6-Algo-OneARA-if0006:0&includeSupersedes=0&source=fc&login=true
ARA 491-018 (applicable to ARA v 4.9.1.1-10)
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.1.1-Algo-OneARA-if0018:0&includeSupersedes=0&source=fc&login=true
ARA 491-017 (applicable to ARA v 4.9.1.0-9)
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.1.0-Algo-OneARA-if0009:0&includeSupersedes=0&source=fc&login=true
ARA 500-078 (applicable to ARA v 5.0.0.3-3)
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.3-Algo-OneARA-if0003:0&includeSupersedes=0&source=fc&login=true
ARA 500-089 (applicable to ARA v 5.0.0.5)
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.5-Algo-OneARA-AIX-fp0005:0&includeSupersedes=0&source=fc&login=true
Algo One Core 500-071
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.0-Algo-One-if0071:0&includeSupersedes=0&source=fc&login=true
Algo One Core 490-130
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.0.0-Algo-One-if0130:0&includeSupersedes=0&source=fc&login=true
Algo One Core 480-067
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.8.0.0-Algo-One-if0067:0&includeSupersedes=0&source=fc&login=true
Algo One Core 471-306
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.7.1.0-Algo-One-if0306:0&includeSupersedes=0&source=fc&login=true
Algo One Core 470-298
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.7.0.0-Algo-One-if0298:0&includeSupersedes=0&source=fc&login=true
Workarounds and Mitigations
None known, apply fixes.
Get Notified about Future Security Bulletins
Subscribe to My Notifications to be notified of important product support
alerts like this.
References
Complete CVSS Guide
On-line Calculator V2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
08 December 2014:Original Copy Published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVIZPvBLndAQH1ShLAQJrMw/+MtnGFbHL0SXlGOCXHi0hxHRlQyiV/Auw
DPL3QTQtqeVoK4kvklOw2+yeZNV+s0gIe8iMq/ua7dtRDitG9x7ZXYJ/j9LZKfrO
SZLnykl4fEc48DACXjpQZJxdztA1XtqAGv9BrRiWyBIe1v5jHMjb7HzJW38ZajRn
x7fZzHoq/vgTJp18iywHttoquuwLh6OdIsDh6wIgyYmxBxp5kGUbIHgDNpQxYPDM
joNVHA3v7OVq6oz6d6nUHLfnVZoJlK/S3KVoFcPZBwNYlQmaW6+Y+u3iozO2kWcv
HkB9GTQ56d82M0kGG0E87kmvkJwXFU981349dBO9JrfiD4Wkzf2sOaejI8NqW1ib
XlCIHBVvTy8QX4ACY+/Ctli2ez3o66bR+OyZobB4X4YZpKXRNnXjP14taPHYvQky
9uH2C+NZYYlFEoSlkTCPX8BtqT+fmL8L1LsBabAajbjub8z0IBrguoGewk+2TRRu
rNActjk5qppgsNfO6Z4oIJIOP0gsguol3DwqRVVBP3YyNEOaC9g7DCzODYiMK2EW
xD1ccQrj54YCi9STmGZW72QctAGNFmYdD/DiLTia6W2m+cPhWZY8LZ2CxvBRESwq
EjY76HFkxpy0z2+QLLfD2GkycVn3pCBDBMOkDpXTL9oQ9W1zMDo5u8S36OoI7F9N
uDhwCW33UFU=
=qrsy
-----END PGP SIGNATURE-----