Multiple security vulnerabilities exist in the Tomcat that is shipped with the Rational Insight.
| Subscribe to My Notifications to be notified of important product support alerts like this.
The Jazz Team Server installed with Rational Insight for Data Collection Component (DCC) and Jazz Reporting Service (JRS) is based on the Tomcat server. The May 2014 X-Force Report reported the following security vulnerabilities. Some steps would be required to fix those issues.
CVE-ID: CVE-2014-0075
Description: Apache Tomcat is vulnerable to a denial of service, caused by the improper handling of a malformed chunk size as part of a chucked request. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93365> for more information *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-0095
Description: Apache Tomcat is vulnerable to a denial of service, caused by the improper handling of an AJP request. A remote attacker could exploit this vulnerability to consume a request processing thread and cause a denial of service.
CVSS Base Score: 4.3 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93366> for more information *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-0096
Description: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data by the default server. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 4.3 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93367> for more information *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2014-0099
Description: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the failure to check for overflows when parsing content length headers. By sending specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93369> for more information *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2014-0119
Description: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the replacement of the XML parsers used to process XSLTs for the default servlet. An attacker could exploit this vulnerability using a specially-crafted application to obtain sensitive information.
CVSS Base Score: 5 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93368> for more information *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Rational Insight 1.1, 1.1.1, 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4
The recommended solution is to apply the recommended fixes to all affected versions of Rational Insight as soon as practical.
Rational Insight 1.1
Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2
Rational Insight 1.1.1.3
Download the Cognos Business Intelligence 10.2.1 Fix Pack 2.
Review technote 1679283: Install a Cognos Business Intelligence 10.2.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x for the detailed instructions for patch application.
Rational Insight 1.1.1.4
Download the Rational Insight 1.1.1.5 release.
Review the topics related to DCC and JRS in Upgrading Rational Insight for the detailed instructions for upgrading respective components from Rational Insight 1.1.1.4 to 1.1.1.5.
None