History: Jun 15, 2018 - 7:00 a.m.

Security Bulletin: IBM Operational Decision Manager, WebSphere ILOG JRules and WebSphere Business Events: CVE-2014-0050

2018-06-15 07:00:06
www.ibm.com
EPSS: 0.191 (Percentile: 96.3%)

Summary

This Security Bulletin addresses the security vulnerability CVE-2014-0050 in IBM Operational Decision Manager, formerly known as WebSphere ILOG JRules, and in WebSphere Business Events.

Vulnerability Details

CVE ID: CVE-2014-0050

DESCRIPTION:
IBM Operational Decision Management uses the library commons-fileupload.jar in the Web Application to transfer files. This library allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop’s intended exit conditions.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90987> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

  • IBM WebSphere Business Events 7.0
  • IBM WebSphere ILOG JRules v7.0
  • IBM WebSphere ILOG JRules v7.1
  • IBM WebSphere Operational Decision Management v7.5
  • IBM Operational Decision Manager v8.0
  • IBM Operational Decision Manager v8.5

Remediation/Fixes

IBM WebSphere ILOG JRules V7.0:
Interim fix 2 for APAR RS01613 is available from IBM Fix Central: 7.0.3.0-WS-BRMS-IF002

IBM WebSphere ILOG JRules V7.1:
Interim fix 38 for APAR RS01613 is available from IBM Fix Central: 7.1.1.5-WS-BRMS-IF038

IBM WebSphere Business Events 7.0:
Interim fix 18 for APAR RS01613 is available from IBM Fix Central: 7.0.1.1-WS-BE-NON_ZOS-TP18

IBM WebSphere Operational Decision Management v7.5:
Interim fix 38 for APAR RS01613 is available from IBM Fix Central: 7.5.0.3-WS-BRMS-IF038

IBM Operational Decision Manager v8.0:
Interim fix 30 for APAR RS01613 is available from IBM Fix Central: 8.0.1.2-WS-BRMS-IF030

IBM Operational Decision Manager v8.5:
Interim fix 27 for APAR RS01613 is available from IBM Fix Central: 8.5.1.0-WS-BRMS-IF027

Workarounds and Mitigations

None known. Apply the fix.