IBM WebSphere Cast Iron Solution and App Connect Professional have addressed the following vulnerabilities reported in Apache Tomcat.
CVEID: CVE-2020-1935
**DESCRIPTION:** Apache Tomcat is vulnerable to HTTP request smuggling, caused by a flaw in the handling of an unusual (invalid) Transfer-Encoding HTTP header. The request boundaries can only be desynchronised when Tomcat is deployed behind a reverse proxy that parses the invalid Transfer-Encoding header differently from Tomcat. By sending a specially crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/176788 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2019-17569
**DESCRIPTION:** Apache Tomcat is vulnerable to HTTP request smuggling, caused by a flaw in the handling of an unusual (invalid) Transfer-Encoding HTTP header. As with CVE-2020-1935, the request boundaries can only be desynchronised when Tomcat is deployed behind a reverse proxy that parses the invalid Transfer-Encoding header differently from Tomcat. By sending a specially crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/176784 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
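The mechanism behind both CVEs, as an added example that is not part of the IBM bulletin and not Apache Tomcat code: two HTTP/1.1 parsers (a front-end proxy and a back-end server) disagree on whether an unusual Transfer-Encoding value selects chunked framing, so the same byte stream is split into a different number of requests by each. The header value `xchunked`, the `/app` and `/admin` paths and the `app.example` host are constructed for the demonstration; the bulletin does not state which malformed header the fixed Tomcat releases mis-parsed, and the tolerant `lenient_te` policy below is a stand-in for that behaviour, not a reproduction of it.

```python
"""Model of an HTTP request-smuggling desync caused by two parsers that
disagree on an unusual Transfer-Encoding header. Added example, not IBM or
Tomcat code; the "xchunked" header and the hosts/paths are constructed."""


def split_head(data):
    """Header lines and body offset for the request at the start of data."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("incomplete header block")
    return data[:end].split(b"\r\n"), end + 4


def parse_headers(lines):
    """Lower-case header names; values are stripped but otherwise untouched."""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers


def chunked_body_length(data):
    """Bytes consumed by a chunked body starting at data[0], including the
    zero-size chunk and its trailing CRLF (trailer fields are not handled)."""
    pos = 0
    while True:
        line_end = data.find(b"\r\n", pos)
        if line_end < 0:
            raise ValueError("truncated chunk-size line")
        size = int(data[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            return pos + 2 if data[pos:pos + 2] == b"\r\n" else pos
        pos += size + 2  # chunk data plus its CRLF


def strict_te(value):
    """Proxy-style policy: only the exact token 'chunked' means chunked framing."""
    return value == b"chunked"


def lenient_te(value):
    """Tolerant policy (stand-in for the flawed parser): any value that
    contains 'chunked' means chunked framing."""
    return b"chunked" in value.lower()


def parse_requests(data, te_policy):
    """Split one byte stream into (method, path, body) tuples. A body is framed
    by chunked coding when te_policy accepts the Transfer-Encoding header,
    otherwise by Content-Length (0 if absent)."""
    requests = []
    while data:
        head, body_start = split_head(data)
        method, path, _version = head[0].split(b" ", 2)
        headers = parse_headers(head)
        te = headers.get(b"transfer-encoding")
        if te is not None and te_policy(te):
            body_len = chunked_body_length(data[body_start:])
        else:
            body_len = int(headers.get(b"content-length", b"0"))
        requests.append((method, path, data[body_start:body_start + body_len]))
        data = data[body_start + body_len:]
    return requests


def is_ambiguous(headers):
    """Hardened front-end check: refuse any request whose framing two parsers
    could disagree on (TE together with CL, or TE that is not exactly 'chunked')."""
    te = headers.get(b"transfer-encoding")
    if te is None:
        return False
    return te != b"chunked" or b"content-length" in headers


# Constructed payload. Content-Length covers everything after the header block,
# so a strict parser sees one POST; a lenient parser frames the body as chunked,
# ends it at the zero chunk, and reads the GET as a second, smuggled request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
PAYLOAD = (
    b"POST /app HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"Transfer-Encoding: xchunked\r\n"
    b"\r\n" + BODY
)


def desync_counts(payload=PAYLOAD):
    """Number of requests a strict and a lenient parser each extract."""
    return (len(parse_requests(payload, strict_te)),
            len(parse_requests(payload, lenient_te)))


if __name__ == "__main__":
    front, back = desync_counts()
    print(f"strict parser: {front} request(s); lenient parser: {back} request(s)")
    print("hardened front end would reject:",
          is_ambiguous(parse_headers(split_head(PAYLOAD)[0])))
```

The strict parser returns one request and the lenient one returns two, which is the desynchronisation the bulletin's attack outcomes (cache poisoning, WAF bypass, XSS via a smuggled request) build on. `is_ambiguous` shows the check a front end can apply regardless of how the back end parses: reject any request carrying both framing headers or a Transfer-Encoding value other than the exact `chunked` token, so a request whose framing is open to interpretation never reaches the back end.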
**Affected Products and Versions:**
WebSphere Cast Iron v7.0.0.0, 7.0.0.1, 7.0.0.2
WebSphere Cast Iron v7.5.0.0, 7.5.0.1, 7.5.1.0
App Connect Professional v7.5.2.0
App Connect Professional v7.5.3.0
**Remediation/Fixes:**

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
IBM WebSphere Cast Iron | 7.0.0.0, 7.0.0.1, 7.0.0.2 | LI81465 | 7002 Fix Central link
IBM WebSphere Cast Iron | 7.5.0.0, 7.5.0.1, 7.5.1.0 | LI81465 | 7510 Fix Central link
App Connect Professional | 7.5.2.0 | LI81465 | 7520 Fix Central link
App Connect Professional | 7.5.3.0 | LI81465 | 7530 Fix Central link
**Workarounds and Mitigations:** None