Lucene search

IBMC4CCB581E9554A8FC81404481350AD55F2B3AFAFAEDE521E7CBB6249AE97DBA8

HistoryJun 16, 2018 - 9:42 p.m.

Security Bulletin: Multiple vulnerabilities in ApacheTomcat affect IBM Security SiteProtector System (CVE-2015-5174, CVE-2015-5345, CVE-2016-0706 and CVE-2016-0714)

2018-06-1621:42:20

www.ibm.com

EPSS

0.008

Percentile

81.8%

JSON

Summary

There are multiple vulnerabilities in Apache Tomcat that is used by IBM Security SiteProtector System.

Vulnerability Details

CVEID: CVE-2015-5174 **
DESCRIPTION:** Apache Tomcat could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) in the getResource(), getResourceAsStream() and getResourcePaths() ServletContext methods to obtain a directory listing for the directory.

CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110860 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2015-5345 **
DESCRIPTION:** Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an error when accessing a protected directory. By redirecting to the URL, an attacker could exploit this vulnerability to determine the presence of a directory.

CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110857 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-0706 **
DESCRIPTION:** Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the loading of the StatusManagerServlet during the configuration of a security manager. An attacker could exploit this vulnerability to obtain deployed applications and other sensitive information.

CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110855 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-0714 **
DESCRIPTION:** Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by an error in multiple session persistence mechanisms. By placing a malicious object into a session, an attacker could exploit this vulnerability to bypass a security manager and possibly execute arbitrary code on the system.

CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110856 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

IBM Security SiteProtector System 3.0 and 3.1.1

Remediation/Fixes

Apply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:

For SiteProtector 3.0:

SiteProtector Core Component

ServicePack3_0_0_12.xpu

—|—

For SiteProtector 3.1.1:

SiteProtector Core Component

ServicePack3_1_1_7.xpu

—|—

Alternatively, the packages can be manually obtained from the IBM Security License Key and Download Center using the following URL:
<https://ibmss.flexnetoperations.com/service/ibms/login>

Workarounds and Mitigations

None

EPSS

0.008

Percentile

81.8%

JSON

Related for C4CCB581E9554A8FC81404481350AD55F2B3AFAFAEDE521E7CBB6249AE97DBA8