Jun 17, 2018 - 10:32 p.m.

Security Bulletin: Vulnerability in Apache Tomcat affects IBM UrbanCode Deploy (CVE-2014-0227)

2018-06-17 22:32:01
www.ibm.com
10

EPSS: 0.946 (High), Percentile: 99.3%

Summary

Previous releases of IBM UrbanCode Deploy are affected by an HTTP request smuggling vulnerability in Apache Tomcat.

Vulnerability Details

CVE ID: CVE-2014-0227

Description: Apache Tomcat is vulnerable to HTTP request smuggling. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.

CVSS Base Score: 4.3

CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100751> for the current score

CVSS Environmental Score: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
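To illustrate the malformed-chunk condition named in the description, the following added example (not code from IBM's bulletin or from Apache Tomcat) decodes a chunked body strictly and, on any framing error, rejects the request and discards the rest of the buffer so that it is never parsed as a second request. The function names, the 8-hex-digit size limit, the no-trailers restriction and the sample inputs are assumptions made for this example, which also assumes the buffer holds the complete body.

```python
import re

# chunk-size = 1*HEXDIG, optional ";extension" (RFC 7230 section 4.1).
# The 8-digit cap is an assumption of this example to bound the size.
_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,8})(?:;[^\r\n]*)?")

class MalformedChunk(Exception):
    """Chunked framing was violated; the connection must be closed."""

def decode_chunked(buf: bytes):
    """Return (body, leftover) for one chunked body at the start of buf.

    Raises MalformedChunk on any framing error; the caller must not go on
    to parse the remaining bytes as a new request.
    """
    body, pos = bytearray(), 0
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            raise MalformedChunk("chunk-size line not terminated by CRLF")
        m = _SIZE_LINE.fullmatch(buf[pos:eol])
        if not m:
            raise MalformedChunk(f"bad chunk-size line {buf[pos:eol]!r}")
        size = int(m.group(1), 16)
        pos = eol + 2
        if size == 0:
            break
        if buf[pos + size:pos + size + 2] != b"\r\n":
            raise MalformedChunk("chunk data not followed by CRLF")
        body += buf[pos:pos + size]
        pos += size + 2
    # Only an empty trailer section is accepted in this example.
    if buf[pos:pos + 2] != b"\r\n":
        raise MalformedChunk("missing final CRLF or unsupported trailers")
    return bytes(body), buf[pos + 2:]

def handle_connection(buf: bytes):
    """Fail closed: on a framing error answer 400 and drop all buffered bytes."""
    try:
        body, leftover = decode_chunked(buf)
        return 200, body, leftover
    except MalformedChunk:
        return 400, b"", b""  # connection closed, nothing is re-parsed

# Constructed sample inputs: a well-formed body and one with a bad size line.
WELL_FORMED = b"5\r\nhello\r\n0\r\n\r\nNEXT"
BAD_SIZE = b"5x\r\nhello\r\n0\r\n\r\nNEXT"
```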

Affected Products and Versions

IBM UrbanCode Deploy 6.0, 6.0.1, 6.0.1.1, 6.0.1.2, 6.0.1.3, 6.0.1.4, 6.0.1.5, 6.0.1.6, 6.0.1.7, 6.1, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.4, 6.1.1, 6.1.1.1, and 6.1.1.2 on all supported platforms.

IBM UrbanCode Deploy with Patterns 6.1.0, 6.1.0.1, 6.1.0.2, and 6.1.1 on all supported platforms.

Remediation/Fixes

For affected versions of IBM UrbanCode Deploy 6.1, upgrade to IBM UrbanCode Deploy Fix Pack 3 (6.1.1.3) or later.

For affected versions of IBM UrbanCode Deploy 6.0, upgrade to IBM UrbanCode Deploy Fix Pack 8 (6.0.1.8) or later.

For affected versions of IBM UrbanCode Deploy with Patterns 6.1, upgrade to IBM UrbanCode Deploy with Patterns Fix Pack 1 (6.1.1.1) or later.

Workarounds and Mitigations

None