
Security Bulletin: Rational Build Forge Security Advisory (CVE-2014-0075, CVE-2014-0099)

2018-06-17 04:56:28
www.ibm.com
EPSS: 0.038 (Low), Percentile: 92.0%

Summary

Apache Tomcat has security vulnerabilities that can lead to a denial of service (DoS) attack or allow an attacker to obtain sensitive information. To avoid this issue in IBM Rational Build Forge, use the latest version of the Apache Tomcat Server, which contains the fix for these problems.

Vulnerability Details

CVE-ID: CVE-2014-0075

Description: Apache Tomcat is vulnerable to a denial of service, caused by the improper handling of a malformed chunk size as part of a chunked request. A remote attacker could exploit this vulnerability to cause a denial of service.

CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93365> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-0099

Description: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the failure to check for overflows when parsing content length headers. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information.

CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93369> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
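
As an added illustration (not Tomcat's or IBM's code), the Java example below shows the kind of length parsing both descriptions above turn on: an unchecked decimal accumulation that silently wraps on overflow, next to a Content-Length parser and a chunk-size parser that reject overflowing or malformed values. The class and method names and the `maxChunk` cap are assumptions made for this example.

```java
// Added illustration; not Tomcat or Build Forge code. Names and limits are assumptions.
public class LengthParsing {
    // Unchecked accumulation: a long enough digit string wraps around silently.
    static long parseUnchecked(String s) {
        long v = 0;
        for (char c : s.toCharArray()) v = v * 10 + (c - '0');
        return v;
    }

    // Content-Length: ASCII decimal digits only, rejected before the value can overflow.
    static long parseContentLength(String s) {
        if (s.isEmpty()) throw new NumberFormatException("empty Content-Length");
        long v = 0;
        for (char c : s.toCharArray()) {
            if (c < '0' || c > '9') throw new NumberFormatException("non-digit in Content-Length");
            int d = c - '0';
            if (v > (Long.MAX_VALUE - d) / 10) throw new NumberFormatException("Content-Length overflow");
            v = v * 10 + d;
        }
        return v;
    }

    // Chunk size: ASCII hex digits only, bounded by a caller-supplied cap (hypothetical parameter).
    // Assumes any chunk extension (";...") has already been split off by the caller.
    static int parseChunkSize(String s, int maxChunk) {
        if (s.isEmpty()) throw new NumberFormatException("empty chunk size");
        long v = 0; // long accumulator: v <= maxChunk before each step, so v * 16 + d cannot wrap
        for (char c : s.toCharArray()) {
            int d = (c >= '0' && c <= '9') ? c - '0'
                  : (c >= 'a' && c <= 'f') ? c - 'a' + 10
                  : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
            if (d < 0) throw new NumberFormatException("non-hex in chunk size");
            v = v * 16 + d;
            if (v > maxChunk) throw new NumberFormatException("chunk size exceeds limit");
        }
        return (int) v;
    }

    public static void main(String[] args) {
        String huge = "18446744073709551617"; // constructed sample, larger than Long.MAX_VALUE
        System.out.println("unchecked: " + parseUnchecked(huge));
        for (String s : new String[] {"1024", huge, "12a"}) { // constructed samples
            try { System.out.println(s + " -> " + parseContentLength(s)); }
            catch (NumberFormatException e) { System.out.println(s + " rejected: " + e.getMessage()); }
        }
        for (String s : new String[] {"1f4", "ffffffffffffffff1", "-1"}) { // constructed samples
            try { System.out.println(s + " -> " + parseChunkSize(s, 1 << 20)); }
            catch (NumberFormatException e) { System.out.println(s + " rejected: " + e.getMessage()); }
        }
    }
}
```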

Affected Products and Versions

IBM Rational Build Forge versions 7.1.2.

Remediation/Fixes

Apply the correct fix pack or iFix for your version of Build Forge:

| Affected Version | Fix |
|---|---|
| Build Forge 7.1.2.0 - 7.1.2.3 | 7.1.2.3 iFix2 (not released yet) |

Note: If you need 7.1.2.3 iFix2, contact IBM support.

Workarounds and Mitigations

Upgrade Tomcat (which is in the Build Forge installation directory).

or

Upgrade to 4037483: Rational Build Forge Fix Pack 2 (8.0.0.2) for 8.0.