@prb112 prb112 released this Feb 21, 2015 · 222 commits to master since this release


There are two security updates in the latest release:
Changed the Dojo version to IBM Dojo Toolkit 1.8.9 and updated the builds to work with the new version, because of the Dojo Security Advisory at http://dojotoolkit.org/blog/dojo-security-advisory-2014-12-08
You can read more about it at:
CVE-ID: CVE-2014-8917
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8917
Description: Multiple cross-site scripting (XSS) vulnerabilities in (1) dojox/form/resources/uploader.swf (aka upload.swf), (2) dojox/form/resources/fileuploader.swf (aka fileupload.swf), (3) dojox/av/resources/audio.swf, and (4) dojox/av/resources/video.swf in the IBM Dojo Toolkit, as used in IBM Social Media Analytics 1.3 before IF11 and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Replaced Apache Tomcat with the latest build, Apache Tomcat 7.0.59, and updated the builds to work with the new version.
You can read more about it at:
CVE-ID: CVE-2014-0227 - Apache Tomcat request smuggling
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227
Description: Apache Tomcat is vulnerable to HTTP request smuggling. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
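The request-smuggling description above turns on a server tolerating a malformed chunked header and then disagreeing with another component (a cache, a WAF) about where the request body ends. The decoder below is an added example written for this release note; it is not code from the IBM Social Business Toolkit or from Apache Tomcat. It shows the defensive behaviour a practitioner wants from any chunked-body parser: every deviation from the chunked grammar raises an error that the server should answer by closing the connection, rather than guessing at a body length. The `MAX_CHUNK_SIZE_LINE` cap and the sample inputs in `main()` are constructed for the example.

```python
"""Strict decoder for HTTP/1.1 chunked transfer encoding (RFC 7230 section 4.1).

Added example; not code from the IBM Social Business Toolkit or Apache Tomcat.
Request smuggling needs two HTTP parsers that disagree about where a message
body ends. A decoder that rejects every malformed chunk header, instead of
tolerating it and guessing, leaves no such ambiguity to exploit.
"""
import re

class ChunkedDecodeError(ValueError):
    """Any framing problem: the server should reject and close the connection."""

# chunk-size = 1*HEXDIG, optionally followed by ';' chunk-ext, with no CR/LF inside.
_CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,8})(;[^\r\n]*)?")
MAX_CHUNK_SIZE_LINE = 1024  # assumed cap on the size line (incl. extensions)

def decode_chunked(data: bytes) -> tuple[bytes, bytes]:
    """Decode one chunked message body.

    Returns (body, bytes_left_over_after_the_message).  The left-over bytes are
    what a pipelined next request would start with; a sloppy parser that
    mis-frames the body is what lets an attacker control that boundary.
    Raises ChunkedDecodeError on any deviation from the grammar.
    """
    pos = 0
    body = bytearray()
    while True:
        eol = data.find(b"\r\n", pos)
        if eol == -1:
            raise ChunkedDecodeError("chunk-size line not terminated by CRLF")
        if eol - pos > MAX_CHUNK_SIZE_LINE:
            raise ChunkedDecodeError("chunk-size line too long")
        line = data[pos:eol]
        # fullmatch: non-hex characters, leading whitespace, a bare LF inside the
        # line, or anything else off-grammar is refused rather than interpreted.
        m = _CHUNK_SIZE_LINE.fullmatch(line)
        if m is None:
            raise ChunkedDecodeError(f"malformed chunk-size line: {line!r}")
        size = int(m.group(1), 16)
        pos = eol + 2
        if size == 0:
            # last-chunk, then optional trailer fields, then one empty line.
            while True:
                eol = data.find(b"\r\n", pos)
                if eol == -1:
                    raise ChunkedDecodeError("trailer section not terminated")
                trailer = data[pos:eol]
                pos = eol + 2
                if trailer == b"":
                    return bytes(body), data[pos:]
                if b":" not in trailer:
                    raise ChunkedDecodeError(f"malformed trailer field: {trailer!r}")
        end = pos + size
        if len(data) < end + 2:
            raise ChunkedDecodeError("truncated chunk data")
        if data[end:end + 2] != b"\r\n":
            # Chunk data must be followed by exactly CRLF; anything else means the
            # declared size and the actual data disagree.
            raise ChunkedDecodeError("chunk data not followed by CRLF")
        body += data[pos:end]
        pos = end + 2

def is_well_formed(data: bytes) -> bool:
    """True only if the whole chunked message is accepted by the strict decoder."""
    try:
        decode_chunked(data)
        return True
    except ChunkedDecodeError:
        return False

def main() -> None:
    # Constructed sample bodies: two valid ones and a few malformed headers.
    samples = {
        "valid": b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n",
        "valid with extension and trailer": b"3;x=1\r\nabc\r\n0\r\nX-Tr: 1\r\n\r\n",
        "non-hex size": b"5x\r\nhello\r\n0\r\n\r\n",
        "leading space": b" 5\r\nhello\r\n0\r\n\r\n",
        "bare LF terminator": b"5\nhello\r\n0\r\n\r\n",
        "size/data mismatch": b"5\r\nhelloX\r\n0\r\n\r\n",
    }
    for name, raw in samples.items():
        print(f"{name:35s} -> {'accepted' if is_well_formed(raw) else 'rejected'}")

if __name__ == "__main__":
    main()
```

The important design choice is that rejection is total: the decoder never "recovers" from a bad size line by skipping it or treating the rest of the stream as body, because any such recovery rule is a second opinion about message framing that a front-end proxy or cache may not share.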

Also, we have fixed:
  • test cases not providing the right data
  • the pom.xml for com.ibm.sbt.web, so that it builds with the latest Dojo
  • the missing {connection} URL part
  • the Maven dependencies for the OpenSocial Explorer project, which now use the default Maven copy plugin
  • ActivityStreamService.js, which now uses the proper URL path

The Business Support Services Provisioning sample is not in the current build/release, and is to be included in a future build.

The current branch is 1.1.4-SNAPSHOT
The Maven Central sonatype version is 1.1.3.20150220-1200

As always, please use GitHub issues and StackOverflow for any release issues.

Details on Security
Title: Security Bulletin: IBM Social Business Toolkit - Apache Tomcat request smuggling (CVE-2014-0227)
Summary
The IBM Social Business Toolkit includes Apache Tomcat which is vulnerable to HTTP Request smuggling. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.

Vulnerability Details

CVE ID: [CVE-2014-0227](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227)

DESCRIPTION: Apache Tomcat is vulnerable to HTTP request smuggling. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.

CVSS Base Score: 4.300
CVSS Temporal Score: see http://xforce.iss.net/xforce/xfdb/100751 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

  • IBM Social Business Toolkit 1.0.0 through 1.1.2

Remediation/Fixes

Workarounds and Mitigations

Reference

Related Information

  • IBM Secure Engineering Web Portal
  • IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

20 Feb 2015: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.