Security Advisories

January 10, 2012 - Multiple Tomcat vulnerabilities in IntelligenceCenter

Security Advisories ID:    SA66
Version:    2.0
Status:    Published
Published date:    11/30/2011
Updated:    01/17/2012
 

Advisory Status

Final

Advisory Severity

Medium, CVSS v2 base score: 4.8 (AV:A/AC:L/Au:N/C:P/I:N/A:P)

CVE Number

CVE-2008-5515 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:P/I:N/A:N)
CVE-2009-0783 - CVSS base score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVE-2010-1157 - CVSS base score: 1.8 (AV:A/AC:H/Au:N/C:P/I:N/A:N)
CVE-2010-2227 - CVSS base score: 4.8 (AV:A/AC:L/Au:N/C:P/I:N/A:P)
CVE-2010-3718 - CVSS base score: 1.2 (AV:L/AC:H/Au:N/C:N/I:P/A:N)
CVE-2010-4172 - CVSS base score: 2.9 (AV:A/AC:M/Au:N/C:N/I:P/A:N)
CVE-2011-0013 - CVSS base score: 2.9 (AV:A/AC:M/Au:N/C:N/I:P/A:N)
CVE-2011-1184 - CVSS base score: not yet assigned
CVE-2011-2204 - CVSS base score: 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)
CVE-2011-2729 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:P/I:N/A:N)

Summary

IntelligenceCenter uses a version of Tomcat that has several publicly documented vulnerabilities. The most severe vulnerability allows an attacker to mount a denial of service attack or to obtain sensitive information by using a specially crafted header.

Affected Products

All versions of IntelligenceCenter prior to version 3.2.2.1 are vulnerable.

Details

IntelligenceCenter prior to version 3.2.2.1 uses Tomcat version 6.0.18. This version of Tomcat has several publicly documented vulnerabilities.

The most severe vulnerability allows an attacker to read data that Tomcat is authorized to access, exposing specific configuration data and data sent to and from IntelligenceCenter. The attacker can also mount a denial of service attack using a specially crafted header, rendering IntelligenceCenter partially unresponsive both for administrative control and for data transmission.

When IntelligenceCenter is deployed behind a firewall, as is recommended, an attacker must gain access from the internal network in order to mount an attack. The CVSS base scores included in this advisory are based on this deployment scenario.

If IntelligenceCenter is deployed outside of the firewall, the CVSS base score for all CVEs listed would be higher. The CVSS base score for this security advisory would be 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P).

IntelligenceCenter 3.2.2.1 contains an upgrade to Tomcat 6.0.33 fixing the CVEs documented in this security advisory. Other Tomcat vulnerabilities are fixed by this upgrade, but are not listed in this Security Advisory. The Tomcat installation is specifically designed and installed for the exclusive use of IntelligenceCenter. Vulnerabilities not listed in this Security Advisory are not applicable to IntelligenceCenter's use of Tomcat.

Workarounds

Blue Coat recommends that IntelligenceCenter be deployed behind a firewall. Additional constraints on what IP addresses can be used to connect to IntelligenceCenter will greatly limit the ability to attack an IntelligenceCenter installation.

Patches

IntelligenceCenter 3.2 - a fix is available in 3.2.2.1. The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/33.

IntelligenceCenter 3.1 and earlier - please upgrade to a later version.

Advisory History

2012-01-17 Changed status to final
2012-01-10 Initial public release
