SB2015042105 - Multiple vulnerabilities in IBM SAN Volume Controller and Storwize Family

Published: April 21, 2015 Updated: July 18, 2023

Security Bulletin ID: SB2015042105
Severity: High
Patch available: Yes
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity: High 50%, Medium 50%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2014-0227)

The vulnerability allows a remote attacker to perform an HTTP request smuggling attack.

The vulnerability exists because java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat does not properly handle attempts to continue reading data after an error has occurred. A remote attacker can conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.


2) Resource management error (CVE-ID: CVE-2014-0230)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because Apache Tomcat does not properly handle cases where an HTTP response is sent before the entire request body has been read. A remote attacker can cause a denial of service (thread consumption) via a series of aborted upload attempts.
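The two issues above are both failures of a request-body reader to fail closed: the first keeps reading after a malformed chunk header instead of dropping the connection, the second lets an unbounded unread body hold a worker thread after the response has already gone out. The following Python is an added illustration of the defensive behaviour, not Tomcat's code and not part of the bulletin; the size limits, the ChunkedBody type and the discard_unread_body helper are assumptions chosen for the example (the swallow cap is modelled on the idea behind Tomcat's maxSwallowSize connector attribute, which is known from Tomcat's documentation rather than from this bulletin).

```python
"""Fail-closed handling of HTTP/1.1 chunked request bodies.

Added illustration for the two Tomcat issues described above; this is not
Tomcat's code and not part of the bulletin. Two rules are demonstrated:
  1. Any malformed chunk header aborts decoding with an exception; the caller
     must close the connection rather than resynchronise and keep reading
     (the behaviour class behind the request-smuggling issue, CVE-2014-0227).
  2. When a response is sent before the body was fully read, only a bounded
     number of leftover body bytes are discarded before the connection is
     closed, so an aborted upload cannot pin a worker thread (CVE-2014-0230).
All limits below are assumptions picked for the demo.
"""
import io
import re
from dataclasses import dataclass

# chunk-size = 1*HEXDIG, optionally followed by ";" chunk-ext (RFC 7230 section 4.1)
_CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,8})(;[^\r\n]*)?")

MAX_CHUNK_SIZE = 1 << 20   # assumed per-chunk limit (1 MiB)
MAX_BODY_SIZE = 8 << 20    # assumed total decoded body limit (8 MiB)
MAX_SWALLOW = 2 << 20      # assumed cap on unread body bytes drained before closing


class ChunkedEncodingError(ValueError):
    """Malformed chunked data: the caller must close the connection."""


@dataclass
class ChunkedBody:
    data: bytes      # decoded body
    consumed: int    # input bytes used, i.e. where the next pipelined request starts


def read_chunked(buf: bytes) -> ChunkedBody:
    """Decode one complete chunked body from `buf`, failing closed on any defect."""
    pos = 0
    out = bytearray()
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol == -1:
            raise ChunkedEncodingError("chunk-size line not terminated by CRLF")
        line = buf[pos:eol]
        m = _CHUNK_SIZE_LINE.fullmatch(line)
        if m is None:
            # Do not skip the bad line and keep going: a parser that guesses where
            # the next chunk starts can disagree with an upstream proxy about
            # request boundaries, which is exactly what smuggling exploits.
            raise ChunkedEncodingError(f"malformed chunk-size line: {line!r}")
        size = int(m.group(1), 16)
        if size > MAX_CHUNK_SIZE:
            raise ChunkedEncodingError("chunk size exceeds limit")
        pos = eol + 2
        if size == 0:
            # last-chunk: zero or more trailer fields, then an empty line
            while True:
                eol = buf.find(b"\r\n", pos)
                if eol == -1:
                    raise ChunkedEncodingError("trailer section not terminated")
                trailer = buf[pos:eol]
                pos = eol + 2
                if trailer == b"":
                    return ChunkedBody(bytes(out), pos)
                if b":" not in trailer:
                    raise ChunkedEncodingError(f"malformed trailer field: {trailer!r}")
        end = pos + size
        if buf[end:end + 2] != b"\r\n":
            # covers both truncated chunk-data and a missing CRLF after it
            raise ChunkedEncodingError("chunk-data not followed by CRLF")
        out += buf[pos:end]
        if len(out) > MAX_BODY_SIZE:
            raise ChunkedEncodingError("decoded body exceeds limit")
        pos = end + 2


def discard_unread_body(stream, remaining: int, max_swallow: int = MAX_SWALLOW) -> bool:
    """Drain at most `max_swallow` unread body bytes after an early response.

    Returns True if the leftover body was fully drained and the connection may
    be kept alive; False if the caller must close it instead (too much left to
    read, or the client stopped sending mid-upload). Closing is what stops a
    series of aborted uploads from holding worker threads open.
    """
    if remaining > max_swallow:
        return False
    left = remaining
    while left > 0:
        chunk = stream.read(min(left, 65536))
        if not chunk:
            return False
        left -= len(chunk)
    return True


if __name__ == "__main__":
    # constructed sample input: a well-formed two-chunk body
    body = read_chunked(b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n")
    print(body.data, body.consumed)
    print(discard_unread_body(io.BytesIO(b"x" * 10), 10))
```

The `consumed` offset is the important output for the first issue: a server and any proxy in front of it must agree on it, and the only safe reaction to a chunk header that does not parse is to stop and close rather than to pick a new boundary.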


Remediation

Install the update from the vendor's website.