SAP Knowledge Base Article - Preview

2188351 - How to overcome cve-2014-0230 and cve-2014-7810 vulnerabilities affecting Apache Tomcat installed with SAP BusinessObjects Business Intelligence Platform (BI) 4.0/4.1

Symptom

  • Apache Tomcat prior to 6.0.44, 7.0.55, 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (memory consumption) via a series of aborted upload attempts.
  • The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
  • Successfully exploiting these vulnerabilities might allow a remote attacker to bypass security restrictions.
  • Multiple vulnerabilities affecting Apache Tomcat have been reported:
    - Denial of Service Vulnerability (CVE-2014-0230).
    - Security Manager bypass Vulnerability (CVE-2014-7810).
Environment

  • SAP BusinessObjects Business Intelligence Platform (BI) 4.0/4.1.
  • All supported OS.
  • Tomcat 6, 7 or 8 at a release below the fixed versions listed under Symptom.
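To tell which of the two CVEs a given Tomcat build still lacks the fix for, the check below compares the version against the fixed releases named in the Symptom section. This is an added example, not part of the KBA; the `server.number` key in `ServerInfo.properties` inside `lib/catalina.jar` is a standard Tomcat location, and the in-memory jar is a constructed stand-in so the script runs without a Tomcat install.

```python
import io
import re
import zipfile

# First fixed release per Tomcat major version, as stated in this KBA's Symptom section.
FIXED_IN = {
    "CVE-2014-0230": {6: (6, 0, 44), 7: (7, 0, 55), 8: (8, 0, 9)},
    "CVE-2014-7810": {6: (6, 0, 44), 7: (7, 0, 58), 8: (8, 0, 16)},
}

# Entry inside lib/catalina.jar that carries the build number (e.g. server.number=7.0.54.0).
SERVER_INFO = "org/apache/catalina/util/ServerInfo.properties"


def parse_version(text):
    """Return (major, minor, patch) from '7.0.54', '7.0.54.0' or 'Apache Tomcat/7.0.54'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def affected_cves(version):
    """List the CVEs from this KBA whose fix the given version predates (majors other than 6-8 are not covered)."""
    major = version[0]
    return [cve for cve, fixed in FIXED_IN.items()
            if major in fixed and version < fixed[major]]


def version_from_catalina_jar(jar):
    """Read server.number from ServerInfo.properties in catalina.jar (path or file-like object)."""
    with zipfile.ZipFile(jar) as zf:
        props = zf.read(SERVER_INFO).decode("utf-8", "replace")
    m = re.search(r"^server\.number=(.+)$", props, re.MULTILINE)
    if not m:
        raise ValueError("server.number not present in ServerInfo.properties")
    return parse_version(m.group(1).strip())


def build_sample_jar(server_number):
    """Constructed stand-in for catalina.jar so the example runs offline (not a real Tomcat file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SERVER_INFO, f"server.number={server_number}\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for sample in ("6.0.43.0", "7.0.54.0", "7.0.56.0", "8.0.16.0"):
        ver = version_from_catalina_jar(build_sample_jar(sample))
        print(sample, "->", affected_cves(ver) or "fixed for both CVEs")
```

On a BI 4.x host, pass the path of the bundled `tomcat/lib/catalina.jar` to `version_from_catalina_jar` instead of the constructed sample.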

Product

SAP BusinessObjects Business Intelligence platform 4.0 ; SAP BusinessObjects Business Intelligence platform 4.1

Keywords

Tomcat, BI, 4.x, 4.0, 4.1, multiple, vulnerabilities, Apache, security, cve-2014-0230, cve-2014-7810, cve, 7, 8, 6, KBA, BI-BIP-INS, Installation, Updates, Upgrade, Patching, BI-BIP-DEP, Webapp Deployment, Networking, Vulnerabilities, Webservices, Problem
