IBM02B2CE14ED6299D39559F15E50EA0AC404842F36EBF8F5DD3D0C3C5999C21431Security Bulletin: Vulnerabilities in the GSKit component of IBM HTTP Server (CVE-2016-0201 and CVE-2015-7420)
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.003 Low
EPSS
Percentile
68.9%
Summary
Two vulnerabilities have been addressed in the GSKit component of IBM HTTP Server.
Vulnerability Details
CVEID: CVE-2016-0201 DESCRIPTION: IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a MD5 collision. An attacker could exploit this vulnerability to obtain authentication credentials.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109310 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2015-7420**
DESCRIPTION:** A vulnerability in GSKit could allow a remote attacker to obtain sensitive information. The GSKit PRNG state is duplicated during a fork() system call operation which results in a period of time where child processes may generate identical PRNG output to the parent.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107694 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
These vulnerabilities affect the following versions and releases of IBM HTTP Server (powered by Apache) component in all editions of WebSphere Application Server and bundling products.
- Version 8.5.5
- Version 8.5
- Version 8.0
Remediation/Fixes
APAR PI54962 addresses CVE-2016-0201.
APAR PI52395 addresses CVE-2015-7420.
Both of these APARs are included in the interim fix for PI54962. So applying the APAR interim fix will resolve both issues.
The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI54962 for each named product as soon as practical.
**
For affected IBM HTTP Server for WebSphere Application Server:** **
For V8.5.0.0 through 8.5.5.8 Full Profile:**
ยท Apply Interim Fix PI54962
--ORโ
ยท Apply Fix Pack 8.5.5.9 or later.
**
For V8.0.0.0 through 8.0.0.12:**
ยท Apply Interim Fix PI54962
--ORโ
ยท Apply Fix Pack 8.0.0.13 or later.
Workarounds and Mitigations
none
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm http server | eq | 8.5.5 | |
| ibm http server | eq | 8.5 | |
| ibm http server | eq | 8.0 |
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.003 Low
EPSS
Percentile
68.9%