IBM HTTP Server (powered by Apache) for IBM i is vulnerable to HTTP response splitting attacks due to improper input validation and flaws in multiple modules as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerabilities as described in the remediation/fixes section.
CVEID:CVE-2023-38709
**DESCRIPTION:**Apache HTTP Server is vulnerable to HTTP response splitting attacks, caused by improper input validation in the core. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286938 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2024-24795
**DESCRIPTION:**Apache HTTP Server is vulnerable to HTTP response splitting attacks, caused by a flaw in multiple modules. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286940 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM i | 7.5 |
IBM i | 7.4 |
IBM i | 7.3 |
IBM i | 7.2 |
The issue can be fixed by applying a PTF to IBM i. IBM i releases 7.5, 7.4, 7.3, and 7.2 will be fixed.
The IBM i PTF numbers contain the fixes for the vulnerabilities.
IBM i Release| 5770-DG1
PTF Number| PTF Download Link
—|—|—
7.5| SJ01350
SJ01401| <https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01350>
<https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01401>
7.4| SJ01349
SJ01400| <https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01349>
<https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01400>
7.3| SJ01348
SJ01398| <https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01348>
<https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01398>
7.2| SJ01347
SJ01395| <https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01347>
<https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01395>
<https://www.ibm.com/support/fixcentral>
_Important note: _IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | i | 7.5.0 | cpe:2.3:o:ibm:i:7.5.0:*:*:*:*:*:*:* |
ibm | i | 7.4.0 | cpe:2.3:o:ibm:i:7.4.0:*:*:*:*:*:*:* |
ibm | i | 7.3.0 | cpe:2.3:o:ibm:i:7.3.0:*:*:*:*:*:*:* |
ibm | i | 7.2.0 | cpe:2.3:o:ibm:i:7.2.0:*:*:*:*:*:*:* |
ibm | planning_analytics | 7.4.0 | cpe:2.3:a:ibm:planning_analytics:7.4.0:*:*:*:*:*:*:* |
ibm | ibm_i_7.5_preventative_service_planning | 7.5.0 | cpe:2.3:a:ibm:ibm_i_7.5_preventative_service_planning:7.5.0:*:*:*:*:*:*:* |
ibm | planning_analytics | 7.2.0 | cpe:2.3:a:ibm:planning_analytics:7.2.0:*:*:*:*:*:*:* |
ibm | planning_analytics | 7.3.0 | cpe:2.3:a:ibm:planning_analytics:7.3.0:*:*:*:*:*:*:* |