Security Bulletin: Security vulnerabilities have been identified in IBM HTTP Server shipped with IBM Rational ClearQuest (CVE-2015-1283, CVE-2015-4947, CVE-2015-3183)

Summary

IBM HTTP Server is shipped as a component of IBM Rational ClearQuest. Information about security vulnerabilities affecting IBM HTTP Server have been published in several security bulletins.

Vulnerability Details

Please consult these security bulletins:

• Security Bulletin: Denial of service may affect IBM HTTP Server (CVE-2015-1283)
• Security Bulletin: Stack Buffer overflow may affect IBM HTTP Server (CVE-2015-4947)
• Security Bulletin: HTTP Request smuggling vulnerability may affect IBM HTTP Server (CVE-2015-3183)

for vulnerability details and information about fixes.

Affected Products and Versions

• ClearQuest Web 7.1 and above.

Remediation/Fixes

Follow instructions for updating your version of WebSphere Application Server to a version that includes the fixes.

For ClearQuest 8.x
These releases use an installation of HTTP Server separately installed and maintained from the ClearQuest installation. Determine the version of HTTP Server that your deployment is using and follow the instructions in the security bulletins given in Vulnerability Details to update your version of HTTP Server.

For ClearQuest 7.1.x

These releases ship with, install and configure HTTP Server version 6.1.0.25. Download the appropriate fix or fixes from from the security bulletins given above, but for installation instructions, follow technote 1390803: How to update the IBM WebSphere Application Server components in Rational ClearCase and Rational ClearQuest 7.1.