Security Bulletin: Security Vulnerability in IBM WebSphere Application Server shipped with IBM Tivoli Netcool Configuration Manager(CVE-2015-3183)

Summary

There are vulnerabilities reported in IBM Websphere 7.0.0.37. IBM Tivoli Netcool Configuration Manager is affected by the following. Request smuggling vulnerability may affect the IBM HTTP Server used by IBM WebSphere Application Server

Vulnerability Details

CVEID: CVE-2015-3183 DESCRIPTION: Apache HTTP Server is vulnerable to HTTP request smuggling, caused by a chunk header parsing flaw in the apr_brigade_flatten() function. By sending a specially-crafted request in a malformed chunked header to the Apache HTTP server, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104844 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Product version

ITNCM 6.4.1.3 and earlier
ITNCM 6.3.0.6 and earlier

Remediation/Fixes

<Product

| VRMF| APAR| Remediation/First Fix
—|—|—|—
ITNCM| 6.4.1.3 IF001| None| http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Tivoli&product=ibm/Tivoli/TivoliNetcoolConfigurationManager&release=6.4.1.3&platform=All&function=fixId&fixids=ITNCM_6.4.1.3_IF001&includeRequisites=1&includeSupersedes=0&downloadMethod=http
ITNCM| 6.3.0.6 IF004| None| http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Netcool+Configuration+Manager&release=6.3.0.6&platform=All&function=fixId&fixids=ITNCM_6.3.0.6-IF004&includeRequisites=1&includeSupersedes=0&downloadMethod=http

Workarounds and Mitigations

None