Lucene search

IBM3B84340ACAE91EA4A3C750A0E388280F7BB2EAF8644535622CB562DD808073C2

HistoryJun 15, 2018 - 7:08 a.m.

Security Bulletin: Open Source Apache HTTP Server Vulnerabilities which is used by IBM PureApplication Systems (CVE-2017-7668)

2018-06-1507:08:07

www.ibm.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

JSON

Summary

A vulnerability in Open Source Apache HTTP Server affects the PureSystems® Managers used by IBM PureApplication System.

Vulnerability Details

CVEID: CVE-2017-7668**
DESCRIPTION:** Apache HTTPD is vulnerable to a denial of service, caused by a buffer overread in the ap_find_token() function. By sending a specially crafted sequence of request headers, a remote attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127419 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM PureApplication System V2.1.0.0
IBM PureApplication System V2.1.0.1
IBM PureApplication System V2.1.0.2
IBM PureApplication System V2.1.0.0
IBM PureApplication System V2.1.1.0
IBM PureApplication System V2.1.2.0
IBM PureApplication System V2.1.2.1
IBM PureApplication System V2.1.2.2
IBM PureApplication System V2.1.2.3
IBM PureApplication System V2.1.2.4
IBM PureApplication System V2.2.0.0
IBM PureApplication System V2.2.1.0
IBM PureApplication System V2.2.2.0
IBM PureApplication System V2.2.2.1
IBM PureApplication System V2.2.2.2
IBM PureApplication System V2.2.3.0
IBM PureApplication System V2.2.3.1
IBM PureApplication System V2.2.3.2

Remediation/Fixes

The PureSystems® Managers. on IBM PureApplication System is affected. The solution is to upgrade the IBM PureApplication System to the following fix level:

IBM PureApplication System V2.2.0.0, V2.2.1.0, V2.2.2.0, V2.2.2.1, V2.2.2.2, V2.2.3.0, V2.2.3.1, V2.2.3.2

Upgrade to IBM PureApplication System V2.2.4.0. Contact IBM for assistance

IBM PureApplication System V2.1.0.0, V2.1.0.1, V2.1.0.2, V2.1.0.0, V2.1.1.0, V2.1.2.0, V2.1.2.1, V2.1.2.2, V2.1.2.3, V2.1.2.4:

IBM recommends upgrading to a fixed version of the product. Contact IBM for assistance

Information on upgrading can be found here: <http://www-01.ibm.com/support/docview.wss?uid=swg27039159>

Bluemix Local System is the evolution of the IBM PureApplication® System Intel™ based offerings.

Workarounds and Mitigations

None

CPENameOperatorVersion
pureapplication systemeq2.2.3.2
pureapplication systemeq2.2.3.1
pureapplication systemeq2.2.3.0
pureapplication systemeq2.2.2.2
pureapplication systemeq2.2.2.1
pureapplication systemeq2.2.2.0
pureapplication systemeq2.2.1.0
pureapplication systemeq2.2.0.0
pureapplication systemeq2.1.2.4
pureapplication systemeq2.1.2.3

Name	Operator	Version
pureapplication system	eq	2.2.3.2
pureapplication system	eq	2.2.3.1
pureapplication system	eq	2.2.3.0
pureapplication system	eq	2.2.2.2
pureapplication system	eq	2.2.2.1
pureapplication system	eq	2.2.2.0
pureapplication system	eq	2.2.1.0
pureapplication system	eq	2.2.0.0
pureapplication system	eq	2.1.2.4
pureapplication system	eq	2.1.2.3