Security Bulletin: IBM HTTP Server is vulnerable to denial of service due to libexpat (CVE-2022-43680, CVE-2013-0340, CVE-2017-9233)

Summary

IBM HTTP Server used by IBM WebSphere Application Server is vulnerable to denial of service due to libexpat. This has been addressed.

Vulnerability Details

CVEID:CVE-2022-43680
**DESCRIPTION:**libexpat is vulnerable to a denial of service, caused by a use-after free created by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238951 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2013-0340
**DESCRIPTION:**expat is vulnerable to a denial of service, caused by the improper handling of internal entity expansion. By persuading a victim to open a specially crafted XML document, an attacker could exploit this vulnerability to consume all available resources.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/132738 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID:CVE-2017-9233
**DESCRIPTION:**libexpat is vulnerable to a denial of service, caused by a XML External Entity vulnerability in the parser. By using a specially-crafted XML file, a remote attacker could exploit this vulnerability to cause an infinite loop.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/129459 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains APAR PH50316.

For IBM HTTP Server used by IBM WebSphere Application Server:

For V9.0.0.0 through 9.0.5.14:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH50316
--OR–
· Apply Fix Pack 9.0.5.15 or later (targeted availability 2Q2023).

For V8.5.0.0 through 8.5.5.22:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH50316
--OR–
· Apply Fix Pack 8.5.5.23 or later (targeted availability 1Q2023).

For V8.0.0.0 through 8.0.0.15:
· Upgrade to 8.0.0.15 and then apply Interim Fix PH50316

For V7.0.0.0 through 7.0.0.45:
· Upgrade to 7.0.0.45 and then apply Interim Fix PH50316

Additional interim fixes may be available and linked off the interim fix download page.

_IBM HTTP Server V7.0 and V8.0 are no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product. _

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will
be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential
risk.

Workarounds and Mitigations

None