Lucene search

IBM6D501DD7BF9949108CC6141A352F6997ABB3CF20DA850084ABB1D6CB49CC2E4A

HistoryNov 11, 2021 - 7:48 p.m.

Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server

2021-11-1119:48:54

www.ibm.com

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.973 High

EPSS

Percentile

99.8%

JSON

Summary

There are multiple vulnerabilities in the IBM HTTP Server used by WebSphere Application Server. This has been addressed.

Vulnerability Details

CVEID:CVE-2021-34798
**DESCRIPTION:**Apache HTTP Server is vulnerable to a denial of service, caused by a NULL pointer dereference in httpd core. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/209518 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-40438
**DESCRIPTION:**Apache HTTP Server is vulnerable to server-side request forgery, caused by an error in mod_proxy. By sending a specially crafted request uri-path, a remote attacker could exploit this vulnerability to forward the request to an origin server chosen by the remote user.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/209526 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

This vulnerability affects the following version and release of IBM HTTP Server (powered by Apache) component in all editions of WebSphere Application Server and bundling products.

Affected Product(s)	Version(s)
IBM HTTP Server	9.0

Remediation/Fixes

For IBM HTTP Server used by WebSphere Application Server:

For V9.0.0.0 through 9.0.5.9:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH40343
--OR–
· Apply Fix Pack 9.0.5.10 or later (targeted availability 4Q2021).

Additional interim fixes may be available and linked off the interim fix download page.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will
be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential
risk.

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm http servereq9.0

CPE	Name	Operator	Version
	ibm http server	eq	9.0

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.973 High

EPSS

Percentile

99.8%

JSON

Related for 6D501DD7BF9949108CC6141A352F6997ABB3CF20DA850084ABB1D6CB49CC2E4A