IBM916D4B841A8B0DE3D0A5F2B439D18C6BEA4DF5E660343A205D456A1F9FAD0DE2Security Bulletin: Vulnerabilities CVE-2019-0196, CVE-2019-0197, and CVE-2019-0220 in the IBM i HTTP Server affect IBM i.
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
Summary
HTTP Server is supported by IBM i. IBM i has addressed the applicable CVEs.
This security bulletin has been updated, on August 8, 2019, as superseding IBM i PTFs are available for CVE-2019-0220 for IBM i 7.2, 7.3, and 7.4.
This security bulletin has been updated, on June 21, 2019, as additional IBM i PTFs are available for IBM i 7.4.
Vulnerability Details
CVEID: CVE-2019-0220 DESCRIPTION: Apache HTTP Server could provide weaker than expected security, caused by URL normalization inconsistencies. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158948> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2019-0196 DESCRIPTION: Apache HTTP Server is vulnerable to a denial of service, caused by a use-after-free on a string compare in the mod_http2 module. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158963> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-0197 DESCRIPTION: Apache HTTP Server is vulnerable to a denial of service, caused by a flaw when HTTP/2 or H2Upgrade was enabled for http/https host in the mod_http2 module. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158964> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
Releases 7.2, 7.3, and 7.4 of IBM i are affected.
Remediation/Fixes
The issue can be fixed by applying a PTF to IBM i.
Releases 7.2, 7.3 and 7.4 of IBM i are supported and will be fixed.
The IBM i PTF numbers are:
| CVE-2019-0196 |CVE-2019-0197|CVE-2019-0220
—|—|—|—
IBM i 7.2 |Not affected|Not affected|SI70724 IBM i 7.3|SI69828|SI69828|SI70629 IBM i 7.4|SI69189|SI69189|SI70725
<https://www-945.ibm.com/support/fixcentral/>
Important note: IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.
Workarounds and Mitigations
None
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P