HTTP Server is supported by IBM i. IBM i has addressed the applicable CVEs.
CVEID: CVE-2019-9517 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by an Internal Data Buffering attack. By opening the HTTP/2 window so the peer can send without constraint and sending a stream of requests for a large response object, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/165183> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2019-10081 DESCRIPTION: Apache HTTP Server is vulnerable to a denial of service, caused by a memory corruption on early pushes in the mod_http2 module. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/165369> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-10082 DESCRIPTION: Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by a read-after-free in the mod_http2 module during connection shutdown. By sending specially crafted input, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/165368> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2019-10092 DESCRIPTION: Apache HTTP Server is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the mod_proxy error page. A remote attacker could cause the link on the error page to be malformed and instead point to a page of their choice. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 4.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/165367> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2019-10097 DESCRIPTION: Apache HTTP Server is vulnerable to a denial of service, caused by a stack-based buffer overflow and a NULL pointer dereference in the mod_remoteip module. By sending a specially crafted PROXY header, a remote attacker could exploit this vulnerability to overflow a buffer and cause a denial of service.
CVSS Base Score: 5.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/165365> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2019-10098 DESCRIPTION: Apache HTTP Server could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the mod_rewrite module. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/165366> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Releases 7.4, 7.3, and 7.2 of IBM i are affected.
The issue can be fixed by applying a PTF to IBM i.
Releases 7.4, 7.3 and 7.2 of IBM i are supported and will be fixed.
The IBM i PTF numbers are:
| CVE | IBM i 7.4 | IBM i 7.3 | IBM i 7.2 |
|---|---|---|---|
| CVE-2019-9517 | SI70961 | SI70970 | Not affected |
| CVE-2019-10081 | SI70961 | SI70970 | Not affected |
| CVE-2019-10082 | SI70961 | SI70970 | Not affected |
| CVE-2019-10098 | SI71097 | SI71052 | SI71028 |
| CVE-2019-10092 | SI71097 | SI71052 | SI71028 |
| CVE-2019-10097 | SI71097 | Not affected | Not affected |
The PTFs are available from IBM Fix Central: <https://www-945.ibm.com/support/fixcentral/>
Important note: IBM recommends that all users running unsupported versions of affected products upgrade to a supported and fixed version of the affected products.
None