Security Bulletin: IBM Security SiteProtector System is affected by Apache HTTP Server vulnerabilities

2020-02-27 10:36:45
www.ibm.com

CVSS3 score: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS2 score: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Summary

IBM Security SiteProtector System has addressed the following vulnerabilities in Apache HTTP Server.

Vulnerability Details

CVEID: CVE-2019-10092
**DESCRIPTION:** In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165367 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2019-10098
**DESCRIPTION:** In Apache HTTP Server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165366 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Security SiteProtector System | 3.0.0 |
| IBM Security SiteProtector System | 3.1.1 |

Remediation/Fixes

| Product | VRMF | Remediation/First Fix |
|---|---|---|
| IBM Security SiteProtector System | 3.1.1 | Apply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view: UpdateServer_3_1_1_14.pkg |
| IBM Security SiteProtector System | 3.0.0 | Apply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view: UpdateServer_3_1_1_14.pkg |

Workarounds and Mitigations

None

| CPE Name | Operator | Version |
|---|---|---|
| ibm security siteprotector system | eq | any |
