5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
IBM Security Access Manager for Web is affected by a request smuggling vulnerability in the HTTP server.
CVEID: CVE-2015-3183**
DESCRIPTION:** Apache HTTP Server is vulnerable to HTTP request smuggling, caused by a chunk header parsing flaw in the apr_brigade_flatten() function. By sending a specially-crafted request in a malformed chunked header to the Apache HTTP server, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104844 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
IBM Tivoli Access Manager for e-business 6.0
IBM Tivoli Access Manager for e-business 6.1
IBM Tivoli Access Manager for e-business 6.1.1
IBM Security Access Manager for Web 7.0
The table below provides links to patches for all affected versions. Follow the installation instructions in the README file included with the patch.
Product | VRMF | APAR | Remediation |
---|---|---|---|
IBM Tivoli Access Manager for e-business | 6.0 | - | Upgrade the IBM HTTP Server in your software environment as described in the following WebSphere Application Server security bulletin: “HTTP Request smuggling vulnerability may affect IBM HTTP server.” |
IBM Tivoli Access Manager for e-business | 6.1 | - | |
IBM Tivoli Access Manager for e-business | 6.1.1 | - | |
IBM Security Access Manager for Web | 7.0 - 7.0.0.21 (software installations) | - | |
IBM Security Access Manager for Web | 7.0 - 7.0.0.21 (appliances) | IV81891 | 1. Apply Interim Fix 22: |
7.0.0-ISS-WGA-IF0022 |