Security Bulletin: Information disclosure in IBM HTTP Server (CVE-2017-12613)

Summary

There is a potential information disclosure in IBM HTTP Server used by WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2017-12613 DESCRIPTION: Apache Portable Runtime APR could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds array dereference in apr_time_exp*() functions. By using an invalid month field value, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
CVSS Base Score: 9.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/134049 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM HTTP Server (powered by Apache) component in all editions of WebSphere Application Server and bundling products.

• Version 9.0
• Version 8.5
• Version 8.0
• Version 7.0

Remediation/Fixes

For V9.0.0.0 through 9.0.0.6:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI90598

--OR–
· Apply Fix Pack 9.0.0.7 or later.

For V8.5.0.0 through 8.5.5.13:

· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI90598

--OR–
· Apply Fix Pack 8.5.5.14 or later.

For V8.0.0.0 through 8.0.0.14:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI90598

--OR–
· Apply Fix Pack 8.0.0.15 or later.

For V7.0.0.0 through 7.0.0.43:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI90598

--OR–
· Apply Fix Pack 7.0.0.45 or later.