Security Bulletin: IBM API Connect is affected by an Apache HTTP Server vulnerability (CVE-2017-12613)

Summary

IBM API Connect has addressed the following vulnerability.

Apache Portable Runtime (APR) could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds array dereference in apr_time_exp*() functions. By using an invalid month field value, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.

Vulnerability Details

CVEID:CVE-2017-12613**
DESCRIPTION: Apache Portable Runtime (APR) could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds array dereference in apr_time_exp() functions. By using an invalid month field value, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
CVSS Base Score: 9.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/134049 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

Affected Products and Versions

Affected API Connect

|

Affected Versions

—|—
IBM API Connect| 5.0.0.0-5.0.8.3

Remediation/Fixes

Affected Product

| Addressed in VRMF|APAR|Remediation/First Fix
—|—|—|—
IBM API Connect
| 5.0.8.3 iFix| LI80170| Addressed in IBM API Connect V5.0.8.3 iFix.

Follow this link and find the “APIConnect_Management” package dated on or after 2018/06/12.

http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.3&platform=All&function=fixId&fixids=APIConnect_Management_5.0.8.3iFix_20180612-1732_18b5addcde91_e3c49d6.ova%3A67094276418854,APIConnect_Management_5.0.8.3iFix_20180612-1732_18b5addcde91_e3c49d6.vcrypt2%3A%3A67094276418854&includeSupersedes=0&source=fc

Workarounds and Mitigations

None