7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.6 High
AI Score
Confidence
Low
0.01 Low
EPSS
Percentile
83.8%
IBM HTTP Server (powered by Apache) used by IBM i is vulnerable to an attacker uploading arbitrary files due to improper validation (CVE-2023-45802) and obtaining sensitive information due to an out of bounds read flaw (CVE-2023-31122) as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerabilities as described in the remediation/fixes section.
CVEID:CVE-2023-45802
**DESCRIPTION:**Apache StreamPark could allow a remote authenticated attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious file, which could allow the attacker to execute arbitrary code on the vulnerable system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253372 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-31122
**DESCRIPTION:**Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read flaw in the mod_macro module. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269041 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM i | 7.5 |
IBM i | 7.4 |
IBM i | 7.3 |
IBM i | 7.2 |
The issues can be addressed by applying a PTF to IBM i. IBM i releases 7.5, 7.4, 7.3, and 7.2 will be fixed.
The IBM i 5770-DG1 PTF numbers resolve the vulnerabilities.
IBM i Release| 5770-DG1
PTF Number| PTF Download Link
—|—|—
7.5| SI85712
SI85830|
<https://www.ibm.com/support/pages/ptf/SI85712>
<https://www.ibm.com/support/pages/ptf/SI85830>
7.4| SI85713
SI85828| <https://www.ibm.com/support/pages/ptf/SI85713>
<https://www.ibm.com/support/pages/ptf/SI85828>
7.3| SI85714
SI85827| <https://www.ibm.com/support/pages/ptf/SI85714>
<https://www.ibm.com/support/pages/ptf/SI85827>
7.2| SI85833| <https://www.ibm.com/support/pages/ptf/SI85833>
None.
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.6 High
AI Score
Confidence
Low
0.01 Low
EPSS
Percentile
83.8%