Security Bulletin: Vulnerability in the IBM HTTP Server used by WebSphere Application Server is fixed in 9.0.0.3

Summary

There is a spoofing vulnerability in the IBM HTTP Server used by WebSphere Application Server version 9. This vulnerability has been fixed in IBM HTTP Server version 9.0.0.3.

Vulnerability Details

CVEID:CVE-2020-11985
**DESCRIPTION:**Apache HTTP Server could allow a remote attacker to conduct spoofing attacks, caused by a flaw when using proxying with mod_remoteip and certain mod_rewrite rules. By sending a specially-crafted request, an attacker could exploit this vulnerability to spoof IP address for logging and PHP scripts. Note: This vulnerability was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186403 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

This vulnerability affects the following version and release of IBM HTTP Server (powered by Apache) component in all editions of WebSphere Application Server and bundling products.

Remediation/Fixes

For IBM HTTP Server used by WebSphere Application Server:

For V9.0.0.0 through 9.0.0.2:

· Apply Fix Pack 9.0.0.3 or later.

Workarounds and Mitigations

None