Lucene search

K
ibmIBMF75C5F148ED8671128BB7F4AEDF76BD8058438CC2308E3AC55DE47225853F4B0
HistoryAug 31, 2020 - 5:58 p.m.

Security Bulletin: Vulnerability in the IBM HTTP Server used by WebSphere Application Server is fixed in 9.0.0.3

2020-08-3117:58:08
www.ibm.com
8

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

Summary

There is a spoofing vulnerability in the IBM HTTP Server used by WebSphere Application Server version 9. This vulnerability has been fixed in IBM HTTP Server version 9.0.0.3.

Vulnerability Details

CVEID:CVE-2020-11985
**DESCRIPTION:**Apache HTTP Server could allow a remote attacker to conduct spoofing attacks, caused by a flaw when using proxying with mod_remoteip and certain mod_rewrite rules. By sending a specially-crafted request, an attacker could exploit this vulnerability to spoof IP address for logging and PHP scripts. Note: This vulnerability was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186403 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

This vulnerability affects the following version and release of IBM HTTP Server (powered by Apache) component in all editions of WebSphere Application Server and bundling products.

Affected Product(s) Version(s)
IBM HTTP Server 9.0

Remediation/Fixes

For IBM HTTP Server used by WebSphere Application Server:

For V9.0.0.0 through 9.0.0.2:

ยท Apply Fix Pack 9.0.0.3 or later.

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm http servereq9.0

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

Related for F75C5F148ED8671128BB7F4AEDF76BD8058438CC2308E3AC55DE47225853F4B0