IBM HTTP Server 8.5.0.0 < 8.5.5.24 / 9.0.0.0 < 9.0.5.16 Request Splitting Attacks (6963650)

🗓️ 26 Feb 2024 00:00:00Reported by TenableType

IBM HTTP Server 8.5.0.0 < 8.5.5.24 / 9.0.0.0 < 9.0.5.16 Request Splitting Attack vulnerabilit

Reporter	Title	Published	Views	Family All 274
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow (CVE-2023-25690)	21 Mar 202310:02	–	ibm
IBM Security Bulletins	Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to HTTP request splitting attacks due to an error using mod_proxy (CVE-2023-25690).	29 Aug 202321:19	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server	31 Aug 202319:46	–	ibm
IBM Security Bulletins	Security Bulletin: IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690)	4 Apr 202316:02	–	ibm
IBM Security Bulletins	Security Bulletin: A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-25690]	28 Mar 202307:48	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities	7 Jun 202316:53	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities have been identified in OpenSSL, Apache HTTP Server and other system libraries shipped with the DS8000 Hardware Management Console (HMC)	12 Jul 202311:03	–	ibm
IBM Security Bulletins	Security Bulletin: Cloud Pak System is vulnerable to HTTP request splitting attack.	1 Oct 202419:35	–	ibm
IBM Security Bulletins	Security Bulletin: IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On uses IBM HTTP Server that is vulnerable to HTTP request splitting (CVE-2023-25690)	29 Mar 202304:38	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for April 2023	28 Apr 202314:09	–	ibm

Source	Link
ibm	www.ibm.com/support/pages/node/6963650
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(191005);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/27");

  script_cve_id("CVE-2023-25690");

  script_name(english:"IBM HTTP Server 8.5.0.0 < 8.5.5.24 / 9.0.0.0 < 9.0.5.16 Request Splitting Attacks (6963650)");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of IBM HTTP Server running on the remote host is affected by an request splitting attack vulnerability due 
to an error when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch. A remote attacker could 
exploit this vulnerability to bypass access controls in the proxy server, proxying unintended URLs to existing origin 
servers, and cache poisoning.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.ibm.com/support/pages/node/6963650");
  script_set_attribute(attribute:"solution", value:
"Upgrade to IBM HTTP Server version 8.5.5.24, 9.0.5.16, or later. Alternatively, upgrade to the minimal fix pack levels
 required by the interim fix and then apply Interim Fix PH53014.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-25690");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/04/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/04/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/02/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:http_server");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ibm_http_server_nix_installed.nbin");
  script_require_keys("installed_sw/IBM HTTP Server (IHS)");

  exit(0);
}

include('vcf.inc');

var app = 'IBM HTTP Server (IHS)';
var fix = 'Interim Fix PH53014';

var app_info = vcf::get_app_info(app:app);
vcf::check_granularity(app_info:app_info, sig_segments:4);

if ('PH53014' >< app_info['Fixes'])
  audit(AUDIT_INST_VER_NOT_VULN, app);

var constraints = [
 { 'min_version' : '8.5.0.0', 'max_version' : '8.5.5.23', 'fixed_display' : '8.5.5.24 or ' + fix },
 { 'min_version' : '9.0.0.0', 'max_version' : '9.0.5.15', 'fixed_display' : '9.0.5.16 or ' + fix }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

27 Feb 2024 00:00Current

7High risk

Vulners AI Score7

CVSS 3.19.8

EPSS0.67011

SSVC