There are multiple vulnerabilities in the IBM HTTP Server used by WebSphere Application Server.
CVEID: CVE-2018-1301 DESCRIPTION: Apache HTTPD is vulnerable to a denial of service, caused by an out-of-bounds access error after a header size limit has been reached reading the HTTP header. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to cause the service to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140852 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-15715 DESCRIPTION: Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by the <FilesMatch> expression matching '$' to a newline character in a malicious filename instead of the end of the filename. By matching the trailing portion of the filename, an attacker could exploit this vulnerability to bypass security controls that use the <FilesMatch> directive.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140857 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
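Added here as an illustration of the <FilesMatch> issue above (example code, not part of IBM's bulletin or of httpd itself): a Python check that compares a pattern under the pre-fix '$' semantics, where '$' also matches just before a trailing newline, with the end-only semantics the httpd fix enforces (PCRE DOLLAR_ENDONLY). The pattern list and filenames are constructed, and Python's re module stands in for PCRE.

```python
import re

# Constructed FilesMatch patterns (assumed, not from the advisory) of the kind
# an administrator uses to route or deny files by extension.
PATTERNS = [r"\.php$", r"\.(cgi|pl)$", r"^\.ht"]

# Constructed filenames: plain ones and ones carrying a trailing newline,
# which is the case CVE-2017-15715 describes.
FILENAMES = ["index.php", "index.php\n", "run.cgi\n"]


def matches_pre_fix(pattern: str, filename: str) -> bool:
    """Emulate pre-fix httpd: '$' matches at the end OR before a final newline.

    Python's default '$' has the same semantics as PCRE's '$' without
    DOLLAR_ENDONLY, so re.search is a faithful stand-in here.
    """
    return re.search(pattern, filename) is not None


def matches_end_only(pattern: str, filename: str) -> bool:
    """Emulate fixed httpd (DOLLAR_ENDONLY): '$' matches only at the very end.

    Python's \\Z is end-of-string only (PCRE spells this \\z), so rewriting an
    unescaped trailing '$' to '\\Z' reproduces the end-only behaviour.
    """
    end_only = re.sub(r"(?<!\\)\$$", r"\\Z", pattern)
    return re.search(end_only, filename) is not None


def audit(patterns, filenames):
    """Return (pattern, filename) pairs on which the two semantics disagree.

    Each pair is a filename a pre-fix server would treat as matching the
    directive while a patched server would not: the mismatch between the
    web server and an external filter that the advisory describes.
    """
    findings = []
    for pat in patterns:
        for name in filenames:
            if matches_pre_fix(pat, name) != matches_end_only(pat, name):
                findings.append((pat, name))
    return findings


if __name__ == "__main__":
    for pat, name in audit(PATTERNS, FILENAMES):
        print(f"{pat!r} matches {name!r} only under pre-fix '$' semantics")
```

Running it against your own <FilesMatch> patterns shows which rules change meaning once the interim fix or fix pack is applied; none of them should need rewriting, since end-only matching is the intended behaviour.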
CVEID: CVE-2017-15710 DESCRIPTION: Apache HTTPD is vulnerable to a denial of service, caused by an out-of-bounds memory write error. By sending a specially crafted Accept-Language header value, an attacker could exploit this vulnerability to cause the service to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140858 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
These vulnerabilities affect the following versions and releases of the IBM HTTP Server (powered by Apache) component in all editions of WebSphere Application Server and bundling products.
For V9.0.0.0 through 9.0.0.7:
· Upgrade to the minimal fix pack levels required by the interim fix and then apply Interim Fix PI95670
--OR--
· Apply Fix Pack 9.0.0.8 or later.
For V8.5.0.0 through 8.5.5.13:
· Upgrade to the minimal fix pack levels required by the interim fix and then apply Interim Fix PI95670
--OR--
· Apply Fix Pack 8.5.5.14.
For V8.0.0.0 through 8.0.0.14:
· Upgrade to the minimal fix pack levels required by the interim fix and then apply Interim Fix PI95670
For V7.0.0.0 through 7.0.0.43:
· Upgrade to the minimal fix pack levels required by the interim fix and then apply Interim Fix PI95670