Apache HTTP Server has security vulnerabilities that allow a remote attacker to exploit the application. The respective security vulnerabilities are discussed in detail in the subsequent sections.
This section includes the details of the vulnerabilities that affect Rational Build Forge.
CVEID: CVE-2019-0190
DESCRIPTION: Apache HTTP Server is vulnerable to a denial of service, caused by the improper handling of client negotiations by mod_ssl. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base Score: 5.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/156005 for the current score. CVSS Environmental Score: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-17189
DESCRIPTION: Apache HTTP Server is vulnerable to a denial of service. By sending request bodies in a slow loris way to plain resources, a remote attacker could exploit this vulnerability to cause a denial of service for HTTP/2 connections. CVSS Base Score: 5.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/156007 for the current score. CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-17199
DESCRIPTION: Apache HTTP Server could allow a remote attacker to bypass security restrictions, caused by checking the session expiry time before decoding the session by mod_session. An attacker could exploit this vulnerability to ignore session expiry time and gain access to the application. CVSS Base Score: 5.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/156006 for the current score. CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
IBM Rational Build Forge from 8.0.0.10.
You must download the fix pack specified in the following table and apply it.

| Affected Supporting Product | Remediation/Fix |
|---|---|
| IBM Rational Build Forge 8.0.0.10 | Rational Build Forge 8.0.0.11 Download |
None.