
Security Bulletin: Stack Buffer overflow may affect IBM HTTP Server (CVE-2015-4947)

2022-09-08 00:09:56
www.ibm.com
Tags: ibm http server, websphere application server, buffer overflow

CVSS2: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.004 (percentile 72.3%)

Summary

Stack buffer overflow may affect IBM HTTP Server. The IBM HTTP Server is used by IBM WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2015-4947
DESCRIPTION: IBM HTTP Server Administration Server could be vulnerable to a stack buffer overflow, caused by improper handling of user input. An authenticated remote attacker could overflow a buffer and execute arbitrary code on the system.
The affected component is the Administration Server (the separate listener started with adminctl that the WebSphere administrative console uses to manage IHS), not the main HTTP listener, and exploitation requires valid credentials for it; restricting which hosts can reach that listener reduces exposure until the fix is applied. Note that the CVSS v2 score shown above (9.0, Attack Complexity Low) is the aggregator's own; IBM's v3 assessment below rates attack complexity High.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104912 for the current score
CVSS Environmental Score*: Undefined
CVSS v3 Vector: (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

This vulnerability affects the following versions and releases of the IBM HTTP Server (powered by Apache) component in all editions of WebSphere Application Server and bundling products.

  • Version 8.5.5
  • Version 8.5
  • Version 8.0
  • Version 7.0
  • Version 6.1

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI44793 for each named product as soon as practical.

For affected IBM HTTP Server for WebSphere Application Server:

For V8.5.0.0 through 8.5.5.6 Full Profile:
  • Upgrade to a minimum of Fix Pack 8.5.5.4 or later, then apply Interim Fix PI44793
  --OR--
  • Apply Fix Pack 8.5.5.7 or later.

For V8.0 through 8.0.0.11:
  • Upgrade to a minimum of Fix Pack 8.0.0.9 or later, then apply Interim Fix PI44793
  --OR--
  • Apply Fix Pack 8.0.0.12 or later.

For V7.0.0.0 through 7.0.0.37:
  • Upgrade to a minimum of Fix Pack 7.0.0.33 or later, then apply Interim Fix PI44793
  --OR--
  • Apply Fix Pack 7.0.0.39 or later.

For V6.1.0.0 through 6.1.0.47:
  • Upgrade to Fix Pack 6.1.0.47, then apply cumulative Interim Fix PI45596, which includes the fix for PI44793.

For unsupported versions IBM recommends upgrading to a fixed, supported version of the product.
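The fix matrix above reduces to a version comparison plus a check for the interim fix, which is tedious and error-prone to do by hand across a fleet. The following Python script is a worked example added here, not IBM tooling: it encodes the bulletin's ranges, fix pack levels and APAR IDs and reports the required action for each install. The hostnames, versions and ifix lists in the sample inventory are constructed for illustration; obtaining those values from a real install (for example from bin/versionInfo.sh -ifixes in each IHS install root) is left to the operator.

```python
"""Triage IBM HTTP Server installs against the CVE-2015-4947 / PI44793 fix matrix.

Added example for this bulletin, not IBM's own tooling. Version ranges, fix pack
levels and APAR IDs are copied from the Remediation/Fixes section above; the
inventory at the bottom is constructed sample data.
"""
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'8.5.5.6' -> (8, 5, 5, 6); shorter strings are right-padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected IHS version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


# One row per release line:
# (branch, last affected level, minimum fix pack for the interim fix,
#  fix pack that contains the fix or None, acceptable APAR IDs, preferred first)
FIX_MATRIX: List[Tuple[str, str, str, Optional[str], Tuple[str, ...]]] = [
    ("8.5", "8.5.5.6",  "8.5.5.4",  "8.5.5.7",  ("PI44793",)),
    ("8.0", "8.0.0.11", "8.0.0.9",  "8.0.0.12", ("PI44793",)),
    ("7.0", "7.0.0.37", "7.0.0.33", "7.0.0.39", ("PI44793",)),
    # 6.1 has no fixing fix pack; cumulative ifix PI45596 carries the PI44793 fix.
    ("6.1", "6.1.0.47", "6.1.0.47", None,       ("PI45596", "PI44793")),
]


def assess(version: str, ifixes: Iterable[str]) -> Tuple[str, str]:
    """Return (status, action) for one install.

    status is 'fixed', 'vulnerable' or 'unlisted' (release line or level not
    named in the bulletin, e.g. an unsupported or newer version).
    """
    v = parse_version(version)
    applied = {i.strip().upper() for i in ifixes}
    for branch, last_affected, min_fp, fixing_fp, apars in FIX_MATRIX:
        if v[:2] != parse_version(branch)[:2]:
            continue
        if fixing_fp is not None and v >= parse_version(fixing_fp):
            return "fixed", f"fix pack {fixing_fp} or later is installed"
        if v > parse_version(last_affected):
            return "unlisted", (f"{version} is above {last_affected} but the bulletin "
                                "names no fixing fix pack for this line; confirm with IBM")
        matched = [a for a in apars if a in applied]
        if matched:
            if v >= parse_version(min_fp):
                return "fixed", f"interim fix {matched[0]} is applied on {version}"
            # The ifix only installs on its minimum fix pack level; anything lower is suspect.
            return "vulnerable", (f"{matched[0]} is listed but needs fix pack {min_fp} "
                                  f"or later; installed level is {version}")
        if fixing_fp is None:
            return "vulnerable", f"upgrade to {min_fp}, then apply cumulative interim fix {apars[0]}"
        return "vulnerable", (f"upgrade to at least {min_fp} and apply interim fix {apars[0]}, "
                              f"or apply fix pack {fixing_fp} or later")
    return "unlisted", (f"{version} is not a release line named in this bulletin; "
                        "confirm support status and move to a fixed, supported version")


def triage(inventory: List[Tuple[str, str, List[str]]]) -> List[Tuple[str, str, str]]:
    """(host, version, ifixes) rows -> (host, status, action) rows, vulnerable first."""
    rows = [(host, *assess(ver, fixes)) for host, ver, fixes in inventory]
    order = {"vulnerable": 0, "unlisted": 1, "fixed": 2}
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


# Constructed sample inventory (hostnames, levels and ifix lists are made up).
SAMPLE_INVENTORY: List[Tuple[str, str, List[str]]] = [
    ("ihs-prod-01", "8.5.5.6", []),
    ("ihs-prod-02", "8.5.5.4", ["PI44793"]),
    ("ihs-prod-03", "8.5.5.9", []),
    ("ihs-legacy-01", "7.0.0.31", ["pi44793"]),
    ("ihs-legacy-02", "6.1.0.47", ["PI45596"]),
    ("ihs-new-01", "9.0.0.1", []),
]

if __name__ == "__main__":
    for host, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {status:10} {action}")
```

The matrix deliberately treats an ifix reported on a level below its minimum fix pack as vulnerable rather than fixed, since that combination cannot have installed cleanly and usually means the inventory data, not the server, is wrong.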

Affected configurations

Vendor   Product       Version   CPE
ibm      http_server   8.5.5     cpe:2.3:a:ibm:http_server:8.5.5:*:*:*:*:*:*:*
ibm      http_server   8.5       cpe:2.3:a:ibm:http_server:8.5:*:*:*:*:*:*:*
ibm      http_server   8.0       cpe:2.3:a:ibm:http_server:8.0:*:*:*:*:*:*:*
ibm      http_server   7.0       cpe:2.3:a:ibm:http_server:7.0:*:*:*:*:*:*:*
ibm      http_server   6.1       cpe:2.3:a:ibm:http_server:6.1:*:*:*:*:*:*:*
