IBM Security Access Manager for Web is affected by a denial of service vulnerability in the HTTP server.
CVEID: CVE-2015-1283**
DESCRIPTION:** Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104964 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
IBM Tivoli Access Manager for e-business 6.0
IBM Tivoli Access Manager for e-business 6.1
IBM Tivoli Access Manager for e-business 6.1.1
IBM Security Access Manager for Web 7.0
The table below provides links to patches for all affected versions. Follow the installation instructions in the README file included with the patch.
Product | VRMF | APAR | Remediation |
---|---|---|---|
IBM Tivoli Access Manager for e-business | 6.0 | - | Upgrade the IBM HTTP Server in your software environment as described in the following WebSphere Application Server security bulletin: “Denial of service may affect IBM HTTP Server”. |
IBM Tivoli Access Manager for e-business | 6.1 | - | |
IBM Tivoli Access Manager for e-business | 6.1.1 | - | |
IBM Security Access Manager for Web | 7.0 - 7.0.0.21 (software installations) | - | |
IBM Security Access Manager for Web | 7.0 - 7.0.0.21 (appliances) | IV81890 | 1. Apply Interim Fix 22: |
7.0.0-ISS-WGA-IF0022 |