7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.1 High
AI Score
Confidence
High
0.005 Low
EPSS
Percentile
75.5%
IBM HTTP Server (powered by Apache) used by IBM i is vulnerable to a denial of service attack due to no limit of continuation fames in HTTP/2 protocol as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerability as described in the remediation/fixes section.
CVEID:CVE-2024-27316
**DESCRIPTION:**Apache HTTP Server is vulnerable to a denial of service, caused by the failure to check or limit the use of HTTP/2 CONTINUATION frames that can be sent within a single stream. By sending a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, a remote attacker could exploit this vulnerability to cause an out of memory (OOM) crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286950 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM i | 7.5 |
IBM i | 7.4 |
IBM i | 7.3 |
The issue can be addressed by applying a PTF to IBM i. IBM i releases 7.5, 7.4, and 7.3 will be fixed.
The IBM i PTF number for 5770-DG1 contains the fix to resolve the vulnerability.
IBM i Release| 5770-DG1
PTF Number| PTF Download Link
—|—|—
7.5| SJ01169| <https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01169>
7.4| SJ01168| <https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01168>
7.3| SJ01156| <https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01156>
https://www.ibm.com/support/fixcentral
_Important note: _IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.
None.
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.1 High
AI Score
Confidence
High
0.005 Low
EPSS
Percentile
75.5%