Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMA284C19A15C8F994FF5D2792B1F9852750CA1B28FFC3B6248211A71DB598F67F
HistoryDec 18, 2019 - 2:26 p.m.

Security Bulletin: CVE-2017-3167, CVE-2017-3169, CVE-2017-7659, CVE-2017-7668 and CVE-2017-7679 in IBM i HTTP Server

2019-12-1814:26:38
www.ibm.com
25

0.668 Medium

EPSS

Percentile

98.0%

JSON

Summary

HTTP Server is supported by IBM i. IBM i has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2017-7679 DESCRIPTION: Apache HTTPD could allow a remote attacker to obtain sensitive information, caused by a buffer overread in mod_mime. By sending a specially crafted Content-Type response header, a remote attacker could exploit this vulnerability to read one byte past the end of a buffer.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127420 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-7668 DESCRIPTION: Apache HTTPD is vulnerable to a denial of service, caused by a buffer overread in the ap_find_token() function. By sending a specially crafted sequence of request headers, a remote attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127419 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-7659 DESCRIPTION: Apache HTTPD is vulnerable to a denial of service, caused by a NULL pointer dereference in the mod_http2 component. By sending a specially crafted HTTP/2 request, a remote attacker could exploit this vulnerability to cause the server process to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127418 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-3169 DESCRIPTION: Apache HTTPD is vulnerable to a denial of service, caused by a NULL pointer dereference in mod_ssl. By sending a specially crafted HTTP request to an HTTPS port, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127417 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-3167 DESCRIPTION: Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by the use of the ap_get_basic_auth_pw() function by third-party modules outside of the authentication phase. A remote attacker could exploit this vulnerability to bypass authentication requirements.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127416 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Releases 7.1, 7.2 and 7.3 of IBM i are affected.

Remediation/Fixes

The issue can be fixed by applying a PTF to IBM i.

Releases 7.1, 7.2 and 7.3 of IBM i are supported and will be fixed.

http://www-933.ibm.com/support/fixcentral/

The IBM i PTF numbers are:

Release 7.1 – SI65281 and SI65282 Release 7.2 – SI65279 and SI65280 Release 7.3 – SI65194 and SI65201

_Important note: _IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm ieq7.1.0

Related

nessus 51
openvas 27
fedora 3
debian 3
archlinux 1
freebsd 1
slackware 1
symantec 1
ubuntu 2
osv 7
amazon 2
redhat 9
ibm 21
centos 2
oraclelinux 3
gentoo 1
mageia 1
ubuntucve 5
cvelist 5
f5 5
httpd 9
cve 5
veracode 5
checkpoint_advisories 3
redhatcve 3
alpinelinux 5
prion 5
nvd 5
debiancve 5
hackerone 1
photon 2
nessus
nessus
FreeBSD : Apache httpd -- several vulnerabilities (0c2db2aa-5584-11e7-9a7d-b499baebfeaf)
2017-06-20 00:00:00
Apache 2.4.x < 2.4.26 Multiple Vulnerabilities
2019-01-09 00:00:00
Fedora 26 : httpd (2017-81976b6a91)
2017-07-17 00:00:00
openvas
openvas
Slackware: Security Advisory (SSA:2017-180-03)
2022-04-21 00:00:00
Debian: Security Advisory (DSA-3896-1)
2017-06-21 00:00:00
Fedora Update for httpd FEDORA-2017-cf9599a306
2017-07-14 00:00:00
fedora
fedora
[SECURITY] Fedora 25 Update: httpd-2.4.27-2.fc25
2017-07-15 19:56:05
[SECURITY] Fedora 26 Update: httpd-2.4.26-1.fc26
2017-07-07 23:20:56
[SECURITY] Fedora 24 Update: httpd-2.4.26-1.fc24
2017-07-12 01:54:48
debian
debian
[SECURITY] [DSA 3896-1] apache2 security update
2017-06-22 19:41:41
[SECURITY] [DSA 3896-1] apache2 security update
2017-06-22 19:41:41
[SECURITY] [DLA 1009-1] apache2 security update
2017-07-02 18:48:50
archlinux
archlinux
[ASA-201706-34] apache: multiple issues
2017-06-28 00:00:00
freebsd
freebsd
Apache httpd -- several vulnerabilities
2017-06-20 00:00:00
slackware
slackware
[slackware-security] httpd
2017-06-29 21:34:52
symantec
symantec
SA154: Apache httpd Vulnerabilities June 2017
2017-07-20 08:00:00
ubuntu
ubuntu
Apache HTTP Server vulnerabilities
2017-06-26 00:00:00
Apache HTTP Server vulnerabilities
2017-07-31 00:00:00
osv
osv
apache2 - security update
2017-06-22 00:00:00
apache2 - security update
2017-07-02 00:00:00
CVE-2017-7659
2017-07-26 21:29:00
amazon
amazon
Medium: httpd24
2017-08-03 18:53:00
Important: httpd
2017-09-13 22:50:00
redhat
redhat
(RHSA-2017:2483) Important: httpd24-httpd security update
2017-08-16 21:45:48
(RHSA-2017:2479) Important: httpd security update
2017-08-15 15:55:44
(RHSA-2017:3193) Important: httpd security update
2017-11-13 16:37:21
ibm
ibm
Security Bulletin: Vulnerabilities in HTTPD affect IBM BladeCenter Advanced Management Module (AMM)
2023-04-14 14:32:25
Security Bulletin: A Security vulnerability has been identified in IBM HTTP Server bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud (CVE-2017-7679, CVE-2017-7668, CVE-2017-3167)
2018-06-15 07:07:54
Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway
2018-06-16 22:01:47
centos
centos
httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update
2017-08-24 09:43:51
httpd, mod_ssl security update
2017-08-15 20:25:39
oraclelinux
oraclelinux
httpd security update
2017-08-15 00:00:00
httpd security update
2017-08-15 00:00:00
httpd security and bug fix update
2017-07-11 00:00:00
gentoo
gentoo
Apache: Multiple vulnerabilities
2017-10-29 00:00:00
mageia
mageia
Updated apache packages fix security vulnerability
2018-01-01 13:38:51
ubuntucve
ubuntucve
CVE-2017-7659
2017-07-26 00:00:00
CVE-2017-7679
2017-06-19 00:00:00
CVE-2017-7668
2017-06-19 00:00:00
cvelist
cvelist
CVE-2017-7659
2017-07-26 21:00:00
CVE-2017-7679
2017-06-20 01:00:00
CVE-2017-7668
2017-06-20 01:00:00
f5
f5
K54624443 : Apache HTTPD vulnerability CVE-2017-7668
2017-07-14 00:00:00
K05415626 : Apache HTTPD vulnerability CVE-2017-7659
2017-07-17 00:00:00
K75429050 : Apache HTTPD vulnerability CVE-2017-7679
2017-07-17 00:00:00
httpd
httpd
Apache Httpd < 2.2.34 : ap_find_token() Buffer Overread
2017-05-06 00:00:00
Apache Httpd < 2.4.26 : mod_http2 Null Pointer Dereference
2016-11-18 00:00:00
Apache Httpd < 2.2.34 : mod_mime Buffer Overread
2015-11-15 00:00:00
cve
cve
CVE-2017-7668
2017-06-20 01:29:00
CVE-2017-7679
2017-06-20 01:29:00
CVE-2017-7659
2017-07-26 21:29:00
veracode
veracode
Denial Of Service (DoS)
2019-05-02 06:45:16
Denial Of Service (DoS)
2019-05-02 06:45:13
Denial Of Service (DoS)
2019-05-02 06:45:16
checkpoint_advisories
checkpoint_advisories
Apache httpd ap_find_token Out of Bounds Read (CVE-2017-7668)
2017-07-31 00:00:00
Apache HTTPD mod_http2 Null Pointer Dereference (CVE-2017-7659)
2017-12-04 00:00:00
Apache httpd ap_find_token Out of Bounds Read - Ver2 (CVE-2017-7668)
2018-07-03 00:00:00
redhatcve
redhatcve
CVE-2017-7668
2019-10-08 10:48:59
CVE-2017-7659
2019-10-08 10:49:35
CVE-2017-7679
2019-10-11 17:04:37
alpinelinux
alpinelinux
CVE-2017-7659
2017-07-26 21:29:00
CVE-2017-7668
2017-06-20 01:29:00
CVE-2017-7679
2017-06-20 01:29:00
prion
prion
Null pointer dereference
2017-07-26 21:29:00
Default credentials
2017-06-20 01:29:00
Input validation
2017-06-20 01:29:00
nvd
nvd
CVE-2017-7659
2017-07-26 21:29:00
CVE-2017-7679
2017-06-20 01:29:00
CVE-2017-7668
2017-06-20 01:29:00
debiancve
debiancve
CVE-2017-7659
2017-07-26 21:29:00
CVE-2017-7668
2017-06-20 01:29:00
CVE-2017-7679
2017-06-20 01:29:00
hackerone
hackerone
Internet Bug Bounty: ap_find_token() Buffer Overread
2017-06-20 08:36:29
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2017-0027
2017-07-25 00:00:00
Important Photon OS Security Update - PHSA-2017-0057
2017-07-25 00:00:00

0.668 Medium

EPSS

Percentile

98.0%

JSON
Related for A284C19A15C8F994FF5D2792B1F9852750CA1B28FFC3B6248211A71DB598F67F
nessus51openvas27fedora3debian3archlinux1freebsd1slackware1symantec1ubuntu2osv7amazon2redhat9ibm21centos2oraclelinux3gentoo1mageia1ubuntucve5cvelist5f55httpd9cve5veracode5checkpoint_advisories3redhatcve3alpinelinux5prion5nvd5debiancve5hackerone1photon2