Security Bulletin: IBM System x Integrated Management Module (IMM) Lighttpd W (CVE-2011-4362, CVE-2010-0295, CVE-2008-4360, CVE-2008-4359, CVE-20084298, CVE-2008-1531)

2019-01-3008:20:01

www.ibm.com

EPSS

0.111

Percentile

95.3%

JSON

Summary

Older versions of lighttpd, used by System x IMM contain multiple vulnerabilities.

Vulnerability Details

Abstract

Older versions of lighttpd, used by System x IMM contain multiple vulnerabilities.

Content

Vulnerability Details:

CVE ID: CVE-2011-4362

Description:
Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/71536> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2010-0295

Description:
lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/56038> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2008-4360

Description:
mod_userdir in lighttpd before 1.4.20, when a case-insensitive operating system or filesystem is used, performs case-sensitive comparisons on filename components in configuration options, which might allow remote attackers to bypass intended access restrictions, as demonstrated by a request for a .PHP file when there is a configuration rule for .php files.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/45689> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE ID: CVE-2008-4359

Description:
lighttpd before 1.4.20 compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/45690> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE ID: CVE-2008-4298

Description:
Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/45471> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2008-1531

Description:
The connection_state_machine function (connections.c) in lighttpd 1.4.19 and earlier, and 1.5.x before 1.5.0, allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a download has finished, which causes all active SSL connections to be lost.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/41545> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Affected products and versions

The following IMM code levels may exhibit this issue:

All versions 1.00 to 1.41

The following platforms may be affected:

IBM System x3500 M2, Type 7839, any model
IBM System x3500 M3, Type 7380, any model
IBM System x3550 M2, Type 4198, any model
IBM System x3550 M2, Type 7946, any model
IBM System x3550 M3, Type 4254, any model
IBM System x3550 M3, Type 7944, any model
IBM System x3630 M3, Type 7377, any model
IBM System x3650 M2, Type 4199, any model
IBM System x3650 M2, Type 7947, any model
IBM System x3650 M3, Type 4255, any model
IBM System x3650 M3, Type 5454, any model
IBM System x3650 M3, Type 7945, any model
IBM System x3690 X5, Type 7147, any model
IBM System x3690 X5, Type 7148, any model
IBM System x3690 X5, Type 7149, any model
IBM System x3690 X5, Type 7192, any model
IBM System x3850 X5, Type 7143, any model
IBM System x3850 X5, Type 7145, any model
IBM System x3850 X5, Type 7146, any model
IBM System x3850 X5, Type 7191, any model
IBM System x3950 X5, Type 7143, any model
IBM System x3950 X5, Type 7145, any model

Remediation:

IBM recommends updating IMM to 1.42 YUOOG2C or later. Firmware updates are available through IBM Fix Central.

Note that although the lighttpd used by IMM is patched, the lighttpd version number does not change.

Workaround(s) & Mitigation(s):

None

References:

Acknowledgement
None

Change History
29 January 2014: Original Copy Published

The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.