Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMB0BD7FF9270F6D182D388974D6D523C9784F1F1DD77748ED0F0CF6F25070291E
HistoryFeb 23, 2024 - 5:45 p.m.

Security Bulletin: IBM Aspera Console 3.4.2 PL7 has addressed multiple vulnerabilities (CVE-2022-37436, CVE-2021-34798)

2024-02-2317:45:37
www.ibm.com
10
ibm
aspera console
3.4.2 pl7
cve-2022-37436
cve-2021-34798
apache http server
security patch
windows
linux

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

9.6 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

77.5%

JSON

Summary

This Security Bulletin addresses security vulnerabilities that have been remediated (CVE-2022-37436, CVE-2021-34798) in IBM Aspera Console 3.4.2 PL7.

Vulnerability Details

CVEID:CVE-2022-37436
**DESCRIPTION:**Apache HTTP Server is vulnerable to HTTP response splitting attacks, caused by the use of a malicious backend by mod_proxy. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/244885 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2021-34798
**DESCRIPTION:**Apache HTTP Server is vulnerable to a denial of service, caused by a NULL pointer dereference in httpd core. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/209518 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Aspera Console 3.4.0 - 3.4.2 PL4

Remediation/Fixes

It is recommended that customers upgrade to the latest version of IBM Aspera Console:

Product(s) Fixing VRM Platform Link to Fix
IBM Aspera Console

3.4.2 PL7

| Windows| click here
IBM Aspera Console|

3.4.2 PL7

| Linux| click here

Workarounds and Mitigations

This patch includes the fix for CVE-2022-37436 and CVE-2021-34798.

Affected configurations

Vulners
Node
ibmaspera_faspexMatch1.0
CPENameOperatorVersion
ibm asperaeq1.0

Related

cvelist 2
debiancve 2
nessus 69
osv 15
nvd 2
ibm 13
prion 2
redhatcve 2
alpinelinux 2
cbl_mariner 4
ubuntucve 2
httpd 1
f5 2
veracode 2
openvas 40
ubuntu 3
broadcom 1
cve 2
cnvd 1
oraclelinux 5
rocky 3
almalinux 3
redhat 4
altlinux 2
slackware 1
mageia 1
fedora 2
debian 2
ics 1
amazon 1
redos 1
freebsd 1
kaspersky 1
suse 2
photon 1
centos 1
cvelist
cvelist
CVE-2022-37436 Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting
2023-01-17 19:12:59
CVE-2021-34798 NULL pointer dereference in httpd core
2021-09-16 14:40:17
debiancve
debiancve
CVE-2022-37436
2023-01-17 20:15:11
CVE-2021-34798
2021-09-16 15:15:07
nessus
nessus
F5 Networks BIG-IP : Apache HTTPD vulnerability (K000132665)
2023-06-23 00:00:00
Tenable SecurityCenter 5.22.0 / 5.23.1 / 6.0.0 Apache Header Truncation (TNS-2023-06)
2023-02-23 00:00:00
F5 Networks BIG-IP : Apache HTTPD vulnerability (K72382141)
2021-10-28 00:00:00
osv
osv
apache2 vulnerability
2023-02-02 13:34:35
CVE-2021-34798
2021-09-16 15:15:07
BIT-apache-2021-34798
2024-03-06 10:55:30
nvd
nvd
CVE-2021-34798
2021-09-16 15:15:07
CVE-2022-37436
2023-01-17 20:15:11
ibm
ibm
Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-34798)
2022-01-17 17:46:22
Security Bulletin: IBM Aspera Orchestrator was vulnerable to denial of service due to an Apache HTTP Server vulnerability (CVE-2021-34798)
2023-02-02 17:40:12
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Netcool Configuration Manager (CVE-2021-40438, CVE-2021-34798)
2021-10-18 06:27:04
prion
prion
Null pointer dereference
2021-09-16 15:15:00
Code injection
2023-01-17 20:15:00
redhatcve
redhatcve
CVE-2021-34798
2021-09-16 21:57:58
CVE-2022-37436
2023-01-18 19:05:38
alpinelinux
alpinelinux
CVE-2021-34798
2021-09-16 15:15:07
CVE-2022-37436
2023-01-17 20:15:11
cbl_mariner
cbl_mariner
CVE-2021-34798 affecting package httpd 2.4.46-6
2021-10-15 04:46:31
CVE-2021-34798 affecting package httpd for versions less than 2.4.52-1
2022-04-09 06:51:57
CVE-2022-37436 affecting package httpd 2.4.54-1
2023-02-14 02:35:58
ubuntucve
ubuntucve
CVE-2021-34798
2021-09-16 00:00:00
CVE-2022-37436
2023-01-17 00:00:00
httpd
httpd
Apache Httpd < 2.4.49 : NULL pointer dereference in httpd core
2021-09-16 00:00:00
f5
f5
K000132665 : Apache HTTPD vulnerability CVE-2022-37436
2023-02-22 00:00:00
K72382141 : Apache HTTPD vulnerability CVE-2021-34798
2021-10-13 00:00:00
veracode
veracode
HTTP Response Splitting
2023-01-21 12:15:11
Denial Of Service (DoS)
2021-09-19 21:02:16
openvas
openvas
Ubuntu: Security Advisory (USN-5839-2)
2023-02-03 00:00:00
Fedora: Security Advisory for httpd (FEDORA-2023-f6ff3f85eb)
2023-01-29 00:00:00
SUSE: Security Advisory (SUSE-SU-2023:0321-1)
2023-02-10 00:00:00
ubuntu
ubuntu
Apache HTTP Server vulnerability
2023-02-02 00:00:00
Apache HTTP Server vulnerabilities
2023-02-01 00:00:00
Apache HTTP Server vulnerabilities
2021-09-27 00:00:00
broadcom
broadcom
mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting
2023-06-12 00:00:00
cve
cve
CVE-2022-37436
2023-01-17 20:15:11
CVE-2021-34798
2021-09-16 15:15:07
cnvd
cnvd
Apache HTTP Server code issue vulnerability
2021-09-22 00:00:00
oraclelinux
oraclelinux
httpd security update
2021-12-16 00:00:00
httpd:2.4 security update
2022-03-16 00:00:00
httpd:2.4 security update
2022-01-06 00:00:00
rocky
rocky
httpd:2.4 security update
2022-03-15 09:10:44
httpd:2.4 security and bug fix update
2023-02-22 01:08:53
httpd security and bug fix update
2023-04-06 15:53:36
almalinux
almalinux
Moderate: httpd:2.4 security update
2022-03-15 09:10:44
Moderate: httpd:2.4 security and bug fix update
2023-02-21 00:00:00
Moderate: httpd security and bug fix update
2023-02-28 00:00:00
redhat
redhat
(RHSA-2022:0891) Moderate: httpd:2.4 security update
2022-03-15 09:10:44
(RHSA-2023:0970) Moderate: httpd security and bug fix update
2023-02-28 07:53:34
(RHSA-2023:0852) Moderate: httpd:2.4 security and bug fix update
2023-02-21 08:48:58
altlinux
altlinux
Security fix for the ALT Linux 9 package apache2 version 1:2.4.55-alt1
2023-02-16 00:00:00
Security fix for the ALT Linux 10 package apache2 version 1:2.4.55-alt1
2023-02-07 00:00:00
slackware
slackware
[slackware-security] httpd
2023-01-18 06:23:09
mageia
mageia
Updated apache packages fix security vulnerability
2023-02-07 03:06:39
fedora
fedora
[SECURITY] Fedora 37 Update: httpd-2.4.55-1.fc37
2023-01-28 01:27:38
[SECURITY] Fedora 36 Update: httpd-2.4.55-1.fc36
2023-02-03 01:42:01
debian
debian
[SECURITY] [DLA 2776-1] apache2 security update
2021-10-02 16:07:56
[SECURITY] [DSA 4982-1] apache2 security update
2021-10-08 20:56:04
ics
ics
Siemens Apache HTTP Server (Update A)
2022-10-13 12:00:00
amazon
amazon
Important: httpd
2023-02-17 00:10:00
redos
redos
ROS-20240603-04
2024-06-03 00:00:00
freebsd
freebsd
Apache httpd -- Multiple vulnerabilities
2023-01-17 00:00:00
kaspersky
kaspersky
KLA20167 Multiple vulnerabilities in Apache HTTP Server
2023-01-17 00:00:00
suse
suse
Security update for apache2 (important)
2021-10-26 00:00:00
Security update for apache2 (important)
2021-11-02 00:00:00
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2021-1.0-0437
2021-10-01 00:00:00
centos
centos
httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update
2022-01-25 17:31:14

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

9.6 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

77.5%

JSON
Related for B0BD7FF9270F6D182D388974D6D523C9784F1F1DD77748ED0F0CF6F25070291E
cvelist2debiancve2nessus69osv15nvd2ibm13prion2redhatcve2alpinelinux2cbl_mariner4ubuntucve2httpd1f52veracode2openvas40ubuntu3broadcom1cve2cnvd1oraclelinux5rocky3almalinux3redhat4altlinux2slackware1mageia1fedora2debian2ics1amazon1redos1freebsd1kaspersky1suse2photon1centos1