There is a vulnerability in the IBM HTTP Server used by WebSphere Application Server.
CVEID: CVE-2018-17199
DESCRIPTION: Apache HTTP Server could allow a remote attacker to bypass security restrictions, caused by mod_session checking the session expiry time before decoding the session. An attacker could exploit this vulnerability to ignore session expiry time and gain access to the application.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/156006> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
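The ordering flaw named in the description, shown as an added example in a simplified model (not Apache or IBM source code). It assumes the expiry value is carried inside the encoded session and is only known once the session is decoded; all type names, function names and sample values are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not Apache or IBM source: the expiry is assumed to live
 * inside the encoded session and is only known after decoding. */
typedef struct {
    const char *encoded;  /* constructed sample, e.g. "expiry=1000&user=alice" */
    long expiry;          /* 0 until decoded; 0 means "no expiry known" */
} session_t;

static void session_decode(session_t *s) {
    const char *p = strstr(s->encoded, "expiry=");
    s->expiry = p ? strtol(p + 7, NULL, 10) : 0;
}

static int session_expired(const session_t *s, long now) {
    return s->expiry != 0 && s->expiry < now;
}

/* Flawed order: expiry is tested while it is still 0, so it never triggers. */
int load_check_then_decode(session_t *s, long now) {
    if (session_expired(s, now)) return 0;   /* rejected */
    session_decode(s);
    return 1;                                /* accepted */
}

/* Corrected order: decode first, then enforce the expiry that was loaded. */
int load_decode_then_check(session_t *s, long now) {
    session_decode(s);
    if (session_expired(s, now)) return 0;   /* rejected */
    return 1;                                /* accepted */
}

int main(void) {
    session_t a = { "expiry=1000&user=alice", 0 };  /* constructed session */
    session_t b = { "expiry=1000&user=alice", 0 };
    long now = 2000;  /* constructed clock value, later than the expiry */
    printf("check-then-decode accepts: %d\n", load_check_then_decode(&a, now));
    printf("decode-then-check accepts: %d\n", load_decode_then_check(&b, now));
    return 0;
}
```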
This vulnerability affects the following version and release of IBM HTTP Server (powered by Apache) component in all editions of WebSphere Application Server and bundling products.
For V9.0.0.0 through 9.0.0.10:
· Upgrade to the minimal fix pack levels required by the interim fix, and then apply Interim Fix PH06010.
--OR--
· Apply Fix Pack 9.0.0.11 or later (targeted availability 2Q 2019).