-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5875
  Security Bulletin: IBM HTTP Server is vulnerable to denial of service due
          to libexpat (CVE-2022-43680, CVE-2013-0340, CVE-2017-9233)
                              15 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM HTTP Server
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-43680 CVE-2017-9233 CVE-2013-0340

Original Bulletin:
   https://www.ibm.com/support/pages/node/6839161

Comment: CVSS (Max):  7.5 CVE-2022-43680 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM HTTP Server is vulnerable to denial of service due to libexpat
(CVE-2022-43680, CVE-2013-0340, CVE-2017-9233)

Document Information

Document number    : 6839161
Modified date      : 14 November 2022
Product            : IBM HTTP Server
Software version   : 7.0, 8.0, 8.5, 9.0
Operating system(s): AIX
                     HP-UX
                     Linux
                     Solaris
                     Windows
Edition            : Base, Enterprise, Advanced, Single Server, Network Deployment

Summary

IBM HTTP Server used by IBM WebSphere Application Server is vulnerable to
denial of service due to libexpat. This has been addressed.

Vulnerability Details

CVEID: CVE-2022-43680
DESCRIPTION: libexpat is vulnerable to a denial of service, caused by a
use-after-free created by overeager destruction of a shared DTD in
XML_ExternalEntityParserCreate in out-of-memory situations. A remote attacker
could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/238951 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2013-0340
DESCRIPTION: expat is vulnerable to a denial of service, caused by the
improper handling of internal entity expansion. By persuading a victim to open
a specially crafted XML document, an attacker could exploit this vulnerability
to consume all available resources.
CVSS Base score: 4.3
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/132738 for the current
score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2017-9233
DESCRIPTION: libexpat is vulnerable to a denial of service, caused by an XML
External Entity vulnerability in the parser. By using a specially crafted XML
file, a remote attacker could exploit this vulnerability to cause an infinite
loop.
CVSS Base score: 5.3
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/129459 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM HTTP Server     |9.0       |
+--------------------+----------+
|IBM HTTP Server     |8.5       |
+--------------------+----------+
|IBM HTTP Server     |8.0       |
+--------------------+----------+
|IBM HTTP Server     |7.0       |
+--------------------+----------+

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying a
currently available interim fix or fix pack that contains APAR PH50316.

For IBM HTTP Server used by IBM WebSphere Application Server:

For V9.0.0.0 through 9.0.5.13:
  . Upgrade to minimal fix pack levels as required by interim fix and then
    apply Interim Fix PH50316
- --OR--
  . Apply Fix Pack 9.0.5.15 or later (targeted availability 2Q2023).

For V8.5.0.0 through 8.5.5.22:
  . Upgrade to minimal fix pack levels as required by interim fix and then
    apply Interim Fix PH50316
- --OR--
  . Apply Fix Pack 8.5.5.23 or later (targeted availability 1Q2023).

For V8.0.0.0 through 8.0.0.15:
  . Upgrade to 8.0.0.15 and then apply Interim Fix PH50316

For V7.0.0.0 through 7.0.0.45:
  . Upgrade to 7.0.0.45 and then apply Interim Fix PH50316

Additional interim fixes may be available and linked off the interim fix
download page.

IBM HTTP Server V7.0 and V8.0 are no longer in full support; IBM recommends
upgrading to a fixed, supported version/release/platform of the product.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal. IBM suggests reviewing the CVSS scores and applying all
security or integrity fixes as soon as possible to minimize any potential risk.

Workarounds and Mitigations

None

Change History

14 Nov 2022: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3MArMkNZI30y1K9AQgS+xAAsj00vqq6fhMV3xIepa+/AXoweHQf3DvJ
xzMU32b4FKZd9BpzIsDx4yzFxJ2RXCFfB/9UBvHiqlUyrSC9ZN0b8MgW2fPGjDCG
5x2EFbn/NVX3rZGV0Q5m3/XzUg4DUCwEdinhbFeZRQ4qL4AHFYtCTWcPN++0hA9J
XLxr/YJ7mXbOeULT11343vU6gVAFfm6/G38BDNqrHK6aNGNSXs05cjqIchabG0wd
5g7A8jtpOI5D37KoqbyDqGP3ieTkclSF3UaC3vBwmHx36k/7iUn1VQAJQHOu6WIs
kzqizIpTg9FLg1KboVflvGW68uA+iSnaM03RVDKtUqJtVvwSYMerjvP0BI3aQohd
7aFGt8IDh4E5VCVLL7uNjvlA6jeasq+eWi+fwq6/nLI19LhhPIlKn7YNYff9Ekhw
QZRTbSiPhy04hIaQSahbKPPs6ChPplg3sD6t1TZzOq+0DfeJm6QwwBXHiQVT80AP
f/VJ456wlQc9f86Asz0iZTcVqxOf2FLB1NPIHLaqxe8DYL8bcMS1KCm8itNCA0hT
g/yaG3aqqvc8hDEjI05P72zkIAfWk3Jntz9KEkkQKa90+yLK7CdKuB58TX98Mv3d
bD1bHLxxd0ajiqURITuudkBQkrE2UMlcZoP1+CnnqfWhZBDQtCw+wN8ufnIgl4lk
okWTfJa8FGQ=
=nzuk
-----END PGP SIGNATURE-----
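Two of the three issues in the Vulnerability Details above (CVE-2013-0340, internal entity expansion, and CVE-2017-9233, an external-entity path in the parser) concern what a libexpat-based application lets a document declare and how much expanded data it is willing to accept. Patching is the fix the bulletin gives, and it lists no workaround for IBM HTTP Server; the following is an added example, not IBM's or AusCERT's code and not an IBM HTTP Server mitigation, showing how an application that embeds libexpat through Python's `xml.parsers.expat` binding can enforce its own policy at the parser API: refuse entity declarations outright, never fetch external entities, and cap the total character data produced after expansion. The function names `parse_with_limits` and `classify`, the exception classes, and the sample documents are all constructed for this illustration.

```python
"""Restrictive libexpat policy via Python's xml.parsers.expat (added example;
not IBM code and not an IBM HTTP Server workaround, the bulletin lists none)."""
import xml.parsers.expat


class EntityDeclarationRejected(Exception):
    """The document declared an entity that the policy does not permit."""


class ExpansionBudgetExceeded(Exception):
    """Character data delivered after entity expansion exceeded the budget."""


def parse_with_limits(data, allow_internal_entities=False, max_text_bytes=1_000_000):
    """Parse `data` (bytes) with libexpat under a restrictive policy.

    Returns (element_names, text_bytes), where text_bytes counts the UTF-8
    bytes of character data the parser delivered after expanding entities.
    Raises EntityDeclarationRejected or ExpansionBudgetExceeded on violation.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements = []
    text_bytes = 0

    def on_start(name, attrs):
        elements.append(name)

    def on_entity_decl(entity_name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # `value` is the replacement text of an internal entity (the mechanism
        # CVE-2013-0340 abuses); `value is None` means an external entity that
        # would have to be fetched from `system_id`. Reject whichever the
        # policy does not allow; exceptions raised here abort Parse().
        if not allow_internal_entities or value is None:
            raise EntityDeclarationRejected(
                f"entity declaration {entity_name!r} rejected by policy")

    def on_external_entity_ref(context, base, system_id, public_id):
        # Belt and braces: returning 0 makes expat fail the parse rather than
        # resolve the reference, so nothing is ever fetched.
        return 0

    def on_character_data(text):
        # Count expanded output as it is delivered, so a document whose
        # entities expand far beyond its own size is stopped early.
        nonlocal text_bytes
        text_bytes += len(text.encode("utf-8"))
        if text_bytes > max_text_bytes:
            raise ExpansionBudgetExceeded(
                f"expanded character data exceeded {max_text_bytes} bytes")

    parser.StartElementHandler = on_start
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref
    parser.CharacterDataHandler = on_character_data
    parser.Parse(data, True)
    return elements, text_bytes


def classify(data, **policy):
    """Wrap parse_with_limits and report the outcome as a plain tuple."""
    try:
        elements, text_bytes = parse_with_limits(data, **policy)
    except EntityDeclarationRejected:
        return ("rejected", "entity-declaration")
    except ExpansionBudgetExceeded:
        return ("rejected", "expansion-budget")
    except xml.parsers.expat.ExpatError:
        return ("rejected", "parse-error")
    return ("accepted", elements, text_bytes)


# Constructed sample documents (not from the bulletin).
PLAIN_DOC = b"<root><child>hello</child></root>"
# One 10-byte internal entity referenced three times: 30 bytes of output.
INTERNAL_ENTITY_DOC = (b'<?xml version="1.0"?>'
                       b'<!DOCTYPE r [<!ENTITY a "0123456789">]>'
                       b"<r>&a;&a;&a;</r>")
# An external entity declaration; the URL is a placeholder that is never fetched.
EXTERNAL_ENTITY_DOC = (b'<!DOCTYPE r [<!ENTITY ext SYSTEM "http://example.invalid/x">]>'
                       b"<r>&ext;</r>")

if __name__ == "__main__":
    print("plain, default policy:   ", classify(PLAIN_DOC))
    print("internal, default policy:", classify(INTERNAL_ENTITY_DOC))
    print("internal, entities on:   ", classify(INTERNAL_ENTITY_DOC, allow_internal_entities=True))
    print("internal, 20-byte budget:", classify(INTERNAL_ENTITY_DOC, allow_internal_entities=True, max_text_bytes=20))
    print("external, entities on:   ", classify(EXTERNAL_ENTITY_DOC, allow_internal_entities=True))
```

The default policy (no entity declarations at all) is the right one for any service that consumes XML from untrusted parties; the budget counter only matters when an application has a genuine need for internal entities, and even then it bounds the expanded output independently of whatever amplification limits the underlying libexpat version applies.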