-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5875
 Security Bulletin: IBM HTTP Server is vulnerable to denial of service due
        to libexpat (CVE-2022-43680, CVE-2013-0340, CVE-2017-9233)
                             15 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM HTTP Server
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-43680 CVE-2017-9233 CVE-2013-0340

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6839161

Comment: CVSS (Max):  7.5 CVE-2022-43680 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM HTTP Server is vulnerable to denial of service due to libexpat
(CVE-2022-43680, CVE-2013-0340, CVE-2017-9233)

Document Information

Document number    : 6839161
Modified date      : 14 November 2022
Product            : IBM HTTP Server
Software version   : 7.0, 8.0, 8.5, 9.0
Operating system(s): AIX
                     HP-UX
                     Linux
                     Solaris
                     Windows
Edition            : Base,Enterprise,Advanced,Single Server,Network Deployment

Summary

IBM HTTP Server used by IBM WebSphere Application Server is vulnerable to
denial of service due to libexpat. This has been addressed.

Vulnerability Details

CVEID: CVE-2022-43680
DESCRIPTION: libexpat is vulnerable to a denial of service, caused by a
use-after free created by overeager destruction of a shared DTD in
XML_ExternalEntityParserCreate in out-of-memory situations. A remote attacker
could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/238951 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2013-0340
DESCRIPTION: expat is vulnerable to a denial of service, caused by the improper
handling of internal entity expansion. By persuading a victim to open a
specially crafted XML document, an attacker could exploit this vulnerability to
consume all available resources.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132738 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2017-9233
DESCRIPTION: libexpat is vulnerable to a denial of service, caused by an XML
External Entity vulnerability in the parser. By using a specially crafted XML
file, a remote attacker could exploit this vulnerability to cause an infinite
loop.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/129459 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
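The following is an added example and is not part of the IBM bulletin or the AusCERT text, nor is it IBM HTTP Server or libexpat code. It shows how an application that embeds libexpat (here through Python's standard-library binding, xml.parsers.expat) can refuse the two input classes described above before the parser spends resources on them: internal entity declarations whose expansion multiplies the input far beyond its size (the CVE-2013-0340 class), and external entity declarations or references (the XXE class behind CVE-2017-9233). The policy thresholds, the class and function names, and the three sample documents are all constructed for this example. It is defence in depth for code that calls libexpat directly and does not substitute for applying the APAR PH50316 fix to IBM HTTP Server.

```python
"""Added example, not IBM's or libexpat's code: an entity policy wrapper
around libexpat via Python's xml.parsers.expat binding."""
import xml.parsers.expat as expat


class XmlPolicyViolation(Exception):
    """Raised when untrusted XML violates the parsing policy."""


class SafeExpatParser:
    """Expat parser with handlers that enforce a simple entity policy.

    max_entity_decls : internal entity declarations tolerated (0 = none).
    max_amplification: abort once delivered character data exceeds this
                       multiple of the raw input size; only entity
                       expansion can make a document grow like that.
    """

    def __init__(self, max_entity_decls: int = 0, max_amplification: float = 10.0):
        self.max_entity_decls = max_entity_decls
        self.max_amplification = max_amplification
        self.stats = {"entity_decls": 0, "chars_out": 0, "reason": None}
        self._input_len = 0
        self._text = []
        self._parser = expat.ParserCreate()
        self._parser.EntityDeclHandler = self._on_entity_decl
        self._parser.ExternalEntityRefHandler = self._on_external_ref
        self._parser.CharacterDataHandler = self._on_chars

    def _reject(self, reason: str):
        # Raising inside a handler stops expat; the exception leaves Parse().
        self.stats["reason"] = reason
        raise XmlPolicyViolation(reason)

    def _on_entity_decl(self, name, is_param, value, base, system_id,
                        public_id, notation):
        # An external entity carries a SYSTEM or PUBLIC identifier.
        if system_id is not None or public_id is not None:
            self._reject(f"external entity declared: {name}")
        self.stats["entity_decls"] += 1
        if self.stats["entity_decls"] > self.max_entity_decls:
            self._reject(f"too many internal entity declarations (at {name})")

    def _on_external_ref(self, context, base, system_id, public_id):
        # Fallback for references the declaration handler did not see.
        # Returning 0 makes expat abort with ExpatError instead of resolving.
        self.stats["reason"] = f"external entity reference: {system_id}"
        return 0

    def _on_chars(self, data: str):
        self.stats["chars_out"] += len(data)
        budget = self.max_amplification * max(self._input_len, 1)
        if self.stats["chars_out"] > budget:
            self._reject("entity expansion exceeds amplification budget")
        self._text.append(data)

    def parse(self, data: bytes) -> str:
        self._input_len = len(data)
        self._parser.Parse(data, True)
        return "".join(self._text)


def check_document(data: bytes, **policy) -> dict:
    """Parse under the policy; report acceptance, reason and text content."""
    parser = SafeExpatParser(**policy)
    try:
        text = parser.parse(data)
        return {"accepted": True, "reason": None, "text": text}
    except (XmlPolicyViolation, expat.ExpatError) as exc:
        return {"accepted": False,
                "reason": parser.stats["reason"] or str(exc),
                "text": None}


# Constructed sample documents (not from the bulletin).
BENIGN = b"<?xml version='1.0'?><msg>hello</msg>"

# Three nested internal entities, each repeating the next four times, so
# the 31-byte root element expands to 1280 characters of text.
NESTED_ENTITIES = b"""<?xml version='1.0'?>
<!DOCTYPE d [
 <!ENTITY a "aaaaaaaaaa">
 <!ENTITY b "&a;&a;&a;&a;">
 <!ENTITY c "&b;&b;&b;&b;">
]>
<d>&c;&c;&c;&c;&c;&c;&c;&c;</d>"""

# External entity pointing at a placeholder URI that is never fetched.
EXTERNAL_ENTITY = b"""<?xml version='1.0'?>
<!DOCTYPE d [ <!ENTITY ext SYSTEM "http://placeholder.invalid/x"> ]>
<d>&ext;</d>"""

if __name__ == "__main__":
    print(check_document(BENIGN))
    print(check_document(NESTED_ENTITIES, max_entity_decls=3, max_amplification=2.0))
    print(check_document(EXTERNAL_ENTITY, max_entity_decls=5))
```

The amplification budget is measured on character data the parser actually delivers, so a document is cut off as soon as its expansion exceeds the allowed multiple of its own size, without first buffering the full expanded text; the declaration handler rejects external entities before any reference to them is reached.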

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM HTTP Server     |9.0       |
+--------------------+----------+
|IBM HTTP Server     |8.5       |
+--------------------+----------+
|IBM HTTP Server     |8.0       |
+--------------------+----------+
|IBM HTTP Server     |7.0       |
+--------------------+----------+

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying a
currently available interim fix or fix pack that contains APAR PH50316.

For IBM HTTP Server used by IBM WebSphere Application Server:

For V9.0.0.0 through 9.0.5.13:
. Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH50316
- --OR--
. Apply Fix Pack 9.0.5.15 or later (targeted availability 2Q2023).

For V8.5.0.0 through 8.5.5.22:
. Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH50316
- --OR--
. Apply Fix Pack 8.5.5.23 or later (targeted availability 1Q2023).

For V8.0.0.0 through 8.0.0.15:
. Upgrade to 8.0.0.15 and then apply Interim Fix PH50316

For V7.0.0.0 through 7.0.0.45:
. Upgrade to 7.0.0.45 and then apply Interim Fix PH50316

Additional interim fixes may be available and linked off the interim fix
download page.

IBM HTTP Server V7.0 and V8.0 are no longer in full support; IBM recommends
upgrading to a fixed, supported version/release/platform of the product.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and
applying all security or integrity fixes as soon as possible to minimize any
potential risk.

Workarounds and Mitigations

None

Change History

14 Nov 2022: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----