IBM Support

Security Bulletin: Network Intrusion Prevention System is affected by multiple Apache web server vulnerabilities (CVE-2013-6438, CVE-2014-0098, CVE-2014-0226, CVE-2014-0231)

Created by Rick Wu on
Published URL:
https://www.ibm.com/support/pages/node/252529
252529

Security Bulletin


Summary

Security vulnerabilities have been discovered in the Apache web server component bundled with IBM Security Network Intrusion Prevention System.

Vulnerability Details


CVE-ID: CVE-2013-6438

DESCRIPTION: Apache HTTP Server is vulnerable to a denial of service, caused by an error in the mod_dav module when tracking the length of CDATA that includes removing white space. By sending a specially-crafted DAV WRITE request, a remote attacker could exploit this vulnerability to cause the service to stop responding.

The attack does not require local network access or authentication, but some specialized knowledge and techniques are required. An exploit would not affect the integrity of data or confidentiality of information, but it could impact the availability of the system.

Affected Versions: Apache HTTP Server before 2.4.8

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90878 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)


CVE-ID: CVE-2014-0098

DESCRIPTION: Apache HTTP Server is vulnerable to a denial of service, caused by an error in the mod_log_config module when logging a cookie with an unassigned value. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the service to crash.

The attack does not require local network access, authentication, or specialized knowledge and techniques. An exploit would not affect the integrity of data or confidentiality of information, but it could impact the availability of the system.

Affected Versions: Apache HTTP Server before 2.4.8

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91879 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)


CVE-ID: CVE-2014-0226

DESCRIPTION: Apache HTTP Server is vulnerable to a heap-based buffer overflow, caused by a race condition in the mod_status module when handling the scoreboard. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

The attack does not require local network access, authentication, or specialized knowledge and techniques. An exploit could affect the integrity of data, confidentiality of information, and the availability of the system.

Affected Versions: Apache HTTP Server before 2.4.10

CVSS:
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/94678 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)


CVE-ID: CVE-2014-0231

DESCRIPTION: Apache HTTP Server is vulnerable to a denial of service, caused by an error in the mod_cgid module. By sending specially-crafted requests, an attacker could exploit this vulnerability to cause child processes to hang.

The attack does not require local network access, authentication, or specialized knowledge and techniques. An exploit would not affect the integrity of data or confidentiality of information, but it could impact the availability of the system.

Affected Versions: Apache HTTP Server before 2.4.10

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/94674 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

Products: GX3002, GX4002, GX4004, GX4004-v2, GX5008, GX5008-v2, GX5108, GX5108-v2, GX5208, GX5208-v2, GX6116, GX7412, GX7412-10, GX7412-05, GX7800, GV200, GV1000
Firmware versions: 4.6.2, 4.6.1, 4.6, 4.5, 4.4, and 4.3

Remediation/Fixes

The following IBM Threat Fixpacks have the fixes for these vulnerabilities:

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SS9SBT","label":"Proventia Network Intrusion Prevention System"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Not Applicable","Platform":[{"code":"PF009","label":"Firmware"}],"Version":"4.3;4.4;4.5;4.6;4.6.1;4.6.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
23 February 2022

UID

swg21685968