IBM Support

Security Bulletin: A HTTP server vulnerability affects IBM Security Access Manager for Web (CVE-2015-3183)

Created by Ann-Louise Bolger on
Published URL:
https://www.ibm.com/support/pages/node/539037
539037

Security Bulletin


Summary

IBM Security Access Manager for Web is affected by a request smuggling vulnerability in the HTTP server.

Vulnerability Details

CVEID: CVE-2015-3183
DESCRIPTION: Apache HTTP Server is vulnerable to HTTP request smuggling, caused by a chunk header parsing flaw in the apr_brigade_flatten() function. By sending a specially-crafted request in a malformed chunked header to the Apache HTTP server, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104844 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM Tivoli Access Manager for e-business 6.0
IBM Tivoli Access Manager for e-business 6.1
IBM Tivoli Access Manager for e-business 6.1.1
IBM Security Access Manager for Web 7.0

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow the installation instructions in the README file included with the patch.

ProductVRMFAPARRemediation
IBM Tivoli Access Manager for e-business6.0 -Upgrade the IBM HTTP Server in your software environment as described in the following WebSphere Application Server security bulletin: "HTTP Request smuggling vulnerability may affect IBM HTTP server."
IBM Tivoli Access Manager for e-business6.1 -
IBM Tivoli Access Manager for e-business6.1.1 -
IBM Security Access Manager for Web 7.0 - 7.0.0.21 (software installations) -
IBM Security Access Manager for Web7.0 - 7.0.0.21 (appliances)IV818911. Apply Interim Fix 22:
7.0.0-ISS-WGA-IF0022

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

February 29, 2016: Original version published.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSPREK","label":"Tivoli Access Manager for e-business"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"WebSphere Application Server","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0;6.1;6.1.1;7.0","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018

UID

swg21974733

Page Feedback