IBM Support

Security Bulletin: Rational Build Forge Security Advisory for Apache Tomcat and Apache HTTP Server (CVE-2018-11763; CVE-2018-11784)

Security Bulletin


Summary

Apache Tomcat and Apache HTTP Server have security vulnerabilities that allows a remote attacker to exploit the application. Respective security vulnerabilities are discussed in detail in the subsequent sections.

Vulnerability Details

This section includes the vulnerability details that affects the Rational Build Forge.

CVEID: CVE-2018-11784
DESCRIPTION: Apache Tomcat could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the default servlet. An attacker could exploit this vulnerability using a specially-crafted URL  to redirect a user to arbitrary websites.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150860 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID: CVE-2018-11763
DESCRIPTION: Apache HTTP Server is vulnerable to a denial-of-service.  When a client sending continuous large SETTINGS frames of maximum size to maintain the ongoing HTTP/2 connection busy, a remote attacker could exploit this vulnerability to cause the service to fail connection timeout.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150420 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Rational Build Forge from 8.0.0.9.

Remediation/Fixes

You must download the Fix pack specified in the following table and apply it.

Affected Supporting Product

Remediation/Fix

IBM Rational Build Forge 8.0.0.10

 Rational Build Forge 8.0.0.10 Download.

 

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

* 15 NOVEMBER 2018: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

PSIRT Advisory 13522, Record 122473; PSIRT Advisory 13438, Record 122196.

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSB2MV","label":"Rational Build Forge"},"Component":"Web Console","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"8.0.0.6;8.0.0.7;8.0.0.8;8.0.0.9","Edition":"Enterprise;Enterprise Plus;Express;Standard","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
15 November 2018

UID

ibm10734567

Page Feedback