-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2673
Security Bulletin: Multiple vulnerabilities have been identified in the IBM
            HTTP Server bundled with IBM Domino 9.0.0x & 9.0.1x
               (CVE-2015-1283, CVE-2015-3183, CVE-2015-4947)
                              22 October 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Domino
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-4947 CVE-2015-3183 CVE-2015-2716
                   CVE-2015-1283  

Reference:         ASB-2015.0103
                   ASB-2015.0086
                   ASB-2015.0073
                   ASB-2015.0049
                   ESB-2015.1350
                   ESB-2015.1342
                   ESB-2015.1305
                   ESB-2015.1296

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21969062

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities have been identified in the
IBM HTTP Server bundled with IBM Domino 9.0.0x & 9.0.1x (CVE-2015-1283,
CVE-2015-3183, CVE-2015-4947)

Document information

More support for:
IBM Domino

Software version:
9.0, 9.0.1

Operating system(s):
Windows

Reference #:
1969062

Modified date:
2015-10-21

Security Bulletin

Summary

IBM HTTP Server (IHS) is shipped as an optional component (selected at install
time) of IBM Domino 9.0.x. Three vulnerabilities have been identified in IHS: a
heap-based buffer overflow in the bundled Expat XML parser (CVE-2015-1283), a
stack buffer overflow in the IHS Administration Server (CVE-2015-4947) and an
HTTP request smuggling flaw in chunk header parsing (CVE-2015-3183). Refer to
the links below for fix downloads.

Vulnerability Details

CVEID: CVE-2015-1283

    DESCRIPTION: Multiple integer overflows in the XML_GetBuffer function in
    Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and
    other products (including the Apache HTTP Server-based IBM HTTP Server),
    allow remote attackers to cause a denial of service (heap-based buffer
    overflow) or possibly have unspecified other impact via crafted XML
    data. This is a related issue to CVE-2015-2716.

    CVSS Base Score: 6.3
    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/104964 for the
    current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
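
The fault class behind CVE-2015-1283, an integer overflow in the size
computation of a growing input buffer that leaves the caller writing into an
allocation that is too small, is illustrated below. This is an added example
written for this bulletin; it is not Expat's, IBM's or Apache's code. The
base/ptr/end buffer layout, the 1024-byte initial allocation and the function
names are assumptions of the example, not Expat's real structure.

```c
/* Added example, not Expat's, IBM's or Apache's code: the integer-overflow pattern behind
 * CVE-2015-1283.  An unchecked size computation sits beside a checked one inside a
 * simplified input buffer (base/ptr/end) that stands in for a parser's real structure;
 * that layout and these function names are assumptions of the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct buf {
    char *base;     /* start of the allocation */
    char *ptr;      /* first byte the parser has not consumed yet */
    char *end;      /* one past the last byte of unconsumed data */
    size_t cap;     /* bytes allocated at base */
};

/* Unchecked: total = caller's len (attacker-influenced) + unconsumed bytes, in 32-bit signed
 * arithmetic.  A len near INT32_MAX wraps negative.  Computed through uint32_t so the wrap
 * is defined behaviour in C; the resulting value is the same. */
int32_t needed_size_unchecked(int32_t len, int32_t unconsumed)
{
    return (int32_t)((uint32_t)len + (uint32_t)unconsumed);
}

/* The test an unchecked implementation then makes: "does the total fit in the current
 * allocation?"  A negative total passes, no growth happens, and the caller goes on to
 * write len bytes into a buffer only cap bytes long: the heap overflow. */
bool unchecked_fits(int32_t len, int32_t unconsumed, int32_t cap)
{
    return needed_size_unchecked(len, unconsumed) <= cap;
}

/* Checked: reject negatives and any sum that would not fit in int32_t. */
bool needed_size_checked(int32_t len, int32_t unconsumed, int32_t *needed)
{
    if (len < 0 || unconsumed < 0 || len > INT32_MAX - unconsumed) return false;
    *needed = len + unconsumed;
    return true;
}

/* Guarantee len writable bytes after the unconsumed data, growing by doubling only when
 * the checked total says it is safe.  Returns NULL on overflow or allocation failure. */
char *get_buffer(struct buf *b, int32_t len)
{
    int32_t unconsumed = (int32_t)(b->end - b->ptr), needed;
    if (!needed_size_checked(len, unconsumed, &needed)) return NULL;
    if ((size_t)needed > b->cap) {
        size_t newcap = b->cap ? b->cap : 1024;
        while (newcap < (size_t)needed) {
            if (newcap > SIZE_MAX / 2) return NULL;
            newcap *= 2;
        }
        char *nb = malloc(newcap);
        if (!nb) return NULL;
        if (unconsumed) memcpy(nb, b->ptr, (size_t)unconsumed);
        free(b->base);
        b->base = b->ptr = nb;
        b->end = nb + unconsumed;
        b->cap = newcap;
    } else if (b->ptr != b->base) {             /* room exists: slide unconsumed data to the front */
        memmove(b->base, b->ptr, (size_t)unconsumed);
        b->ptr = b->base;
        b->end = b->base + unconsumed;
    }
    return b->end;
}

/* Self-check: normal requests grow the buffer and preserve unconsumed data; an overflowing
 * request is refused instead of handing back a buffer that is too small. */
bool demo(void)
{
    struct buf b = {0};
    char *p = get_buffer(&b, 100);
    bool ok = p != NULL && b.cap == 1024;
    if (ok) { memcpy(p, "<doc/>", 6); b.end += 6; }
    ok = ok && get_buffer(&b, INT32_MAX) == NULL;                 /* 6 + INT32_MAX would overflow */
    ok = ok && get_buffer(&b, 2000) != NULL && b.cap == 2048      /* 2006 bytes needed */
            && memcmp(b.ptr, "<doc/>", 6) == 0;
    free(b.base);
    return ok;
}

int main(void)
{
    printf("unchecked total for len = INT32_MAX - 5, unconsumed = 16: %d; fits in 1024? %s\n",
           (int)needed_size_unchecked(INT32_MAX - 5, 16),
           unchecked_fits(INT32_MAX - 5, 16, 1024) ? "yes (wrongly)" : "no");
    printf("checked growth path: %s\n", demo() ? "ok" : "FAILED");
    return 0;
}
```

Compile with any C99 compiler (for example cc -std=c99 -Wall). The unchecked
total wraps negative, satisfies a "fits in the current allocation" comparison,
and so the caller would write len bytes into a cap-byte buffer; the checked path
refuses the request instead of returning a too-small buffer. This is why the
CVE is scored for denial of service with "possibly unspecified other impact":
the write past the allocation is attacker-controlled XML data.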

CVEID: CVE-2015-3183

    DESCRIPTION: Apache HTTP Server is vulnerable to HTTP request smuggling,
    caused by a chunk header parsing flaw in the apr_brigade_flatten()
    function. By sending a specially crafted request containing a malformed
    chunk header to the Apache HTTP Server, an attacker could exploit this
    vulnerability to poison the web cache, bypass web application firewall
    protection, and conduct XSS attacks.

    CVSS Base Score: 6.1
    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/104844 for the
    current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
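
What a chunk header parsing flaw means for request smuggling is shown by the
following added example, written for this bulletin and not taken from Apache or
IBM: a permissive chunk-size parser of the kind found in hand-rolled code,
beside a strict one that enforces the RFC 7230 section 4.1 grammar and a size
cap, both decoding the same constructed request body. The sample bytes, the
function names and the 32-bit accumulator in the permissive parser are
assumptions of the example; it illustrates the bug class and does not reproduce
the exact Apache defect.

```c
/* Added example, not Apache's or IBM's code: chunk-size line parsing as the fault class
 * behind CVE-2015-3183.  A permissive parser sits beside a strict one (RFC 7230 s.4.1
 * grammar plus a size cap); both decode a constructed body.  Not the Apache defect itself. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE_MAX ((uint64_t)INT64_MAX)        /* cap adopted by the Apache fix */
enum { DECHUNK_OK, DECHUNK_MALFORMED, DECHUNK_INCOMPLETE };

static unsigned hexval(unsigned char c) { return isdigit(c) ? (unsigned)(c - '0') : (unsigned)(tolower(c) - 'a' + 10); }

/* Permissive, hand-rolled style: skips leading blanks and a "0x" prefix, stops at the first
 * non-hex byte and ignores the rest, and accumulates into 32 bits, so the chunk-size
 * 100000005 (hex) silently becomes 5. */
bool chunk_size_lenient(const char *line, size_t len, uint64_t *size)
{
    size_t i = 0;
    while (i < len && (line[i] == ' ' || line[i] == '\t')) i++;
    if (i + 1 < len && line[i] == '0' && tolower((unsigned char)line[i + 1]) == 'x') i += 2;
    size_t start = i; uint32_t v = 0;
    for (; i < len && isxdigit((unsigned char)line[i]); i++)
        v = v * 16 + hexval((unsigned char)line[i]);              /* wraps past 2^32 */
    if (i == start) return false;
    *size = v;
    return true;
}

/* Strict: chunk-size = 1*HEXDIG, optionally followed by a chunk-ext that must begin with ';'.
 * No blanks, prefix or sign; a value past the cap is an error; extension bytes are limited to
 * printable ASCII (a simplification of the token / quoted-string grammar). */
bool chunk_size_strict(const char *line, size_t len, uint64_t *size)
{
    size_t i = 0; uint64_t v = 0;
    for (; i < len && isxdigit((unsigned char)line[i]); i++) {
        if (v > (CHUNK_SIZE_MAX >> 4)) return false;            /* next digit would exceed the cap */
        v = (v << 4) | hexval((unsigned char)line[i]);
    }
    if (i == 0 || (i < len && line[i] != ';')) return false;
    for (; i < len; i++)
        if ((unsigned char)line[i] <= ' ' || (unsigned char)line[i] >= 0x7f) return false;
    *size = v;
    return true;
}

static long find_crlf(const char *s, size_t len, size_t from)
{
    for (size_t i = from; i + 1 < len; i++)
        if (s[i] == '\r' && s[i + 1] == '\n') return (long)i;
    return -1;
}

/* Decode a chunked body with the given size parser.  On DECHUNK_OK, *consumed is the offset
 * just past the message: where this parser believes the next request on the connection begins.
 * DECHUNK_INCOMPLETE means the parser would keep reading from the socket. */
int dechunk(const char *body, size_t len, bool (*parse)(const char *, size_t, uint64_t *), size_t *consumed)
{
    size_t pos = 0;
    for (;;) {
        long eol = find_crlf(body, len, pos);
        if (eol < 0) return DECHUNK_INCOMPLETE;
        uint64_t size;
        if (!parse(body + pos, (size_t)eol - pos, &size)) return DECHUNK_MALFORMED;
        pos = (size_t)eol + 2;
        if (size == 0) {                                /* last-chunk: skip trailers to the empty line */
            while ((eol = find_crlf(body, len, pos)) >= 0 && (size_t)eol != pos) pos = (size_t)eol + 2;
            if (eol < 0) return DECHUNK_INCOMPLETE;
            *consumed = pos + 2;
            return DECHUNK_OK;
        }
        if (size + 2 > len - pos) return DECHUNK_INCOMPLETE;    /* chunk data not all here yet */
        pos += (size_t)size;
        if (body[pos] != '\r' || body[pos + 1] != '\n') return DECHUNK_MALFORMED;
        pos += 2;
    }
}

/* Constructed sample, not captured traffic: 100000005 (hex) is 4294967301 bytes, but a
 * 32-bit accumulator reads it as 5, exactly the length of "hello". */
static const char SAMPLE[] =
    "100000005\r\n" "hello\r\n" "0\r\n" "\r\n"
    "GET /admin HTTP/1.1\r\nHost: victim\r\n\r\n";

/* Offset at which the permissive parser starts treating the trailing bytes as a new request
 * while the strict parser is still waiting for chunk data; -1 otherwise.  Two hops that
 * disagree like this are the precondition for request smuggling. */
long smuggled_request_offset(void)
{
    size_t l = 0, s = 0;
    int rl = dechunk(SAMPLE, sizeof SAMPLE - 1, chunk_size_lenient, &l);
    int rs = dechunk(SAMPLE, sizeof SAMPLE - 1, chunk_size_strict, &s);
    return (rl == DECHUNK_OK && rs == DECHUNK_INCOMPLETE) ? (long)l : -1;
}

/* Convenience: a parser's value for a NUL-terminated line, or -1 when it rejects the line. */
int64_t parse_value(bool (*parse)(const char *, size_t, uint64_t *), const char *line)
{
    uint64_t v;
    return parse(line, strlen(line), &v) ? (int64_t)v : -1;
}
```

On the sample body the permissive parser finishes the message after "hello"
(offset 23) and reads "GET /admin ..." as a fresh request on the same
connection, while the strict parser is still waiting for roughly 4 GiB of chunk
data. When a front-end proxy, WAF or cache and the back-end server disagree in
this way about where one request ends, the attacker controls what the second hop
sees as the next request; that desynchronisation is what the cache poisoning,
WAF bypass and XSS consequences listed above rest on. The upstream Apache fix for
CVE-2015-3183 took the same two measures as chunk_size_strict: it capped
chunk-size at 2^63-1 and rejected chunk-ext characters outside the grammar.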

CVEID: CVE-2015-4947

    DESCRIPTION: IBM HTTP Server Administration Server could be vulnerable to
    a stack buffer overflow, caused by improper handling of user input. An
    authenticated remote attacker could overflow a buffer and execute
    arbitrary code on the system.

    CVSS Base Score: 7.5
    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/104912 for the
    current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Principal Product and Version(s)    Affected Supporting Product and Version
--------------------------------    ---------------------------------------
IBM Domino 9.0.0x & 9.0.1x          IBM HTTP Server 8.5.5.5

Remediation/Fixes

IBM recommends not using the IBM HTTP Server option and instead using the
native Domino HTTP stack with the "IBM Domino Interim Fixes to Support TLS
1.2" applied.

However, for those customers who have a continuing need to use IBM HTTP
Server (IHS), the fix linked below will patch Domino 9.0.1 for Windows
with IHS patch 8.5.5.7. There is a W32 and a W64 version that should be
used based on the 32-bit/64-bit edition of Domino that is installed.

Note the following:

    Although this fix can be installed on any 9.0.1.x release, it is
    recommended to install the latest Fix Pack, 9.0.1 Fix Pack 4 (FP4). This
    fix can be installed on top of Domino 9.0.1 FP4 and future 9.0.1 Fix
    Packs with or without hotfixes already installed.
    Also, this fix can be installed either before or after a Fix Pack. Adding
    hotfixes later will not affect the install.

Platform    Fix Central Fix ID            File name & Download link
--------    ------------------------      -------------------------
W32         901FP4_IHSPatch8557_W32       901FP4HF517_W32.exe
W64         901FP4_IHSPatch8557_W64       901FP4HF517_W64.exe

Workarounds and Mitigations

Since TLS support has been added to IBM Domino, customers who have deployed
IBM HTTP Server with Domino can now either follow the method described in
the "Workarounds and Mitigations" section of the security bulletin referenced
above, or apply the IBM Domino Interim Fixes and configure the native Domino
HTTP stack in place of IHS, to help deter these attacks. For more information,
consult "IBM Domino Interim Fixes to Support TLS 1.2".

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References
Complete CVSS v3 Guide
On-line Calculator v3

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----