IBM Support

Apache security vulnerabilities and how they affect the Rational Web Platform and CM Server

Troubleshooting


Problem

This technote describes how commonly reported security problems affect the IBM Rational Web Platform and Change Management (CM) Server. These platforms serve as Web interfaces for Rational ClearCase, Rational ClearQuest, Rational ProjectConsole, and Rational RequisitePro.

Symptom


Version 7.x of the Rational Web Platform contains the IBM HTTP Server. It is used by RequisitePro and ProjectConsole, and by ClearQuest and ClearCase in the 7.0.x versions. Starting in version 7.1, ClearQuest and ClearCase use CM Server as their Web platform, which also contains IBM HTTP Server.

Because IBM HTTP Server is based on the Apache HTTP Server, known vulnerabilities in native Apache may trigger security warnings in some vulnerability scanning programs, even when the IBM HTTP Server build is not affected.

Cause

The IBM HTTP Server is based on Apache version 2.0.47. Some vulnerability scanners only look at the server version string (the "Apache/2.0.47" part of the banner) when assessing vulnerabilities, and are not aware of the different version and fix levels of IBM HTTP Server built on that base.

Diagnosing The Problem


Many of these Apache HTTP Server vulnerabilities do not apply to IBM HTTP Server, for several different reasons based on the vulnerability:

  • IBM HTTP Server provides an alternate implementation of the Apache feature which contained the vulnerability
  • IBM HTTP Server does not provide the Apache feature which contained the vulnerability
  • IBM HTTP Server is based on a level of Apache which did not have the vulnerability
  • IBM HTTP Server fix packs or e-fixes contain the fix for the vulnerability

Aside from the vulnerabilities addressed in the base Apache version, IBM HTTP Server addresses additional vulnerabilities in the form of fix packs. Starting with version 7.0.1 Rational products, IBM HTTP Server is packaged with an applied fix pack.

The applied fix packs address many of the common vulnerabilities that affect Apache, including mod_rewrite flaws and cross-site scripting (XSS) issues. The fixed vulnerabilities are listed in the version information of the IBM HTTP Server install on the server machine. Run "Apache.exe -V" (Windows) or "apachectl -V" (Linux and UNIX) from the following directories (assuming a default install path):

  • Microsoft® Windows®
    Version 7.0.0.x and 7.0.1.x: C:\Program Files\Rational\Common\rwp\IHS\bin
    Version 7.0.2.x, 7.0.3.x, 7.0.4.x, and 7.1.x: C:\Program Files\IBM\RationalSDLC\common\IHS\bin

  • Linux® and UNIX®
    Version 7.0.0.x and 7.0.1.x: /opt/rational/common/rwp/IHS/bin
    Version 7.0.2.x, 7.0.3.x, 7.0.4.x, and 7.1.x: /opt/IBM/RationalSDLC/common/IHS/bin


These vulnerabilities are tracked using Common Vulnerabilities and Exposures (CVE) IDs. More information and descriptions for these IDs can be found on the National Vulnerability Database. If a scanner reports that IBM HTTP Server is vulnerable to one of the issues listed as fixed in the version output above, the report is a false positive. It is not uncommon for vulnerability scanning programs to use a proprietary cataloging system for these security problems. It is the responsibility of the security administrator using these programs to map that cataloging system to the CVE standard before comparing a finding against the fixed list.
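The reconciliation the paragraph above asks the security administrator to do, as an added shell example that is not part of this technote: pull the real IBM HTTP Server fix level and the advertised Apache base out of the "-V" output, collect every CVE ID the output names as fixed, and give a verdict for each CVE a scanner reported. The "-V" text embedded below is constructed for the example; the "Server version" line follows the shape of IBM HTTP Server output, but the "Security fixes applied" lines, their wording, and the IBM HTTP Server level shown are assumptions, so replace SAMPLE_V_OUTPUT with the actual output of "apachectl -V" (or "Apache.exe -V" on Windows) from the directories listed above.

```shell
#!/bin/sh
# Added example, not IBM's code. Reconciles scanner-reported CVE IDs with the
# fix list that IBM HTTP Server prints in its -V output.

# CONSTRUCTED sample of "apachectl -V" output. The CVE lines, their format and
# the fix level are assumptions for this example; use real output in practice.
SAMPLE_V_OUTPUT=$(cat <<'EOF'
Server version: IBM_HTTP_Server/6.1.0.23 (Unix) Apache/2.0.47
Server built:   Mar 10 2009 12:00:00
Server's Module Magic Number: 20020903:4
Security fixes applied:
  CVE-2006-3747  mod_rewrite off-by-one
  CVE-2007-6388  mod_status cross-site scripting
  CVE-2008-2364  mod_proxy_http denial of service
EOF
)

# The fix level a scanner should actually assess, e.g. "6.1.0.23".
ihs_level() {
  printf '%s\n' "$1" | sed -n 's#^Server version: IBM_HTTP_Server/\([0-9.]*\).*#\1#p'
}

# The Apache base advertised in the banner, e.g. "2.0.47"; this is all a
# banner-only scanner sees, and it is the same for every IHS fix level.
apache_base() {
  printf '%s\n' "$1" | sed -n 's#^Server version:.*Apache/\([0-9.]*\).*#\1#p'
}

# Every CVE ID named in the -V output, one per line, de-duplicated.
fixed_cves() {
  printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the scanner's CVE ID ($2) is in the fixed list of output $1.
cve_is_fixed() {
  fixed_cves "$1" | grep -qx "$2"
}

# Print a verdict for each scanner-reported CVE ID given after the -V output.
# A CVE that is not listed is not automatically a true positive: it may fall
# under one of the other reasons in this technote (feature absent, alternate
# implementation, unaffected base level), so it is marked for manual review.
triage() {
  vout=$1
  shift
  level=$(ihs_level "$vout")
  base=$(apache_base "$vout")
  echo "Banner advertises Apache/$base; actual build is IBM_HTTP_Server/$level"
  for cve in "$@"; do
    if cve_is_fixed "$vout" "$cve"; then
      echo "$cve: fixed in IBM_HTTP_Server/$level (scanner false positive)"
    else
      echo "$cve: not in the fixed list; review against the IHS Q&A for level $level"
    fi
  done
}

# Usage: the scanner IDs here are whatever the scan report mapped to CVE.
triage "$SAMPLE_V_OUTPUT" CVE-2006-3747 CVE-2009-1891
```

Feed the script the output of the real binary and the CVE IDs from the scan report after mapping the scanner's own catalog to CVE; anything the script marks for review still needs the remaining checks in this technote (is the feature present, is it an alternate implementation, is the base level affected) before it is treated as a true positive.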

Not included in the list of fixed CVEs are those that involve mod_ssl. IBM HTTP Server does not contain mod_ssl (it provides its own SSL implementation, mod_ibm_ssl, in its place), and therefore is not subject to mod_ssl security problems; a scanner finding that cites a mod_ssl CVE against IBM HTTP Server is a false positive.

Resolving The Problem


To ensure that the Rational Web Platform server has the latest available vulnerability fixes, consider upgrading to the latest version of the Rational products. Alternatively, fix packs can be applied directly to IBM HTTP Server, whose installation root is located in the following directories by default:

  • Microsoft Windows
    Version 7.0.0.x and 7.0.1.x: C:\Program Files\Rational\Common\rwp\IHS
    Version 7.0.2.x, 7.0.3.x, 7.0.4.x, and 7.1.x: C:\Program Files\IBM\RationalSDLC\common\IHS

  • Linux and UNIX
    Version 7.0.0.x and 7.0.1.x: /opt/rational/common/rwp/IHS
    Version 7.0.2.x, 7.0.3.x, 7.0.4.x, and 7.1.x: /opt/IBM/RationalSDLC/common/IHS


Information on updating IBM HTTP Server for the Rational Web Platform is located in technote 1295608. Use the "-V" command described above to confirm the installed IBM HTTP Server level before choosing which fix pack to download. Apply the fix pack to a test server first, to confirm that the Rational Web Platform runs without problems before updating production.

For additional information regarding the IBM HTTP Server, refer to the IBM HTTP Server Questions and Answers website. The topics "What release of Apache is IBM HTTP Server based on?" and "Is a specific Apache fix in my level of IBM HTTP Server?" cover additional information about the Apache core.


Document Information

Modified date:
07 September 2022

UID

swg21266155