Fixes are available
PH43122: Vulnerability in IBM HTTP Server used by IBM WebSphere Application Server (CVE-2022-23852 CVSS 9.8 and more)
PH44393: crash in ap_scan_http_field_content with interim fix IFPH43122
PH44271: Vulnerability in IBM HTTP Server used by IBM WebSphere Application Server due to Expat (CVE-2022-25315 CVSS 7.8 and more)
PH44829: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server (CVE-2022-22720 CVSS 7.3 and more)
APAR status
Closed as program error.
Error description
IHS may crash in the sidDelete function
Local fix
Problem summary
USERS AFFECTED: All users of IBM HTTP Server
PROBLEM DESCRIPTION: IHS may crash in the sidDelete function
RECOMMENDATION:

Prior to this APAR, the sidDelete function used the operating system pthread_getspecific() family of functions to interact with the external SSL session cache daemon (sidd). On one system, pthread_getspecific appears to produce incorrect results, leading to a crash.
Problem conclusion
Parts of the mod_ibm_ssl code were rewritten to remove the dependency on the pthread_getspecific family of functions, to avoid any impact from operating system regressions in this area. The fix for this APAR is targeted for inclusion in IBM HTTP Server fix packs 8.5.5.21 and 9.0.5.11. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH42030
Reported component name
IBM HTTP SERVER
Reported component ID
5724J0801
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-11-10
Closed date
2022-01-11
Last modified date
2022-01-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
04 May 2022