IBM Support

PH53014: IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690 CVSS 6.1)

Abstract

IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690 CVSS 6.1)

Download Description

PH53014 resolves the following problem:

ERROR DESCRIPTION:
Confidential for Security Integrity interim fix CVE-2023-25690.

The fix for this APAR is targeted for inclusion in 8.5.5.24 and 9.0.5.16

For more information, see Recommended Updates for WebSphere Application Server:
https://www.ibm.com/support/pages/node/715553
Supersedes Info:

This fix supersedes (includes) the fix for PH52754, PH49572, PH50316, PH51982, PH52860, PH47792, PH46897, PH48168 where applicable.
Mitigations and affected configurations:

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains APAR PH53014.

  • Vulnerable configurations use mod_rewrite with URLs that are handled by either the WebSphere Web Server Plug-in or mod_proxy.
    • The RewriteRules are vulnerable only if they use back-references or other variables in the substitution parameter.
  • Additionally, configurations with ProxyPassMatch (and not necessarily mod_rewrite) are presumed vulnerable based on the publicly available CVE details.
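As an added example (not part of this IBM fix page or its readme), the following Python script applies the affected-configuration description above to an httpd.conf: it flags RewriteRule directives whose substitution uses back-references or variables and is proxied, and ProxyPassMatch directives whose target uses variable substitution. The sample configuration and host names are constructed; rules whose URLs are handled by the WebSphere Plug-in cannot be recognised from httpd.conf alone, so unproxied rules that use variables are reported for manual review.

```python
import re

# Constructed sample httpd.conf fragment (hypothetical hosts, not from the APAR).
SAMPLE_CONF = """\
RewriteEngine On
RewriteRule ^/api/(.*)$ http://backend.example.internal/api/$1 [P]
RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
RewriteRule ^/static/(.*)$ /content/$1
RewriteRule ^/login$ http://auth.example.internal/login [P]
ProxyPassMatch ^/svc/(.*)$ http://svc.example.internal/$1
ProxyPass /fixed/ http://fixed.example.internal/
"""

# Variable forms a substitution can carry: $N back-references,
# %N RewriteCond back-references, and %{VAR} server variables.
VAR_RE = re.compile(r"\$\d|%\d|%\{[^}]+\}")


def _is_proxied(subst, flag_field):
    """True if the rule hands the rewritten URL to mod_proxy: an absolute
    URL substitution or the [P]/[proxy] flag."""
    if re.match(r"^[a-z][a-z0-9+.-]*://", subst, re.I):
        return True
    m = re.search(r"\[([^\]]*)\]", flag_field)
    flags = [f.strip() for f in m.group(1).split(",")] if m else []
    return any(f in ("P", "proxy") for f in flags)


def audit_conf(text):
    """Return (line_no, directive, verdict) for directives matching the APAR's
    affected-configuration description. Verdicts: 'vulnerable' (variables +
    proxied), 'review' (variables, proxy status unknown from httpd.conf),
    'presumed vulnerable' (ProxyPassMatch with variable substitution)."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0]
        if directive == "RewriteRule" and len(parts) >= 3:
            subst = parts[2]
            if not VAR_RE.search(subst):
                continue  # fixed substitution: not affected per the APAR
            flag_field = parts[3] if len(parts) > 3 else ""
            verdict = "vulnerable" if _is_proxied(subst, flag_field) else "review"
            findings.append((n, directive, verdict))
        elif directive == "ProxyPassMatch" and len(parts) >= 3:
            if VAR_RE.search(parts[2]):
                findings.append((n, directive, "presumed vulnerable"))
    return findings


if __name__ == "__main__":
    for line_no, directive, verdict in audit_conf(SAMPLE_CONF):
        print(f"line {line_no}: {directive} -> {verdict}")
```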

Prerequisites

None

Installation Instructions

Review the readme.txt for detailed installation instructions.

URL                        SIZE(Bytes)
V90 IM readme file         1871
V85 IM readme file         1809
V90 archive readme file    1225

Download Package

IMPORTANT NOTE:
WebSphere Application Server and Liberty fix access requires S&S Entitlement beginning in 2021. Use properly registered IDs to download the fixes in this table.

Installation Manager repositories    RELEASE DATE     SIZE(Bytes)    URL
9.0.5.15-WS-WASIHS-IFPH53014         03 April 2023    14714921       FC
9.0.5.14-WS-WASIHS-IFPH53014         15 March 2023    35400807       FC
9.0.5.13-WS-WASIHS-IFPH53014         15 March 2023    34162482       FC
8.5.5.23-WS-WASIHS-IFPH53014         15 March 2023    31787100       FC
8.5.5.22-WS-WASIHS-IFPH53014         15 March 2023    37813658       FC

The IHS Archive fix for this APAR is superseded by later interim fixes.
Users of the IHS Archive Install should download and install the interim fix for PH48747 to resolve this APAR.
Users that install or update via IBM Installation Manager should continue with the interim fix above.

Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.

Problems Solved

PH53014, PH49572, PH50316, PH51982, PH52860, PH52754

Known Side Effects

After PH53014, control characters in rewritten URLs are rejected by the server.

Change History

  • March 17: Add information about ProxyPassMatch
  • April 4: Add 9.0.5.15 fixes and add PH52754 and others as superseded
  • May 2: Supersede archive installs with PH48747

Technical Support

Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

Document Information

Modified date:
04 May 2023

UID

ibm16963614