IBM Support

PH61893: IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server

Abstract

IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server

Download Description

PH61893 resolves the following problems:
  • CVE-2024-38472
    • Vulnerable Configurations: IHS on Windows
  • CVE-2024-38473, CVE-2024-38477
    • Vulnerable Configurations: IHS 9.0 with mod_proxy loaded
  • CVE-2024-38474, CVE-2024-38475
    • Vulnerable Configurations: IHS with mod_rewrite loaded.
      See https://httpd.apache.org/security/vulnerabilities_24.html for mod_rewrite specifics.
  • CVE-2024-38476
    • Vulnerable Configurations: IHS with mod_negotiation or CGI modules loaded
  • CVE-2024-39573
    • Vulnerable Configurations: IHS with both mod_rewrite and mod_proxy loaded
      See https://httpd.apache.org/security/vulnerabilities_24.html for mod_rewrite specifics.


Behavior Changes in mod_rewrite:
  • If non-malicious URLs use encoded question marks (%3F), some RewriteRules that add a "?" to the substitution will return 403 unless the UnsafeAllow3F flag is added.
  • If a mod_rewrite substitution begins with a variable or back-reference, and has no PT flag, and the first path segment matches a directory at the root of the filesystem, the substitution will no longer map the URL to that directory unless the flag UnsafePrefixStat is added.
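
As an added example that is not IBM's code and not part of PH61893, the shell check below lists the RewriteRule directives in an httpd.conf that the two behaviour changes above touch (rules that add a "?" without UnsafeAllow3F, and rules whose substitution starts with a variable or back-reference without PT or UnsafePrefixStat), so they can be reviewed before the fix is applied; the embedded sample configuration is constructed and stands in for a real httpd.conf.

```shell
#!/bin/sh
# Added example, not IBM's code: list RewriteRule directives in an httpd.conf
# whose behaviour changes under PH61893, so they can be reviewed before the fix
# goes in. Only the given file is read; any Include'd files need the same pass.

# Constructed sample httpd.conf, embedded so the script runs offline.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine On
# Adds a query string: requests containing %3F now get 403 from this rule
RewriteRule ^/legacy/(.*)$ /app/index.php?page=$1 [L]
# Adds a query string, but the old behaviour has already been opted back in
RewriteRule ^/old/(.*)$ /app/old.php?id=$1 [L,UnsafeAllow3F]
# Substitution starts with a back-reference and has no PT flag
RewriteRule ^/files/([^/]+)/(.*)$ $1/$2 [L]
# Back-reference first, but PT makes it a URL path, not a filesystem path
RewriteRule ^/svc/([^/]+)/(.*)$ $1/$2 [PT]
RewriteRule ^/static/(.*)$ /var/www/static/$1 [L]
EOF

# Candidates for the first change: rules whose substitution adds a "?" and that
# do not carry UnsafeAllow3F. This over-approximates (not every hit will
# return 403), but each hit deserves a look.
rules_adding_query() {
    awk '$1 == "RewriteRule" && index($3, "?") && $4 !~ /UnsafeAllow3F/' "$1"
}

# Candidates for the second change: substitution begins with a variable (%) or
# back-reference ($) and the flag list contains neither PT nor UnsafePrefixStat.
rules_prefix_stat() {
    awk '
    $1 == "RewriteRule" && $3 ~ /^[$%]/ {
        flags = "," $4 ","
        gsub(/\[|\]/, "", flags)   # strip the surrounding [ ] from the flag list
        if (flags !~ /,PT,/ && flags !~ /,UnsafePrefixStat,/) print
    }' "$1"
}

echo "== rules adding a query string (review for UnsafeAllow3F) =="
rules_adding_query "$SAMPLE_CONF"
echo "== rules with a leading variable/back-reference and no PT =="
rules_prefix_stat "$SAMPLE_CONF"
```

Point each function at the real httpd.conf and every file it Includes; since the Unsafe* flags restore the pre-fix behaviour, prefer adding PT or restructuring the rule where that is possible.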

The fix for this APAR is targeted for inclusion in 8.5.5.27 and 9.0.5.21.

For more information, see Recommended Updates for WebSphere Application Server:
https://www.ibm.com/support/pages/node/715553

This fix supersedes (includes) the fixes for PH53014, PH57408, PH57668, PH59697 and PH60619 (where applicable to the base fix pack level).

Prerequisites

None

Download Package

IMPORTANT NOTE:
WebSphere Application Server and Liberty fix access requires S&S Entitlement beginning in 2021. Use properly registered IDs to download the fixes in this table.

A signature file is provided along with the interim fix. See Verifying WebSphere Application Server release packages and Verifying Liberty release packages.
DOWNLOAD                                            RELEASE DATE  SIZE (Bytes)  URL
IBM Installation Manager downloadable repositories
8.5.5.24-WS-WASIHS-IFPH61893                        09 July 2024      89941873  FC
8.5.5.25-WS-WASIHS-IFPH61893                        09 July 2024      89941917  FC
9.0.5.18-WS-WASIHS-IFPH61893                        09 July 2024     110529905  FC
9.0.5.19-WS-WASIHS-IFPH61893                        09 July 2024     110529247  FC
9.0.5.20-WS-WASIHS-IFPH61893                        09 July 2024     110529130  FC
IBM HTTP Server archive installs
9.0.5-WS-IHS-ARCHIVE-linux-x86_64-FP020-IFPH61893   09 July 2024      26737929  FC
9.0.5-WS-IHS-ARCHIVE-linux-s390x-FP020-IFPH61893    09 July 2024      29625329  FC
9.0.5-WS-IHS-ARCHIVE-linux-ppc64le-FP020-IFPH61893  09 July 2024      27185741  FC
9.0.5-WS-IHS-ARCHIVE-aix-ppc64-FP020-IFPH61893      09 July 2024      35908017  FC
9.0.5-WS-IHS-ARCHIVE-win-x86-FP020-IFPH61893        09 July 2024      33271458  FC
9.0.5-WS-IHS-ARCHIVE-win-x86_64-FP020-IFPH61893     09 July 2024      35549377  FC
Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.

Problems Solved

PH61893, PH53014, PH57408, PH57668, PH59697, PH60619

Technical Support

Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

Document Information

Modified date:
09 July 2024

UID

ibm17159808