News
Abstract
PCI Compliance
Content
The Payment Card Industry Data Security Standard (PCI DSS) is a set of specific security standards designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment during and after a financial transaction.
Adhering to the specific security standards documented in the PCI DSS make something PCI-compliant.
The IBM HTTP Server for i is PCI-Compliant Web server. Known Apache security vulnerabilities are patched via. PTFs on IBM i.
IBM i 7.5: Apache security vulnerabilities
IBM i 7.4: Apache security vulnerabilities
IBM i 7.3: Apache security vulnerabilities
IBM i 7.2: Apache security vulnerabilities
IBM i 7.1: Apache security vulnerabilities
Notice: On Apil 1, 2018, the Apache 2.2 server that is delivered with IBM i HTTP Server (5770DG1) on i 7.1 will be going out of support. No CVE fix will be delivered after that. To insure you remain on a fully support and compliant web server you need to consider moving to IBM i 7.3 or higher.
IBM i 7.5: Apache security vulnerabilities:
| Common vulnerabilities and exposures | Description | Severity | Status on IBM i | PTF(s) |
|---|---|---|---|---|
| CVE-2022-31813 | mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism | low | Fixed | SI80337 |
| CVE-2022-28614 | read beyond bounds via ap_rwrite() | low | Fixed | SI80337 |
| CVE-2022-28615 | Read beyond bounds in ap_strcmp_match() | low | Fixed | SI80337 |
| CVE-2022-22720 | HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier | important | Fixed | SF99952-level2 |
| CVE-2022-22721 | core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody | Low | Fixed | SF99952-level2 |
| Common vulnerabilities and exposures | Description | Severity | Status on IBM i | PTF(s) |
|---|---|---|---|---|
| CVE-2022-31813 | mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism | low | Fixed | SI80353 |
| CVE-2022-28614 | read beyond bounds via ap_rwrite() | low | Fixed | SI80353 |
| CVE-2022-28615 | Read beyond bounds in ap_strcmp_match() | low | Fixed | SI80353 |
| CVE-2022-22720 | HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier | important | Fixed | SI80014 |
| CVE-2022-22721 | core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody | Low | Fixed | SI80014 |
| CVE-2021-44224 | Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier | moderate | Fixed | SI78295 SI78296 |
| CVE-2021-40438 | mod_proxy SSRF | High | Fixed | SI77906 |
| CVE-2021-39275 | ap_escape_quotes buffer overflow | Low | Fixed | SI77906 |
| CVE-2021-34798 | NULL pointer dereference in HTTPd core | moderate | Fixed | SI77906 |
| CVE-2019-17567 | mod_proxy_wstunnel tunneling of non Upgraded connections | moderate | Fixed | SI76706 |
| CVE-2020-13950 | mod_proxy_http NULL pointer dereference | Low | Fixed | SI76706 |
| CVE-2021-30641 | Unexpected URL matching with 'MergeSlashes OFF' | moderate | Fixed | SI76706 |
| CVE-2021-31618 | NULL pointer dereference on specially crafted HTTP/2 request | important | Fixed | SI76700 |
| CVE-2020-11993 | Push Diary Crash on Specifically Crafted HTTP/2 Header | moderate | Fixed | SI74088 |
| CVE-2020-9490 | Push Diary Crash on Specifically Crafted HTTP/2 Header | important | Fixed | SI74088 |
| CVE-2020-1927 | mod_rewrite CWE-601 open redirect | Low | Fixed | SI73415 |
| CVE-2020-1934 | mod_proxy_ftp use of uninitialized value | Low | Fixed | SI73415 |
| CVE-2019-10092 | Limited cross-site scripting in mod_proxy error page | Low | Fixed | SI71097 |
| CVE-2019-10098 | mod_rewrite potential open redirect | Low | Fixed | SI71097 |
| CVE-2019-10082 | mod_http2, read-after-free in h2 connection shutdown | moderate | Fixed | SI70962 |
| CVE-2019-10081 | mod_http2, memory corruption on early pushes | moderate | Fixed | SI70962 |
| CVE-2019-9517 | mod_http2, DoS attack by exhausting h2 workers. | moderate | Fixed | SI70961 |
| CVE-2019-0220 | Apache HTTPd URL normalization inconsistincy | Low | Fixed | SI69187 |
| CVE-2019-0916 | mod_http2, read-after-free on a string compare | Low | Fixed | SI69189 |
| CVE-2019-0917 | mod_http2, possible crash on late upgrade | Low | Fixed | SI69189 |
|
Common vulnerabilities and exposures |
Description |
Severity |
Status on IBM i |
PTF(s) |
|---|---|---|---|---|
| CVE-2022-31813 | mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism | Low | Fixed | SI80354 |
| CVE-2022-28614 | read beyond bounds via ap_rwrite() | Low | Fixed | SI80354 |
| CVE-2022-28615 | Read beyond bounds in ap_strcmp_match() | Low | Fixed | SI80354 |
| CVE-2022-22720 | HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier | important | Fixed | SI79641 |
| CVE-2022-22721 | core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody | Low | Fixed | SI79641 |
| CVE-2021-44224 | Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier | moderate | Fixed | SI78298 SI78299 |
| CVE-2021-40438 | mod_proxy SSRF | High | Fixed | SI77576 |
| CVE-2021-39275 | ap_escape_quotes buffer overflow | Low | Fixed | SI77576 |
| CVE-2021-34798 | NULL pointer dereference in HTTPd core | moderate | Fixed | SI77576 |
| CVE-2019-17567 | mod_proxy_wstunnel tunneling of non Upgraded connections | moderate | Fixed | SI76831 |
| CVE-2020-13950 | mod_proxy_http NULL pointer dereference | Low | Fixed | SI76831 |
| CVE-2021-30641 | Unexpected URL matching with 'MergeSlashes OFF' | moderate | Fixed | SI76831 |
| CVE-2021-31618 | NULL pointer dereference on specially crafted HTTP/2 request | important | Fixed | SI76820 |
| CVE-2020-11993 | Push Diary Crash on Specifically Crafted HTTP/2 Header | moderate | Fixed | SI74087 |
| CVE-2020-9490 | Push Diary Crash on Specifically Crafted HTTP/2 Header | important | Fixed | SI74087 |
| CVE-2020-11985 | IP address spoofing when proxying using mod_remoteip and mod_rewrite | Low | Fixed | SI74074 |
| CVE-2020-1927 | mod_rewrite CWE-601 open redirect | Low | Fixed | SI72840 |
| CVE-2020-1934 | mod_proxy_ftp use of uninitialized value | Low | Fixed | SI72840 |
| CVE-2019-10092 | Limited cross-site scripting in mod_proxy error page | Low | Fixed | SI71052 |
| CVE-2019-10098 | mod_rewrite potential open redirect | Low | Fixed | SI71052 |
| CVE-2019-10082 | mod_http2, read-after-free in h2 connection shutdown | moderate | Fixed | SI70964 |
| CVE-2019-10081 | mod_http2, memory corruption on early pushes | moderate | Fixed | SI70964 |
| CVE-2019-9517 | mod_http2, DoS attack by exhausting h2 workers. | moderate | Fixed | SI70970 |
| CVE-2019-0220 | Apache HTTPd URL normalization inconsistincy | Low | Fixed | SI69900 |
| CVE-2019-0916 | mod_http2, read-after-free on a string compare | Low | Fixed | SI69828 |
| CVE-2019-0917 | mod_http2, possible crash on late upgrade | Low | Fixed | SI69828 |
| CVE-2018-17189 | DoS for HTTP/2 connections via slow request bodies | Low | Fixed | SI68962 |
| CVE-2018-11763 | DoS for HTTP/2 connections by continuous SETTINGS | Low | Fixed | SI68430 |
|
DoS for HTTP/2 connections by crafted requests |
Low |
Fixed |
SI68124 |
|
|
Possible out of bound access after failure in reading the HTTP request |
Low |
Fixed |
SI67362 |
|
|
<FilesMatch> bypass with a trailing newline in the file name |
Low |
Fixed |
SI67362 |
|
|
Out-of-bounds access in corrupted SDBM database |
moderate |
Fixed |
SI66488 |
|
|
Out-of-bounds array dereference in apr_time_exp*() functions |
important |
Fixed |
SI66479 |
|
|
Use-after-free when using <Limit > with an unrecognized method in .htaccess ("OptionsBleed") |
Low |
Fixed |
SI65906 |
|
|
mod_mime Buffer Overread |
important |
Fixed |
SI65194 |
|
|
ap_find_token() Buffer Overread |
important |
Fixed |
SI65194 |
|
|
ap_get_basic_auth_pw() Authentication Bypass |
important |
Fixed |
SI65194 SI65201 |
|
|
Apache HTTP Request Parsing white space Defects |
important |
Fixed |
SI63997 |
|
|
mod_userdir CRLF injection |
moderate |
Fixed |
SI63997 |
|
|
Expat XML Parser Crashes on Malformed Input |
moderate |
Fixed |
SF99722 level 5 |
|
|
HTTP_PROXY environment variable "httpoxy" mitigation |
Low |
Fixed |
SF99722 level 5 |
|
Common vulnerabilities and exposures |
Description |
Severity |
Status on IBM i |
PTF(s) |
|---|---|---|---|---|
| CVE-2022-31813 | mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism | low | Fixed | SI80355 |
| CVE-2022-28614 | read beyond bounds via ap_rwrite() | low | Fixed | SI80355 |
| CVE-2022-28615 | Read beyond bounds in ap_strcmp_match() | low | Fixed | SI80355 |
| CVE-2022-22721 | Possible buffer overflow with very large or unlimited LimitXMLRequestBody | low | Fixed | SI79640 |
| CVE-2022-22720 | HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier | important | Fixed | SI79640 |
| CVE-2021-44224 | Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier | moderate | Fixed | SI78297 |
| CVE-2021-40438 | mod_proxy SSRF | High | Fixed | SI77594 |
| CVE-2021-39275 | ap_escape_quotes buffer overflow | Low | Fixed | SI77594 |
| CVE-2021-34798 | NULL pointer dereference in HTTPd core | moderate | Fixed | SI77594 |
| CVE-2019-17567 | mod_proxy_wstunnel tunneling of non Upgraded connections | moderate | Fixed | SI77099 |
| CVE-2020-13950 | mod_proxy_http NULL pointer dereference | Low | Fixed | SI77099 |
| CVE-2021-30641 | Unexpected URL matching with 'MergeSlashes OFF' | moderate | Fixed | SI77099 |
| CVE-2020-11985 | IP address spoofing when proxying using mod_remoteip and mod_rewrite | Low | Fixed | SI74073 |
| CVE-2020-1927 | mod_rewrite CWE-601 open redirect | Low | Fixed | SI72748 |
| CVE-2020-1934 | mod_proxy_ftp use of uninitialized value | Low | Fixed | SI72748 |
| CVE-2019-10092 | Limited cross-site scripting in mod_proxy error page | Low | Fixed | SI71028 |
| CVE-2019-10098 | mod_rewrite potential open redirect | Low | Fixed | SI71028 |
| CVE-2019-0220 | Apache HTTPd URL normalization inconsistincy | Low | Fixed | SI69901 |
|
Possible out of bound access after failure in reading the HTTP request |
Low |
Fixed |
SI67357 |
|
|
<FilesMatch> bypass with a trailing newline in the file name |
Low |
Fixed |
SI67357 |
|
|
Out-of-bounds access in corrupted SDBM database |
moderate |
Fixed |
SI66490 |
|
|
Out-of-bounds array dereference in apr_time_exp*() functions |
important |
Fixed |
SI66345 |
|
|
Use-after-free when using <Limit > with an unrecognized method in .htaccess ("OptionsBleed") |
Low |
Fixed |
SI65915 |
|
|
mod_mime Buffer Overread |
important |
Fixed |
SI65279 |
|
|
ap_find_token() Buffer Overread |
important |
Fixed |
SI65279 |
|
|
ap_get_basic_auth_pw() Authentication Bypass |
important |
Fixed |
SI65279 SI65280 |
|
|
Apache HTTP Request Parsing white space Defects |
important |
Fixed |
SI64140 |
|
| CVE-2016-4975 | mod_userdir CRLF injection | moderate | Fixed | SI64140 |
|
Expat XML Parser Crashes on Malformed Input |
moderate |
Fixed |
SI61648 |
|
|
HTTP_PROXY environment variable "httpoxy" mitigation |
Low |
Fixed |
SI62159 |
|
|
XML_GetBuffer expat buffer overflow |
Low |
Fixed |
SI57960 |
|
|
Crash in ErrorDocument 400 handling |
Low |
Fixed |
SI58157 |
|
|
HTTP request smuggling attack against chunked request parser |
Low |
Fixed |
SI57806 |
|
|
ap_some_auth_required API unusable |
Low |
Fixed |
SI57806 |
|
|
HTTP Trailers processing bypass |
Low |
Fixed |
SI55722 |
|
|
mod_cache crash with empty Content-Type header |
Low |
Fixed |
SI55552 |
|
|
mod_deflate denial of service |
moderate |
Fixed |
SI54023 |
|
|
mod_log_config crash |
Low |
Fixed |
SI52811 |
|
|
mod_dav crash |
moderate |
Fixed |
SI52821 |
|
|
mod_dav crash |
moderate |
Fixed |
SI52821 |
|
|
Various XSS flaws due to unescaped hostnames and URIs HTML output |
Low |
Fixed |
SI51122 |
|
|
A XSS flaw affected the mod_proxy_balancer manager interface. |
moderate |
Fixed |
SI51122 |
|
|
XSS in mod_negotiation when untrusted uploads are supported |
Low |
Fixed |
SI51122 |
| Common vulnerabilities and exposures | Description | Severity | Status on IBM i | PTF(s) |
|---|---|---|---|---|
|
Out-of-bounds access in corrupted SDBM database |
moderate |
Fixed |
SI66487 |
|
|
Out-of-bounds array dereference in apr_time_exp*() functions |
important |
Fixed |
SI66472 |
|
|
Use-after-free when using <Limit > with an unrecognized method in .htaccess ("OptionsBleed") |
Low |
Fixed |
SI65939 |
|
|
mod_mime Buffer Overread |
important |
Fixed |
SI65281 |
|
|
ap_find_token() Buffer Overread |
important |
Fixed |
SI65281 |
|
|
ap_get_basic_auth_pw() Authentication Bypass |
important |
Fixed |
SI65281 SI65282 |
|
|
Apache HTTP Request Parsing white space Defects |
important |
Fixed |
SI63670 |
|
| CVE-2016-4975 | mod_userdir CRLF injection | moderate | Fixed | SI63670 |
|
Expat XML Parser Crashes on Malformed Input |
moderate |
Fixed |
SI61649 |
|
|
HTTP_PROXY environment variable "httpoxy" mitigation |
Low |
Fixed |
SI61471 |
|
| XML_GetBuffer expat buffer overflow | Low | Fixed | SI57962 | |
| HTTP request smuggling attack against chunked request parser | Low | Fixed | SI57763 | |
| HTTP Trailers processing bypass | Low | Fixed | SI55746 | |
| "Slowloris" denial of service attack due to the lack of the mod_reqtimeout module | moderate | Fixed | SI53684 SI53701 |
|
| mod_deflate denial of service | moderate | Fixed | SI54022 | |
| mod_log_config crash | Low | Fixed | SI52916 | |
| mod_dav crash | moderate | Fixed | SI52602 | |
| mod_dav crash | moderate | Fixed | SI50824 | |
| mod_rewrite log escape filtering |
Low | Fixed | SI50403 | |
| A XSS flaw affected the mod_proxy_balancer manager interface. | moderate | Fixed | SI49746 | |
| Various XSS flaws due to unescaped hostnames and URIs HTML output | Low | Fixed | SI49746 | |
| XSS in mod_negotiation when untrusted uploads are supported | Low | Fixed | SI47606 | |
| error responses can expose cookies | moderate | Fixed | SI45900 | |
| scoreboard parent DoS | Low | Fixed | SI45900 | |
| mod_log_config crash | Low | Fixed | SI52916 | |
| mod_proxy reverse proxy exposure | moderate | Fixed | SI45438 | |
| mod_proxy reverse proxy exposure | moderate | Fixed | SI45438 | |
| Integer overflow in ap_pregsub() leads to buffer overflow | moderate | Fixed | SI45438 | |
| mod_proxy reverse proxy exposure | moderate | Fixed | SI44812 | |
| byte range filter (DoS) | Low | Fixed | SI44630 | |
| apr_fnmatch high cpu utilization | Low | Fixed | SI43722 | |
| apr_fnmatch DoS (mod_autoindex) | Low | Fixed | SI43722 | |
| apr_bridage_split_line DoS | Low | Fixed | SI41367 | |
| Timeout detection flaw (mod_proxy_http) | important | Fixed | SI40534 | |
| mod_cache and mod_dav DoS | Low | Fixed | SI40534 | |
| Subrequest handling of request headers (mod_headers) | Low | Fixed | SI38640 | |
| TLS/SSL handshake renegotiation | Low | Fixed | MF48823 | |
| mod_proxy_ftp DoS | Low | Fixed | SI36656 | |
| mod_proxy_ftp FTP command injection | Low | Fixed | SI36656 | |
| APR apr_palloc heap overflow | Low | Fixed | SI36656 | |
| mod_proxy reverse proxy DoS | important | Fixed | Fixed | |
| mod_deflate DoS | Low | Fixed | Fixed | |
| AllowOverride Options handling bypass | Low | Fixed | Fixed | |
| APR-util off-by-one overflow | moderate | Fixed | Fixed | |
| APR-util XML DoS | moderate | Fixed | Fixed | |
| APR-util heap underwrite | moderate | Fixed | Fixed | |
| mod_cache proxy DoS | moderate | Fixed | Fixed | |
| mod_cache information leak | moderate | Fixed | Fixed | |
| Signals to arbitrary processes | moderate | Fixed | Fixed | |
| mod_status cross-site scripting | moderate | Fixed | Fixed | |
| mod_proxy crash | moderate | Fixed | Fixed | |
| mod_imagemap XSS | moderate | Fixed | Fixed | |
| mod_status XSS | moderate | Fixed | Fixed | |
| mod_proxy_balancer XSS | Low | Fixed | Fixed | |
| mod_proxy_balancer DoS | Low | Fixed | Fixed | |
| mod_proxy_ftp UTF-7 XSS | Low | Fixed | Fixed | |
| mod_proxy_http DoS | moderate | Fixed | Fixed | |
| mod_proxy_balancer CSRF | Low | Fixed | Fixed | |
| mod_proxy_ftp globbing XSS | Low | Fixed | Fixed |
Was this topic helpful?
Document Information
Modified date:
01 August 2022
UID
ibm11170946