
PH44829: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server (CVE-2022-22720 CVSS 7.3 and more)


Abstract

Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server (CVE-2022-22720 CVSS 7.3 and more)

Download Description


This fix is superseded by later interim fixes.
The interim fix for this APAR has been superseded by a later interim fix. Download and install the interim fix for PH46897 to resolve this APAR.
If this APAR applied to older fix packs that the superseding APAR does not, the download link for those older fixes will be preserved below.

PH44829 resolves the following problem:

ERROR DESCRIPTION:
Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server: CVE-2022-22719, CVE-2022-22720, and CVE-2022-22721
PROBLEM SUMMARY:
Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server: CVE-2022-22719, CVE-2022-22720, and CVE-2022-22721

PROBLEM CONCLUSION:
Confidential for CVE-2022-22719, CVE-2022-22720, and CVE-2022-22721

The fix for this APAR is currently targeted for inclusion in fix packs 8.5.5.22, 9.0.5.12.

For more information, see 'Recommended Updates for WebSphere Application Server':
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
This fix supersedes (includes) the fix for all previously published fixes on top of the respective fix pack. Depending on the specific interim fix, this may include one or more of the following APARS: PH41945, PH42030, PH42587, PH42862, PH43122, PH43887, PH44271, PH44393
Mitigations and affected configurations:
  • CVE-2022-22719: Only configurations that load mod_lua and have scripts that call r:parsebody are affected.
  • CVE-2022-22720: Only configurations without RequestReadTimeout (with a non-zero body timeout) are affected. This directive is provided by mod_reqtimeout.
  • CVE-2022-22721: Only configurations with LimitXMLRequestBody explicitly specified in the IHS configuration with a value of 350MB or larger, or of 0, are affected. Additionally, only 32-bit (and 31-bit) builds of IHS are affected.
    • The IHS architecture is displayed when running apachectl -V or httpd.exe -V (Windows).
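The two configuration conditions above can be checked mechanically. The following POSIX shell audit is an added example, not IBM tooling: it reads the last effective RequestReadTimeout and LimitXMLRequestBody values from an httpd.conf and the Architecture line from saved `apachectl -V` output; the sample configs and -V excerpt are constructed, and 350MB is assumed to mean 350*1024*1024 bytes.

```shell
#!/bin/sh
# Added example (not IBM tooling): audit an IHS httpd.conf against the
# configuration conditions PH44829 names for CVE-2022-22720 and
# CVE-2022-22721. The sample configs and "-V" output below are constructed.
# Effective value of a directive: the config is read top to bottom, so the
# last uncommented occurrence wins. Prints nothing when it is absent.
last_directive() {  # $1=conf file, $2=directive name
  grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 \
    | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//'
}

# CVE-2022-22720: mitigated only when RequestReadTimeout is present with a
# non-zero body timeout (body=N, body=N-M or body=N,MinRate=R forms).
reqtimeout_ok() {
  v=$(last_directive "$1" RequestReadTimeout | tr ' ' '\n' \
    | grep -i '^body=' | tail -n 1 | sed 's/^[^=]*=//; s/[-,].*//')
  [ -n "$v" ] && [ "$v" -gt 0 ] 2>/dev/null
}

# CVE-2022-22721: exposed only if LimitXMLRequestBody is explicitly set to 0
# or to 350MB or more; 350MB is taken here as 350*1024*1024 = 367001600 bytes.
limitxml_ok() {
  v=$(last_directive "$1" LimitXMLRequestBody)
  [ -z "$v" ] && return 0   # directive absent: default applies, not exposed
  [ "$v" -gt 0 ] 2>/dev/null && [ "$v" -lt 367001600 ]
}
# Reads the "Architecture:" line from saved `apachectl -V` / `httpd.exe -V` output.
is_64bit() { grep -qi '^Architecture:[[:space:]]*64-bit' "$1"; }

WORK=$(mktemp -d)
cat > "$WORK/weak.conf" <<'EOF'
# constructed: body timeout disabled, XML body limit removed
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=20-40,MinRate=500 body=0
LimitXMLRequestBody 0
EOF
cat > "$WORK/hardened.conf" <<'EOF'
# constructed: non-zero body timeout, XML limit kept well under 350MB
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
LimitXMLRequestBody 1000000
EOF
printf 'Architecture:   32-bit\n' > "$WORK/v.txt"   # constructed -V excerpt
for f in weak hardened; do
  reqtimeout_ok "$WORK/$f.conf" && r=mitigated || r=EXPOSED
  limitxml_ok "$WORK/$f.conf" && x=mitigated || x=EXPOSED
  echo "$f.conf: CVE-2022-22720 $r, CVE-2022-22721 $x"
done
is_64bit "$WORK/v.txt" || echo "32-bit build: CVE-2022-22721 applies where LimitXMLRequestBody is EXPOSED"
```

Point the functions at a real httpd.conf and at the saved output of apachectl -V to audit an installed IHS instance.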

Prerequisites

None

Installation Instructions

Review the readme.txt for detailed installation instructions.

URL  Size (bytes)
V90 readme file 2090
V85 readme file 1984
V80 readme file 2047
V70 readme file 5061
V90(IHS Archive) readme file 1405

Problems Solved

PH44829, PH41945, PH42030, PH42587, PH42862, PH43122, PH43887, PH44271, PH44393

Change History

April 5: Update CVE-2022-22721 to address LimitXMLRequestBody dependency
June 15: Supersede with https://www.ibm.com/support/pages/node/6594853

Technical Support

Contact IBM Support at https://www.ibm.com/software/mysupport/s/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide


Document Information

Modified date:
06 January 2023

UID

ibm16564709