IBM Support

PH46897:Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server (CVE-2022-26377 CVSS 7.3 and more)


Abstract

Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server (CVE-2022-26377 CVSS 7.3 and more)

Download Description


This fix is superseded by later interim fixes.

The interim fix for this APAR has been superseded by a later interim fix. Download and install the interim fix for PH51982 to resolve this APAR. 


PH46897 resolves the following problems:

  • CVE-2022-26377
  • CVE-2022-28614
  • CVE-2022-28615
  • CVE-2022-29404
  • CVE-2022-30556
  • CVE-2022-31813

ERROR DESCRIPTION:
Confidential for Security Integrity ifix for CVE-2022-26377 (and more)

PROBLEM SUMMARY:
Confidential for Security Integrity ifix for CVE-2022-26377 (and more)

PROBLEM CONCLUSION:
Confidential for CVE-2022-26377

The fix for this APAR is currently targeted for inclusion in fix packs 8.5.5.23 and 9.0.5.13.

For more information, see 'Recommended Updates for WebSphere Application Server':
http://www.ibm.com/support/docview.wss?rs=180&uid=swg2700498
This fix supersedes (includes) the fixes for all published security fixes for the affected fix packs: PH44271, PH44829, PH43122, PH42030, and PH42072 where applicable.
The fixes for 7.0 and 8.0 supersede every prior 7.0 and 8.0 security fix.

Behavior Change Warning:
As a result of this APAR, IBM HTTP Server now limits HTTP request bodies to 1 Gigabyte by default. Previously, there was no limit.
The limit can be increased by using the LimitRequestBody directive. Users are encouraged to scope any increase narrowly, for example inside a <Location> block, rather than raising it globally.

Mitigations and affected configurations:
  • CVE-2022-26377
    • IBM HTTP Server configurations with "mod_proxy_ajp" loaded and configured are affected. This module is not provided in the 9.0 release.
  • CVE-2022-28614 & CVE-2022-28615
    • IBM HTTP Server configurations with "mod_lua" loaded and configured, or with any third-party modules loaded, may be affected.
  • CVE-2022-29404 (9.0 only)
    • IBM HTTP Server configurations with "mod_lua" loaded and configured may be affected.
  • CVE-2022-30556 (9.0 only)
    • IBM HTTP Server configurations with "mod_lua" loaded and configured may be affected.
  • CVE-2022-31813
    • IBM HTTP Server configurations with "mod_proxy_http" loaded and configured, where the backend server relies on the X-Forwarded-For header for security purposes, are affected.
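As an added example (not IBM's code), the following shell check maps the active LoadModule lines in an httpd.conf onto the module-dependent entries listed above, so an administrator can see which of them apply to a given configuration. It assumes a single httpd.conf and does not follow Include directives; the sample configuration it writes is constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example, not IBM's code: report which module-dependent entries of this APAR
# may apply, based on the uncommented LoadModule lines in an IHS httpd.conf.
# Assumption: one httpd.conf; directives pulled in via Include are not followed.

# Constructed sample httpd.conf so the script runs stand-alone; point the
# functions at the real file (e.g. <IHS_ROOT>/conf/httpd.conf) in practice.
SAMPLE_CONF="${TMPDIR:-/tmp}/ihs_sample_httpd.conf"
cat > "$SAMPLE_CONF" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule lua_module modules/mod_lua.so
<Location /upload>
    LimitRequestBody 2147483648
</Location>
EOF

# Print 1 if the module is loaded by an uncommented LoadModule line, else 0.
# $1 = path to httpd.conf, $2 = module identifier (e.g. lua_module)
module_loaded() {
    if grep -Eq "^[[:space:]]*LoadModule[[:space:]]+$2[[:space:]]" "$1"; then
        echo 1
    else
        echo 0
    fi
}

# Emit one line per loaded module, naming the CVEs this APAR ties to it,
# then list any explicit LimitRequestBody overrides for review.
ihs_module_report() {
    conf="$1"
    [ "$(module_loaded "$conf" proxy_ajp_module)" -eq 1 ] && \
        echo "mod_proxy_ajp loaded: CVE-2022-26377 applies (module not shipped in 9.0)"
    [ "$(module_loaded "$conf" lua_module)" -eq 1 ] && \
        echo "mod_lua loaded: CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30556 may apply"
    [ "$(module_loaded "$conf" proxy_http_module)" -eq 1 ] && \
        echo "mod_proxy_http loaded: CVE-2022-31813 applies if the backend trusts X-Forwarded-For"
    grep -En "^[[:space:]]*LimitRequestBody[[:space:]]" "$conf" | \
        sed 's/^/LimitRequestBody override at line /'
    return 0
}

ihs_module_report "$SAMPLE_CONF"
```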

Prerequisites

None

Download Package


This fix is superseded by later interim fixes.

The interim fix for this APAR has been superseded by a later interim fix. Download and install the interim fix for PH51982 to resolve this APAR. 

Problems Solved

PH44271, PH44829, PH43122, PH42030, PH42072

Known Side Effects

Behavior Change Warning:
As a result of this APAR, IBM HTTP Server now limits HTTP request bodies to 1 Gigabyte by default. Previously, there was no limit.
The limit can be increased by using the LimitRequestBody directive. Users are encouraged to scope any increase narrowly, for example inside a <Location> block, rather than raising it globally.

Change History

  • Oct 5 2022: With the release of PH49572, this interim fix is superseded on Linux, AIX, Windows, Solaris, and HP-UX
  • Oct 13 2022: Simplify/clarify supersede situation

Technical Support

Contact IBM Support at https://www.ibm.com/software/mysupport/s/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

Document Information

Modified date:
14 February 2023

UID

ibm16594853