Question & Answer
A vulnerabilty in OpenSSL or mod_ssl may or may not apply to IBM HTTP Server for a variety of reasons. Consult IHS recommended updates and bulletins for full details.
For any relevant security issues with IHS, users are encouraged to apply the latest IBM HTTP Server fix pack levels to ensure the web server is patched with latest security fixes.
Display of included Apache HTTP Server vulnerability fixes
The -V option of the httpd.exe command (Windows®) or the apachectl command (UNIX® and Linux®) will list the CVE ids of included vulnerability fixes in the server itself, but it will not list vulnerabilities from the GSKit TLS security library, where most OpennSSL-related vulnerabilities will be addressed.
C:\Program Files\IBM\HTTPServer\bin>apache -V
Server version: IBM_HTTP_Server/18.104.22.168-PI56034 (Win32)
Apache version: 2.4.12 (with additional fixes)
Server built: Apr 18 2016 20:28:53
Build level: RIHSX.IHS/webIHS1616.01
Server's Module Magic Number: 20120211:57
Server loaded: APR 1.5.1, APR-UTIL 1.5.2
Compiled using: APR 1.5.1, APR-UTIL 1.5.2
Operating System: Windows
Server MPM: WinNT
threaded: yes (fixed thread count)
Server compiled with....
-D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)
Apache vulnerability fixes included:
CVE-2009-1191 CVE-2009-1890 CVE-2009-3094 CVE-2009-3095
CVE-2010-0434 CVE-2010-0425 CVE-2010-0408 CVE-2009-3555
CVE-2010-1452 CVE-2010-1623 CVE-2011-3368 CVE-2011-3607
CVE-2011-3192 CVE-2011-3348 CVE-2011-4317 CVE-2012-0021
CVE-2012-0031 CVE-2012-0053 CVE-2012-0883 CVE-2012-2687
CVE-2012-3502 CVE-2012-4558 CVE-2012-3499 CVE-2013-2249
CVE-2013-1896 CVE-2013-4352 CVE-2013-6438 CVE-2014-0098
CVE-2014-0963 CVE-2014-0231 CVE-2014-0118 CVE-2014-0226
CVE-2014-3523 CVE-2014-0117 CVE-2013-5704 CVE-2014-8109
CVE-2014-3581 CVE-2014-3583 CVE-2015-0253 CVE-2015-3185
CVE-2015-3183 CVE-2015-1829 CVE-2014-8730 CVE-2015-0228
CVE-2015-4947 CVE-2015-1283 CVE-2015-7420 CVE-2016-0201
This list does not necessarily include vulnerabilities which do not apply to IBM HTTP Server on any platform, such as mod_ssl vulnerabilities.
It does not necessarily include vulnerabilities already fixed in the base level of Apache included in IBM HTTP Server.
04 December 2019