PCI Compliance

Abstract

PCI Compliance

Content

The Payment Card Industry Data Security Standard (PCI DSS) is a set of specific security standards designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment during and after a financial transaction.

Adhering to the specific security standards documented in the PCI DSS is what makes a component PCI-compliant.

The IBM HTTP Server for i (powered by Apache) is a PCI-compliant web server. Known Apache security vulnerabilities are patched via PTFs on IBM i; the tables below list, per release, each CVE and the PTF(s) that deliver the fix. A server is only covered for a given CVE once the listed PTF(s) have been applied.

IBM i 7.5: Apache security vulnerabilities

IBM i 7.4: Apache security vulnerabilities

IBM i 7.3: Apache security vulnerabilities

IBM i 7.2: Apache security vulnerabilities

IBM i 7.1: Apache security vulnerabilities

Notice: On May 31, 2022, the Apache 2.4 server delivered with IBM i HTTP Server (5770DG1) on IBM i 7.2 goes out of support. No CVE fixes will be delivered for it after that date. To ensure you remain on a fully supported and compliant web server, plan a move to IBM i 7.3 or higher.
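Because the applied PTF level is what actually closes a CVE, the practical check is to compare the PTFs installed on a partition against the tables below. The Python below is an added example and not IBM's code: it encodes a few rows of the 7.4 and 7.5 tables and reports which CVEs are still unaddressed, given a PTF status map (on a real system, take it from DSPPTF or the QSYS2.PTF_INFO service) and group PTF levels (from WRKPTFGRP or QSYS2.GROUP_PTF_INFO). It reads the page's "SF99952 level 2" notation as "HTTP group PTF SF99952 at level 2 or later"; that reading, the status names, and the supersede chain in the sample are assumptions, and all sample data is constructed.

```python
"""Added example: check installed PTFs against the CVE/PTF tables on this page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fix:
    cve: str
    ptfs: tuple = ()          # individual PTFs; every one listed is required
    group: str = ""           # or a group PTF name ...
    group_level: int = 0      # ... that must be at this level or higher


# Rows taken from the IBM i 7.4 table on this page. Where the page lists two
# PTFs for one CVE (CVE-2021-44224), both must be applied.
FIXES_74 = (
    Fix("CVE-2022-22720", ptfs=("SI80014",)),
    Fix("CVE-2022-22721", ptfs=("SI80014",)),
    Fix("CVE-2021-44224", ptfs=("SI78295", "SI78296")),
    Fix("CVE-2021-40438", ptfs=("SI77906",)),
    Fix("CVE-2021-34798", ptfs=("SI77906",)),
    Fix("CVE-2019-10092", ptfs=("SI71097",)),
)

# Rows from the IBM i 7.5 table: fixes delivered by HTTP group PTF level
# (assumption: "SF99952-level2" means group SF99952 at level 2 or later).
FIXES_75 = (
    Fix("CVE-2022-22720", group="SF99952", group_level=2),
    Fix("CVE-2022-22721", group="SF99952", group_level=2),
)

# PTF statuses that mean the fix is actually active. Assumption: these are the
# applied states as DSPPTF / QSYS2.PTF_INFO report them. A PTF that is merely
# LOADED is not active, and a SUPERSEDED PTF only counts once its superseder is.
ACTIVE = {"APPLIED", "TEMPORARILY APPLIED", "PERMANENTLY APPLIED"}


def ptf_is_active(ptf, status, superseded_by):
    """True if ptf is applied, or a PTF that (transitively) supersedes it is."""
    seen = set()
    while ptf and ptf not in seen:
        if status.get(ptf) in ACTIVE:
            return True
        seen.add(ptf)
        ptf = superseded_by.get(ptf)   # follow the supersede chain, if any
    return False


def unaddressed(fixes, status, group_levels, superseded_by=None):
    """Map each CVE whose fix is not active on this system to the reason."""
    superseded_by = superseded_by or {}
    missing = {}
    for fix in fixes:
        if fix.group:
            level = group_levels.get(fix.group, 0)   # 0: group not installed
            if level < fix.group_level:
                missing[fix.cve] = f"{fix.group} at level {level}, need {fix.group_level}"
            continue
        absent = [p for p in fix.ptfs if not ptf_is_active(p, status, superseded_by)]
        if absent:
            missing[fix.cve] = "PTF not applied: " + ", ".join(absent)
    return missing


# Constructed sample of a 7.4 partition: SI80014 applied, SI78295 only loaded,
# SI77906 never loaded but (assumption for the sample) superseded by SI80014.
# On a real system take the supersede chain from the PTF cover letters.
SAMPLE_STATUS_74 = {
    "SI80014": "TEMPORARILY APPLIED",
    "SI78295": "LOADED",
    "SI78296": "PERMANENTLY APPLIED",
    "SI71097": "PERMANENTLY APPLIED",
}
SAMPLE_SUPERSEDES_74 = {"SI77906": "SI80014"}

# Constructed sample of a 7.5 partition whose HTTP group PTF is still at level 1.
SAMPLE_GROUPS_75 = {"SF99952": 1}


if __name__ == "__main__":
    for cve, why in sorted(unaddressed(FIXES_74, SAMPLE_STATUS_74, {}, SAMPLE_SUPERSEDES_74).items()):
        print(f"7.4 {cve}: {why}")
    for cve, why in sorted(unaddressed(FIXES_75, {}, SAMPLE_GROUPS_75).items()):
        print(f"7.5 {cve}: {why}")
```

On the sample 7.4 data only CVE-2021-44224 is reported, because SI78295 is loaded but not applied; CVE-2021-40438 and CVE-2021-34798 are not reported because their PTF is covered by the superseding SI80014, which is the usual reason a naive "is SI77906 applied?" check produces false positives. On the 7.5 sample both CVEs are reported until the group PTF reaches level 2.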

IBM i 7.5: Apache security vulnerabilities:

CVE | Description | Severity | Status on IBM i | PTF(s)
CVE-2022-22720 | HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier | important | Fixed | SF99952 level 2
CVE-2022-22721 | core: possible buffer overflow with very large or unlimited LimitXMLRequestBody | low | Fixed | SF99952 level 2

IBM i 7.4: Apache security vulnerabilities:

CVE | Description | Severity | Status on IBM i | PTF(s)
CVE-2022-22720 | HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier | important | Fixed | SI80014
CVE-2022-22721 | core: possible buffer overflow with very large or unlimited LimitXMLRequestBody | low | Fixed | SI80014
CVE-2021-44224 | Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier | moderate | Fixed | SI78295, SI78296
CVE-2021-40438 | mod_proxy SSRF | high | Fixed | SI77906
CVE-2021-39275 | ap_escape_quotes buffer overflow | low | Fixed | SI77906
CVE-2021-34798 | NULL pointer dereference in HTTPd core | moderate | Fixed | SI77906
CVE-2019-17567 | mod_proxy_wstunnel tunneling of non-Upgraded connections | moderate | Fixed | SI76706
CVE-2020-13950 | mod_proxy_http NULL pointer dereference | low | Fixed | SI76706
CVE-2021-30641 | Unexpected URL matching with 'MergeSlashes OFF' | moderate | Fixed | SI76706
CVE-2021-31618 | NULL pointer dereference on specially crafted HTTP/2 request | important | Fixed | SI76700
CVE-2020-11993 | mod_http2 concurrent pool usage (trace/debug logging on the wrong connection) | moderate | Fixed | SI74088
CVE-2020-9490 | Push diary crash on specifically crafted HTTP/2 header | important | Fixed | SI74088
CVE-2020-1927 | mod_rewrite CWE-601 open redirect | low | Fixed | SI73415
CVE-2020-1934 | mod_proxy_ftp use of uninitialized value | low | Fixed | SI73415
CVE-2019-10092 | Limited cross-site scripting in mod_proxy error page | low | Fixed | SI71097
CVE-2019-10098 | mod_rewrite potential open redirect | low | Fixed | SI71097
CVE-2019-10082 | mod_http2 read-after-free in h2 connection shutdown | moderate | Fixed | SI70962
CVE-2019-10081 | mod_http2 memory corruption on early pushes | moderate | Fixed | SI70962
CVE-2019-9517 | mod_http2 DoS attack by exhausting h2 workers | moderate | Fixed | SI70961
CVE-2019-0220 | Apache HTTPd URL normalization inconsistency | low | Fixed | SI69187
CVE-2019-0196 | mod_http2 read-after-free on a string compare | low | Fixed | SI69189
CVE-2019-0197 | mod_http2 possible crash on late upgrade | low | Fixed | SI69189

IBM i 7.3: Apache security vulnerabilities:

CVE | Description | Severity | Status on IBM i | PTF(s)
CVE-2022-22720 | HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier | important | Fixed | SI79641
CVE-2022-22721 | core: possible buffer overflow with very large or unlimited LimitXMLRequestBody | low | Fixed | SI79641
CVE-2021-44224 | Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier | moderate | Fixed | SI78298, SI78299
CVE-2021-40438 | mod_proxy SSRF | high | Fixed | SI77576
CVE-2021-39275 | ap_escape_quotes buffer overflow | low | Fixed | SI77576
CVE-2021-34798 | NULL pointer dereference in HTTPd core | moderate | Fixed | SI77576
CVE-2019-17567 | mod_proxy_wstunnel tunneling of non-Upgraded connections | moderate | Fixed | SI76831
CVE-2020-13950 | mod_proxy_http NULL pointer dereference | low | Fixed | SI76831
CVE-2021-30641 | Unexpected URL matching with 'MergeSlashes OFF' | moderate | Fixed | SI76831
CVE-2021-31618 | NULL pointer dereference on specially crafted HTTP/2 request | important | Fixed | SI76820
CVE-2020-11993 | mod_http2 concurrent pool usage (trace/debug logging on the wrong connection) | moderate | Fixed | SI74087
CVE-2020-9490 | Push diary crash on specifically crafted HTTP/2 header | important | Fixed | SI74087
CVE-2020-11985 | IP address spoofing when proxying using mod_remoteip and mod_rewrite | low | Fixed | SI74074
CVE-2020-1927 | mod_rewrite CWE-601 open redirect | low | Fixed | SI72840
CVE-2020-1934 | mod_proxy_ftp use of uninitialized value | low | Fixed | SI72840
CVE-2019-10092 | Limited cross-site scripting in mod_proxy error page | low | Fixed | SI71052
CVE-2019-10098 | mod_rewrite potential open redirect | low | Fixed | SI71052
CVE-2019-10082 | mod_http2 read-after-free in h2 connection shutdown | moderate | Fixed | SI70964
CVE-2019-10081 | mod_http2 memory corruption on early pushes | moderate | Fixed | SI70964
CVE-2019-9517 | mod_http2 DoS attack by exhausting h2 workers | moderate | Fixed | SI70970
CVE-2019-0220 | Apache HTTPd URL normalization inconsistency | low | Fixed | SI69900
CVE-2019-0196 | mod_http2 read-after-free on a string compare | low | Fixed | SI69828
CVE-2019-0197 | mod_http2 possible crash on late upgrade | low | Fixed | SI69828
CVE-2018-17189 | DoS for HTTP/2 connections via slow request bodies | low | Fixed | SI68962
CVE-2018-11763 | DoS for HTTP/2 connections by continuous SETTINGS | low | Fixed | SI68430
CVE-2018-1333 | DoS for HTTP/2 connections by crafted requests | low | Fixed | SI68124
CVE-2018-1301 | Possible out-of-bounds access after failure in reading the HTTP request | low | Fixed | SI67362
CVE-2017-15715 | <FilesMatch> bypass with a trailing newline in the file name | low | Fixed | SI67362
CVE-2017-12618 | Out-of-bounds access in corrupted SDBM database | moderate | Fixed | SI66488
CVE-2017-12613 | Out-of-bounds array dereference in apr_time_exp*() functions | important | Fixed | SI66479
CVE-2017-9798 | Use-after-free when using <Limit> with an unrecognized method in .htaccess ("OptionsBleed") | low | Fixed | SI65906
CVE-2017-7679 | mod_mime buffer overread | important | Fixed | SI65194
CVE-2017-7668 | ap_find_token() buffer overread | important | Fixed | SI65194
CVE-2017-3167 | ap_get_basic_auth_pw() authentication bypass | important | Fixed | SI65194, SI65201
CVE-2016-8743 | Apache HTTP request parsing whitespace defects | important | Fixed | SI63997
CVE-2016-4975 | mod_userdir CRLF injection | moderate | Fixed | SI63997
CVE-2016-0718 | Expat XML parser crashes on malformed input | moderate | Fixed | SF99722 level 5
CVE-2016-5387 | HTTP_PROXY environment variable "httpoxy" mitigation | low | Fixed | SF99722 level 5


IBM i 7.2: Apache security vulnerabilities:

CVE | Description | Severity | Status on IBM i | PTF(s)
CVE-2022-22721 | core: possible buffer overflow with very large or unlimited LimitXMLRequestBody | low | Fixed | SI79640
CVE-2022-22720 | HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier | important | Fixed | SI79640
CVE-2021-44224 | Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier | moderate | Fixed | SI78297
CVE-2021-40438 | mod_proxy SSRF | high | Fixed | SI77594
CVE-2021-39275 | ap_escape_quotes buffer overflow | low | Fixed | SI77594
CVE-2021-34798 | NULL pointer dereference in HTTPd core | moderate | Fixed | SI77594
CVE-2019-17567 | mod_proxy_wstunnel tunneling of non-Upgraded connections | moderate | Fixed | SI77099
CVE-2020-13950 | mod_proxy_http NULL pointer dereference | low | Fixed | SI77099
CVE-2021-30641 | Unexpected URL matching with 'MergeSlashes OFF' | moderate | Fixed | SI77099
CVE-2020-11985 | IP address spoofing when proxying using mod_remoteip and mod_rewrite | low | Fixed | SI74073
CVE-2020-1927 | mod_rewrite CWE-601 open redirect | low | Fixed | SI72748
CVE-2020-1934 | mod_proxy_ftp use of uninitialized value | low | Fixed | SI72748
CVE-2019-10092 | Limited cross-site scripting in mod_proxy error page | low | Fixed | SI71028
CVE-2019-10098 | mod_rewrite potential open redirect | low | Fixed | SI71028
CVE-2019-0220 | Apache HTTPd URL normalization inconsistency | low | Fixed | SI69901
CVE-2018-1301 | Possible out-of-bounds access after failure in reading the HTTP request | low | Fixed | SI67357
CVE-2017-15715 | <FilesMatch> bypass with a trailing newline in the file name | low | Fixed | SI67357
CVE-2017-12618 | Out-of-bounds access in corrupted SDBM database | moderate | Fixed | SI66490
CVE-2017-12613 | Out-of-bounds array dereference in apr_time_exp*() functions | important | Fixed | SI66345
CVE-2017-9798 | Use-after-free when using <Limit> with an unrecognized method in .htaccess ("OptionsBleed") | low | Fixed | SI65915
CVE-2017-7679 | mod_mime buffer overread | important | Fixed | SI65279
CVE-2017-7668 | ap_find_token() buffer overread | important | Fixed | SI65279
CVE-2017-3167 | ap_get_basic_auth_pw() authentication bypass | important | Fixed | SI65279, SI65280
CVE-2016-8743 | Apache HTTP request parsing whitespace defects | important | Fixed | SI64140
CVE-2016-4975 | mod_userdir CRLF injection | moderate | Fixed | SI64140
CVE-2016-0718 | Expat XML parser crashes on malformed input | moderate | Fixed | SI61648
CVE-2016-5387 | HTTP_PROXY environment variable "httpoxy" mitigation | low | Fixed | SI62159
CVE-2015-1283 | XML_GetBuffer Expat buffer overflow | low | Fixed | SI57960
CVE-2015-0253 | Crash in ErrorDocument 400 handling | low | Fixed | SI58157
CVE-2015-3183 | HTTP request smuggling attack against chunked request parser | low | Fixed | SI57806
CVE-2015-3185 | ap_some_auth_required API unusable | low | Fixed | SI57806
CVE-2013-5704 | HTTP Trailers processing bypass | low | Fixed | SI55722
CVE-2014-3581 | mod_cache crash with empty Content-Type header | low | Fixed | SI55552
CVE-2014-0118 | mod_deflate denial of service | moderate | Fixed | SI54023
CVE-2014-0098 | mod_log_config crash | low | Fixed | SI52811
CVE-2013-6438 | mod_dav crash | moderate | Fixed | SI52821
CVE-2013-1896 | mod_dav crash | moderate | Fixed | SI52821
CVE-2012-3499 | Various XSS flaws due to unescaped hostnames and URIs in HTML output | low | Fixed | SI51122
CVE-2012-4558 | An XSS flaw in the mod_proxy_balancer manager interface | moderate | Fixed | SI51122
CVE-2012-2687 | XSS in mod_negotiation when untrusted uploads are supported | low | Fixed | SI51122


IBM i 7.1: Apache security vulnerabilities:

For the oldest entries the page gives no PTF number; those rows are marked "(none listed)".

CVE | Description | Severity | Status on IBM i | PTF(s)
CVE-2017-12618 | Out-of-bounds access in corrupted SDBM database | moderate | Fixed | SI66487
CVE-2017-12613 | Out-of-bounds array dereference in apr_time_exp*() functions | important | Fixed | SI66472
CVE-2017-9798 | Use-after-free when using <Limit> with an unrecognized method in .htaccess ("OptionsBleed") | low | Fixed | SI65939
CVE-2017-7679 | mod_mime buffer overread | important | Fixed | SI65281
CVE-2017-7668 | ap_find_token() buffer overread | important | Fixed | SI65281
CVE-2017-3167 | ap_get_basic_auth_pw() authentication bypass | important | Fixed | SI65281, SI65282
CVE-2016-8743 | Apache HTTP request parsing whitespace defects | important | Fixed | SI63670
CVE-2016-4975 | mod_userdir CRLF injection | moderate | Fixed | SI63670
CVE-2016-0718 | Expat XML parser crashes on malformed input | moderate | Fixed | SI61649
CVE-2016-5387 | HTTP_PROXY environment variable "httpoxy" mitigation | low | Fixed | SI61471
CVE-2015-1283 | XML_GetBuffer Expat buffer overflow | low | Fixed | SI57962
CVE-2015-3183 | HTTP request smuggling attack against chunked request parser | low | Fixed | SI57763
CVE-2013-5704 | HTTP Trailers processing bypass | low | Fixed | SI55746
CVE-2007-6750 | "Slowloris" denial of service attack due to the lack of the mod_reqtimeout module | moderate | Fixed | SI53684, SI53701
CVE-2014-0118 | mod_deflate denial of service | moderate | Fixed | SI54022
CVE-2014-0098 | mod_log_config crash | low | Fixed | SI52916
CVE-2013-6438 | mod_dav crash | moderate | Fixed | SI52602
CVE-2013-1896 | mod_dav crash | moderate | Fixed | SI50824
CVE-2013-1862 | mod_rewrite log escape filtering | low | Fixed | SI50403
CVE-2012-4558 | An XSS flaw in the mod_proxy_balancer manager interface | moderate | Fixed | SI49746
CVE-2012-3499 | Various XSS flaws due to unescaped hostnames and URIs in HTML output | low | Fixed | SI49746
CVE-2012-2687 | XSS in mod_negotiation when untrusted uploads are supported | low | Fixed | SI47606
CVE-2012-0053 | Error responses can expose cookies | moderate | Fixed | SI45900
CVE-2012-0031 | Scoreboard parent DoS | low | Fixed | SI45900
CVE-2012-0021 | mod_log_config crash | low | Fixed | SI52916
CVE-2011-4317 | mod_proxy reverse proxy exposure | moderate | Fixed | SI45438
CVE-2011-3639 | mod_proxy reverse proxy exposure | moderate | Fixed | SI45438
CVE-2011-3607 | Integer overflow in ap_pregsub() leads to buffer overflow | moderate | Fixed | SI45438
CVE-2011-3368 | mod_proxy reverse proxy exposure | moderate | Fixed | SI44812
CVE-2011-3192 | Byte range filter DoS | low | Fixed | SI44630
CVE-2011-1928 | apr_fnmatch high CPU utilization | low | Fixed | SI43722
CVE-2011-0419 | apr_fnmatch DoS (mod_autoindex) | low | Fixed | SI43722
CVE-2010-1623 | apr_brigade_split_line DoS | low | Fixed | SI41367
CVE-2010-2068 | Timeout detection flaw (mod_proxy_http) | important | Fixed | SI40534
CVE-2010-1452 | mod_cache and mod_dav DoS | low | Fixed | SI40534
CVE-2010-0434 | Subrequest handling of request headers (mod_headers) | low | Fixed | SI38640
CVE-2009-3555 | TLS/SSL handshake renegotiation | low | Fixed | MF48823
CVE-2009-3094 | mod_proxy_ftp DoS | low | Fixed | SI36656
CVE-2009-3095 | mod_proxy_ftp FTP command injection | low | Fixed | SI36656
CVE-2009-2412 | APR apr_palloc heap overflow | low | Fixed | SI36656
CVE-2009-1890 | mod_proxy reverse proxy DoS | important | Fixed | (none listed)
CVE-2009-1891 | mod_deflate DoS | low | Fixed | (none listed)
CVE-2009-1195 | AllowOverride Options handling bypass | low | Fixed | (none listed)
CVE-2009-1956 | APR-util off-by-one overflow | moderate | Fixed | (none listed)
CVE-2009-1955 | APR-util XML DoS | moderate | Fixed | (none listed)
CVE-2009-0023 | APR-util heap underwrite | moderate | Fixed | (none listed)
CVE-2007-1863 | mod_cache proxy DoS | moderate | Fixed | (none listed)
CVE-2007-1862 | mod_cache information leak | moderate | Fixed | (none listed)
CVE-2007-3304 | Signals to arbitrary processes | moderate | Fixed | (none listed)
CVE-2006-5752 | mod_status cross-site scripting | moderate | Fixed | (none listed)
CVE-2007-3847 | mod_proxy crash | moderate | Fixed | (none listed)
CVE-2007-5000 | mod_imagemap XSS | moderate | Fixed | (none listed)
CVE-2007-6388 | mod_status XSS | moderate | Fixed | (none listed)
CVE-2007-6421 | mod_proxy_balancer XSS | low | Fixed | (none listed)
CVE-2007-6422 | mod_proxy_balancer DoS | low | Fixed | (none listed)
CVE-2008-0005 | mod_proxy_ftp UTF-7 XSS | low | Fixed | (none listed)
CVE-2008-2364 | mod_proxy_http DoS | moderate | Fixed | (none listed)
CVE-2007-6420 | mod_proxy_balancer CSRF | low | Fixed | (none listed)
CVE-2008-2939 | mod_proxy_ftp globbing XSS | low | Fixed | (none listed)

Document Information

Modified date:
13 June 2022

UID

ibm11170946