IBM Support

PH46897:Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server (CVE-2022-26377 CVSS 7.3 and more)

Abstract

Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server (CVE-2022-26377 CVSS 7.3 and more)

Download Description


This fix is superseded by later interim fixes.

For Linux, Windows, AIX, Solaris, and HP-UX, the interim fix for this APAR has been superseded by a later interim fix: download and install the interim fix for PH49572 to resolve this APAR. As of 5 October 2022, the PH46897 interim fix should be used only on z/OS.


PH46897 resolves the following problems:
 
  • CVE-2022-26377
  • CVE-2022-28614
  • CVE-2022-28615
  • CVE-2022-29404 
  • CVE-2022-30556 
  • CVE-2022-31813

ERROR DESCRIPTION:
Confidential for Security Integrity ifix for CVE-2022-26377 (and more)

PROBLEM SUMMARY:
Confidential for Security Integrity ifix for CVE-2022-26377 (and more)

PROBLEM CONCLUSION:
Confidential for CVE-2022-26377

The fix for this APAR is currently targeted for inclusion
in fix packs 8.5.5.23 and 9.0.5.13

For more information, see 'Recommended Updates for WebSphere Application Server':
http://www.ibm.com/support/docview.wss?rs=180&uid=swg2700498
This fix supersedes (includes) all previously published security fixes for the affected fix packs: PH44271, PH44829, PH43122, PH42030, and PH42072, where applicable.
The fixes for 7.0 and 8.0 supersede every prior 7.0 and 8.0 security fix.

Behavior Change Warning:
As a result of this APAR, IBM HTTP Server now limits HTTP request bodies to 1 Gigabyte by default; previously there was no limit.
The limit can be raised with the LimitRequestBody directive. Raise it only where it is needed, within a limited scope such as a <Location> container, rather than changing it globally.

Mitigations and affected configurations:
  • CVE-2022-26377 
    • IBM HTTP Server configurations with "mod_proxy_ajp"  loaded and configured are affected. This module is not provided in the 9.0 release.
  • CVE-2022-28614 & CVE-2022-28615
    • IBM HTTP Server configurations with "mod_lua" loaded and configured, or with any third-party modules loaded, may be affected.
  • CVE-2022-29404 (9.0 only)
    • IBM HTTP Server configurations with "mod_lua" loaded and configured may be affected.
  • CVE-2022-30556 (9.0 only)
    • IBM HTTP Server configurations with "mod_lua" loaded and configured may be affected. 
  • CVE-2022-31813
    • IBM HTTP Server configurations with "mod_proxy_http" loaded and configured, where the backend server depends on the X-Forwarded-For header for security purposes, are affected.
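The affected-configuration list above and the LimitRequestBody behavior change both come down to two things in httpd.conf: which modules are loaded, and where the body limit is set. The following POSIX shell audit is an added example, not code from IBM or from this page; it reports which of the six CVEs fixed by PH46897 a given configuration is exposed to (judged by LoadModule lines) and flags a global LimitRequestBody increase above the new 1 GB default. The module names proxy_ajp_module, lua_module and proxy_http_module are the stock httpd names and are assumed to match what IBM HTTP Server uses; the file paths and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the IBM page or from IBM HTTP Server itself: audit
# an httpd.conf against the PH46897 affected-configuration notes and the new
# 1 GB LimitRequestBody default. Module names are the stock httpd names and
# are assumed to be what IHS uses; sample configs below are constructed.

# Report which of the six CVEs fixed by PH46897 a configuration is exposed
# to, judged only by which affected modules are loaded (commented-out
# LoadModule lines are ignored). CVE-2022-28614/28615 can also apply to
# third-party modules, and CVE-2022-31813 depends on the backend trusting
# X-Forwarded-For, so those are reported with a caveat.
affected_cves() {
    conf="$1"
    sed 's/#.*//' "$conf" | awk '$1 == "LoadModule" { print $2 }' |
    while read -r mod; do
        case "$mod" in
            proxy_ajp_module)
                echo "CVE-2022-26377" ;;
            lua_module)
                printf '%s\n' "CVE-2022-28614 (also any third-party module)" \
                              "CVE-2022-28615 (also any third-party module)" \
                              "CVE-2022-29404 (9.0 only)" \
                              "CVE-2022-30556 (9.0 only)" ;;
            proxy_http_module)
                echo "CVE-2022-31813 (only if the backend trusts X-Forwarded-For)" ;;
        esac
    done | sort -u
}

# List every LimitRequestBody directive with its scope. A directive inside a
# <Location>, <Directory>, <Files> or <VirtualHost> container is "scoped";
# anything else (including inside <IfModule>) is "global". A global value of
# 0 (unlimited in httpd) or above the 1 GB default is flagged.
limit_request_body_scope() {
    conf="$1"
    sed 's/#.*//' "$conf" | awk '
        /^[[:space:]]*<(Location|Directory|Files|VirtualHost)/   { depth++ }
        /^[[:space:]]*<\/(Location|Directory|Files|VirtualHost)/ { depth-- }
        $1 == "LimitRequestBody" {
            scope = (depth > 0) ? "scoped" : "global"
            flag  = ""
            if (scope == "global" && ($2 == 0 || $2 > 1073741824))
                flag = "  WARNING: global increase above the 1 GB default"
            print scope, $2 flag
        }'
}

# Constructed sample: mod_lua and mod_proxy_http loaded, mod_proxy_ajp only
# commented out, body limit raised only under /upload (the recommended shape).
good_conf="${TMPDIR:-/tmp}/ph46897-good.conf"
cat > "$good_conf" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule lua_module modules/mod_lua.so
LimitRequestBody 1073741824
<Location /upload>
    LimitRequestBody 4294967296
</Location>
EOF

# Constructed sample of the pattern the page warns against: the limit
# disabled globally (0 = unlimited) with mod_proxy_ajp loaded.
bad_conf="${TMPDIR:-/tmp}/ph46897-bad.conf"
cat > "$bad_conf" <<'EOF'
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LimitRequestBody 0
EOF

for c in "$good_conf" "$bad_conf"; do
    echo "== $c"
    affected_cves "$c"
    limit_request_body_scope "$c"
done
```

Run it against a real httpd.conf by calling the two functions on that path; note that it does not follow Include directives, so run it on each included file as well, and that the mod_proxy_ajp result is moot on 9.0, where the module is not shipped.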

Prerequisites

None

Installation Instructions

Review the readme.txt for detailed installation instructions.

URL                    SIZE (Bytes)
V90 readme             2146
V85 readme             2091
V80 readme             2154
V70 readme             5172
V90 readme (Archive)   1501

Download Package

IMPORTANT NOTE:
WebSphere Application Server and Liberty fix access requires S&S Entitlement in 2021. Use properly registered IDs to download the fixes in this table.

DOWNLOAD                                      RELEASE DATE   SIZE (Bytes)   LINK
IBM Installation Manager packages
9.0.5.11-WS-WASIHS-IFPH46897 (z/OS only)      14 June 2022   24272849       FC
9.0.5.12-WS-WASIHS-IFPH46897 (z/OS only)      14 June 2022   12851109       FC
8.5.5.20-WS-WASIHS-IFPH46897 (z/OS only)      14 June 2022   45950706       FC
8.5.5.21-WS-WASIHS-IFPH46897 (z/OS only)      14 June 2022   24233643       FC
8.5.5.22-WS-WASIHS-IFPH46897 (z/OS only)      21 July 2022   13750801       FC
WebSphere Update Installer packages
8.0.0.15-WS-WASIHS-IFPH46897 (z/OS only)      14 June 2022   76387706       FC

Problems Solved

PH44271, PH44829, PH43122, PH42030, PH42072

Known Side Effects

See the Behavior Change Warning under Download Description: IBM HTTP Server now limits HTTP request bodies to 1 Gigabyte by default, adjustable with the LimitRequestBody directive.

Change History

  • Oct 5 2022: With the release of PH49572, this interim fix is superseded on all platforms except z/OS.


Technical Support

Contact IBM Support at https://www.ibm.com/software/mysupport/s/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

Product: IBM HTTP Server (SSEQTP), component IBM HTTP Server, Edition: Base
Platforms: AIX, HP-UX, Linux, Solaris, Windows, z/OS
Versions: 7.0.0.45; 8.0.0.15; 8.5.5.20; 8.5.5.21; 9.0.5.11; 9.0.5.12

Document Information

Modified date:
05 October 2022

UID

ibm16594853