IBM Support

IBM HTTP Server is vulnerable to denial of service due to libexpat (CVE-2022-43680 CVSS 7.5, CVE-2013-0340 CVSS 4.3, CVE-2017-9233 CVSS 5.3)


Abstract

IBM HTTP Server is vulnerable to denial of service due to libexpat (CVE-2022-43680 CVSS 7.5, CVE-2013-0340 CVSS 4.3, CVE-2017-9233 CVSS 5.3)

Download Description

This fix is superseded by later interim fixes.

The interim fix for this APAR has been superseded by a later interim fix. Download and install the interim fix for PH51982 to resolve this APAR. 

PH50316 resolves the following problem:

ERROR DESCRIPTION:
IBM HTTP Server is vulnerable to denial of service due to libexpat (CVE-2022-43680 CVSS 7.5, CVE-2013-0340 CVSS 4.3, CVE-2017-9233 CVSS 5.3)

PROBLEM CONCLUSION:
Confidential for CVE-2022-43680, CVE-2013-0340, CVE-2017-9233

The fix for this APAR is currently targeted for inclusion
in fix packs 8.5.5.23 and 9.0.5.15

For more information, see 'Recommended Updates for WebSphere Application Server':
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

This fix supersedes (includes) prior fixes depending on the base fix pack, including PH49572 PH47792 PH46897 PH44829 PH44271 PH43122 where applicable. Consult the individual fixes on Fix Central for specifics.
This fix is superseded by the fix for PH51982.
Mitigations and affected configurations:
 
  • CVE-2022-43680, CVE-2013-0340, CVE-2017-9233
    • IBM HTTP Server on z/OS is not vulnerable, the expat library is not included in IHS on z/OS.
      • The IBM Installation Manager fixes for this APAR allow installation on z/OS so that prior installable fixes can be superseded on all platforms.
    • IBM HTTP Server without third-party modules added to the server is not vulnerable.
      • If third-party modules are present, a third-party module that uses the expat library may be vulnerable if it calls expat in the way described by the listed CVEs.

Prerequisites

None

Installation Instructions

Review the readme.txt for detailed installation instructions.

README file               Size (bytes)
V90 IM readme file        2050
V85 IM readme file        1894
V90 Archive readme file   1306
V80 IM readme file        1968
V70 UPDI readme file      4986


Problems Solved

PH50316, PH46897, PH49572

Known Side Effects

Behavior Change Warning:
As a result of APAR PH46897, included in this interim fix, IBM HTTP Server now limits HTTP request bodies to 1 Gigabyte by default. Previously, there was no limit.
The limit can be increased with the LimitRequestBody directive. Users are encouraged to scope any increase narrowly, for example within a <Location> block, rather than raising it globally.
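An added example of scoping a LimitRequestBody increase to one path instead of raising it server-wide; this is illustrative configuration, not part of the fix or its readme. The byte value for the 1 GB default and the "/upload" and "/api/status" paths are assumptions.

```apache
# IBM HTTP Server (Apache httpd) configuration, added example only.
# Global default after PH46897: request bodies capped at 1 GB.
# Assumed to correspond to 1073741824 bytes; stating it explicitly
# documents the intent, but omitting the line gives the same default.
LimitRequestBody 1073741824

# Raise the cap only where large uploads are expected, not globally.
# "/upload" is an assumed path used for illustration.
<Location "/upload">
    # Value is in bytes: 1.5 GB for this location only
    LimitRequestBody 1610612736
</Location>

# Endpoints that never need a large body can be tightened further.
# "/api/status" is likewise an assumed path.
<Location "/api/status">
    LimitRequestBody 65536
</Location>
```

Requests to any other path keep the 1 GB default, so the exposure from an oversized body is confined to the locations that were deliberately widened.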

Change History

  • Nov 22 2022: Add 9.0.5.14 IM and Archive fixes
  • Feb 14 2023: Superseded by PH51982 https://www.ibm.com/support/pages/node/6955257

Technical Support

Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

Document Information

Modified date:
14 February 2023

UID

ibm16839115