Download
Downloadable File
| File link | File size | File description |
|---|---|---|
Abstract
IBM HTTP Server is vulnerable to HTTP response splitting due to the included Apache HTTP Server (CVE-2024-24795 CVSS 6.5, CVE-2023-38709 CVSS 6.5)
Download Description
PH60619 resolves the following problem:
ERROR DESCRIPTION:
Confidential for Security Integrity interim fix CVE-2023-38709, CVE-2024-24795
LOCAL FIX:
PROBLEM SUMMARY:
Confidential for Security Integrity interim fix CVE-2023-38709, CVE-2024-24795
PROBLEM CONCLUSION:
Confidential for CVE-2023-38709, CVE-2024-24795
The fix for this APAR is targeted for inclusion in 8.5.5.26, 9.0.5.20.
For more information, see Recommended Updates for WebSphere Application Server:
https://www.ibm.com/support/pages/node/715553
This fix supersedes (includes) the fix for PH59697, PH53014, PH57408 (for some 8.5.5.24, 8.5.5.25, and 9.0.5.18)
ERROR DESCRIPTION:
Confidential for Security Integrity interim fix CVE-2023-38709, CVE-2024-24795
LOCAL FIX:
PROBLEM SUMMARY:
Confidential for Security Integrity interim fix CVE-2023-38709, CVE-2024-24795
PROBLEM CONCLUSION:
Confidential for CVE-2023-38709, CVE-2024-24795
The fix for this APAR is targeted for inclusion in 8.5.5.26, 9.0.5.20.
For more information, see Recommended Updates for WebSphere Application Server:
https://www.ibm.com/support/pages/node/715553
This fix supersedes (includes) the fix for PH59697, PH53014, PH57408 (for some 8.5.5.24, 8.5.5.25, and 9.0.5.18)
Vulnerable Configurations
- CVE-2023-38709: Configurations that load HTTP proxy modules other than the WAS WebServer Plug-in and malicious or exploitable backend applications
- CVE-2024-24795: Configurations with mod_cgi, mod_cgid, or mod_proxy_fcgi and malicious or exploitable backend applications
- CVE-2023-52425 (from PH59697 superseded for 8.5.5.24, 8.5.5.25, and 9.0.5.18): Configurations that load mod_dav or any third-party modules, and have set LimitXMLRequestBody explicitly set to a value on the order of hundreds of megabytes or more, may be vulnerable.
Behavior Changes
- CVE-2024-24795: The Content-Length header on CGI responses is ignored. Set internal environment variable ap_trust_cgilike_cl to trust the Content-Length header from CGI and CGI-like modules.
- CVE-2023-52425 (from PH59697 superseded for 8.5.5.24, 8.5.5.25, and 9.0.5.18)
- The fix for the 8.5 releases imposes a hard limit of 100 megabytes on the LimitXMLRequestBody directive. The default limit remains at 1 megabyte.
- There is no behavior change for the 9.0 release.
- The fix for the 8.5 releases imposes a hard limit of 100 megabytes on the LimitXMLRequestBody directive. The default limit remains at 1 megabyte.
Prerequisites
None
Download Package
|
IMPORTANT NOTE:
|
WebSphere Application Server and Liberty fix access requires S&S Entitlement beginning in 2021. Use properly registered IDs to download the fixes in this table. Signature file is provided along with interim fix. See Verifying WebSphere Application Server release packages and Verifying Liberty release packages. |
| DOWNLOAD | RELEASE DATE | SIZE(Bytes) |
URL |
|---|---|---|---|
| IBM Installation Manager downloadable repositories | |||
| 9.0.5.19-WS-WASIHS-IFPH60619 | 09 April 2024 | 110151845 | FC |
| 9.0.5.18-WS-WASIHS-IFPH60619 | 10 April 2024 (updated, see changelog) |
110152315 | FC |
| 8.5.5.24-WS-WASIHS-IFPH60619 | 11 April 2024 (updated, see changelog) |
89864358 | FC |
| 8.5.5.25-WS-WASIHS-IFPH60619 | 11 April 2024 (updated, see changelog) |
89864110 | FC |
| IBM HTTP Server archive installs | |||
| aix-ppc64 | 09 April 2024 | 35884146 | FC |
| linux-x86_64 | 09 April 2024 | 26691903 | FC |
| linux-ppc64le | 09 April 2024 | 27123430 | FC |
| linux-s390x | 09 April 2024 | 29567964 | FC |
| win-x86 | 09 April 2024 | 33263137 | FC |
| win-x86_64 | 09 April 2024 | 35510746 | FC |
Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.
Problems Solved
PH60619, PH53014, PH57408
Change History
- April 10: Initial publish around 09:40 EDT (13:40 UTC)
- April 10: Add caution about 9.0.5.18 missing a supersedes (did not block installation)
- April 10: The 9.0.5.18 fix was replaced around 11:20 EDT (15230 UTC) to add supersedes information.
- April 11: 8.5.5.24 and 8.5.5.25 fixes were updated around 14:00 UTC to properly supersede PH57668, allowing them to be co-installed
On
Technical Support
Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).
Document Location
Worldwide
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSEQTP","label":"IBM HTTP Server"},"Component":"IBM HTTP Server","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"8.5.5.24;8.5.5.25;9.0.5.18;9.0.5.19","Edition":"Base","Line of Business":{"code":"LOB67","label":"IT Automation \u0026 App Modernization"}}]
Problems (APARS) fixed
Problems (APARS) fixed
Was this topic helpful?
Document Information
Modified date:
11 April 2024
UID
ibm17147814