IBM Support

PH60619: IBM HTTP Server is vulnerable to HTTP response splitting due to the included Apache HTTP Server (CVE-2024-24795 CVSS 6.5, CVE-2023-38709 CVSS 6.5)


Abstract

IBM HTTP Server is vulnerable to HTTP response splitting due to the included Apache HTTP Server (CVE-2024-24795 CVSS 6.5, CVE-2023-38709 CVSS 6.5)

Download Description


This fix is superseded by later interim fixes.
The interim fix for this APAR has been superseded by a later interim fix. Download and install the interim fix for PH61893 to resolve this APAR.

PH60619 resolves the following problem:

ERROR DESCRIPTION:
Confidential for Security Integrity interim fix CVE-2023-38709, CVE-2024-24795


LOCAL FIX:

PROBLEM SUMMARY:
Confidential for Security Integrity interim fix CVE-2023-38709, CVE-2024-24795


PROBLEM CONCLUSION:
Confidential for CVE-2023-38709, CVE-2024-24795

The fix for this APAR is targeted for inclusion in 8.5.5.26, 9.0.5.20.

For more information, see Recommended Updates for WebSphere Application Server:
https://www.ibm.com/support/pages/node/715553

This fix supersedes (includes) the fixes for PH59697, PH53014, and PH57408 (for some of 8.5.5.24, 8.5.5.25, and 9.0.5.18).

Vulnerable Configurations

  • CVE-2023-38709: Configurations that load HTTP proxy modules other than the WAS WebServer Plug-in and have malicious or exploitable backend applications.
  • CVE-2024-24795: Configurations with mod_cgi, mod_cgid, or mod_proxy_fcgi and malicious or exploitable backend applications.
  • CVE-2023-52425 (from PH59697, superseded for 8.5.5.24, 8.5.5.25, and 9.0.5.18): Configurations that load mod_dav or any third-party modules and have LimitXMLRequestBody explicitly set to a value on the order of hundreds of megabytes or more may be vulnerable.

Behavior Changes

  • CVE-2024-24795: The Content-Length header on CGI responses is ignored. Set the internal environment variable ap_trust_cgilike_cl to trust the Content-Length header from CGI and CGI-like modules.
  • CVE-2023-52425 (from PH59697, superseded for 8.5.5.24, 8.5.5.25, and 9.0.5.18):
    • The fix for the 8.5 releases imposes a hard limit of 100 megabytes on the LimitXMLRequestBody directive. The default limit remains at 1 megabyte.
    • There is no behavior change for the 9.0 release.
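The following Python script is an added example, not IBM's or the Apache project's code: it reads an httpd.conf and reports which of the vulnerable configurations above it matches, what LimitXMLRequestBody will be in force once the fix is applied, and whether the CGI Content-Length header will still be trusted. The Apache proxy module names, the module names assumed for the WAS WebServer Plug-in, the heuristic for "third-party modules" (anything loaded from outside the server's own modules/ directory), the reading of "100 megabytes" as 100 × 1024 × 1024 bytes, and the sample configuration are all assumptions made for the example.

```python
"""Audit an httpd.conf against the vulnerable configurations and behavior
changes listed in the PH60619 advisory.

Added example; not IBM's or the Apache project's code.  It assumes the
standard httpd.conf directive syntax (LoadModule, LimitXMLRequestBody,
SetEnv), standard Apache module names and a constructed sample config."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# CVE-2023-38709: HTTP proxy modules other than the WAS WebServer Plug-in.
# Standard Apache proxy module names (assumed list; extend as needed).
PROXY_MODULES = {
    "proxy_module", "proxy_http_module", "proxy_ajp_module", "proxy_fcgi_module",
    "proxy_scgi_module", "proxy_uwsgi_module", "proxy_balancer_module",
}
# Module names under which the WAS WebServer Plug-in is loaded (assumed).
WAS_PLUGIN_MODULES = {"was_ap24_module", "was_ap22_module"}
# CVE-2024-24795: the CGI and CGI-like modules named in the advisory.
CGI_LIKE_MODULES = {"cgi_module", "cgid_module", "proxy_fcgi_module"}

DEFAULT_XML_LIMIT = 1_000_000          # httpd's documented LimitXMLRequestBody default
HARD_XML_LIMIT_85 = 100 * 1024 * 1024  # the "100 megabytes" cap of the 8.5 fix (assumed binary MB)


@dataclass
class HttpdConfig:
    modules: Dict[str, str] = field(default_factory=dict)  # module name -> .so path
    xml_limit: Optional[int] = None                        # LimitXMLRequestBody, bytes
    trust_cgilike_cl: bool = False                         # SetEnv ap_trust_cgilike_cl seen


def parse_config(text: str) -> HttpdConfig:
    """Minimal line-oriented parse of the three directives this audit needs."""
    cfg = HttpdConfig()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comment lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "loadmodule" and len(parts) >= 3:
            cfg.modules[parts[1]] = parts[2]
        elif directive == "limitxmlrequestbody" and len(parts) >= 2 and parts[1].isdigit():
            cfg.xml_limit = int(parts[1])
        elif directive == "setenv" and len(parts) >= 2 and parts[1] == "ap_trust_cgilike_cl":
            cfg.trust_cgilike_cl = True
    return cfg


def assess(cfg: HttpdConfig) -> List[str]:
    """Return the CVE ids whose 'vulnerable configuration' matches cfg."""
    findings = []
    loaded = set(cfg.modules)
    if loaded & PROXY_MODULES:
        findings.append("CVE-2023-38709")
    if loaded & CGI_LIKE_MODULES:
        findings.append("CVE-2024-24795")
    # Heuristic for "third-party modules": loaded from outside the server's
    # own modules/ directory, excluding the WAS plug-in.
    third_party = {m for m, path in cfg.modules.items()
                   if not path.startswith("modules/") and m not in WAS_PLUGIN_MODULES}
    large_limit = cfg.xml_limit is not None and cfg.xml_limit >= HARD_XML_LIMIT_85
    if ("dav_module" in loaded or third_party) and large_limit:
        findings.append("CVE-2023-52425")
    return findings


def effective_xml_limit(cfg: HttpdConfig, release: str) -> int:
    """LimitXMLRequestBody that is in force once the fix is applied."""
    limit = DEFAULT_XML_LIMIT if cfg.xml_limit is None else cfg.xml_limit
    if release.startswith("8.5"):
        return min(limit, HARD_XML_LIMIT_85)  # 8.5 fix imposes the hard cap
    return limit                              # 9.0: no behavior change


def cgi_content_length_trusted(cfg: HttpdConfig) -> bool:
    """After the fix, CGI Content-Length is ignored unless ap_trust_cgilike_cl is set."""
    return cfg.trust_cgilike_cl


# Constructed sample: an 8.5 server with CGI, WebDAV, the WAS plug-in and an
# oversized XML body limit.  The plug-in path is a placeholder.
SAMPLE_CONF = """
LoadModule cgid_module modules/mod_cgid.so
LoadModule dav_module modules/mod_dav.so
LoadModule was_ap24_module /opt/example/Plugins/bin/mod_was_ap24_http.so
# 300 MB
LimitXMLRequestBody 314572800
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONF)
    print("matching vulnerable configurations:", assess(cfg))
    print("LimitXMLRequestBody in force on 8.5 after the fix:", effective_xml_limit(cfg, "8.5.5.24"))
    print("CGI Content-Length trusted after the fix:", cgi_content_length_trusted(cfg))
```

The parser is deliberately flat: it ignores `<IfModule>` and `Include` scoping, so a directive inside a block that never applies is still counted. That errs toward reporting, which is the right direction for an audit, but the findings should be confirmed against the running server's effective configuration.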

Prerequisites

None


Problems Solved

PH60619, PH53014, PH57408

Change History

  1. April 10: Initial publish around 09:40 EDT (13:40 UTC).
  2. April 10: Added a caution about the 9.0.5.18 fix missing a supersedes entry (this did not block installation).
  3. April 10: The 9.0.5.18 fix was replaced around 11:20 EDT (15:20 UTC) to add the supersedes information.
  4. April 11: The 8.5.5.24 and 8.5.5.25 fixes were updated around 14:00 UTC to properly supersede PH57668, allowing them to be co-installed.


Technical Support

Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

Applies To

Product: IBM HTTP Server (Base edition), component IBM HTTP Server
Platforms: AIX, HP-UX, Linux, Solaris, Windows, z/OS
Versions: 8.5.5.24, 8.5.5.25, 9.0.5.18, 9.0.5.19

Document Information

Modified date: 09 July 2024

UID: ibm17147814