Download
Downloadable File
| File link | File size | File description |
|---|---|---|
Abstract
IBM HTTP Server is affected by multiple vulnerabilities due to the included Apache HTTP Server (CVE-2024-43394,CVE-2024-42516,CVE-2024-43204)
IBM HTTP Server is affected by an access control bypass due to the included Apache HTTP Server (CVE-2025-54090 CVSS 6.3)
PH68462: IBM HTTP Server is affected by multiple vulnerabilities (see description)
Download Description
- CVE-2024-43394
- Vulnerable Configurations: IHS on Windows with RewriteCond or Apache Expression Parser expressions that are tricked into looking up remote UNC file paths through use of unary file operators (-d, -f)
- CVE-2024-42516
- Vulnerable Configurations: mod_proxy loaded and backend application that can be tricked into setting an attacker controlled Content-Type header
- CVE-2024-43204
- Vulnerable Configurations: mod_proxy loaded and `Header` directive in the IHS configuration that sets Content-Type to values computed from user controlled variables/expressions
- CVE-2025-54090
- Vulnerable Configurations: `RewriteCond` directive with first argument of the literal "expr" and the condition is used for some security purpose. Only applicable to 9.0 with IFPH67153 installed.
- CVE-2025-58098
- Affected Configurations: mod_include and mod_cgid (but not mod_cgi) modules loaded
- CVE-2025-59775
- Affected Configurations: Windows with both of the following non-default directives: "AllowEncodedSlashes ON" and "MergeSlashes OFF" (extremely uncommon)
- CVE-2025-65082
- Affected Configurations: mod_cgi or mod_cgid loaded and htaccess enabled with AllowOverride other than "none" above CGI root.
- CVE-2025-66200
- Affected Configurations: mod_userdir and mod_suexec both loaded AND $IHS_HOME/bin/suexec added by administrator (extremely uncommon)
- CVE-2025-59375
- mod_dav loaded (extremely uncommon)
- mod_dav loaded (extremely uncommon)
The fixes are targeted for inclusion in 8.5.5.29 and 9.0.5.27.
For more information, see Recommended Updates for WebSphere Application Server:
https://www.ibm.com/support/pages/node/715553
Prerequisites
Download Package
IMPORTANT NOTE: | WebSphere Application Server and Liberty fix access requires S&S Entitlement beginning in 2021. Use properly registered IDs to download the fixes in this table. Signature file is provided along with interim fix. See Verifying WebSphere Application Server release packages and Verifying Liberty release packages. |
IBM Installation Manager packages
| DOWNLOAD | RELEASE DATE | URL |
|---|---|---|
| 9.0.5.26-WS-WASIHS-IFPH68462 | 14 December 2025 | FC |
| 9.0.5.25-WS-WASIHS-IFPH68462 | 14 December 2025 | FC |
| 9.0.5.24-WS-WASIHS-IFPH68462 | 14 December 2025 | FC |
| 8.5.5.28-WS-WASIHS-IFPH68462 | 14 December 2025 | FC |
| 8.5.5.27-WS-WASIHS-IFPH68462 | 14 December 2025 | FC |
Archive packages (no IM)
| DOWNLOAD | RELEASE DATE | URL |
|---|---|---|
| win-x86_64-FP026-IFPH68462 | 14 December 2025 | FC |
| linux-x86_64-FP026-IFPH68462 | 14 December 2025 | FC |
| linux-s390x-FP026-IFPH68462 | 14 December 2025 | FC |
| linux-ppc64le-FP026-IFPH68462 | 14 December 2025 | FC |
| aix-ppc64-FP026-IFPH68462 | 14 December 2025 | FC |
| win-x86-FP026-IFPH68462 | 14 December 2025 | FC Note: Future 32-bit archives for Windows are unlikely. Upgrade to 64-bit in place. |
Problems Solved
PH68462.PH67414, PH67153, PH61590, PH61893, PH62263, PH66956
Change History
- 28 July 2025: Add 8.5.5.28 fixes.
- 05 Aug 2025: Supersede 9.0 fixes with IFPH67414
- 15 Dec 2025: Supersede fixes with IFPH68462 due to new CVES.
Technical Support
Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).
Document Location
Worldwide
Problems (APARS) fixed
Problems (APARS) fixed
Was this topic helpful?
Document Information
Modified date:
15 December 2025
UID
ibm17239806