IBM Support

PH61893, PH62263: IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server

Abstract

IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server

Download Description

PH61893 resolves the following problems:

  • CVE-2024-38472
    • Vulnerable Configurations: IHS on Windows
  • CVE-2024-38473, CVE-2024-38477
    • Vulnerable Configurations: IHS 9.0 with mod_proxy loaded
  • CVE-2024-38474, CVE-2024-38475
    • Vulnerable Configurations: IHS with mod_rewrite loaded.
      See https://httpd.apache.org/security/vulnerabilities_24.html for mod_rewrite specifics.
  • CVE-2024-38476
    • Vulnerable Configurations:  IHS with mod_negotiation or CGI modules loaded
  • CVE-2024-39573
    • Vulnerable Configurations: IHS with both mod_rewrite and mod_proxy loaded.
      See https://httpd.apache.org/security/vulnerabilities_24.html for mod_rewrite specifics.

PH62263 resolves the following problems:

  • CVE-2024-40898
    • Vulnerable Configurations: IHS with mod_rewrite in use on Windows
  • CVE-2024-40725
    • Vulnerable Configurations: IHS with IFPH61893 installed and with the `AddType` directive used to configure a handler (such as PHP or other scripting languages).
      • AddType is a legacy method from Apache 1.3 to associate a file extension with a handler. Modern configurations use "AddHandler", which is unaffected.


Behavior Changes in mod_rewrite:
  • If non-malicious URLs use encoded question marks (%3F), some RewriteRules that add a "?" to the substitution will return 403 unless the flag UnsafeAllow3F is added.
  • If a mod_rewrite substitution begins with a variable or back-reference, and has no PT flag, and the first path segment matches a directory at the root of the filesystem, the substitution will no longer map the URL to that directory unless the flag UnsafePrefixStat is added.
Behavior Changes on Windows:
  • Use of network shares (such as //servername) requires the IP or hostname to be specified with the UNCList directive. The directive should appear before the directives (such as Alias or DocumentRoot or <Directory>) that reference the //servername remote path.

    The UNCList directive takes multiple hostname/IP arguments but cannot be repeated.

    UNCList myserver other-server

    DocumentRoot "//myserver/Doclinks"
    <Directory "//myserver/Doclinks">
      ...
    </Directory>

    Alias /images "//other-server/images"
    <Directory "//other-server/images">
      ...
    </Directory>
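The configuration patterns above (an AddType-based handler for CVE-2024-40725, a RewriteRule whose substitution adds a "?" without UnsafeAllow3F, and a //server path whose host is missing from UNCList) can be spotted before applying the fix with a small audit script. This is an added example, not IBM's tooling; it assumes whitespace-separated directives on single lines and treats only application/x-httpd-* MIME types as handler mappings, and the httpd.conf fragment it scans is constructed for illustration.

```python
import re

# Constructed httpd.conf fragment (not from the IBM page) that exercises
# each pattern this APAR changes or affects.
SAMPLE_CONF = """
LoadModule rewrite_module modules/mod_rewrite.so
AddType application/x-httpd-php .php
AddHandler cgi-script .cgi
RewriteEngine On
RewriteRule ^/old/(.*)$ /new/index.php?page=$1 [L]
RewriteRule ^/safe/(.*)$ /new/index.php?page=$1 [L,UnsafeAllow3F]
UNCList myserver
DocumentRoot "//myserver/Doclinks"
Alias /images "//other-server/images"
"""

# Directives that reference filesystem paths and therefore need UNCList on Windows.
UNC_PATH_DIRECTIVES = {"documentroot", "alias", "scriptalias", "<directory"}


def audit_httpd_conf(text):
    """Return a list of (category, line) findings for the patterns this APAR affects."""
    findings = []
    unc_hosts = set()   # hosts declared via UNCList
    unc_refs = []       # (host, line) for every //host/... path seen
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "addtype" and len(parts) > 1 \
                and parts[1].lower().startswith("application/x-httpd-"):
            # CVE-2024-40725: AddType used to map an extension to a handler
            # (AddHandler is the unaffected modern form).
            findings.append(("addtype-handler", line))
        elif directive == "rewriterule" and len(parts) >= 3 and "?" in parts[2]:
            # Behavior change: a "?" in the substitution now needs UnsafeAllow3F
            # or requests with %3F in the URL will get a 403.
            flags = parts[3] if len(parts) > 3 else ""
            if "unsafeallow3f" not in flags.lower():
                findings.append(("rewrite-question-mark", line))
        elif directive == "unclist":
            unc_hosts.update(h.lower() for h in parts[1:])
        if directive in UNC_PATH_DIRECTIVES:
            for host in re.findall(r'"?//([^/"\s]+)/', line):
                unc_refs.append((host.lower(), line))
    # Windows behavior change: every referenced UNC host must appear in UNCList.
    for host, line in unc_refs:
        if host not in unc_hosts:
            findings.append(("unc-host-missing", line))
    return findings
```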


The fix for this APAR is targeted for inclusion in 8.5.5.27 and 9.0.5.21.

For more information, see Recommended Updates for WebSphere Application Server:
https://www.ibm.com/support/pages/node/715553

This fix supersedes (includes) the fixes for PH53014, PH57408, PH57668, PH59697, PH60619 and PH61893 (where applicable to the base fix pack level).

Prerequisites

None

Download Package

IMPORTANT NOTE:
WebSphere Application Server and Liberty fix access requires S&S Entitlement beginning in 2021. Use properly registered IDs to download the fixes in this table. 

Signature file is provided along with interim fix. See Verifying WebSphere Application Server release packages and Verifying Liberty release packages.

DOWNLOAD                                               RELEASE DATE   SIZE (Bytes)   URL

IBM Installation Manager packages
9.0.5.20-WS-WASIHS-IFPH62263                           22 July 2024   110527919      FC
9.0.5.19-WS-WASIHS-IFPH62263                           22 July 2024   110528229      FC
9.0.5.18-WS-WASIHS-IFPH62263                           22 July 2024   110528732      FC
8.5.5.26-WS-WASIHS-IFPH62263                           29 July 2024   89941695       FC
8.5.5.25-WS-WASIHS-IFPH62263                           22 July 2024   89941753       FC
8.5.5.24-WS-WASIHS-IFPH62263                           22 July 2024   89941891       FC

IHS Archive packages (no IM)
9.0.5-WS-IHS-ARCHIVE-linux-x86_64-FP020-IFPH62263      22 July 2024   26738097       FC
9.0.5-WS-IHS-ARCHIVE-linux-s390x-FP020-IFPH62263       22 July 2024   29625448       FC
9.0.5-WS-IHS-ARCHIVE-linux-ppc64le-FP020-IFPH62263     22 July 2024   27184461       FC
9.0.5-WS-IHS-ARCHIVE-aix-ppc64-FP020-IFPH62263         22 July 2024   35908543       FC
9.0.5-WS-IHS-ARCHIVE-win-x86_64-FP020-IFPH62263        22 July 2024   35549670       FC
9.0.5-WS-IHS-ARCHIVE-win-x86-FP020-IFPH62263           22 July 2024   33269254       FC
Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.

Problems Solved

PH62263, PH61893, PH53014, PH57408, PH57668, PH59697, PH60619

Change History

  • July 22: Replace fixes with IFPH62263 due to supersede.
  • July 25: Clarify IFPH61893 as the source of CVE-2024-40725
  • July 29: Add 8.5.5.26 fixes for 8.5.5.26 eGA.
Technical Support

Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide



Problems (APARS) fixed
PH61893, PH53014, PH57408, PH57668, PH59697, PH60619

Document Information

More support for:
WebSphere Application Server

Software version:
8.5.5.24, 8.5.5.25, 9.0.5.18, 9.0.5.19, 9.0.5.20

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows, z/OS

Document number:
7159808

Modified date:
29 July 2024

UID

ibm17159808
