Abstract
IBM HTTP Server is affected by multiple vulnerabilities in the bundled Apache HTTP Server.
Download Description
PH61893 resolves the following problems:
- CVE-2024-38472
  - Vulnerable Configurations: IHS on Windows
- CVE-2024-38473, CVE-2024-38477
  - Vulnerable Configurations: IHS 9.0 with mod_proxy loaded
- CVE-2024-38474, CVE-2024-38475
  - Vulnerable Configurations: IHS with mod_rewrite loaded. See https://httpd.apache.org/security/vulnerabilities_24.html for mod_rewrite specifics.
- CVE-2024-38476
  - Vulnerable Configurations: IHS with mod_negotiation or CGI modules loaded
- CVE-2024-39573
  - Vulnerable Configurations: IHS with both mod_rewrite and mod_proxy loaded. See https://httpd.apache.org/security/vulnerabilities_24.html for mod_rewrite specifics.
PH62263 resolves the following problems:
- CVE-2024-40898
  - Vulnerable Configurations: IHS with mod_rewrite in use on Windows
- CVE-2024-40725
  - Vulnerable Configurations: IHS with IFPH61893 installed and with the `AddType` directive used to configure a handler (such as PHP or other scripting languages).
  - `AddType` is a legacy method from Apache 1.3 to associate a file extension with a handler. Modern configurations use `AddHandler`, which is unaffected.
Behavior Changes in mod_rewrite:
- If non-malicious URLs use encoded question marks (%3F), some RewriteRules that add a "?" to the substitution will return 403 unless the flag `UnsafeAllow3F` is added.
- If a mod_rewrite substitution begins with a variable or back-reference, has no `PT` flag, and its first path segment matches a directory at the root of the filesystem, the substitution will no longer map the URL to that directory unless the flag `UnsafePrefixStat` is added.
Behavior Changes on Windows:
- Use of network shares (such as //servername) requires the IP or hostname to be specified with the `UNCList` directive. The directive must appear before the directives (such as `Alias`, `DocumentRoot` or `<Directory>`) that reference the //servername remote path. The `UNCList` directive takes multiple hostname/IP arguments but cannot be repeated.

```apache
UNCList myserver other-server
DocumentRoot "//myserver/Doclinks"
<Directory "//myserver/Doclinks">
    ...
</Directory>
Alias /images "//other-server/images"
<Directory "//other-server/images">
    ...
</Directory>
```
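As an added example (not IBM's code or part of this fix), the following heuristic audit reads an httpd.conf fragment and reports the three configuration patterns whose behavior this fix changes: RewriteRule substitutions that add "?" without `UnsafeAllow3F`, UNC paths referenced before a `UNCList` that declares their host, and legacy `AddType` handler associations. The sample configuration is constructed for the demonstration.

```python
import re

# Constructed sample httpd.conf fragment (not from IBM or this page), mixing the
# patterns this fix changes: a RewriteRule that appends "?", a UNC DocumentRoot
# referenced before UNCList, and a legacy AddType handler association.
SAMPLE_CONF = """\
LoadModule rewrite_module modules/mod_rewrite.so
AddType application/x-httpd-php .php
RewriteEngine On
RewriteRule ^/old/(.*)$ /new/$1? [R,L]
RewriteRule ^/safe/(.*)$ /new/$1? [R,L,UnsafeAllow3F]
RewriteRule ^/plain/(.*)$ /plain2/$1 [L]
DocumentRoot "//myserver/Doclinks"
UNCList myserver
Alias /images "//other-server/images"
"""

# Directives in which a //host/share path must be covered by an earlier UNCList.
UNC_DIRECTIVES = ("DocumentRoot", "Alias", "<Directory", "ScriptAlias")

def audit_conf(text):
    """Return a list of (line_no, finding) tuples for the patterns above."""
    findings = []
    unc_hosts = set()  # hosts declared by UNCList so far; order matters
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        name = parts[0].lower()
        if name == "unclist":
            unc_hosts.update(h.lower() for h in parts[1:])
        elif name == "addtype":
            findings.append((n, "AddType used; if it selects a handler, use AddHandler instead"))
        elif name == "rewriterule" and len(parts) >= 3:
            flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
            if "?" in parts[2] and "UnsafeAllow3F" not in flags:
                findings.append((n, "RewriteRule adds '?' without UnsafeAllow3F; %3F requests may get 403"))
        elif parts[0].startswith(UNC_DIRECTIVES):
            for host in re.findall(r'"?//([^/"\s>]+)/', line):
                if host.lower() not in unc_hosts:
                    findings.append((n, f"UNC host {host} not declared by an earlier UNCList"))
    return findings

if __name__ == "__main__":
    for line_no, msg in audit_conf(SAMPLE_CONF):
        print(f"line {line_no}: {msg}")
```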
The fix for this APAR is targeted for inclusion in 8.5.5.27 and 9.0.5.21.
For more information, see Recommended Updates for WebSphere Application Server:
https://www.ibm.com/support/pages/node/715553
This fix supersedes (includes) the fixes for PH53014, PH57408, PH57668, PH59697, PH60619 and PH61893 (where applicable to the base fix pack level).
Prerequisites
None
Download Package
IMPORTANT NOTE: WebSphere Application Server and Liberty fix access requires S&S Entitlement beginning in 2021. Use properly registered IDs to download the fixes in this table.
A signature file is provided along with the interim fix. See Verifying WebSphere Application Server release packages and Verifying Liberty release packages.
| DOWNLOAD | RELEASE DATE | SIZE (Bytes) | URL |
|---|---|---|---|
| 9.0.5.20-WS-WASIHS-IFPH62263 | 22 July 2024 | 110527919 | FC |
| 9.0.5.19-WS-WASIHS-IFPH62263 | 22 July 2024 | 110528229 | FC |
| 9.0.5.18-WS-WASIHS-IFPH62263 | 22 July 2024 | 110528732 | FC |
| 8.5.5.26-WS-WASIHS-IFPH62263 | 29 July 2024 | 89941695 | FC |
| 8.5.5.25-WS-WASIHS-IFPH62263 | 22 July 2024 | 89941753 | FC |
| 8.5.5.24-WS-WASIHS-IFPH62263 | 22 July 2024 | 89941891 | FC |
| 9.0.5-WS-IHS-ARCHIVE-linux-x86_64-FP020-IFPH62263 | 22 July 2024 | 26738097 | FC |
| 9.0.5-WS-IHS-ARCHIVE-linux-s390x-FP020-IFPH62263 | 22 July 2024 | 29625448 | FC |
| 9.0.5-WS-IHS-ARCHIVE-linux-ppc64le-FP020-IFPH62263 | 22 July 2024 | 27184461 | FC |
| 9.0.5-WS-IHS-ARCHIVE-aix-ppc64-FP020-IFPH62263 | 22 July 2024 | 35908543 | FC |
| 9.0.5-WS-IHS-ARCHIVE-win-x86_64-FP020-IFPH62263 | 22 July 2024 | 35549670 | FC |
| 9.0.5-WS-IHS-ARCHIVE-win-x86-FP020-IFPH62263 | 22 July 2024 | 33269254 | FC |
Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.
Problems Solved
PH62263, PH61893, PH53014, PH57408, PH57668, PH59697, PH60619
Change History
- July 22: Replace fixes with IFPH62263 due to supersede.
- July 25: Clarify IFPH61893 as the source of CVE-2024-40725
- July 29: Add 8.5.5.26 fixes for 8.5.5.26 eGA.
Technical Support
Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).
Document Location
Worldwide
Document Information
Modified date: 29 July 2024
UID: ibm17159808