Abstract
IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server
Download Description
- CVE-2024-38472
  - Vulnerable Configurations: IHS on Windows
- CVE-2024-38473, CVE-2024-38477
  - Vulnerable Configurations: IHS 9.0 with mod_proxy loaded
- CVE-2024-38474, CVE-2024-38475
  - Vulnerable Configurations: IHS with mod_rewrite loaded. See https://httpd.apache.org/security/vulnerabilities_24.html for mod_rewrite specifics.
- CVE-2024-38476
  - Vulnerable Configurations: IHS with mod_negotiation or CGI modules loaded
- CVE-2024-39573
  - Vulnerable Configurations: IHS with both mod_rewrite and mod_proxy loaded. See https://httpd.apache.org/security/vulnerabilities_24.html for mod_rewrite specifics.
- CVE-2024-40898
  - Vulnerable Configurations: IHS with mod_rewrite in use on Windows
- CVE-2024-40725
  - Vulnerable Configurations: IHS with IFPH61893 installed and with the `AddType` directive used to configure a handler (such as PHP or other scripting languages).
  - `AddType` is a legacy method from Apache 1.3 to associate a file extension with a handler. Modern configurations use `AddHandler`, which is unaffected.
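As an added illustration (not configuration from the IBM page or shipped with IHS), the legacy `AddType` form that the CVE-2024-40725 entry describes, beside the `AddHandler` form the entry calls unaffected, and an ordinary MIME mapping that is not a handler binding at all. The handler name and extensions are constructed for the example; substitute whatever handler your site actually binds.

```apache
# Added example, not from the IBM page. Handler name and file extensions are
# constructed for illustration.

# Legacy Apache 1.3 style: the MIME type doubles as the handler selector.
# On IHS with IFPH61893 installed this is the pattern CVE-2024-40725 concerns.
AddType application/x-httpd-php .php

# Current style: bind the handler explicitly. The advisory lists AddHandler
# as unaffected, so migrate handler bindings to this form.
AddHandler application/x-httpd-php .php

# An AddType that only labels static content sets a Content-Type and does not
# configure a handler, so it is not the configuration the advisory describes.
AddType image/svg+xml .svg
```

When auditing an httpd.conf, the lines to migrate are the `AddType` entries whose MIME type is also a handler name; `AddType` lines that merely map an extension to a Content-Type for static files can stay.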
Behavior Changes in mod_rewrite:
- If non-malicious URLs use encoded question marks (%3F), some RewriteRules that add a "?" to the substitution will return 403 unless the flag UnsafeAllow3F is added.
- If a mod_rewrite substitution begins with a variable or back-reference, and has no PT flag, and the first path segment matches a directory at the root of the filesystem, the substitution will no longer map the URL to that directory unless the flag UnsafePrefixStat is added.
- Use of network shares (such as //servername) requires the IP or hostname to be specified with the UNCList directive. The directive should appear before the directives (such as Alias, DocumentRoot or <Directory>) that reference the //servername remote path. The UNCList directive takes multiple hostname/IP arguments but cannot be repeated. For example:

  ```apache
  # UNCList must come first and name every host referenced below
  UNCList myserver other-server
  DocumentRoot "//myserver/Doclinks"
  <Directory "//myserver/Doclinks">
      ...
  </Directory>
  Alias /images "//other-server/images"
  <Directory "//other-server/images">
      ...
  </Directory>
  ```
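As an added example (not configuration from the IBM page or from IHS), the two mod_rewrite behaviour changes listed above shown on constructed RewriteRules: a rule that appends a query string, which the fix answers with 403 when the request path carried an encoded "?", and a rule whose substitution starts with a back-reference, which the fix no longer maps onto a root-level directory. The paths, patterns and CGI name are assumptions made up for the illustration.

```apache
# Added example, not from the IBM page. Patterns, paths and script names are
# constructed for illustration.
RewriteEngine On

# 1) Substitution that adds a "?" to build a query string.
#    After the fix, a request whose path contains %3F is answered with 403 by
#    this rule, because the decoded "?" would otherwise land in the query
#    string the rule constructs. Legitimate traffic without %3F is unaffected.
RewriteRule "^/search/(.*)$" "/cgi-bin/search.cgi?term=$1" [L]

#    Opt back in only after confirming that %3F in these paths is expected and
#    that the CGI handles it safely:
RewriteRule "^/search/(.*)$" "/cgi-bin/search.cgi?term=$1" [L,UnsafeAllow3F]

# 2) Substitution whose first path segment is a back-reference and that has no
#    PT flag. If $1 begins with a segment matching a directory at the root of
#    the filesystem, the fix no longer maps the URL to that directory.
RewriteRule "^/docs/(.*)$" "/$1.html" [L]

#    Preferred correction: mark the result as a URL path with PT so it is
#    resolved through the normal URL-to-file mapping (Alias, DocumentRoot, ...).
RewriteRule "^/docs/(.*)$" "/$1.html" [L,PT]

#    Only where mapping to a filesystem path was the intent and the captured
#    prefix is constrained (for example by a tighter pattern) opt back in:
RewriteRule "^/docs/([a-z0-9_-]+)$" "/$1.html" [L,UnsafePrefixStat]
```

After applying the fix, review the error log for new 403 responses on paths containing %3F and for rewrites that stopped resolving; those are the rules to revisit, and adding PT is the safer correction for the second case since the Unsafe* flags restore the pre-fix behaviour rather than remove the risk.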
For more information, see Recommended Updates for WebSphere Application Server:
https://www.ibm.com/support/pages/node/715553
This fix supersedes (includes) the fixes for PH53014, PH57408, PH57668, PH59697, PH60619 and PH61893 (where applicable to the base fix pack level).
Prerequisites
Download Package
IMPORTANT NOTE: WebSphere Application Server and Liberty fix access requires S&S Entitlement beginning in 2021. Use properly registered IDs to download the fixes in this table. A signature file is provided along with the interim fix. See Verifying WebSphere Application Server release packages and Verifying Liberty release packages.

DOWNLOAD | RELEASE DATE | SIZE (Bytes) | URL
---|---|---|---
9.0.5.20-WS-WASIHS-IFPH62263 | 22 July 2024 | 110527919 | FC
9.0.5.19-WS-WASIHS-IFPH62263 | 22 July 2024 | 110528229 | FC
9.0.5.18-WS-WASIHS-IFPH62263 | 22 July 2024 | 110528732 | FC
8.5.5.26-WS-WASIHS-IFPH62263 | 29 July 2024 | 89941695 | FC
8.5.5.25-WS-WASIHS-IFPH62263 | 22 July 2024 | 89941753 | FC
8.5.5.24-WS-WASIHS-IFPH62263 | 22 July 2024 | 89941891 | FC
9.0.5-WS-IHS-ARCHIVE-linux-x86_64-FP020-IFPH62263 | 22 July 2024 | 26738097 | FC
9.0.5-WS-IHS-ARCHIVE-linux-s390x-FP020-IFPH62263 | 22 July 2024 | 29625448 | FC
9.0.5-WS-IHS-ARCHIVE-linux-ppc64le-FP020-IFPH62263 | 22 July 2024 | 27184461 | FC
9.0.5-WS-IHS-ARCHIVE-aix-ppc64-FP020-IFPH62263 | 22 July 2024 | 35908543 | FC
9.0.5-WS-IHS-ARCHIVE-win-x86_64-FP020-IFPH62263 | 22 July 2024 | 35549670 | FC
9.0.5-WS-IHS-ARCHIVE-win-x86-FP020-IFPH62263 | 22 July 2024 | 33269254 | FC
Problems Solved
PH62263, PH61893, PH53014, PH57408, PH57668, PH59697, PH60619
Change History
- July 22: Replace fixes with IFPH62263 due to supersede.
- July 25: Clarify IFPH61893 as the source of CVE-2024-40725
- July 29: Add 8.5.5.26 fixes for 8.5.5.26 eGA.
Technical Support
Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).
Document Location
Worldwide
Document Information
- More support for: WebSphere Application Server
- Software version: 8.5.5.24, 8.5.5.25, 9.0.5.18, 9.0.5.19, 9.0.5.20
- Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS
- Document number: 7159808
- Modified date: 29 July 2024
- UID: ibm17159808