IBM Support

PI66849:Multiple vulnerabilities associated with IBM HTTP Server.



Abstract

Multiple vulnerabilities associated with IBM HTTP Server.

Download Description

PI66849 resolves the following problems:

ERROR DESCRIPTION:
The "expat" XML parsing library bundled with IHS has several input-related vulnerabilities, and the httpoxy vulnerability (CVE-2016-5387) also affects IHS. This PI66849 interim fix includes the fixes for PI63098 and PI65855.

LOCAL FIX:

PROBLEM SUMMARY:
The IHS-related vulnerabilities resolved by this interim fix are:

CVEID: CVE-2012-0876
DESCRIPTION: Expat is vulnerable to a denial of service,
caused by insufficient randomization of hash data structures.

CVEID: CVE-2012-1148
DESCRIPTION: Expat is vulnerable to a denial of service,
caused by a memory leak in poolGrow when handling XML data.

CVEID: CVE-2016-4472
DESCRIPTION: Expat XML parser is vulnerable to a denial of
service, caused by the parser's overflow-protection checks
being removed by compilers with certain optimization settings.

CVEID: CVE-2016-0718
DESCRIPTION: Expat XML parser is vulnerable to a denial of
service, caused by an out-of-bounds read within XML parser.

CVEID: CVE-2016-5387
DESCRIPTION: Apache HTTP Server could allow a remote attacker
to redirect HTTP traffic of CGI application, caused by the
lack of protection of untrusted client data in the HTTP_PROXY
environment variable.

PROBLEM CONCLUSION:
The bundled expat library was updated with the latest fixes, and IHS was updated to no longer copy the client-supplied Proxy request header into the HTTP_PROXY environment variable of CGI processes, which resolves httpoxy (CVE-2016-5387).

The PI66849 APAR is expected to be included in IHS fixpacks:
- 9.0.0.2
- 8.5.5.11
- 8.0.0.13
- 7.0.0.43
The PI63098 APAR is expected to be included in IHS fixpacks:
- 9.0.0.1
- 8.5.5.10
- 8.0.0.13
- 7.0.0.43
The PI65855 APAR is expected to be included in IHS fixpacks:
- 9.0.0.1
- 8.5.5.11
- 8.0.0.13
- 7.0.0.43
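The mechanism behind the httpoxy part of this fix, as an added example that is not IBM's code and not part of the interim fix: a CGI gateway turns every request header into an HTTP_-prefixed environment variable, so a client-sent "Proxy:" header becomes HTTP_PROXY in the CGI child, where HTTP client libraries read it as the outbound proxy. The block shows that mapping, the hardened form that refuses to populate HTTP_PROXY (the behaviour PI66849 introduces), and a probe function that can be pointed at a real IHS CGI which echoes its environment. The CGI path /cgi-bin/printenv, the marker URL and the in-process stand-in server are assumptions constructed for the demo.

```python
"""Added example (not IBM's code): the CGI header-to-environment mapping that
httpoxy (CVE-2016-5387) abuses, the server-side fix, and a probe to confirm it.
The CGI path /cgi-bin/printenv and the marker URL are assumed for illustration."""
import http.server
import threading
import urllib.request

# Constructed marker: .invalid is reserved and never resolves, so a CGI child
# that did honour it could not actually reach an attacker proxy from this demo.
MARKER = "http://httpoxy-probe.invalid:8080"


def cgi_environ(headers, fixed):
    """Map request headers to CGI meta-variables the way RFC 3875 describes:
    name uppercased, '-' replaced by '_', prefixed with HTTP_. A client header
    'Proxy:' therefore becomes HTTP_PROXY, which HTTP client libraries in the
    CGI child read as the outbound proxy setting. With fixed=True the mapping
    refuses to populate HTTP_PROXY, which is what the PI66849 change does."""
    env = {}
    for name, value in headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        if fixed and key == "HTTP_PROXY":
            continue
        env[key] = value
    return env


class PrintEnvCGI(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a printenv-style CGI behind IHS. The class
    attribute `fixed` selects unpatched or patched behaviour."""
    fixed = False

    def do_GET(self):
        env = cgi_environ(self.headers.items(), self.fixed)
        body = "".join(f"{k}={v}\n" for k, v in sorted(env.items())).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def probe_httpoxy(url):
    """Request `url` with a Proxy header and return True if the response shows the
    marker landed in HTTP_PROXY, i.e. the server still exhibits CVE-2016-5387.
    Point this at a real CGI that echoes its environment to check a live IHS."""
    req = urllib.request.Request(url, headers={"Proxy": MARKER})
    # Empty ProxyHandler: never route the probe itself through a local proxy setting.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(req, timeout=5) as resp:
        body = resp.read().decode(errors="replace")
    return any(line.startswith("HTTP_PROXY=") and MARKER in line
               for line in body.splitlines())


def run_demo(fixed):
    """Serve the stand-in CGI on a loopback port, probe it once, return the verdict."""
    PrintEnvCGI.fixed = fixed
    srv = http.server.HTTPServer(("127.0.0.1", 0), PrintEnvCGI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_httpoxy(f"http://127.0.0.1:{srv.server_address[1]}/cgi-bin/printenv")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("unpatched server leaks Proxy into HTTP_PROXY:", run_demo(fixed=False))  # True
    print("patched server leaks Proxy into HTTP_PROXY:  ", run_demo(fixed=True))   # False
```

After applying the interim fix (or the superseding PI73984), run probe_httpoxy against any IHS virtual host that serves CGI and expect False; a True result means a client can still steer the outbound HTTP traffic of CGI applications through a proxy of its choosing. For installations that cannot take the fix immediately, the Apache HTTP Server project's published workaround for CVE-2016-5387 is to strip the header before it reaches the CGI layer (RequestHeader unset Proxy early, with mod_headers loaded); that is a mitigation, not a replacement for the fix, and the probe above verifies it the same way.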

Prerequisites

UpdateInstaller is required for IHS 7.0 interim fixes.

- UpdateInstaller (US English, 7250000 bytes): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Please review the readme.txt included with each interim fix for detailed installation instructions.
For versions where there are "MultiOS" and "OS390" fix files, the "MultiOS" file should be used for distributed platforms and the "OS390" file should be used for z/OS.

- The 9.0 fix files will apply to IBM HTTP Server version 9.0.0.0
- The 8.5 fix files will apply to IBM HTTP Server version 8.5.5.7 through 8.5.5.10
- The 8.0 fix files will apply to IBM HTTP Server version 8.0.0.10 through 8.0.0.12
- The 7.0 fix files will apply to IBM HTTP Server version 7.0.0.37 through 7.0.0.41

Download Package

Note: This interim fix has been superseded by the PI73984 interim fix. It is recommended to use that interim fix in place of this one for applicable versions.

Fix files (all US English; sizes in bytes):

- 9.0.0.1-WS-WASIHS-IFPI66849 (16 Sep 2016, 8576019 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=9.0.0.1-WS-WASIHS-IFPI66849&productid=WebSphere%20Application%20Server&brandid=5
- 9.0.0.0-WS-WASIHS-MultiOS-IFPI66849 (15 Aug 2016, 7387658 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=9.0.0.0-WS-WASIHS-MultiOS-IFPI66849&productid=WebSphere Application Server&brandid=5
- 9.0.0.0-WS-WASIHS-OS390-IFPI66849 (15 Aug 2016, 1250700 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=9.0.0.0-WS-WASIHS-OS390-IFPI66849&productid=WebSphere Application Server&brandid=5
- 8.5.5.7-WS-WASIHS-MultiOS-IFPI66849 (15 Aug 2016, 9645137 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.5.7-WS-WASIHS-MultiOS-IFPI66849&productid=WebSphere Application Server&brandid=5
- 8.5.5.7-WS-WASIHS-OS390-IFPI66849 (15 Aug 2016, 1168406 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.5.7-WS-WASIHS-OS390-IFPI66849&productid=WebSphere Application Server&brandid=5
- 8.0.0.10-WS-WASIHS-MultiOS-IFPI66849 (15 Aug 2016, 9111482 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.0.0.10-WS-WASIHS-MultiOS-IFPI66849&productid=WebSphere Application Server&brandid=5
- 8.0.0.10-WS-WASIHS-OS390-IFPI66849 (15 Aug 2016, 639719 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.0.0.10-WS-WASIHS-OS390-IFPI66849&productid=WebSphere Application Server&brandid=5
- 7.0.0.37-WS-WASIHS-AixPPC32-IFPI66849 (15 Aug 2016, 689281 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-AixPPC32-IFPI66849&productid=WebSphere Application Server&brandid=5
- 7.0.0.37-WS-WASIHS-HpuxIA64-IFPI66849 (15 Aug 2016, 3033096 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-HpuxIA64-IFPI66849&productid=WebSphere Application Server&brandid=5
- 7.0.0.37-WS-WASIHS-HpuxPaRISC-IFPI66849 (15 Aug 2016, 798056 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-HpuxPaRISC-IFPI66849&productid=WebSphere Application Server&brandid=5
- 7.0.0.37-WS-WASIHS-LinuxPPC32-IFPI66849 (15 Aug 2016, 490085 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-LinuxPPC32-IFPI66849&productid=WebSphere Application Server&brandid=5
- 7.0.0.37-WS-WASIHS-LinuxS390-IFPI66849 (15 Aug 2016, 491365 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-LinuxS390-IFPI66849&productid=WebSphere Application Server&brandid=5
- 7.0.0.37-WS-WASIHS-LinuxX32-IFPI66849 (15 Aug 2016, 452301 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-LinuxX32-IFPI66849&productid=WebSphere Application Server&brandid=5
- 7.0.0.37-WS-WASIHS-SolarisSparc-IFPI66849 (15 Aug 2016, 699602 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-SolarisSparc-IFPI66849&productid=WebSphere Application Server&brandid=5
- 7.0.0.37-WS-WASIHS-SolarisX64-IFPI66849 (15 Aug 2016, 477487 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-SolarisX64-IFPI66849&productid=WebSphere Application Server&brandid=5
- 7.0.0.37-WS-WASIHS-WinX32-IFPI66849 (15 Aug 2016, 702543 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-WinX32-IFPI66849&productid=WebSphere Application Server&brandid=5

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Applies to:

- Product: WebSphere Application Server (SSEQTP)
- Component: IBM HTTP Server
- Platforms: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
- Versions: 9.0.0.1, 9.0.0.0, 8.5.5.9, 8.5.5.8, 8.5.5.7, 8.0.0.12, 8.0.0.11, 8.0.0.10, 7.0.0.41, 7.0.0.39, 7.0.0.37
- Editions: Advanced, Base, Enterprise, Network Deployment, Single Server
- Business Unit: Cloud & Data Platform; Line of Business: Automation

Document Information

Modified date:
15 June 2018

UID

swg24042637