Security Bulletin: IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server

Summary

There are multiple vulnerabilities in the IBM HTTP Server, which is used by IBM WebSphere Application Server, due to the included Apache HTTP Server.

Vulnerability Details

CVEID:CVE-2024-38472
**DESCRIPTION:**Apache HTTP Server is vulnerable to server-side request forgery, caused by improper validation of WIndows UNC. By sending a specially crafted request, an attacker could exploit this vulnerability to leak NTML hashes to a malicious server.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/296127 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-38473
**DESCRIPTION:**Apache HTTP Server could allow a remote attacker to bypass security restrictions, caused by an encoding flaw in mod_proxy. By sending specially crafted requests with incorrect encoding an attacker could exploit this vulnerability to bypass authentication validation.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/296126 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2024-38474
**DESCRIPTION:**Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by a substitution encoding issue in mod_rewrite. By sending a specially crafted request, an attacker could exploit this vulnerability to execute scripts in directories permitted by the configuration.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/296125 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

CVEID:CVE-2024-38475
**DESCRIPTION:**Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by improper escaping of output in mod_rewrite. By sending a specially crafted request, an attacker could exploit this vulnerability to map URLs to filesystem locations permitted to be served by the server but are not intentionally or directly reachable by any URL, resulting in code execution.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/296124 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

CVEID:CVE-2024-38476
**DESCRIPTION:**Apache HTTP Server allow a remote attacker to obtain sensitive information, caused by improper input validation by the backend applications response headers. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, perform server-side request forgery attack or local script execution.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/296123 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-38477
**DESCRIPTION:**Apache HTTP Server is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in mod_proxy. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/296122 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-39573
**DESCRIPTION:**Apache HTTP Server is vulnerable to server-side request forgery, caused by a flaw in the mod_rewrite. By sending a specially crafted request, an attacker could exploit this vulnerability to cause unsafe RewriteRules to unexpectedly setup URL’s to be handled by mod_proxy.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/296120 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains APAR PH61893.

For IBM HTTP Server used by IBM WebSphere Application Server:

For V9.0.0.0 through 9.0.5.20:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH61893
--OR–
· Apply Fix Pack 9.0.5.21 or later (targeted availability 3Q2024).

For V8.5.0.0 through 8.5.5.26:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH61893
--OR–
· Apply Fix Pack 8.5.5.27 or later (targeted availability 1Q2025).

Additional interim fixes may be available and linked off the interim fix download page.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

Workarounds and Mitigations

None