Security Bulletin: IBM HTTP Server (powered by Apache) for i is vulnerable to CVE-2021-44224

Summary

IBM HTTP Server (powered by Apache) for i is vulnerable to the issue described in the vulnerability details section. IBM i has addressed the applicable CVE in the Apache HTTP Server implementation.

Vulnerability Details

CVEID:CVE-2021-44224
**DESCRIPTION:**Apache HTTP Server is vulnerable to a denial of service or server-side request forgery. By sending a specially crafted URI to httpd configured as a forward proxy, an attacker could exploit this vulnerability to cause a NULL pointer dereference. By sending a specially crafted URI to configurations mixing forward and reverse proxy declarations, an attacker could allow for requests to be directed to a declared Unix Domain Socket endpoint.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215719 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)

Affected Products and Versions

Remediation/Fixes

The issue can be fixed by applying a PTF to IBM i. Releases 7.4, 7.3, and 7.2 of IBM i will be fixed.

The IBM i PTF numbers containing the fix for the CVE follows. Future Group PTFs for HTTP Server will also contain the fixes for this CVE.

Release 7.4 - SI78295, SI78296
Release 7.3 - SI78298, SI78299
Release 7.2 - SI78297

<https://www.ibm.com/support/fixcentral&gt;

_Important note: _IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.

Workarounds and Mitigations

None