Fix (APAR): PI22070
Status: Fix
Release: 8.0.0.9
Operating System: z/OS
Supersedes Fixes:
CMVC Defect: xxxxxx
Byte size of APAR: 1114815
Date: 2014-09-17

Abstract: Multiple Apache web server vulnerabilities

Description/symptom of problem:
PI22070 resolves the following problem:

ERROR DESCRIPTION:
This interim fix resolves several IHS vulnerabilities.

LOCAL FIX:
Various depending on particular CVE.
CVE-2014-0226: Block access to mod_status from untrusted IPs
CVE-2014-0118: Disable SetInputFilter DEFLATE
CVE-2014-0231: None practical if mod_cgid is needed
CVE-2013-5704: None.

PROBLEM SUMMARY:
The vulnerabilities resolved in this interim fix are:
- PI22070: CVE-2014-0118 (mod_deflate), CVE-2014-0226 (mod_status), CVE-2014-0231 (mod_cgid), CVE-2013-5704 (core)
Note: CVE-2014-0117 does not affect any release of IHS.

PROBLEM CONCLUSION:
This interim fix is being made available to resolve the set of vulnerabilities identified above.
This fix is targeted for IBM HTTP Server fix packs:
- 7.0.0.35
- 8.0.0.10
- 8.5.5.4

Directions to apply fix:
Special Instructions: None

NOTE: The user must:
* Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager and the Installation Manager will inform you during the installation process if a newer version is required.
* Be logged in with the same authority level when unpacking a fix, fix pack, or refresh pack.

The IBM Information Center can provide details, if needed, on the use of the Installation Manager to apply the interim fix: http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp.

1) Shut down IBM HTTP Server
2) Apply the interim fix using Installation Manager
3) Restart IBM HTTP Server

Directions to remove fix:
The IBM Information Center can provide details, if needed, on the use of the Installation Manager to remove the interim fix: http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp.

1) Shut down IBM HTTP Server
2) Remove the interim fix using Installation Manager
3) Restart IBM HTTP Server

Directions to re-apply fix:
1) Stop IBM HTTP Server.
2) Follow the directions to apply the fix.
3) Restart IBM HTTP Server.

Additional Information:
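The following is an added example, not part of IBM's readme: a small Python check that reads httpd.conf text and reports which of the LOCAL FIX workarounds listed above are not in place. The function names, the sample configuration and the matching rules (a line-based heuristic that ignores Include files and line continuations) are assumptions made for illustration; CVE-2013-5704 is not checked because the readme lists no workaround for it.

```python
import re

# Constructed sample configuration (not taken from the readme).
SAMPLE_CONF = """\
LoadModule status_module modules/mod_status.so
LoadModule cgid_module modules/mod_cgid.so
# SetInputFilter DEFLATE
<Location /server-status>
    SetHandler server-status
</Location>
<Location /upload>
    SetInputFilter DEFLATE
</Location>
"""

def active_lines(conf_text):
    """Yield directive lines with comments and blank lines removed."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def audit(conf_text):
    """Return {CVE: [offending lines]} where a LOCAL FIX is not in place."""
    findings, block, opener = {}, [], None
    for line in active_lines(conf_text):
        low = line.lower()  # directive names are case-insensitive
        if re.match(r"setinputfilter\b.*\bdeflate\b", low):
            findings.setdefault("CVE-2014-0118", []).append(line)
        if re.match(r"loadmodule\s+cgid_module\b", low):
            findings.setdefault("CVE-2014-0231", []).append(line)
        if re.match(r"<location(match)?\b", low):
            block, opener = [], line
        elif re.match(r"</location(match)?>", low) and opener:
            exposed = any(re.match(r"sethandler\s+server-status\b", l) for l in block)
            # Either access-control syntax counts as an IP restriction here.
            limited = any(re.match(r"(deny\s+from|require\s+(ip|host|local))\b", l)
                          for l in block)
            if exposed and not limited:
                findings.setdefault("CVE-2014-0226", []).append(opener)
            opener = None
        elif opener:
            block.append(low)
    return findings

if __name__ == "__main__":
    for cve, lines in sorted(audit(SAMPLE_CONF).items()):
        print(cve, lines)
```

A finding means only that the workaround is absent from the text that was checked; whether the server is still exposed depends on whether the interim fix or a fix pack listed above has been applied.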