Fix (APAR): PH21992
Status: Fix
Release: 9.0.5.3,9.0.5.2
Operating System: AIX,Linux,Windows
Supersedes Fixes:
CMVC Defect: xxxxxx
Byte size of APAR: 323920899
Date: 2020-04-13

Abstract: Multiple vulnerabilities in IBM HTTP Server (CVE-2020-1927, CVE-2020-1934)

Description/symptom of problem:
PH21992 resolves the following problem:

ERROR DESCRIPTION:
CVE-2020-1927: IBM HTTP Server could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the mod_rewrite module.
CVE-2020-1934: IBM HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by the use of an uninitialized value in mod_proxy_ftp.

LOCAL FIX:

PROBLEM SUMMARY:
CVE-2020-1927, CVE-2020-1934 in IBM HTTP Server.

PROBLEM CONCLUSION:
IHS was updated to resolve the vulnerabilities.

This fix is targeted for IBM HTTP Server fix packs:
- 8.5.5.18
- 9.0.5.4

Directions to apply fix:
1) Stop IBM HTTP Server. AIX Only: run "slibclean" as root.
2) Back up your IBM HTTP Server installation directory.
3) Extract this interim fix with your IBM HTTP Server installation as your working directory.
4) Start IBM HTTP Server.

Directions to remove fix:
1) Stop IBM HTTP Server. AIX Only: run "slibclean" as root.
2) Restore the earlier IBM HTTP Server installation root from backup. Or, extract a previous maintenance level archive install on top of the current installation.
3) Start IBM HTTP Server.

Directions to re-apply fix:
1) Stop IBM HTTP Server.
2) Follow the directions to apply the fix.
3) Restart IBM HTTP Server.

Additional Information: