Fix (APAR): PH53014
Status: Fix
Release: 9.0.5.15
Operating System: AIX,Linux,Windows
Supersedes Fixes: PH52860
CMVC Defect: xxxxxx
Byte size of APAR: 187689799
Date: 2023-03-29

Abstract: IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690 CVSS 6.1)

Description/symptom of problem:
PH53014 resolves the following problem:

ERROR DESCRIPTION:
Confidential for Security Integrity interim fix
CVE-2023-25690

Directions to apply fix:
1) Stop IBM HTTP Server. AIX Only: run "slibclean" as root.
2) Back up your IBM HTTP Server installation directory.
3) Extract this interim fix with your IBM HTTP Server installation as your working directory.
4) Post-installation script requirements:
   - **Windows only:** Run `postinstall.bat` from the server root, passing no arguments.
   - **AIX and Linux:** After an upgrade, running `apachectl start` causes `postinstall.sh` to be re-run automatically. Run `./postinstall.sh` manually if other scripts (such as gskcapicmd) within the IHS/bin/ directory need to be used **prior** to the next `apachectl start`.
5) Start IBM HTTP Server.

Directions to remove fix:
1) Stop IBM HTTP Server. AIX Only: run "slibclean" as root.
2) Restore the earlier IBM HTTP Server installation root from backup, or extract a previous maintenance level archive install on top of the current installation.
3) Start IBM HTTP Server.

Directions to re-apply fix:
1) Stop IBM HTTP Server.
2) Follow the directions to apply the fix.
3) Restart IBM HTTP Server.

Additional Information:
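The AIX and Linux apply directions above, scripted as a fail-fast sequence; this is an added example, not part of the IBM readme or shipped with the fix. It assumes the interim fix is a zip archive, that `tar` and `unzip` are installed, and that the server is controlled through `bin/apachectl`; the function name `apply_ihs_fix`, its arguments and the `DRY_RUN` switch are hypothetical.

```shell
# Added example (not from the readme). Assumptions: zip archive, tar/unzip
# available, server controlled via bin/apachectl.
# Set DRY_RUN=1 to print each command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

apply_ihs_fix() {
    ihs_root=$1; fix_zip=$2; backup=$3
    os=${4:-$(uname -s)}          # "AIX" enables the slibclean step
    start=${5:-yes}               # "no" leaves the server stopped

    if [ -z "$ihs_root" ] || [ -z "$fix_zip" ] || [ -z "$backup" ]; then
        echo "usage: apply_ihs_fix IHS_ROOT FIX_ZIP BACKUP_TAR [OS] [yes|no]" >&2
        return 2
    fi
    # A backup written inside the tree would be archived into itself.
    case $backup in
        "$ihs_root"/*) echo "backup must be outside $ihs_root" >&2; return 2 ;;
    esac

    # 1) Stop IHS; on AIX, slibclean (as root) unloads cached shared libraries.
    run "$ihs_root/bin/apachectl" stop || return 1
    if [ "$os" = AIX ]; then run slibclean || return 1; fi

    # 2) Back up first; a failed backup aborts before any file is replaced.
    run tar -cf "$backup" -C "$ihs_root" . || return 1

    # 3) Extract into the installation directory (same as using it as cwd).
    run unzip -o "$fix_zip" -d "$ihs_root" || return 1

    # 4/5) apachectl start re-runs postinstall.sh itself; run it by hand only
    #      when bin/ tools are needed before the next start.
    if [ "$start" = yes ]; then
        run "$ihs_root/bin/apachectl" start
    else
        run sh -c 'cd "$1" && ./postinstall.sh' sh "$ihs_root"
    fi
}
```

Run it once with `DRY_RUN=1` to review the exact commands for your paths before executing them against a production installation.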