Fix (APAR):  PI44793

Status:  Fix

Release:  8.0.0.11,8.0.0.10,8.0.0.9

Operating System:  AIX,HP-UX,Linux,Solaris,Windows

Supersedes Fixes:  

CMVC Defect:  xxxxxx

Byte size of APAR:  704231

Date: 2015-08-28

Abstract:  CVE-2015-4947 for IBM HTTP Server Administration Server

Description/symptom of problem:  
PI44793 resolves the following problem:

ERROR DESCRIPTION:
Vulnerability in the IBM HTTP Server Admin Server could allow
a denial of service or remote code execution attack from 
malicious authenticated requests.

LOCAL FIX:                                                      

PROBLEM SUMMARY:
Improper handling of user input by the IHS Admin Server can    
result in a stack-allocated buffer being overrun as a result   
of a malicious request.  This can only happen on an            
authenticated request.                                         

PROBLEM CONCLUSION:
The IHS Admin Server was updated to prevent the potential
buffer overflow condition.                               
                                                         
This fix is targeted for IBM HTTP Server fix packs:      
- 7.0.0.39                                               
- 8.0.0.12                                               
- 8.5.5.7                                                



Directions to apply fix:  
Special Instructions: None

NOTE: The user must:
* Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require
  a newer version of the Installation Manager and the Installation Manager will
  inform you during the installation process if a newer version is required.
* Be logged in with the same authority level when unpacking a fix, fix pack, or
  refresh pack.

The IBM Knowledge Center can provide details, if needed, on the use of the
Installation Manager to apply the interim fix:
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp.

1) Shutdown IBM HTTP Server
2) Apply the interim fix using Installation Manager
3) Restart IBM HTTP Server


Directions to remove fix:  
The IBM Knowledge Center can provide details, if needed, on the use of the
Installation Manager to remove the interim fix:
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp.

1) Shutdown IBM HTTP Server
2) Remove the interim fix using Installation Manager
3) Restart IBM HTTP Server


Directions to re-apply fix:  
1) Stop IBM HTTP Server.
2) Follow the directions to apply the fix.
3) Restart IBM HTTP Server.


Additional Information: