Fix (APAR):  PH50316

Status:  Fix

Release:  9.0.5.13,9.0.5.12

Operating System:  AIX,HP-UX,Linux,Solaris,Windows,z/OS

Supersedes Fixes:  PH49572 PH46897

CMVC Defect:  xxxxxx

Byte size of APAR:  44643319

Date: 2022-11-10

Abstract:  IBM HTTP Server is vulnerable to denial of service due to libexpat (CVE-2022-43680 CVSS 7.5, CVE-2013-0340 CVSS 4.3, CVE-2017-9233 CVSS 5.3)

Description/symptom of problem:  

PH50316 resolves the following problem:

ERROR DESCRIPTION:
IBM HTTP Server is vulnerable to denial of service due to libexpat (CVE-2022-43680 CVSS 7.5, CVE-2013-0340 CVSS 4.3, CVE-2017-9233 CVSS 5.3) 

PROBLEM CONCLUSION:
Confidential for CVE-2022-43680, CVE-2013-0340, CVE-2017-9233




Directions to apply fix:  
Special Instructions: None

NOTE: The user must:
* Be at V1.8.5 or newer of the Installation Manager. Certain iFixes may require
  a newer version of the Installation Manager and the Installation Manager will
  inform you during the installation process if a newer version is required.
* Be logged in with the same authority level when unpacking a fix, fix pack, or
  refresh pack.

The IBM Information Center can provide details, if needed, on the use of the
Installation Manager to apply the interim fix:
http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html.

1) Shutdown IBM HTTP Server
2) Apply the interim fix using Installation Manager
3) Restart IBM HTTP Server




Directions to remove fix:  
The IBM Information Center can provide details, if needed, on the use of the
Installation Manager to remove the interim fix:
http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html.

1) Shutdown IBM HTTP Server
2) Remove the interim fix using Installation Manager
3) Restart IBM HTTP Server




Directions to re-apply fix:  
1) Stop IBM HTTP Server.
2) Follow the directions to apply the fix.
3) Restart IBM HTTP Server.




Additional Information: