PM80058: Potential exposure in several IBM HTTP Server optional modules

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • This APAR resolves IHS vulnerabilities in several optional
    modules.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of IBM HTTP Server that use the       *
    *                  optional mod_info, mod_ldap, mod_status,    *
    *                  mod_imagemap, mod_proxy_ftp, or             *
    *                  mod_proxy_balancer modules.                 *
    ****************************************************************
    * PROBLEM DESCRIPTION: XSS flaws due to unescaped hostnames    *
    *                      and URIs HTML output in several         *
    *                      optional IHS modules.                   *
    ****************************************************************
    * RECOMMENDATION:  Apply the fix.                              *
    ****************************************************************
    Cross-site scripting vulnerabilities:
    - CVE-2012-3499
    - CVE-2012-4558
    

Problem conclusion

  • The affected modules were updated to resolve the exposures.
    
    This fix is targeted for IBM HTTP Server fixpacks:
     - 6.1.0.47
     - 7.0.0.29
     - 8.0.0.6
     - 8.5.0.2
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM80058

  • Reported component name

    IBM HTTP SERVER

  • Reported component ID

    5724J0801

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-01-07

  • Closed date

    2013-02-19

  • Last modified date

    2013-02-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels

  • R61A PSY

       UP

  • R61H PSY

       UP

  • R61I PSY

       UP

  • R61P PSY

       UP

  • R61S PSY

       UP

  • R61W PSY

       UP

  • R61Z PSY

       UP

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

IBM HTTP Server
Runtime

Software version:

8.5

Reference #:

PM80058

Modified date:

2013-02-19

Translate my page

Machine Translation

Content navigation