How is IBM® HTTP Server (IHS) related to OpenSSL?
On Apache HTTP Server, SSL functionality is provided by the module "mod_ssl", which is part of OpenSSL. Although IBM HTTP Server is based on Apache, it does not use "mod_ssl" for SSL. Instead, it ships its own GSKit implementation, which interfaces with a module named "mod_ibm_ssl".
Furthermore, OpenSSL (mod_ssl) is not supported as a module within the IBM HTTP Server.
Vulnerabilities which are reported against OpenSSL do not apply to the IBM HTTP Server.
For any relevant security issues with IHS, users are encouraged to apply the latest IBM HTTP Server fix pack level to ensure the web server is patched with the latest security fixes.
Display of included vulnerability fixes
The -V option of the httpd.exe command (Windows®) or the apachectl command (UNIX® and Linux®) lists the CVE IDs of the vulnerability fixes included in the installed level. Example:
/IHS70/bin # ./apachectl -V
Server version: IBM_HTTP_Server/18.104.22.168 (Unix)
Apache version: 2.2.8 (with additional fixes)
Server built: Sep 10 2013 11:42:42
Build level: IHS70/webIHS1336.01
Server's Module Magic Number: 20051115:21
Server loaded: APR 1.2.12, APR-Util 1.2.12
Compiled using: APR 1.2.12, APR-Util 1.2.12
Server MPM: Worker
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
Apache vulnerability fixes included:
CVE-2005-3352 CVE-2005-3357 CVE-2006-3918 CVE-2006-3747
CVE-2007-4465 CVE-2007-1862 CVE-2006-5752 CVE-2007-3304
CVE-2007-1863 CVE-2007-3847 CVE-2008-0005 CVE-2007-5000
CVE-2007-6388 CVE-2007-6422 CVE-2007-6421 CVE-2006-7225
CVE-2007-6420 CVE-2008-2364 CVE-2008-2939 CVE-2009-1195
CVE-2009-1955 CVE-2009-0023 CVE-2009-1956 CVE-2009-1890
CVE-2009-1891 CVE-2009-2412 CVE-2009-1191 CVE-2009-3094
CVE-2009-3095 CVE-2009-3555 CVE-2010-0408 CVE-2010-0434
CVE-2010-1452 CVE-2010-1623 CVE-2009-3560 CVE-2009-3720
CVE-2011-0419 CVE-2011-1928 CVE-2011-3192 CVE-2011-3348
CVE-2011-3368 CVE-2011-3639 CVE-2011-4317 CVE-2011-3607
CVE-2012-0717 CVE-2012-0031 CVE-2012-0053 CVE-2012-0883
CVE-2012-2190 CVE-2012-2191 CVE-2012-2687 CVE-2012-4558
CVE-2012-3499 CVE-2012-4557 CVE-2013-0169 CVE-2013-1862
This list does not necessarily include vulnerabilities which do not apply to IBM HTTP Server on any platform, such as mod_ssl vulnerabilities. It does not necessarily include vulnerabilities already fixed in the base level of Apache included in IBM HTTP Server.
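The -V output above can be checked for specific CVE IDs from a script. The following is an added example, not IBM's code: the function names are hypothetical, the sample output is a shortened, constructed copy of the listing above, and CVE-9999-0001 is a constructed placeholder ID.

```shell
#!/bin/sh
# Print the CVE IDs that follow the "vulnerability fixes included:" header,
# one per line. IDs appearing anywhere else in the output are ignored.
ihs_listed_cves() {
    awk '
        /vulnerability fixes included:/ { in_list = 1; next }
        in_list {
            n = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^CVE-[0-9][0-9][0-9][0-9]-[0-9]+$/) { print $i; n++ }
            if (n == 0) in_list = 0   # first line without a CVE ID ends the list
        }'
}

# Usage: apachectl -V | ihs_check_cves CVE-... [CVE-...]
# Prints "<id> listed" or "<id> not-listed" for each ID. Returns 1 if any ID
# is not listed, 2 if the input contained no fix list at all.
ihs_check_cves() {
    listed=$(ihs_listed_cves)
    [ -n "$listed" ] || { echo "no fix list found in input" >&2; return 2; }
    rc=0
    for id in "$@"; do
        if printf '%s\n' "$listed" | grep -qxF "$id"; then
            echo "$id listed"
        else
            echo "$id not-listed"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample, shortened from the apachectl -V output shown above.
sample_output() {
    cat <<'EOF'
Server MPM: Worker
Server compiled with....
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
Apache vulnerability fixes included:
CVE-2005-3352 CVE-2005-3357 CVE-2006-3918 CVE-2006-3747
CVE-2012-3499 CVE-2012-4557 CVE-2013-0169 CVE-2013-1862
This list does not necessarily include ...
EOF
}

# CVE-9999-0001 is a constructed placeholder used to show the not-listed case.
sample_output | ihs_check_cves CVE-2013-1862 CVE-9999-0001 || true
```

A "not-listed" result only means the ID is absent from this output. As noted above, fixes already in the base Apache level and vulnerabilities that do not apply to IBM HTTP Server are not necessarily listed.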