Apache HTTP Server is supported on IBM i. IBM i has addressed the applicable CVEs.
CVEID:CVE-2020-9490
**DESCRIPTION:**Apache HTTP Server is vulnerable to a denial of service, caused by a flaw when the server tries to HTTP/2 PUSH a resource afterwards. By using a specially-crafted value for the “Cache-Digest” header, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186404 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2020-11993
**DESCRIPTION:**Apache HTTP Server is vulnerable to a denial of service, caused by a flaw when trace/debug enabled for the HTTP/2 module and on certain traffic edge patterns. By sending a specially-crafted HTTP/2 Header, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186405 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2020-11985
**DESCRIPTION:**Apache HTTP Server could allow a remote attacker to conduct spoofing attacks, caused by a flaw when using proxying with mod_remoteip and certain mod_rewrite rules. By sending a specially-crafted request, an attacker could exploit this vulnerability to spoof IP address for logging and PHP scripts. Note: This vulnerability was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186403 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM i | 7.4 |
IBM i | 7.3 |
IBM i | 7.2 |
The issue can be fixed by applying a PTF to IBM i.
Releases 7.4, 7.3, and 7.2 of IBM i are supported and will be fixed.
The IBM i PTF numbers containing the fix for the CVEs follow. Future Group PTFs for HTTP Server will also contain the fixes for this CVE.
Release 7.4 - SI74088
Release 7.3 - SI74074 and SI74087
Release 7.2 - SI74073
<https://www-945.ibm.com/support/fixcentral/>
_Important note: _IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.
None