Kisco Systems

Kisco U

Finding Security Fixes for Apache on IBM i

Home : Kisco U : Finding Security Fixes for Apache on IBM i

Contributed by our partners at Seiden Group

The Apache-based IBM HTTP Server for i is a vital defense in web and API security for IBM i. As such, it requires regular attention.

IBM Support’s PCI Compliance web page is a resource we use to help our clients protect their systems.

Even if your organization does not process, store, or transmit credit card information, applying the PTFs recommended for PCI compliance constitutes a general best practice for IBM i web and API security.

As we’ve begun helping more clients with Apache security, we recommend PTFs to protect them from vulnerabilities, starting with those rated “important” by the National Vulnerability Database (NVD), including these examples:

HTTP Request Smuggling

HTTP Request Smuggling is a technique that can let a bad actor bypass security controls, gain access to sensitive data, and compromise other application users. One particular bug that may allow Request Smuggling has been described by the NVD as “Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body,” creating the possibility of exploitation.

IBM offers PTF fixes for IBM i 7.5, 7.4, 7.3, and 7.2.

Specially Crafted HTTP/2 Request Causes Crash

Several vulnerabilities have been fixed that relate to handling HTTP/2 requests, including:

“A specially crafted value for the ‘Cache-Digest’ header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via “H2Push off” will mitigate this vulnerability for unpatched servers.”

IBM offers PTF fixes for IBM i 7.4 and 7.3. The issues were already remediated in IBM i 7.5, another smart reason to stay current with system releases.

Malicious Request Headers Cause Errors

“The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.”

IBM offers PTF fixes for IBM i 7.3 and 7.2. The issues were already remediated in IBM i 7.4 and higher.

Stay Safe Out There

The landscape for web server and API security evolves quickly. While high-risk vulnerabilities like these happen infrequently, it’s important to schedule regular security check-ups for your web server to remain protected. Traditional IBM i security is not enough.

Many thanks to Seiden Group for contributing this article. Seiden Group specializes in innovative, reliable software solutions using IBM i, Db2, Node.js, PHP, Python, RPG, and APIs. They assist CIOs, IT Directors and IBM i teams in all phases of modern development and keep everyone productive with unparalleled performance and trouble-shooting services.