Abstract
A potential denial-of-service vulnerability can be
triggered by certain malformed Secure Sockets Layer (SSL) records, which cause
the IBM® Global Security Toolkit (GSKIT) component to fail and thereby
cause the application to terminate.
Content
IBM can confirm that we have identified a specific
reliability issue in all products that use the GSKIT component for
managing SSL (Secure Sockets Layer) communication, a key aspect of ensuring
that information sent across a network between two systems is protected
in transit.
GSKIT is not a separate product; rather, as part of the IBM
Componentization strategy, the reuse of common software benefits the
customer by introducing reliable capabilities across the IBM portfolio.
A customer raised awareness of a specific tool that was used to test
an earlier issue reported by CERT* that involved malforming (purposely
altering the steps and network data of) the SSL handshake. While the customer
provided this to help identify the known issue, internal test
teams found that the tool triggered a new issue on products that were not
affected by the original CERT issue.
In the case of this issue, when subjected to a very specific malformed
transmission, the IBM product will either have a serious performance
degradation, or will terminate. The termination of the application does
not introduce any further security concerns such as being able to access a
remote system.
All affected applications can be restarted without issue. Data loss
and data integrity issues have not been observed in testing.
*CERT Advisory referenced is CA-2003-26.
VERSIONS AFFECTED:
All IBM products that require IBM Global Security Toolkit (GSKIT) for SSL
run-time support are affected by this vulnerability. The following
versions of IBM HTTP Server are affected by this exposure:
- IBM HTTP Server 1.3.12.x (Uses IBM Global Security
Toolkit (GSKIT) versions prior to 4.0.3.345), released with IBM WebSphere
Application Server Version 3.5.x
- IBM HTTP Server 1.3.19.x (Uses IBM Global Security
Toolkit (GSKIT) versions prior to 5.0.5.92), released with IBM WebSphere
Application Server Version 4.0.x
- IBM HTTP Server 1.3.26.x on platforms other than Linux
for PowerPC (Uses IBM Global Security Toolkit (GSKIT) versions prior
to 5.0.5.92), released with IBM WebSphere Application Server Version
5.0.x
- IBM HTTP Server 1.3.26.x on Linux for PowerPC (Uses
IBM Global Security Toolkit (GSKIT) versions prior to 6.0.6.33), released
with IBM WebSphere Application Server Version 5.0.2
- IBM HTTP Server 1.3.28 (Uses IBM Global Security
Toolkit (GSKIT) versions prior to 7.0.1.16), released with IBM WebSphere
Application Server Version 5.1
- IBM HTTP Server 2.0.42.x on platforms other than Linux
for PowerPC (Uses IBM Global Security Toolkit (GSKIT) versions prior
to 5.0.5.92), released with IBM WebSphere Application Server Version 4.0.5
and later, IBM WebSphere Application Server Version 5.0.x
- IBM HTTP Server 2.0.42.x on Linux for PowerPC (Uses
IBM Global Security Toolkit (GSKIT) versions prior to 6.0.6.33), released
with IBM WebSphere Application Server Version 5.0.2
- IBM HTTP Server 2.0.47 (Uses IBM Global Security
Toolkit (GSKIT) versions prior to 7.0.1.16), released with IBM WebSphere
Application Server Version 5.1
The IBM Global Security Toolkit (GSKIT) version can be determined by
running gsk#ver, where the number sign (#) is the major version number
(currently 4, 5, 6, or 7) from a command prompt window. (See the
Documentation Update Location section for the products impacted, and the
Solutions section for details on how to obtain corrective fixes for this
specific issue.)
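The affected-version list above, turned into a local check (an added example, not IBM's code or tooling): the GSKIT fix levels are the ones the advisory lists, while the platform labels and the sample version strings are constructed assumptions. Compare dotted versions numerically, not as strings, or 4.0.3.345 will sort below 4.0.3.99.

```python
"""Decide whether an IHS install runs a GSKIT level below the advisory's fix level."""
from typing import Optional, Tuple

# (IHS release prefix, platform label or None for any platform) -> first fixed GSKIT level.
# Levels are those the advisory lists; a GSKIT build "prior to" the level is affected.
# The platform label "linux-ppc" is an assumption of this example.
FIXED_GSKIT = {
    ("1.3.12", None): "4.0.3.345",
    ("1.3.19", None): "5.0.5.92",
    ("1.3.26", "linux-ppc"): "6.0.6.33",
    ("1.3.26", None): "5.0.5.92",
    ("1.3.28", None): "7.0.1.16",
    ("2.0.42", "linux-ppc"): "6.0.6.33",
    ("2.0.42", None): "5.0.5.92",
    ("2.0.47", None): "7.0.1.16",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so components compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def fixed_level(ihs_version: str, platform: str) -> Optional[str]:
    """Return the fix level for an IHS release, preferring a platform-specific entry."""
    release = ".".join(ihs_version.strip().split(".")[:3])  # e.g. 1.3.12.7 -> 1.3.12
    return FIXED_GSKIT.get((release, platform)) or FIXED_GSKIT.get((release, None))


def is_affected(ihs_version: str, gskit_version: str, platform: str = "other") -> Optional[bool]:
    """True if affected, False if at or above the fix level, None if the release is not listed."""
    fixed = fixed_level(ihs_version, platform)
    if fixed is None:
        return None
    return parse_version(gskit_version) < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample inventory: (IHS version, GSKIT version as reported by gsk#ver, platform).
    inventory = [
        ("1.3.12.7", "4.0.3.99", "other"),
        ("1.3.26.1", "5.0.5.92", "linux-ppc"),
        ("2.0.47", "7.0.1.16", "other"),
    ]
    for ihs, gskit, plat in inventory:
        print(ihs, gskit, plat, "->", is_affected(ihs, gskit, plat))
```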
SOLUTIONS:
Fixes for IBM HTTP Server are available through APAR PQ86671 (for IBM
HTTP Server Versions 1.3.x) and APAR PQ85834 (for IBM HTTP Server Versions
2.0.x).
To download the fixes for IBM HTTP Server:
This security vulnerability has been tested and is not present in the IBM
Java Secure Sockets Extension (IBMJSSE) implementation.
DOCUMENTATION UPDATE LOCATION:
IBM HTTP Server Support webpage:
http://www.ibm.com/software/webservers/httpservers/support/
Cross Reference information
Segment | Product | Component | Platform | Version | Edition
Application Servers | IBM HTTP Server | SSL | Multi-Platform | 1.3.12, 1.3.12.1, 1.3.12.2, 1.3.12.3, 1.3.12.4, 1.3.12.5, 1.3.12.6, 1.3.12.7, 1.3.19, 1.3.19.1, 1.3.19.2, 1.3.19.3, 1.3.19.4, 1.3.19.5, 1.3.26, 1.3.26.1, 1.3.26.2, 1.3.28, 2.0.42, 2.0.42.1, 2.0.42.2, 2.0.47 | Edition Independent
Application Servers | Runtimes for Java Technology | Java SDK