PQ74644: CAN-2003-0189 and CAN-2003-0245 exposures

APAR status
Closed as fixed if next.

Error description
CAN-2003-0245 is a published vulnerability that is covered by
this APAR.  This vulnerability allows a remote attacker to cause
an IHS child process to crash.  It is possible only if WebDAV is
enabled and publicly accessible.  All IHS 2.0.42.x platforms
are affected.  The vulnerability does not lead to an information
leak.  The recommended work-around prior to an available fix is
to not enable WebDAV over the public network.
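
One way to audit a configuration against the WebDAV work-around above, added here as an example and not IBM's code: it lists each container that enables DAV and flags those without `Deny from all`. The sample configuration is constructed, and treating `Deny from all` in the same container as the marker of a restricted section is an assumption of this sketch.

```python
import re

# Constructed sample in Apache 2.0 syntax; not taken from any real server.
SAMPLE_CONF = """\
LoadModule dav_module modules/mod_dav.so
<Location /public-share>
    Dav On
</Location>
<Location /internal-share>
    Dav On
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
</Location>
"""

OPEN = re.compile(r"^<(\w+)\s+(.*?)>$")
CLOSE = re.compile(r"^</\w+>$")

def find_dav_sections(conf_text):
    """Return [(section, restricted)] for each container that enables DAV.
    Heuristic: restricted means the container also holds 'Deny from all'."""
    stack, results = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            name = "<%s %s>" % (opened.group(1), opened.group(2).strip())
            stack.append({"name": name, "dav": False, "deny_all": False})
        elif CLOSE.match(line):
            if stack:
                sec = stack.pop()
                if sec["dav"]:
                    results.append((sec["name"], sec["deny_all"]))
        elif stack:
            words = line.lower().split()
            if words[0] == "dav" and words[1:2] != ["off"]:
                stack[-1]["dav"] = True   # "Dav On" or a provider name
            elif words[:3] == ["deny", "from", "all"]:
                stack[-1]["deny_all"] = True
    return results

if __name__ == "__main__":
    for section, restricted in find_dav_sections(SAMPLE_CONF):
        print(section, "restricted" if restricted else "REVIEW: no Deny from all")
```

A section reported for review is not necessarily reachable from the public network; the check only narrows down which containers to inspect by hand.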

CAN-2003-0189 is a published vulnerability that is covered by
this APAR.  This vulnerability allows a remote attacker to cause
a denial of service with basic authentication.  Depending on the
OS, the denial of service can be intermittent or can last until
IHS is restarted.  The affected IHS platforms are Linux and AIX.

Local fix
None available

Problem summary
Problems in libapr resulted in non-thread-safe
crypt() usage on Linux and AIX, and possible segfault in
memory management (triggerable via mod_dav).

Problem conclusion

Temporary fix
PQ85834 cumulative e-fix has this resolved

Comments

APAR information
APAR number: PQ74644
Reported component name: WAS BASE 5.0
Reported component ID: 5630A3600
Reported release: 00S
Status: CLOSED FIN
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2003-05-29
Closed date: 2004-05-13
Last modified date: 2004-05-13

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
LIBAPR          

Publications Referenced

Fix information
Fixed component name: WAS HTTP SERVER
Fixed component ID: 5630A3603

Applicable component levels
R00A PSN    UP
R00H PSN    UP
R003 PSN    UP
R00I PSN    UP
R00S PSN    UP
R00W PSN    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > IBM HTTP Server > Runtime
Operating system(s):
Software version: 00S
Software edition:
Reference #: PQ74644
IBM Group: Software Group
Modified date: May 13, 2004