Abstract
A possible Denial of Service (DoS) vulnerability in the
IBM® WebSphere® Edge Server Caching Proxy component, triggered when
JunctionRewrite is used with UseCookie, is resolved by APARs PQ91084 and
IY58670 and by Fix Pack 5.1.1.
Content
Several versions of the Caching Proxy component of IBM WebSphere Edge Server
contain a possible Denial of Service (DoS) vulnerability when
JunctionRewrite is used with the UseCookie directive enabled.
The Caching Proxy component fails to handle incomplete "GET" requests
when the JunctionRewrite and UseCookie directives are
active. Successful exploitation may cause a Denial of Service condition.
LOCAL FIX:
A valid HTTP request, which must include a URL, optionally followed by the
HTTP version and other HTTP headers, will not trigger this vulnerability. If
you are using the JunctionRewrite plug-in with the directive JunctionRewrite
On, the vulnerability will not be triggered.
To avoid this Denial of Service condition, use the junction rewrite plug-in
instead of the UseCookie option of the JunctionRewrite directive: set the
JunctionRewrite On directive and add the two junction rewrite plug-in
entries.
These APAR fixes resolve the vulnerability in the junction rewrite module.
After applying the fix, an error page is returned when an attempt to
exploit this vulnerability is made, and the connection between the client
and the proxy is closed.
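As an added illustration that is not part of IBM's advisory or of the Caching Proxy's code, the following Python request-line check models the post-fix behaviour described above: an incomplete GET request (a method with no URL, or a malformed version) is answered with an error status and the connection is marked for closing, while a complete request is passed on for junction rewriting. The `Decision` type, `check_request` and `reject` are names assumed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed for this illustration: not IBM's code and not the Caching
# Proxy's real parser. It only models the behaviour the advisory describes.
VERSION_RE = re.compile(r"^HTTP/\d+\.\d+$")


@dataclass
class Decision:
    accepted: bool               # True: hand the request on to junction rewriting
    error_status: Optional[int]  # status of the error page when rejected
    close: bool                  # close the client connection after answering
    target: Optional[str]        # request URL to forward, None when rejected


def reject() -> Decision:
    # Post-fix behaviour from the advisory: return an error page, then close.
    return Decision(False, 400, True, None)


def check_request(raw: bytes) -> Decision:
    """Validate the request line before any junction-rewrite processing."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    try:
        parts = request_line.decode("ascii").split()
    except UnicodeDecodeError:
        return reject()
    # A request line needs a method and a URL; the HTTP version is optional.
    if len(parts) < 2 or len(parts) > 3:
        return reject()
    method, target = parts[0], parts[1]
    if not (method.isalpha() and method.isupper()):
        return reject()
    if not (target.startswith("/") or target.startswith("http://")):
        return reject()
    if len(parts) == 3 and not VERSION_RE.match(parts[2]):
        return reject()
    return Decision(True, None, False, target)
```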
VERSIONS AFFECTED:
The following products and versions are affected:
- Caching Proxy Versions 4.0.2 through 4.0.2.45: released
with IBM Edge Server Version 2.0 products (APAR IY58670)
- Caching Proxy Versions 5.0.0.2 through 5.0.2.20: released
with IBM WebSphere Application Server Version 5.0 with IBM Edge Server Fix
Pack 2, and IBM WebSphere Application Server Versions 5.0.1 and 5.0.2
products (APAR PQ91084)
- Caching Proxy Versions 5.1 through 5.1.0.7: released with
the IBM WebSphere Application Server Version 5.1 product (Fix Pack
5.1.1)
This caching proxy issue is resolved in IBM WebSphere Application Server
Versions 5.1.0.8 or later, or Versions 5.1.1 or later. Additionally, the
IBM WebSphere Edge Server Versions 2.0.46 or later are not affected by
this vulnerability.
Additional note on affected versions: If the proxy server is
installed on Linux®, the version reported by the rpm is one greater than the
interim fix level. For example, if the rpm reports
"WSES_*4.0.2-46", your interim fix level is actually 4.0.2.45, so
you still need to upgrade to WSES_*4.0.2-47, which corresponds to interim
fix level 4.0.2.46, to have the vulnerability addressed.
SOLUTIONS:
Fixes are available for the Caching Proxy in the IBM Edge Server Version
2.0 products and the IBM WebSphere Application Server Versions 5.0, and
5.1 products.
Select the applicable version and download and apply the APAR fix:
- Caching Proxy Versions 4.0.2.0 through 4.0.2.45, released
with IBM Edge Server Version 2.0 products, via APAR IY58670
- Caching Proxy Versions 5.0.0.2 through 5.0.2.20, released
with IBM WebSphere Application Server Version 5.0 with IBM Edge Server Fix
Pack 2, and IBM WebSphere Application Server Version 5.0.1 and 5.0.2
products, via APAR PQ91084
- Caching Proxy Versions 5.1.0.0 through 5.1.0.7, released
with the IBM WebSphere Application Server Version 5.1 product: upgrade to Fix Pack 5.1.1.
- You may choose to upgrade only the Caching Proxy
components of the Fix Pack.
For additional information:
The Secunia Stay Secure website published an alert at:
http://secunia.com/advisories/12013/
Cross Reference information

Segment             | Product                      | Component     | Platform       | Version           | Edition
Application Servers | WebSphere Edge Server        | Caching Proxy | Multi-Platform | Edge Server 2.0.x | Edition Independent
Application Servers | Runtimes for Java Technology | Java SDK      |                |                   |