Possible Denial of Service with some versions of IBM WebSphere Edge Server component Caching Proxy when using JunctionRewrite with UseCookie directive (PQ91084 and IY58670 and Fix Pack 5.1.1)
 Flash (Alert)
Abstract
A Possible Denial of Service (DoS) vulnerability in the IBM® WebSphere® Edge Server Caching Proxy component when using JunctionRewrite with UseCookie is resolved with the following: PQ91084 and IY58670 and Fix Pack 5.1.1
Content
Several IBM WebSphere Edge Server component Caching Proxy versions contain a possible Denial of Service (DoS) vulnerability when using JunctionRewrite with the UseCookie directive enabled.
The Caching Proxy component fails to handle incomplete "GET" requests when the JunctionRewrite and UseCookie directives are active. Successful exploitation may cause a Denial of Service condition.

LOCAL FIX:
Any valid HTTP request, which must include a URL, an optional HTTP version and other HTTP headers, will not trigger this vulnerability. If you are using the JunctionRewrite plug-in with the directive JunctionRewrite On, the vulnerability will not be triggered.

Instead of the UseCookie option for the JunctionRewrite directive, use the Junction plug-in, by setting the JunctionRewrite On directive and the 2 junction rewrite plug-in entries, to avoid this Denial of Service condition.

These APAR fixes resolve the vulnerability in the junction rewrite module. After applying the fix, an error page will be returned when an attempt to exploit this vulnerability is made, and the connection between the client and the proxy will be closed.
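The request-line check that the fixed behaviour above implies, written as an added illustration (not IBM's code, and not the Caching Proxy's own parser): any request line carrying a URL and an optional HTTP version passes, while an incomplete line such as "GET" alone gets an error page and a closed connection before any rewrite logic runs. The error page body and the function names are assumptions for the example.

```python
"""Request-line check in the spirit of the APAR fix (constructed example).

An HTTP request line is  METHOD SP request-target [SP HTTP-version] CRLF.
The advisory states that any request carrying a URL, an optional HTTP
version and headers is handled normally; only an incomplete request line
(for example "GET" on its own) reached the junction rewrite code. The fixed
proxy answers such a request with an error page and closes the connection.
"""
import re

VERSION_RE = re.compile(rb"^HTTP/\d\.\d$")
# Hypothetical error page; the advisory does not document the proxy's own.
ERROR_BODY = b"<html><body><h1>400 Bad Request</h1></body></html>"


def validate_request_line(line: bytes):
    """Return (ok, reason) for one request line without its CRLF."""
    parts = line.split()                      # tolerate repeated whitespace
    if len(parts) < 2:
        return False, "missing method or request-target"
    if len(parts) == 3 and not VERSION_RE.match(parts[2]):
        return False, "malformed HTTP version"
    if len(parts) > 3:
        return False, "too many tokens in request line"
    return True, ""


def error_response() -> bytes:
    """Error page with Connection: close, as the fixed proxy returns."""
    return (b"HTTP/1.1 400 Bad Request\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Length: %d\r\n" % len(ERROR_BODY) +
            b"Connection: close\r\n\r\n" + ERROR_BODY)


def handle_request(raw: bytes):
    """Validate the request line before any rewrite logic runs.

    Returns (ok, response, close_connection, reason). A well-formed line
    yields (True, None, False, "") and would be passed on to the rewrite
    module; an incomplete one yields the error page and a close flag.
    """
    head, _sep, _rest = raw.partition(b"\r\n")
    ok, reason = validate_request_line(head)
    if not ok:
        return False, error_response(), True, reason
    return True, None, False, ""
```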

VERSIONS AFFECTED:
The following products and versions are affected:
  • Caching Proxy Versions 4.0.2 through 4.0.2.45: Released with IBM Edge Server Version 2.0 products (APAR IY58670)
  • Caching Proxy Versions 5.0.0.2 through 5.0.2.20: Released with IBM WebSphere Application Server Version 5.0 with IBM Edge Server Fix Pack 2, and IBM WebSphere Application Server Version 5.0.1, and 5.0.2 products (APAR PQ91084)
  • Caching Proxy Versions 5.1 through 5.1.0.7: Released with the IBM WebSphere Application Server Version 5.1 product (Fix Pack 5.1.1)

This caching proxy issue is resolved in IBM WebSphere Application Server Versions 5.1.0.8 or later, or Versions 5.1.1 or later. Additionally, the IBM WebSphere Edge Server Versions 2.0.46 or later are not affected by this vulnerability.

Versions Affected Additional Note: If the proxy server is installed on Linux®, the version reported by rpm will be one greater than the interim fix level, for example: if rpm reports "WSES_*4.0.2-46", your interim fix level is actually 4.0.2.45 and, therefore, you will still need to upgrade to WSES_*4.0.2-47, which corresponds to interim fix level 4.0.2.46, to get the vulnerability addressed.


SOLUTIONS:
Fixes are available for the Caching Proxy in the IBM Edge Server Version 2.0 products and the IBM WebSphere Application Server Versions 5.0, and 5.1 products.

Select the applicable version and download and apply the APAR fix:
  • Caching Proxy Versions 4.0.2.0 through 4.0.2.45, released with IBM Edge Server Version 2.0 products, via APAR IY58670
  • Caching Proxy Versions 5.0.0.2 through 5.0.2.20, released with IBM WebSphere Application Server Version 5.0 with IBM Edge Server Fix Pack 2, and IBM WebSphere Application Server Version 5.0.1 and 5.0.2 products, via APAR PQ91084
  • Caching Proxy Versions 5.1.0.0 through 5.1.0.7, released with the IBM WebSphere Application Server Version 5.1 product: upgrade to Fix Pack 5.1.1.
    • You may choose to upgrade only the Caching Proxy components of the Fix Pack, if you wish.

For additional information:
The Secunia Stay Secure Website published an alert at:
http://secunia.com/advisories/12013/CERT
Cross Reference information
Segment             | Product                      | Component     | Platform       | Version           | Edition
Application Servers | WebSphere Edge Server        | Caching Proxy | Multi-Platform | Edge Server 2.0.x | Edition Independent
Application Servers | Runtimes for Java Technology | Java SDK      |                |                   |
Document Information
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Edge Component
Operating system(s): Windows
Software version: 5.1.0.5
Software edition:
Reference #: 1174183
IBM Group: Software Group
Modified date: Aug 16, 2004