Possible security exposure with IBM HTTP Server regarding a denial-of-service attack at the SSL record/protocol layer
 Flash (Alert)
 
Abstract
A potential denial-of-service vulnerability can be triggered by certain malformed Secure Sockets Layer (SSL) records, causing the IBM® Global Security Toolkit (GSKIT) component to fail and thereby causing the application to terminate.
 
Content
IBM can confirm that we have identified a specific reliability issue in all products that use the GSKIT component for managing SSL (Secure Socket Layer) communication, a key aspect of ensuring that information sent across a network between two systems is provided in a secure fashion.

GSKIT is not a separate product; rather, as part of the IBM Componentization strategy, the reuse of common software benefits the customer by introducing reliable capabilities across the IBM portfolio.

A customer raised awareness of a specific tool that had been used to test an earlier issue reported by CERT* involving malforming (purposely altering the steps and network data of) the SSL handshake. While the customer provided the tool to help identify that known issue, internal test teams found that it also introduced a new issue on products that were not affected by the original CERT issue.

When subjected to a very specific malformed transmission, the affected IBM product will either suffer serious performance degradation or terminate. The termination of the application does not introduce any further security concerns, such as the ability to access a remote system.

All affected applications can be restarted without issue. No data loss or data integrity problems have been observed in testing.

*CERT Advisory referenced is CA-2003-26.

VERSIONS AFFECTED:
All IBM products that require IBM Global Security Toolkit (GSKIT) for SSL run-time support are affected by this vulnerability. The following versions of IBM HTTP Server are affected by this exposure:
  • IBM HTTP Server 1.3.12.x (Uses IBM Global Security Toolkit (GSKIT) versions prior to 4.0.3.345), released with IBM WebSphere Application Server Version 3.5.x
  • IBM HTTP Server 1.3.19.x (Uses IBM Global Security Toolkit (GSKIT) versions prior to 5.0.5.92), released with IBM WebSphere Application Server Version 4.0.x
  • IBM HTTP Server 1.3.26.x on platforms other than Linux for PowerPC (Uses IBM Global Security Toolkit (GSKIT) versions prior to 5.0.5.92), released with IBM WebSphere Application Server Version 5.0.x
  • IBM HTTP Server 1.3.26.x on Linux for PowerPC (Uses IBM Global Security Toolkit (GSKIT) versions prior to 6.0.6.33), released with IBM WebSphere Application Server Version 5.0.2
  • IBM HTTP Server 1.3.28 (Uses IBM Global Security Toolkit (GSKIT) versions prior to 7.0.1.16), released with IBM WebSphere Application Server Version 5.1
  • IBM HTTP Server 2.0.42.x on platforms other than Linux for PowerPC (Uses IBM Global Security Toolkit (GSKIT) versions prior to 5.0.5.92), released with IBM WebSphere Application Server Version 4.0.5 and later, IBM WebSphere Application Server Version 5.0.x
  • IBM HTTP Server 2.0.42.x on Linux for PowerPC (Uses IBM Global Security Toolkit (GSKIT) versions prior to 6.0.6.33), released with IBM WebSphere Application Server Version 5.0.2
  • IBM HTTP Server 2.0.47 (Uses IBM Global Security Toolkit (GSKIT) versions prior to 7.0.1.16), released with IBM WebSphere Application Server Version 5.1

The IBM Global Security Toolkit (GSKIT) version can be determined by running gsk#ver from a command prompt window, where the number sign (#) is the major version number (currently 4, 5, 6, or 7). (See the Documentation Update Location section for the products impacted, and the Solutions section for details on how to obtain corrective fixes for this specific issue.)
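As an added example (not part of this IBM Flash), the following script runs gsk#ver for each major version, extracts the installed GSKIT level and compares it with the fixed levels listed above. It assumes the gsk#ver output contains the level as a four-part dotted number; the Flash does not describe the output format.

```python
import re
import subprocess

# Fixed GSKIT level per major version, taken from the affected-version list in
# this Flash ("versions prior to" these levels are affected).
FIXED_LEVELS = {
    4: (4, 0, 3, 345),
    5: (5, 0, 5, 92),
    6: (6, 0, 6, 33),
    7: (7, 0, 1, 16),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part dotted version in text as a tuple of ints.

    Assumption: gsk#ver prints the GSKIT level as a four-part dotted number;
    nothing else in its output is relied on."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError("no four-part version found in: %r" % text)
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True when the level is below the fixed level for its major version.

    Majors not listed in the Flash are reported as not affected."""
    fixed = FIXED_LEVELS.get(version[0])
    if fixed is None:
        return False
    return version < fixed  # tuple comparison handles each component in order


def check_installed(major):
    """Run gsk<major>ver (the command named in the Flash) and classify it.

    Returns (version_tuple, affected), or None when that tool is not installed."""
    try:
        proc = subprocess.run(["gsk%dver" % major], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    version = parse_version(proc.stdout)
    return version, is_affected(version)


if __name__ == "__main__":
    for major in sorted(FIXED_LEVELS):
        result = check_installed(major)
        if result is not None:
            version, affected = result
            print("gsk%dver: %s -> %s" % (major, ".".join(map(str, version)),
                                          "AFFECTED" if affected else "fixed"))
```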

SOLUTIONS:

Fixes for IBM HTTP Server are available through APAR PQ86671 (for IBM HTTP Server Versions 1.3.x) and APAR PQ85834 (for IBM HTTP Server Versions 2.0.x).
To download the fixes for IBM HTTP Server:
Testing has confirmed that this vulnerability is not present in the IBM Java Secure Sockets Extension (IBMJSSE) implementation.

DOCUMENTATION UPDATE LOCATION:

IBM HTTP Server Support webpage:

http://www.ibm.com/software/webservers/httpservers/support/

Cross Reference information
Segment | Product | Component | Platform | Version | Edition
Application Servers | IBM HTTP Server | SSL | Multi-Platform | 1.3.12, 1.3.12.1, 1.3.12.2, 1.3.12.3, 1.3.12.4, 1.3.12.5, 1.3.12.6, 1.3.12.7, 1.3.19, 1.3.19.1, 1.3.19.2, 1.3.19.3, 1.3.19.4, 1.3.19.5, 1.3.26, 1.3.26.1, 1.3.26.2, 1.3.28, 2.0.42, 2.0.42.1, 2.0.42.2, 2.0.47 | Edition Independent
Application Servers | Runtimes for Java Technology | Java SDK | | |


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > IBM HTTP Server
Operating system(s): Windows
Software version: 6.0
Software edition:
Reference #: 1165486
IBM Group: Software Group
Modified date: Apr 7, 2004