Potential denial of service exposure through memory exhaustion and buffer overflow for all current versions of IBM HTTP Server based on Apache HTTP Server Version 2.0 (PQ90698 and PQ85834)
 Flash (Alert)
 
Abstract
IBM® HTTP Server versions based on Apache HTTP Server version 2.0 are vulnerable to the security exposure described in CAN-2004-0493 as documented at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493

Potential remote denial of service through memory exhaustion and buffer overflow.
 
Content
DESCRIPTION:
IBM HTTP Server versions based on Apache HTTP Server Version 2.0 are vulnerable to the security exposure described by CAN-2004-0493 as documented by: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493

The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems.
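The defensive pattern that addresses both halves of that description, as an added illustration and not code from Apache httpd or IBM HTTP Server: a header reader that joins continuation lines but checks a total size cap before every append (so a stream of folded lines cannot grow memory without bound) and keeps every length in size_t rather than int (so a large length cannot go negative and pass a limit check). FIELD_LIMIT, the function names and the sample header text are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed cap on one unfolded header field; a real server takes this
 * from configuration (Apache's directive is LimitRequestFieldSize). */
#define FIELD_LIMIT 64

/* Reads one logical header field at `raw`, joining continuation lines
 * (lines starting with SP or HT) into `out`. Returns 0 on success, -1 if
 * the unfolded field would exceed FIELD_LIMIT or out_cap. The limit is
 * tested BEFORE each append, and all sizes are size_t, never int. */
int read_folded_field(const char *raw, char *out, size_t out_cap, const char **next)
{
    size_t total = 0;
    const char *p = raw;

    for (;;) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        size_t needed;

        if (linelen > 0 && p[linelen - 1] == '\r')
            linelen--;                               /* drop CR of CRLF */
        needed = total + (total ? 1 : 0) + linelen;  /* +1 for the fold space */
        if (needed > FIELD_LIMIT || needed + 1 > out_cap)   /* +1 for NUL */
            return -1;                               /* reject before copying */
        if (total)
            out[total++] = ' ';                      /* CRLF + LWS folds to one SP */
        memcpy(out + total, p, linelen);
        total += linelen;

        if (eol == NULL) { p += strlen(p); break; }
        p = eol + 1;
        if (*p != ' ' && *p != '\t')
            break;                                   /* next line is a new field */
        while (*p == ' ' || *p == '\t')
            p++;                                     /* skip leading LWS */
    }
    out[total] = '\0';
    if (next) *next = p;
    return 0;
}

/* Helper: 1 if `raw` parses within the limit and unfolds to `expect`. */
int field_unfolds_to(const char *raw, const char *expect)
{
    char buf[FIELD_LIMIT + 1];
    return read_folded_field(raw, buf, sizeof buf, NULL) == 0 && strcmp(buf, expect) == 0;
}

/* Helper: 1 if `raw` is rejected for exceeding FIELD_LIMIT. */
int field_rejected(const char *raw)
{
    char buf[FIELD_LIMIT + 1];
    return read_folded_field(raw, buf, sizeof buf, NULL) == -1;
}
```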

VERSIONS AFFECTED:
The following versions of IBM HTTP Server are affected by this exposure:
  • IBM HTTP Server 2.0.42: Released concurrently and tested with WebSphere® Application Server Version 5.0.
  • IBM HTTP Server 2.0.47: Released concurrently and tested with WebSphere Application Server Version 5.1.

Note that IBM HTTP Server Version 2.x is web download only and does not appear on the IBM WebSphere® Application Server CD.

SOLUTION:
This CAN-2004-0493 exposure, for all affected versions of IBM HTTP Server, is resolved with one or two interim APAR fixes as noted below.

If you are running an affected version of IBM HTTP Server, select the applicable version, then download and apply the applicable APAR(s):

A complete list of Recommended Updates for IBM HTTP Server is available at:
http://www.ibm.com/support/docview.wss?rs=177&context=SSEQTJ&uid=swg27005198

The fix for this exposure will be incorporated into later releases of IBM HTTP Server. This document will be updated with the release information when available.
 
Related information
IBM HTTP Server Support
 
 
Cross Reference information
Segment: Application Servers
Product: WebSphere Application Server
Component: IBM HTTP Server
Platform: AIX, HP-UX, Linux, Solaris, Windows
Version: 5.1.1, 5.0.2, 5.0.1, 5.0
Edition: Base, Network Deployment
 
Document Information
Product categories: Software > Application Servers > Distributed Application & Web Servers > IBM HTTP Server > Runtime
Operating system(s): Windows
Software version: 2.0.47.1
Software edition:
Reference #: 1174271
IBM Group: Software Group
Modified date: Jul 29, 2004