Abstract
IBM® HTTP Server versions based on Apache HTTP Server version 2.0 are
vulnerable to the security exposure described in CAN-2004-0493, as
documented at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493
Potential denial of service through memory exhaustion, and a possible
remotely exploitable buffer overflow.

Content
DESCRIPTION:
IBM HTTP Server versions based on Apache HTTP Server version 2.0 are
vulnerable to the security exposure described by CAN-2004-0493, as
documented at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493
The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote
attackers to cause a denial of service (memory exhaustion), and possibly
triggers an integer signedness error leading to a heap-based buffer
overflow on 64-bit systems.
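The two failure modes named above, unbounded growth of a folded header and a length that is tracked in a signed int, are both avoided by capping the total folded length and doing the bookkeeping in size_t. The following is an added illustration written for this bulletin; it is not IBM HTTP Server or Apache code, and the 8190-byte cap is an assumed value chosen to match the default of Apache's LimitRequestFieldSize directive.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed per-field cap (Apache's LimitRequestFieldSize default is 8190). */
#define MAX_FIELD_BYTES 8190u

typedef struct {
    char  *buf;
    size_t len;   /* size_t, not int: no signedness surprises on 64-bit */
    size_t cap;
} field_t;

/* Append n bytes to the field. Returns 0 on success, -1 if the cap would be
 * exceeded or memory cannot be allocated. The cap check is written so that
 * f->len + n can never overflow. */
static int field_append(field_t *f, const char *src, size_t n)
{
    if (n > MAX_FIELD_BYTES || f->len > MAX_FIELD_BYTES - n)
        return -1;                      /* would exceed cap: reject the field */
    if (f->len + n + 1 > f->cap) {
        size_t ncap = f->cap ? f->cap * 2 : 256;
        while (ncap < f->len + n + 1)
            ncap *= 2;
        char *nb = realloc(f->buf, ncap);
        if (!nb)
            return -1;
        f->buf = nb;
        f->cap = ncap;
    }
    memcpy(f->buf + f->len, src, n);
    f->len += n;
    f->buf[f->len] = '\0';
    return 0;
}

/* Fold one header field: lines[0] starts the field, and each following line
 * that begins with SP or HT is a continuation whose leading whitespace is
 * collapsed to a single space. Folding stops at the first non-continuation
 * line. Returns 0 and a malloc'd string in *out on success, -1 if the folded
 * field exceeds MAX_FIELD_BYTES (nothing is leaked on failure). Without the
 * cap, an endless run of continuation lines would grow the buffer without
 * bound, which is the memory-exhaustion condition the bulletin describes. */
int fold_header(const char *const *lines, size_t nlines, char **out, size_t *out_len)
{
    field_t f = { NULL, 0, 0 };
    for (size_t i = 0; i < nlines; i++) {
        const char *line = lines[i];
        if (i == 0) {
            if (field_append(&f, line, strlen(line)) != 0) { free(f.buf); return -1; }
        } else if (line[0] == ' ' || line[0] == '\t') {
            while (*line == ' ' || *line == '\t')
                line++;
            if (field_append(&f, " ", 1) != 0 ||
                field_append(&f, line, strlen(line)) != 0) {
                free(f.buf);
                return -1;
            }
        } else {
            break;                      /* next field begins; stop folding */
        }
    }
    *out = f.buf;
    *out_len = f.len;
    return 0;
}

/* Constructed oversized input: a 5000-byte field followed by two 5000-byte
 * continuation lines. The folded total (15002 bytes) exceeds the cap, so the
 * field is rejected instead of being accumulated. Returns fold_header's code. */
int demo_oversized(void)
{
    char *big = malloc(5001);
    char *cont = malloc(5002);
    if (!big || !cont) { free(big); free(cont); return -1; }
    memset(big, 'A', 5000);  big[5000] = '\0';
    cont[0] = ' '; memset(cont + 1, 'A', 5000); cont[5001] = '\0';
    const char *lines[] = { big, cont, cont };
    char *out = NULL;
    size_t len = 0;
    int rc = fold_header(lines, 3, &out, &len);
    free(out);
    free(big);
    free(cont);
    return rc;
}
```

A normal folded field such as "X-Test: a", " b", "\tc" folds to "X-Test: a b c" and is accepted; the constructed oversized input in demo_oversized() is refused before any large allocation is made.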

VERSIONS AFFECTED:
The following versions of IBM HTTP Server are affected by this exposure:
- IBM HTTP Server 2.0.42: Released concurrently with, and tested against,
WebSphere® Application Server Version 5.0.
- IBM HTTP Server 2.0.47: Released concurrently with, and tested against,
WebSphere Application Server Version 5.1.
Note that IBM HTTP Server Version 2.x is available by web download only and
does not appear on the IBM WebSphere® Application Server CD.

SOLUTION:
For all affected versions of IBM HTTP Server, the CAN-2004-0493 exposure is
resolved by one or two interim APAR fixes, as noted below.
If you are running an affected version of IBM HTTP Server, select the
applicable version, then download and apply the APAR(s):
A complete list of Recommended Updates for IBM HTTP Server is available
at:
http://www.ibm.com/support/docview.wss?rs=177&context=SSEQTJ&uid=swg27005198
The fix for this exposure will be incorporated into later releases of IBM
HTTP Server. This document will be updated with those releases when they
become available.
Cross Reference information
Segment: Application Servers
Product: WebSphere Application Server
Component: IBM HTTP Server
Platform: AIX, HP-UX, Linux, Solaris, Windows
Version: 5.1.1, 5.0.2, 5.0.1, 5.0
Edition: Base, Network Deployment