Fix (APAR): PK53193
Status: Fix
Release: 6.1.0.13, 6.1.0.11
Operating System: AIX, HP-UX, i5/OS, Linux, Linux pSeries, Linux zSeries, OS/400, Solaris, Windows
Supersedes Fixes:
CMVC Defect: PK53193
Byte size of APAR: 42016
Date: 2007-11-28

Abstract: When an HTTP client sends a request with both a Content-Length header and a Transfer-Encoding chunked header (or two Content-Lengths), that is usually a sign of a request smuggling attack.

Description/symptom of problem:

PK53193 resolves the following problem:

ERROR DESCRIPTION:
A third-party software product violates RFC 2616 by persistently creating both a 'Content-Length: 0' and a 'Transfer-Encoding: chunked' header in a POST. This cannot be suppressed in the client code. The design of WebSphere is to immediately turn off the HTTP 1.1 default 'Persistence' and send a 'Connection: Close'. This is to guard against a "smuggling attack." Turning off persistence lowers transaction performance for large data transfers. The persistence-off behavior normally cannot be overridden.

LOCAL FIX:

PROBLEM SUMMARY

USERS AFFECTED: Users of the WebSphere Application Server v6.1 HTTP channel

PROBLEM DESCRIPTION: When an HTTP client sends a request with both a Content-Length header and a Transfer-Encoding chunked header (or two Content-Lengths), that is usually a sign of a request smuggling attack. WebSphere Application Server has been designed to disable HTTP persistence in the response in order to neutralize the possible second, hidden message. There might be situations where this behavior is not desirable.

RECOMMENDATION: None

In the case where the HTTP library being used by the client always adds a Content-Length header of zero to the message when it is chunked, the current behavior of disabling persistence would lead to poor performance.

PROBLEM CONCLUSION: A new custom property has been added to the HTTP channel to disable the request smuggling protection code (the code that disables persistence).
In situations like this, where the headers are known and harmless, the property can be used to configure the channel to leave persistence enabled.

HTTP channel custom property:
  name: EnableSmugglingProtection
  value: true | false
  default: true

The fix for this APAR is currently targeted for inclusion in fix pack 6.1.0.15 and higher. Please refer to the recommended updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:

Fix applies to Editions:
Release 6.0
_x_ Application Server (Express or BASE)
_x_ Network Deployment (ND)
_x_ Developer
_x_ Extended Deployment (XD)

Install Fix to:
Method:
__ Application Server Nodes
__ Deployment Manager Nodes
_x_ Both

NOTE: The user must:
* Have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V6.0.2.2 or newer of the Update Installer. This can be checked by reviewing the level of the Update Installer in the file /updateinstaller/version.txt. The Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991
For detailed instructions to extract the Update Installer, see the following Technote:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg21205400

1) Copy the .pak file directly to the maintenance directory.
2) Shut down WebSphere. Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in UNIX from the WebSphere instance that maintenance is being applied to.
3) Launch the Update Installer.
4) Enter the installation location of the WebSphere product you want to update.
5) Select the "Install maintenance package" operation.
6) Enter the file name of the maintenance package to install (the .pak file which was copied to the maintenance directory).
7) Install the maintenance package.
8) Restart WebSphere.

Directions to remove fix:

NOTE:
* The user must have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
* FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED
* DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED
* YOU MAY REAPPLY ANY REMOVED FIX

Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, then fix2 removed, and then fix3 re-applied.

1) Shut down WebSphere. Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in UNIX from the WebSphere instance that the uninstall is being run against.
2) Start the Update Installer.
3) Enter the installation location of the WebSphere product from which you want to remove the fix.
4) Select the "Uninstall maintenance package" operation.
5) Enter the file name of the maintenance package to uninstall (.pak).
6) Uninstall the maintenance package.
7) Restart WebSphere.

Directions to re-apply fix:

1) Shut down WebSphere.
2) Follow the fix instructions to apply the fix.
3) Restart WebSphere.

Additional Information:
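The persistence decision described under PROBLEM DESCRIPTION, as an added Python example that is not IBM's or WebSphere's code: it flags the ambiguous framing the APAR names (Content-Length alongside Transfer-Encoding: chunked, or more than one Content-Length) and models the effect of the EnableSmugglingProtection property on the keep-alive decision. The parser, the function names and the sample request are assumptions constructed for illustration.

```python
# Added example, not IBM/WebSphere code: models the HTTP channel decision the
# APAR describes. Function names, the parser and the sample request are
# assumptions constructed for illustration.
from typing import List, Tuple


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the header block of a raw HTTP/1.1 request into (name, value)
    pairs. Names are lowercased; order and duplicates are kept so that
    conflicting framing headers remain visible to the check below."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:      # [0] is the request line
        name, sep, value = line.decode("iso-8859-1").partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def is_ambiguous_framing(headers: List[Tuple[str, str]]) -> bool:
    """True for the conditions the APAR names as the usual sign of request
    smuggling: Content-Length combined with a chunked Transfer-Encoding, or
    more than one Content-Length header."""
    cl = [v for n, v in headers if n == "content-length"]
    te = [v.lower() for n, v in headers if n == "transfer-encoding"]
    chunked = any("chunked" in v for v in te)
    return (bool(cl) and chunked) or len(cl) > 1


def persistence_decision(raw: bytes, enable_smuggling_protection: bool = True):
    """Return (keep_alive, reason). With EnableSmugglingProtection=true (the
    default) an ambiguous request is answered with 'Connection: close'; with
    it set to false the channel leaves HTTP/1.1 persistence on, as the APAR
    allows for clients known to add a harmless 'Content-Length: 0'."""
    if is_ambiguous_framing(parse_headers(raw)):
        if enable_smuggling_protection:
            return False, "ambiguous framing: Connection: close sent"
        return True, "ambiguous framing, but EnableSmugglingProtection=false"
    return True, "unambiguous framing: persistence kept"


# Constructed sample: the POST the APAR describes, from a client library that
# always adds Content-Length: 0 next to Transfer-Encoding: chunked.
SAMPLE = (b"POST /app HTTP/1.1\r\nHost: example.invalid\r\n"
          b"Content-Length: 0\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    for setting in (True, False):
        print("EnableSmugglingProtection =", setting, "->",
              persistence_decision(SAMPLE, setting))
```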