Fix (APAR): PM46234
Status: Fix
Release: 7.0.0.19, 7.0.0.17, 7.0.0.15, 6.1.0.39, 6.1.0.37, 6.1.0.35, 6.0.2.43
Operating System: AIX, HP-UX, Linux, Linux pSeries, Solaris, Windows
Supersedes Fixes:
CMVC Defect: PM46234

Byte size of APAR:
  7.0.0.15-WS-WASIHS-AixPPC32-IFPM46234.pak       226,837
  7.0.0.15-WS-WASIHS-HpuxIA64-IFPM46234.pak       666,712
  7.0.0.15-WS-WASIHS-HpuxPaRISC-IFPM46234.pak     298,309
  7.0.0.15-WS-WASIHS-LinuxPPC32-IFPM46234.pak     214,352
  7.0.0.15-WS-WASIHS-LinuxS390-IFPM46234.pak      224,599
  7.0.0.15-WS-WASIHS-LinuxX32-IFPM46234.pak       201,812
  7.0.0.15-WS-WASIHS-SolarisSparc-IFPM46234.pak   480,030
  7.0.0.15-WS-WASIHS-SolarisX64-IFPM46234.pak     213,420
  7.0.0.15-WS-WASIHS-WinX32-IFPM46234.pak         447,232
  7.0.0.17-WS-WASIHS-AixPPC32-IFPM46234.pak       226,835
  7.0.0.17-WS-WASIHS-HpuxIA64-IFPM46234.pak       666,711
  7.0.0.17-WS-WASIHS-HpuxPaRISC-IFPM46234.pak     298,307
  7.0.0.17-WS-WASIHS-LinuxPPC32-IFPM46234.pak     214,352
  7.0.0.17-WS-WASIHS-LinuxS390-IFPM46234.pak      224,602
  7.0.0.17-WS-WASIHS-LinuxX32-IFPM46234.pak       201,810
  7.0.0.17-WS-WASIHS-SolarisSparc-IFPM46234.pak   480,028
  7.0.0.17-WS-WASIHS-SolarisX64-IFPM46234.pak     213,418
  7.0.0.17-WS-WASIHS-WinX32-IFPM46234.pak         474,143
  7.0.0.19-WS-WASIHS-AixPPC32-IFPM46234.pak       227,098
  7.0.0.19-WS-WASIHS-HpuxIA64-IFPM46234.pak       668,093
  7.0.0.19-WS-WASIHS-HpuxPaRISC-IFPM46234.pak     298,494
  7.0.0.19-WS-WASIHS-LinuxPPC32-IFPM46234.pak     214,441
  7.0.0.19-WS-WASIHS-LinuxS390-IFPM46234.pak      224,790
  7.0.0.19-WS-WASIHS-LinuxX32-IFPM46234.pak       201,915
  7.0.0.19-WS-WASIHS-SolarisSparc-IFPM46234.pak   479,773
  7.0.0.19-WS-WASIHS-SolarisX64-IFPM46234.pak     213,508
  7.0.0.19-WS-WASIHS-WinX32-IFPM46234.pak         481,657
  6.1.0.35-WS-WASIHS-AixPPC32-IFPM46234.pak       214,089
  6.1.0.35-WS-WASIHS-HpuxIA64-IFPM46234.pak       641,690
  6.1.0.35-WS-WASIHS-HpuxPaRISC-IFPM46234.pak     286,276
  6.1.0.35-WS-WASIHS-LinuxPPC32-IFPM46234.pak     224,379
  6.1.0.35-WS-WASIHS-LinuxS390-IFPM46234.pak      225,759
  6.1.0.35-WS-WASIHS-LinuxX32-IFPM46234.pak       205,868
  6.1.0.35-WS-WASIHS-SolarisSparc-IFPM46234.pak   449,371
  6.1.0.35-WS-WASIHS-SolarisX64-IFPM46234.pak     205,947
  6.1.0.35-WS-WASIHS-WinX32-IFPM46234.pak         411,978
  6.1.0.37-WS-WASIHS-AixPPC32-IFPM46234.pak       214,089
  6.1.0.37-WS-WASIHS-HpuxIA64-IFPM46234.pak       641,689
  6.1.0.37-WS-WASIHS-HpuxPaRISC-IFPM46234.pak     286,275
  6.1.0.37-WS-WASIHS-LinuxPPC32-IFPM46234.pak     224,379
  6.1.0.37-WS-WASIHS-LinuxS390-IFPM46234.pak      225,758
  6.1.0.37-WS-WASIHS-LinuxX32-IFPM46234.pak       205,869
  6.1.0.37-WS-WASIHS-SolarisSparc-IFPM46234.pak   449,372
  6.1.0.37-WS-WASIHS-SolarisX64-IFPM46234.pak     205,945
  6.1.0.37-WS-WASIHS-WinX32-IFPM46234.pak         411,979
  6.1.0.39-WS-WASIHS-AixPPC32-IFPM46234.pak       214,089
  6.1.0.39-WS-WASIHS-HpuxIA64-IFPM46234.pak       641,690
  6.1.0.39-WS-WASIHS-HpuxPaRISC-IFPM46234.pak     286,275
  6.1.0.39-WS-WASIHS-LinuxPPC32-IFPM46234.pak     224,379
  6.1.0.39-WS-WASIHS-LinuxS390-IFPM46234.pak      225,760
  6.1.0.39-WS-WASIHS-LinuxX32-IFPM46234.pak       205,869
  6.1.0.39-WS-WASIHS-SolarisSparc-IFPM46234.pak   449,371
  6.1.0.39-WS-WASIHS-SolarisX64-IFPM46234.pak     205,945
  6.1.0.39-WS-WASIHS-WinX32-IFPM46234.pak         411,979
  6.0.2.43-WS-WASIHS-AixPPC32-IFPM46234.pak     1,612,644
  6.0.2.43-WS-WASIHS-HpuxIA64-IFPM46234.pak     5,071,051
  6.0.2.43-WS-WASIHS-HpuxPaRISC-IFPM46234.pak   1,797,167
  6.0.2.43-WS-WASIHS-LinuxPPC32-IFPM46234.pak   1,901,778
  6.0.2.43-WS-WASIHS-LinuxS390-IFPM46234.pak    1,661,861
  6.0.2.43-WS-WASIHS-LinuxX32-IFPM46234.pak     1,591,810
  6.0.2.43-WS-WASIHS-SolarisSparc-IFPM46234.pak 3,581,101
  6.0.2.43-WS-WASIHS-WinX32-IFPM46234.pak       4,321,522

Date: 2010-09-06
Abstract: Potential Denial of Service with malicious range requests

Description/symptom of problem:
PM46234 resolves the following problem:

ERROR DESCRIPTION:
Malicious HTTP requests with a very long "Range" HTTP header cause IBM HTTP Server to consume large amounts of memory and CPU.
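The rule this APAR describes under PROBLEM CONCLUSION (when the ranges in a request would together return more bytes than the resource holds, the Range header is ignored and the whole file is served) is shown here as an added Python example. It is not IBM HTTP Server or Apache code; the parsing rules follow RFC 2616 byte-range syntax, and the LONG_RANGE_HEADER sample input and the 1000-byte resource length are constructed for the illustration.

```python
# Added example (not IBM/Apache code): a Range-header check modelled on the
# PM46234 fix description. It parses RFC 2616 byte-range specs, drops the
# unsatisfiable ones, and ignores the whole header (serving the full file)
# when the ranges together would return more bytes than the resource holds.


def parse_ranges(header, resource_len):
    """Return a list of inclusive (start, end) byte ranges, or None if the
    header is not a byte-range spec or is syntactically invalid (the server
    then ignores it and serves the full resource, as RFC 2616 permits)."""
    header = header.strip()
    if not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        spec = spec.strip()
        if "-" not in spec:
            return None
        first, last = (p.strip() for p in spec.split("-", 1))
        if first == "" and last == "":
            return None
        if first == "":
            # suffix-byte-range-spec: the last N bytes of the resource
            if not last.isdigit():
                return None
            n = int(last)
            if n == 0:
                continue                      # "-0" is unsatisfiable
            start, end = max(0, resource_len - n), resource_len - 1
        else:
            if not first.isdigit() or (last != "" and not last.isdigit()):
                return None
            start = int(first)
            end = resource_len - 1 if last == "" else min(int(last), resource_len - 1)
            if start > end:
                continue                      # unsatisfiable (e.g. "5-0" or past EOF); skip it
        if start >= resource_len:
            continue                          # only reachable for an empty resource
        ranges.append((start, end))
    return ranges


def range_decision(header, resource_len):
    """Decide how to answer a request carrying this Range header.

    Returns ("full", []) when the header is ignored and the whole resource
    is sent, ("unsatisfiable", []) when no range can be served (HTTP 416),
    and ("partial", ranges) when the ranges are served as a 206 response.
    """
    ranges = parse_ranges(header, resource_len)
    if ranges is None:
        return "full", []
    if not ranges:
        return "unsatisfiable", []
    requested = sum(end - start + 1 for start, end in ranges)
    # The PM46234 behaviour: a set of ranges that would return more bytes than
    # the resource itself is served as the plain, full resource instead.
    if requested > resource_len:
        return "full", []
    return "partial", ranges


# Constructed sample input (not a real capture): the shape of header the APAR
# describes, many overlapping byte ranges packed into one very long value.
LONG_RANGE_HEADER = "bytes=0-," + ",".join(f"5-{i}" for i in range(1300))

if __name__ == "__main__":
    for hdr in ("bytes=0-99", "bytes=-100", "bytes=0-499,400-999",
                "bytes=5000-6000", LONG_RANGE_HEADER):
        verdict, ranges = range_decision(hdr, 1000)
        print(f"{hdr[:24]:<24} -> {verdict} {ranges[:3]}")
```

The example reproduces only the externally visible rule from the APAR; the fix also changed how the server processes ranges internally, which is not modelled here. Overlapping ranges, as in "bytes=0-499,400-999", are what push the byte total past the resource size, and the long constructed header is ignored for the same reason rather than being expanded range by range.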
See also: CVE-2011-3192

LOCAL FIX:
Refer to: 'Flash: Potential security exposure with IBM HTTP Server 8.0 and earlier (PM46234)'
http://www-01.ibm.com/support/docview.wss?uid=swg21512087

PROBLEM SUMMARY

USERS AFFECTED:
All IBM HTTP Server V6R0, V6R1, V7R0, and V8R0 users are affected. The default configuration of the Apache-based IBM HTTP Server on the z/OS platform is not affected, because mod_charset_lite is present there and indirectly disables this feature. IBM HTTP Server for z/OS (V5R3) is not affected. IBM HTTP Server 1.3.x and earlier are also not affected.

PROBLEM DESCRIPTION:
Malicious HTTP requests with a very long "Range" HTTP header cause IBM HTTP Server to consume large amounts of memory and CPU.

RECOMMENDATION:
Apply the fix for this APAR immediately, or implement the circumvention (see the LOCAL FIX reference above) until the fix can be applied.

PROBLEM CONCLUSION:
IBM HTTP Server was updated to process Range requests more efficiently, so that arbitrarily complex ranges can be served without excessive CPU and memory use. Additionally, when a range request would return more bytes than the entire resource being requested, IBM HTTP Server now ignores the Range header and returns the entire file.

This fix is targeted for IBM HTTP Server fixpacks:
- 6.1.0.41
- 7.0.0.21
- 8.0.0.1

Directions to apply fix:

Special Instructions: None

NOTE: For V8, the user must:
- be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager, and the Installation Manager will inform you during the installation process if a newer version is required.
- be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.

The IBM Information Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes:
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp
Shut down IBM HTTP Server before applying the iFixes. Restart IBM HTTP Server after applying the iFixes.
For V6 and V7, the user must:
* For V6, have Administrative rights in Windows, or be the actual root user in a UNIX environment.
* For V7, be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* For V6, be at V6.1.0.13 or newer of the Update Installer, and for V7, be at V7.0.0.0 or newer of the Update Installer. Certain iFixes may require a newer version of the Update Installer, and the Update Installer will inform you during the installation process if a newer version is required. This can be checked by reviewing the level of the Update Installer in the file /updateinstaller/version.txt.

The Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991
For detailed instructions on extracting the Update Installer, see the following Technote:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205400

Note that there are two different methods for delivering iFixes, depending on the contents. The fix may be delivered either as a single file with a .pak extension (such as 6.1.0.11-WS-WAS-IFPK12345.pak) or as a single file with a .zip extension (such as 6.1.0.11-WS-WAS-IFPK12345.zip) which then contains one or more files with a .pak extension.

1) If your iFix is delivered as a single file with a .pak extension, copy the .pak file directly to the maintenance directory. If your iFix is delivered as a single file with a .zip extension, unzip the file into the maintenance directory.
2) Stop IBM HTTP Server.
3) Launch the Update Installer and click the Next button on the Welcome page.
4) Enter the directory path of the installation location of the WebSphere product you want to update, and click the Next button.
5) Select the "Install maintenance package" operation and click the Next button.
6) Enter the directory path of your maintenance directory where you have the maintenance packages (.pak files) and click the Next button.
7) The Available Maintenance Package to Install page should list all maintenance packages (.pak files) that it finds in the directory path provided in the previous step. The Update Installer selects the correct maintenance packages based on your system configuration and will not allow an invalid combination to be installed. Keep the Update Installer recommendations, click the Next button and continue with the installation of the maintenance package. To determine why some maintenance packages have been identified as not applicable, see the description in the log found in /logs/tmp*/updatelogs.txt.
8) Note that in the future, if a Feature Pack is installed or uninstalled, a different set of iFixes will be needed. Use the Update Installer again at that time, with the maintenance directory location where these maintenance packages are stored, to determine the required interim fixes for the new WebSphere and Feature Pack(s) combination.
9) For V7, on all platforms except Windows: in the pre-install summary panel, use the "verify permission" feature to verify that the user has permission to apply updates to the files associated with the selected maintenance. Correct any file permissions before clicking Next to start the install.
10) Restart IBM HTTP Server.

Directions to remove fix:

For V8, the IBM Information Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes:
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp
Shut down IBM HTTP Server before removing the iFixes. Restart IBM HTTP Server after removing the iFixes.

For V6 and V7, NOTE:
* The user must have Administrative rights in Windows, or be the actual root user in a UNIX environment.
* FIXES MUST BE REMOVED IN THE REVERSE OF THE ORDER IN WHICH THEY WERE APPLIED (MOST RECENT FIRST)
* DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED
* YOU MAY REAPPLY ANY REMOVED FIX

Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, then fix2 removed, and then fix3 re-applied.

1) Stop IBM HTTP Server.
2) Start the Update Installer.
3) Enter the installation location of the WebSphere product from which you want to remove the fix.
4) Select the "Uninstall maintenance package" operation.
5) Enter the file name of the maintenance package to uninstall (PKxxxxx.pak; for this APAR, the <release>-WS-WASIHS-<platform>-IFPM46234.pak file listed above that was installed).
6) Uninstall the maintenance package.
7) Restart IBM HTTP Server.

Directions to re-apply fix:
1) Stop IBM HTTP Server.
2) Follow the fix instructions above to apply the fix.
3) Restart IBM HTTP Server.

Additional Information: