Security Bulletin: Potential security exposure with IBM HTTP Server 8.0 and earlier (PM46234) (CVE-2011-3192)

Security Bulletin

Summary

Crafted range requests can result in potential denial of service with IBM HTTP Server (IHS).

Vulnerability Details

Potential denial of service from attack using crafted range requests (CVE Reference: CVE-2011-3192).

Affected Products and Versions

Affected:

IBM HTTP Server (IHS) Versions 2.0 (2.0.42 and 2.0.47), 6.0 through 6.0.2.43, 6.1 through 6.1.0.39, 7.0 through 7.0.0.19, and 8.0 are affected.
All WebSphere Application Server product Versions, using these affected IHS versions, are affected.
All WebSphere Application Server Hypervisors, using these affected IHS versions, are affected.
IBM HTTP Server for z/OS (powered by Apache) Versions 6.1, 7.0 and 8.0 are affected.

Not Affected:

IBM HTTP Server Version 1.3.x is not affected.
However, due to issues in the handling of its range requests, we strongly recommend upgrading to an in-service Version of IBM HTTP Server.
Version 1.3.26 is no longer is service (ended September 2006).
Version 1.3.28 is no longer is service (ended September 2008).
IBM HTTP Server for z/OS Version 530 is not affected.

Remediation/Fixes

Apply Interim Fix APAR PM46234, or a Fix Pack containing this APAR, resolves this issue.

For IBM HTTP Server for distributed operating systems:

For Version 8.0:

Apply Interim Fix APAR PM46234.

--OR--

Apply Fix Pack 1, or later (8.0.0.1) (projected to be available 26 September 2011).

For Versions 7.0 and 7.0.0.19:

Apply Fix Pack 15, 17 or 19 (7.0.0.15, 7.0.0.17, 7.0.0.19), if not already at that level, then
Apply Interim Fix APAR PM46234.

--OR--

Apply Fix Pack 21, or later (7.0.0.21) (projected to be available 9 January 2012).

For Versions 6.1 through 6.1.0.39:

Apply Fix Pack 35, 37 or 39 (6.1.0.35, 6.1.0.37, 6.1.0.39), if not already at that level, then
Apply Interim Fix APAR PM46234.

--OR--

Apply Fix Pack 41, or later (6.1.0.41) (projected to be available 17 November 2011).

For Versions 6.0 through 6.0.2.42:

Apply Fix Pack 43 (6.0.2.43), if not already at that level, then
Apply Interim Fix APAR PM46234.

Note:

IBM HTTP Server Version 6.0.x was provided with WebSphere Application Server Version 6.0, which is no longer in service (ended September 2010).
Additional assistance will only be provided if you have a support extension contract in place, with the purchase of a support extension contract, or if you are otherwise entitled to support through another product.

For Versions 2.0 (2.0.42 and 2.0.47):

Contact IBM Technical Support for a PM46234 cumulative ifix (projected to be available 16 September 2011).
IBM HTTP Version 2.0.42 was provided with WebSphere Application Server Version 5.0, and IBM HTTP Server Version 2.0.47 was provided with WebSphere Application Server Version 5.1.
WebSphere App Server Version 5.0 is no longer in service (ended September 2006).
WebSphere App Server Version 5.1 is no longer in service (ended September 2008).
Additional assistance will only be provided if you have a support extension contract in place, with the purchase of a support extension contract, or if you are otherwise entitled to support through another product.

For IBM HTTP Server for z/OS (powered by Apache):

For V8.0.0.0:

Apply APAR PM46234 by way of the appropriate Cumulative APAR (Fix Pack) for 8.0.0.1, or later (targeted to be available September 2011) (FMID: HBBO800)

For V7.0.0.0 through 7.0.0.18:

Apply APAR PM46234 by way of the appropriate Cumulative APAR (Fix Pack) for 7.0.0.19, or later (targeted to be available September 2011) (FMID: HHAP700)

For V6.1.0.0 through 6.1.0.39:

Apply APAR PM46234 by way of the appropriate Cumulative APAR (Fix Pack) for 6.1.0.41, or later (targeted to be available November 2011) (FMID: JIWO610)

Note: Customers may chose to follow the directions "For Circumvention" as a temporary solution, or while waiting for the Cumulative APAR containing this solution.

For IBM WebSphere Application Server Hypervisor Edition:

For Version 7.0:

This fix will be embedded into IBM WebSphere Application Server Hypervisor Edition version 7.0.0.21 (projected to be available Jan 2012)
For versions prior to 7.0.0.21, please follow the directions for 'IBM HTTP Server Versions 7.0 and 7.0.0.19'

For Version 6.1:

This fix will be embedded into IBM WebSphere Application Server Hypervisor Edition version 6.1.0.41 (projected to be available Nov 2011)
For versions prior to 6.1.0.41, please follow the directions for 'IBM HTTP Server Versions 6.1 and 6.1.0.39'

Note: Since it takes several weeks after a Fix Pack is released before a refreshed WebSphere Application Server Hypervisor Edition virtual image becomes available, customers may choose to apply the IBM HTTP Server Fix Pack or Interim Fix listed in the Long-Term Solution section "For IBM HTTP Server for distributed operating systems" directly within their running instances rather than waiting for the updated virtual image.

Workarounds and Mitigations

Note: Circumvention may be applied to affected WebSphere Application Server and WebSphere Application Server Hypervisor environments.

For IBM HTTP Server for all operating systems:

For IBM HTTP Server 7.0 and later:

This workaround treats requests for 25 or more ranges as requests for the entire file.

Make sure mod_headers and mod_setenvif are loaded/uncommented.
Add the following to the httpd.conf (anywhere in global scope of IHS configuration, conventionally this would be placed at the bottom of the file):

SetEnvIf Range (?:,.*?){25,25} bad-range=1
RequestHeader unset Range env=bad-range

# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

For IBM HTTP Server 6.1, 6.0, and 2.0.47:

Two workarounds are available, implementing any one is sufficient.

Option 1:

The first option ignores all Range requests and returns the full page instead (the HTTP RFC says servers may simply ignore Range requests).

Make sure mod_headers is loaded/uncommented.
Add the following to httpd.conf (anywhere in global scope of IHS configuration, conventionally this would be placed at the bottom of the file):

RequestHeader unset Range
RequestHeader unset Request-Range

Option 2:

This alternative workaround rejects requests with 100 or more ranges and should only be used if the above has a negative impact.

Make sure mod_rewrite and mod_headers is loaded/uncommented.
Add the following towards the top of httpd.conf (specifically, preceding any other RewriteRule directives) and to the top of each <VirtualHost> stanza (specifically, preceding any other RewriteRule directives in that VirtualHost scope):

# Reject request when more than 100 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:Range} (?:,[^,]*){100} [NC]
RewriteRule .* - [F]

# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range

Note:

All ifixes and their respective availability dates are listed below.
Please check back here for the ifixes at the posted projected availability dates.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

Additional documentation:
For additional details on IBM HTTP Server product updates, please refer to:

IBM HTTP Server Recommended Fixes.

For additional details on WebSphere Application Server product updates, please refer to:

For distributed operating systems, Recommended fixes for WebSphere Application Server.
For IBM i operating systems, see WebSphere Application Server for IBM i.
For z/OS operating systems, see WebSphere Application Server for z/OS

For additional information on this security exposures, see the following urls:

IBM Security Systems (ISS) X-Force document titled: "Apache HTTP Server ByteRange filter denial of service apache-http-byterange-dos (69396)"
Common Vulnerabilities and Exposures document at CVE-2011-3192

For all downloadable Interim Fix APARs for PM46234 for the WebSphere Application Server for distributed operating systems products, Customers may also download any of these fixes from the alternate, Fix Central, download location at this link.

Change History

1 Sept 2011: Initial publication of Flash.

2 Sept 2011:
* Removed System i and i5/OS from platforms. Not implicated.
* Under "For IBM HTTP Server for distributed operating systems:" section, the Fix Pack 21 (7.0.0.21) is projected to be available 9 January 2012 (not Sept 2011).

7 Sep 2011:
* Added download links for ifixes for Versions 6.1.0.35, 6.1.0.37, 6.1.0.39, 7.0.0.15, 7.0.0.17.
* Under "For Circumvention" section, under "Option 1", changed line:
RewriteCond %{HTTP:Range} (?:,[^,]+){25} [NC]
to
RewriteCond %{HTTP:Range} (?:,[^,]+){100} [NC]

8 Sep 2011:
*Elaborated on context/location of circumventions (order of RewriteRules matters)
* Changed descriptions of circumventions to use proper totals (25 -> 100)
* Updated regular expression use to count HTTP ranges to be more resilient (+->*)

16 Sep 2011:
* Added Interim Fix APAR download links for 6.0.2.43, 7.0.0.19, and 8.0.0 for PM46234. * This link is an alternate download location to the PM46234 APAR Download Document.
* Also added statement of, and link to, an alternate Interim Fix download location in Fix Central with the following general statement under "Additional Documentation":
"For all downloadable Interim Fix APARs for PM46234 for the WebSphere Application Server for distributed operating systems products, Customers may also download any of these fixes from the alternate, Fix Central, download location at link."

20 Sep 2011:
* Under "Versions affected" heading, updated Versions 7.0 through 7.0.0.17 to Versions 7.0 through V7.0.0.19, to correspond to the failing releases as documented in the the "For Long Term Solution (ifixes)" section.
* Updated all PM46234 links to point directly to the Interim Fix APAR download document for PM46234, which contains direct download links.
* Added links to the CVE document and the IBM Security Systems (ISS) X-Force documents for this PM46234.
* Added the following FMIDs to IBM HTTP Server for z/OS (powered by Apache): HBBO800 for V8.0, HHAP700 for V7.0, JIWO610 for V6.1.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Not Applicable","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"8.0;7.0;6.1;6.0;2.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Not Applicable","Platform":[{"code":"PF035","label":"z\/OS"},{"code":"","label":"OS\/390"}],"Version":"8.0;7.0;6.1;6.0.2;6.0.1;6.0;5.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Product":{"code":"SSCKBL","label":"WebSphere Application Server Hypervisor Edition"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"General","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"}],"Version":"7.0;6.1","Edition":"All Editions","Line of Business":{"code":"LOB45","label":"Automation"}}]

Tips

Security Bulletin: Potential security exposure with IBM HTTP Server 8.0 and earlier (PM46234) (CVE-2011-3192)