Fixes are available
6.1.0.7: WebSphere Application Server V6.1 Fix Pack 7 for Solaris
6.1.0.7: WebSphere Application Server V6.1 Fix Pack 7 for HP-UX
6.1.0.7: WebSphere Application Server V6.1 Fix Pack 7 for Linux
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for Linux
6.1.0.3: WebSphere Application Server V6.1.0 Fix Pack 3 for Linux
6.1.0.7: WebSphere Application Server V6.1 Fix Pack 7 for Windows
6.1.0.3: WebSphere Application Server V6.1.0 Fix Pack 3 for Windows
6.1.0.7 WebSphere Application Server V6.1 Fix Pack 7 for AIX
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for AIX
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for i5/OS
6.1.0.7: WebSphere Application Server V6.1 Fix Pack 7 for i5/OS
6.1.0.3: WebSphere Application Server V6.1.0 Fix Pack 3 for HP-UX
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for HP-UX
6.1.0.3: WebSphere Application Server V6.1.0 Fix Pack 3 for i5/OS
6.1.0.3: WebSphere Application Server V6.1.0 Fix Pack 3 for AIX
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for Windows
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR10 Cumulative Fix for WebSphere Application Server
6.1.0.31: Java SDK 1.5 SR11 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
6.1.0.29: Java SDK 1.5 SR11 Cumulative Fix for WebSphere Application Server
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
6.1.0.3: WebSphere Application Server V6.1.0 Fix Pack 3 for Solaris
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for Solaris
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for Solaris
APAR status
Closed as program error.
Error description
mod_rewrite has a defect which, on the Windows platform with IBM HTTP Server 6.x, can result in a web server child process crash in configurations with mod_rewrite active. The crash can be triggered by a client request. The Apache HTTP Server project has assigned CVE-2006-3747 to this problem. For IBM HTTP Server 6.x, CVE-2006-3747 applies only to the Windows platform.
Local fix
Problem summary
mod_rewrite had a loop control defect in ldap scheme handling which allowed a memory overlay with certain URLs from the client. This can only occur if mod_rewrite is activated, if certain types of rewrite rules are enabled, and a client sends a malicious request. On most platforms, the memory overlay does not cause any ill side-effect. With IBM HTTP Server 6.x on Windows, the memory overlay can cause a web server crash. Because the types of mod_rewrite directives which enable the vulnerability are common, it is strongly recommended that customers with IBM HTTP Server 6.x on Windows apply the fix. It is targeted for fix packs 6.1.0.3 and 6.0.2.15. See PK29156 and PK29157 for applicability to other releases.
Problem conclusion
The loop control defect in mod_rewrite was corrected, thus eliminating the possibility of a memory overlay when malicious requests were processed.
Temporary fix
Comments
APAR Information
APAR number
PK29154
Reported component name
IBM HTTP SERVER
Reported component ID
5724J0801
Reported release
60W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2006-08-01
Closed date
2006-08-14
Last modified date
2006-10-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801
Applicable component levels
R60W PSN
UP
R61W PSN
UP
Document Information
Modified date:
07 September 2022