Fixes are available
PM09447: IBM HTTP Server - CVE-2010-0425 mod_isapi vulnerability
6.1.0.31: Java SDK 1.5 SR11 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
8.0.0.4: WebSphere Application Server V8.0 Fix Pack 4
8.0.0.5: WebSphere Application Server V8.0 Fix Pack 5
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
APAR status
Closed as program error.
Error description
CVE-2010-0425 mod_isapi vulnerability
Local fix
Do not enable or use the optional mod_isapi module
Problem summary
USERS AFFECTED: IBM HTTP Server 6.0 or 6.1 users on the Windows operating system that have uncommented the LoadModule directive for the "mod_isapi" module and have configured it as a handler.

mod_isapi is an esoteric module that allows Apache HTTP Server to call DLLs designed for use with Microsoft IIS. It is very rarely used with IBM HTTP Server and is not a part of 7.0 or later releases.

PROBLEM DESCRIPTION: Repeated malicious requests to URLs configured to be handled by mod_isapi can cause errors, crashes, or remote code execution.

RECOMMENDATION: Apply this fix if the "LoadModule" directive for "mod_isapi" is enabled in httpd.conf (this module is disabled by default).

mod_isapi is provided only on Windows and only on IBM HTTP Server 6.1 and earlier. It is never enabled or configured by default.
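Both the local fix and the recommendation above hinge on one question: is the mod_isapi LoadModule directive uncommented in httpd.conf, and is the module wired to a handler? The script below is an added example, not part of the APAR or of IBM HTTP Server, that answers that question for a given httpd.conf. It treats a line as active only if Apache would parse it (comments and blank lines are skipped, backslash continuations are joined), and reports "exposed" only when both conditions from USERS AFFECTED hold. The handler names isapi-isa (Apache 2.0 lineage, which IHS 6.x follows) and isapi-handler (Apache 2.2) come from the Apache documentation; the two httpd.conf fragments and the default install path are constructed for the example and are assumptions. Included files are not followed, so run it against any file pulled in by Include as well.

```python
import re
import sys

# Constructed sample httpd.conf fragments (not taken from any real IBM HTTP Server install).
SAFE_CONF = """\
# IBM HTTP Server httpd.conf (constructed sample, default state)
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
#LoadModule isapi_module modules/mod_isapi.so
#AddHandler isapi-isa .dll
"""

EXPOSED_CONF = """\
LoadModule isapi_module modules/mod_isapi.so
<IfModule mod_isapi.c>
    AddHandler isapi-isa .dll
    ISAPIReadAheadBuffer 49152
</IfModule>
"""

# LoadModule for the ISAPI module; Apache directive names are case-insensitive.
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+isapi_module\s+", re.IGNORECASE)
# AddHandler/SetHandler naming the ISAPI handler (isapi-isa in 2.0, isapi-handler in 2.2).
HANDLER_RE = re.compile(r"^\s*(Add|Set)Handler\s+.*\bisapi-(isa|handler)\b", re.IGNORECASE)


def active_directives(conf_text):
    """Yield (lineno, directive) for lines Apache will actually parse.

    Blank lines and '#' comments are dropped and trailing-backslash
    continuations are joined; lineno is the first physical line of a directive.
    """
    pending = ""
    start = None
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        if start is None:
            start = lineno
        line = pending + raw
        if line.rstrip().endswith("\\"):
            pending = line.rstrip()[:-1] + " "
            continue
        pending = ""
        first, start = start, None
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        yield first, stripped


def assess_mod_isapi(conf_text):
    """Return which of the two APAR conditions hold for this httpd.conf text.

    'exposed' is True only when mod_isapi is loaded AND an ISAPI handler is
    configured; a commented-out LoadModule (the shipped default) is not counted.
    """
    loaded, handlers = [], []
    for lineno, directive in active_directives(conf_text):
        if LOADMODULE_RE.match(directive):
            loaded.append(lineno)
        elif HANDLER_RE.match(directive):
            handlers.append(lineno)
    return {
        "loaded": bool(loaded),
        "handler": bool(handlers),
        "exposed": bool(loaded) and bool(handlers),
        "loadmodule_lines": loaded,
        "handler_lines": handlers,
    }


def report(name, conf_text):
    """Human-readable one-liner per config, built from assess_mod_isapi()."""
    r = assess_mod_isapi(conf_text)
    if r["exposed"]:
        return (f"{name}: EXPOSED - mod_isapi loaded at line(s) {r['loadmodule_lines']}, "
                f"ISAPI handler at line(s) {r['handler_lines']}; apply PM09447 or comment both out")
    if r["loaded"]:
        return f"{name}: mod_isapi loaded at line(s) {r['loadmodule_lines']} but no ISAPI handler; comment out LoadModule anyway"
    return f"{name}: mod_isapi not loaded (recommended state)"


if __name__ == "__main__":
    # Assumed default IHS 6.1 location on Windows; pass a path to override.
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files\IBM\HTTPServer\conf\httpd.conf"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(report(path, fh.read()))
    except OSError as exc:
        print(f"could not read {path}: {exc}; showing constructed samples instead")
        print(report("SAFE_CONF", SAFE_CONF))
        print(report("EXPOSED_CONF", EXPOSED_CONF))
```

On a real server, run it against httpd.conf and every file it Includes; a result of "not loaded" matches the shipped default and means the APAR does not apply, while "EXPOSED" means the fix (or commenting out both the LoadModule and the handler directive) is needed.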
Problem conclusion
The unloading of ISAPI DLLs in mid-request during error cases has been removed, which eliminates the chance for later phases of Apache request processing to call into the unloaded DLL. ISAPI DLLs are now only unloaded during the final cleanup of a request, when no further callbacks are possible.
Temporary fix
Comments
APAR Information
APAR number
PM09447
Reported component name
IBM HTTP SERVER
Reported component ID
5724J0801
Reported release
61W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2010-03-09
Closed date
2010-03-15
Last modified date
2010-03-19
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801
Applicable component levels
R60W PSY
UP
R61W PSY
UP
Document Information
Modified date:
07 September 2022