IBM Support

PM53930: Collisions in HashTable May Cause DoS Vulnerability



Abstract

Potential Denial of Service (DoS) security exposure when using Web-based applications, due to a vulnerability in the Java HashTable implementation.

Download Description

PROBLEM DESCRIPTION:
Customers who run Web-based applications are affected by this vulnerability, which can cause performance degradation or Denial of Service (DoS).

USERS AFFECTED:
All users of IBM WebSphere Application Server versions 6.0, 6.1, 7.0 and 8.0

RECOMMENDATION:
Install Interim Fix APAR PM53930 (or a ++APAR for WebSphere Application Server for z/OS), or a Fix Pack containing this APAR. The Interim Fix for a specific release can be downloaded from the Download package section of this document. The fix for this APAR is currently targeted for inclusion in fix packs 6.1.0.43, 7.0.0.23, 8.0.0.3.


Note: If you use the Web-based ("live") repository provided by IBM, Install Manager (IM) will, by default, pick up any recommended iFixes when installing WebSphere Application Server V8 or any WebSphere Application Server V8 Service Fix Packs. PM53930 is a recommended fix, and as a result, may already be installed. If you are unsure as to whether or not it is installed, you can check using the IM command line "imcl listInstalledPackages -long".

PROBLEM CONCLUSION:
WebContainer code has been updated to mitigate this vulnerability.

There is a new property that can be used in conjunction with this fix:


com.ibm.ws.webcontainer.maxParamPerRequest

You can use this property to change the maximum number of parameters allowed in your inbound requests, based on your applications and environment. The maximum number of parameters allowed per inbound request (GET or POST) defaults to 10000.

You can set this property to -1 if you do not want to limit the number of parameters that can be included in a request.
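The following Python example, added here and not taken from IBM's WebContainer code, shows the parameter-count guard that the property above describes: a request is rejected as soon as it carries more parameters than the configured cap, and a value of -1 disables the limit. The function names, the sample bodies and the exception type are constructed for the example.

```python
# Added example (not IBM's WebContainer code): a form-parameter parser that
# enforces a per-request parameter cap with the same semantics as the
# com.ibm.ws.webcontainer.maxParamPerRequest property: a positive value
# rejects the request once that many parameters are exceeded, -1 means
# "no limit". Names below are hypothetical.
from urllib.parse import unquote_plus

DEFAULT_MAX_PARAMS = 10000  # default value of the property per the fix notes


class TooManyParameters(Exception):
    """Raised as soon as the request exceeds the configured parameter cap."""


def parse_params(query: str, max_params: int = DEFAULT_MAX_PARAMS) -> dict:
    """Parse an application/x-www-form-urlencoded string into a dict.

    The count is checked while splitting, before each pair is decoded and
    inserted, so parsing stops at the cap instead of after every one of the
    attacker-supplied names has been hashed into the table.
    """
    params: dict = {}
    count = 0
    if not query:
        return params
    for pair in query.split("&"):
        if pair == "":
            continue
        count += 1
        if max_params != -1 and count > max_params:
            raise TooManyParameters(
                f"request carries more than {max_params} parameters")
        name, _sep, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def request_allowed(body: str, max_params: int = DEFAULT_MAX_PARAMS) -> bool:
    """Return True if the body parses under the cap, False if it is rejected."""
    try:
        parse_params(body, max_params)
        return True
    except TooManyParameters:
        return False


# Constructed sample inputs: a small body, and one carrying 12 parameters.
SMALL_BODY = "user=alice&lang=en&page=2"
BIG_BODY = "&".join(f"p{i}=v{i}" for i in range(12))
```

A defender can log or count the rejections to spot a flood of oversized requests, while legitimate forms with more than 10000 fields are accommodated by raising the cap rather than disabling it.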


To specify web container custom properties:
1. In the administrative console click
Servers > Server Types > WebSphere application servers > server_name > Web Container Settings > Web container.
2. Under Additional Properties select Custom Properties.
3. On the Custom Properties page, click New.
4. On the settings page, enter the name of the custom property that you want to configure in the Name field and the value that you want to set it to in the Value field.
5. Click Apply or OK.
6. Click Save on the console task bar to save your configuration changes.
7. Restart the server.



Security bulletins are posted here:
http://www.ibm.com/support/docview.wss?uid=swg21368398

The PM53930 Flash is posted here:
http://www.ibm.com/support/docview.wss?uid=swg21577532

The fix for this APAR is currently targeted for inclusion in fix packs 6.1.0.43, 7.0.0.23, 8.0.0.3. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?uid=swg27004980

Prerequisites

None

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme (US English, size 3215):
ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/readme.txt

Download package:

Interim Fix for 8.0.0.1 (13 Jan 2012, US English, size 268829)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=8.0.0.1-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch

Interim Fix for 8.0.0.2 (13 Jan 2012, US English, size 268831)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=8.0.0.2-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch

Interim Fix for 7.0.0.19-7.0.0.21 (16 Jan 2012, US English, size 9415)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.19-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/7.0.0.19-WS-WAS-IFPM53930.pak

Interim Fix for 7.0.0.17 (17 Jan 2012, US English, size 9186)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.17-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/7.0.0.17-WS-WAS-IFPM53930.pak

Interim Fix for 6.1.0.25-6.1.0.41 (17 Jan 2012, US English, size 8916)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.25-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/6.1.0.25-WS-WAS-IFPM53930.pak

Interim Fix for 6.0.2.11-6.0.2.43 (17 Jan 2012, US English, size 11682)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.11-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/6.0.2.11-WS-WAS-IFPM53930.pak

Interim Fix for 7.0.0.5-7.0.0.13 (17 Jan 2012, US English, size 9196)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.5-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/7.0.0.5-WS-WAS-IFPM53930.pak

Interim Fix for 7.0.0.15 (18 Jan 2012, US English, size 43966)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.15-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/7.0.0.15-WS-WAS-IFPM53930.pak

Interim Fix for 7.0.0.3 (18 Jan 2012, US English, size 8981)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.3-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/7.0.0.3-WS-WAS-IFPM53930.pak

Interim Fix for 6.1.0.15-6.1.0.23 (19 Jan 2012, US English, size 8925)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.15-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/6.1.0.15-WS-WAS-IFPM53930.pak

Interim Fix for 6.1.0.11-6.1.0.13 (19 Jan 2012, US English, size 8713)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.11-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/6.1.0.11-WS-WAS-IFPM53930.pak

Interim Fix for 6.1.0.3-6.1.0.9 (24 Jan 2012, US English, size 8711)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.3-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/6.1.0.3-WS-WAS-IFPM53930.pak

Interim Fix for 7.0.0.1 (24 Jan 2012, US English, size 9158)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.1-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/7.0.0.1-WS-WAS-IFPM53930.pak

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Applies to:
Product: WebSphere Application Server (SSEQTP)
Business Unit: Cloud & Data Platform
Component: Servlet Engine/Web Container
Platforms: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Versions: 8.0.0.2, 8.0.0.1, 7.0.0.9, 7.0.0.7, 7.0.0.5, 7.0.0.3, 7.0.0.21, 7.0.0.19, 7.0.0.17, 7.0.0.15, 7.0.0.13, 7.0.0.11, 7.0.0.1, 6.1.0.9, 6.1.0.7, 6.1.0.5, 6.1.0.41, 6.1.0.39, 6.1.0.37, 6.1.0.35, 6.1.0.33, 6.1.0.31, 6.1.0.3, 6.1.0.29, 6.1.0.27, 6.1.0.25, 6.1.0.23, 6.1.0.21, 6.1.0.19, 6.1.0.17, 6.1.0.15, 6.1.0.13, 6.1.0.11, 6.0.2.43, 6.0.2.41, 6.0.2.39, 6.0.2.37, 6.0.2.35, 6.0.2.33, 6.0.2.31, 6.0.2.29, 6.0.2.27, 6.0.2.25, 6.0.2.23, 6.0.2.21, 6.0.2.19, 6.0.2.17, 6.0.2.15, 6.0.2.13, 6.0.2.11
Editions: Base, Developer, Express, Network Deployment
Line of Business: IBM Automation

Document Information

Modified date:
15 June 2018

UID

swg24031821