Security Bulletin: Potential security exposure with IBM HTTP Server 8.0 and earlier (PM46234) (CVE-2011-3192)

Summary

Crafted range requests can result in potential denial of service with IBM HTTP Server (IHS).

Vulnerability Details

Potential denial of service from attack using crafted range requests (CVE Reference: CVE-2011-3192).

Affected Products and Versions

Affected:

  • IBM HTTP Server (IHS) Versions 2.0 (2.0.42 and 2.0.47), 6.0 through 6.0.2.43, 6.1 through 6.1.0.39, 7.0 through 7.0.0.19, and 8.0 are affected.
  • All WebSphere Application Server product Versions, using these affected IHS versions, are affected.
  • All WebSphere Application Server Hypervisors, using these affected IHS versions, are affected.
  • IBM HTTP Server for z/OS (powered by Apache) Versions 6.1, 7.0 and 8.0 are affected.


Not Affected:

  • IBM HTTP Server Version 1.3.x is not affected.
  • However, due to issues in its handling of range requests, we strongly recommend upgrading to an in-service version of IBM HTTP Server.
  • Version 1.3.26 is no longer in service (ended September 2006).
  • Version 1.3.28 is no longer in service (ended September 2008).
  • IBM HTTP Server for z/OS Version 530 is not affected.

Remediation/Fixes

Applying Interim Fix APAR PM46234, or a Fix Pack containing this APAR, resolves this issue.

For IBM HTTP Server for distributed operating systems:

For Version 8.0:

--OR--

  • Apply Fix Pack 1, or later (8.0.0.1) (projected to be available 26 September 2011).


For Versions 7.0 and 7.0.0.19:

--OR--

  • Apply Fix Pack 21, or later (7.0.0.21) (projected to be available 9 January 2012).


For Versions 6.1 through 6.1.0.39:

--OR--

  • Apply Fix Pack 41, or later (6.1.0.41) (projected to be available 17 November 2011).


For Versions 6.0 through 6.0.2.42:

Note:

  • IBM HTTP Server Version 6.0.x was provided with WebSphere Application Server Version 6.0, which is no longer in service (ended September 2010).
  • Additional assistance will only be provided if you have a support extension contract in place, with the purchase of a support extension contract, or if you are otherwise entitled to support through another product.


For Versions 2.0 (2.0.42 and 2.0.47):

  • Contact IBM Technical Support for a PM46234 cumulative ifix (projected to be available 16 September 2011).
  • IBM HTTP Version 2.0.42 was provided with WebSphere Application Server Version 5.0, and IBM HTTP Server Version 2.0.47 was provided with WebSphere Application Server Version 5.1.
  • WebSphere App Server Version 5.0 is no longer in service (ended September 2006).
  • WebSphere App Server Version 5.1 is no longer in service (ended September 2008).
  • Additional assistance will only be provided if you have a support extension contract in place, with the purchase of a support extension contract, or if you are otherwise entitled to support through another product.


For IBM HTTP Server for z/OS (powered by Apache):

For V8.0.0.0:

  • Apply APAR PM46234 by way of the appropriate Cumulative APAR (Fix Pack) for 8.0.0.1, or later (targeted to be available September 2011) (FMID: HBBO800)


For V7.0.0.0 through 7.0.0.18:

  • Apply APAR PM46234 by way of the appropriate Cumulative APAR (Fix Pack) for 7.0.0.19, or later (targeted to be available September 2011) (FMID: HHAP700)


For V6.1.0.0 through 6.1.0.39:

  • Apply APAR PM46234 by way of the appropriate Cumulative APAR (Fix Pack) for 6.1.0.41, or later (targeted to be available November 2011) (FMID: JIWO610)


Note: Customers may choose to follow the directions under "Workarounds and Mitigations" as a temporary solution while waiting for the Cumulative APAR containing this fix.


For IBM WebSphere Application Server Hypervisor Edition:

For Version 7.0:

  • This fix will be embedded into IBM WebSphere Application Server Hypervisor Edition version 7.0.0.21 (projected to be available Jan 2012)
  • For versions prior to 7.0.0.21, please follow the directions for 'IBM HTTP Server Versions 7.0 and 7.0.0.19'


For Version 6.1:

  • This fix will be embedded into IBM WebSphere Application Server Hypervisor Edition version 6.1.0.41 (projected to be available Nov 2011)
  • For versions prior to 6.1.0.41, please follow the directions for 'IBM HTTP Server Versions 6.1 and 6.1.0.39'


Note: Since it takes several weeks after a Fix Pack is released before a refreshed WebSphere Application Server Hypervisor Edition virtual image becomes available, customers may choose to apply the IBM HTTP Server Fix Pack or Interim Fix listed in the Long-Term Solution section "For IBM HTTP Server for distributed operating systems" directly within their running instances rather than waiting for the updated virtual image.

Workarounds and Mitigations

Note: Circumvention may be applied to affected WebSphere Application Server and WebSphere Application Server Hypervisor environments.

For IBM HTTP Server for all operating systems:


  • For IBM HTTP Server 7.0 and later:

This workaround treats requests for 25 or more ranges as requests for the entire file.


  1. Make sure mod_headers and mod_setenvif are loaded/uncommented.
  2. Add the following to the httpd.conf (anywhere in global scope of IHS configuration, conventionally this would be placed at the bottom of the file):


SetEnvIf Range (?:,.*?){25,25} bad-range=1
RequestHeader unset Range env=bad-range

# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range


  • For IBM HTTP Server 6.1, 6.0, and 2.0.47:

Two workarounds are available; implementing either one is sufficient.


  • Option 1:

The first option ignores all Range requests and returns the full page instead (the HTTP RFC says servers may simply ignore Range requests).


  1. Make sure mod_headers is loaded/uncommented.
  2. Add the following to httpd.conf (anywhere in global scope of IHS configuration, conventionally this would be placed at the bottom of the file):


RequestHeader unset Range
RequestHeader unset Request-Range


  • Option 2:

This alternative workaround rejects requests with 100 or more ranges and should only be used if the above has a negative impact.

  1. Make sure mod_rewrite and mod_headers are loaded/uncommented.
  2. Add the following towards the top of httpd.conf (specifically, preceding any other RewriteRule directives) and to the top of each <VirtualHost> stanza (specifically, preceding any other RewriteRule directives in that VirtualHost scope):

# Reject request when more than 100 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:Range} (?:,[^,]*){100} [NC]
RewriteRule .* - [F]

# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
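As an added example (not part of the bulletin), the following Python emulates the three circumventions above using the bulletin's own SetEnvIf and RewriteCond patterns, so you can check offline which Range header values each rule acts on before deploying it; make_range_header and the header dicts are constructed test input. One detail worth knowing: both quantifiers count commas, so the 7.0 pattern matches from 26 comma-separated range-specs and the Option 2 pattern from 101.

```python
import re

# Patterns copied verbatim from the circumventions in this bulletin.
# mod_setenvif and mod_rewrite use PCRE; Python's re accepts these constructs unchanged.
IHS7_BAD_RANGE = re.compile(r"(?:,.*?){25,25}")              # SetEnvIf Range ... bad-range=1
IHS6_REJECT = re.compile(r"(?:,[^,]*){100}", re.IGNORECASE)  # RewriteCond %{HTTP:Range} ... [NC]


def make_range_header(n_ranges):
    """Constructed test input: a Range value with n_ranges comma-separated range-specs."""
    return "bytes=" + ",".join("%d-%d" % (i, i) for i in range(n_ranges))


def count_ranges(range_value):
    """Number of range-specs in a Range value ('bytes=0-1,2-3' -> 2)."""
    if "=" not in range_value:
        return 0
    return len([s for s in range_value.split("=", 1)[1].split(",") if s.strip()])


def ihs7_workaround(headers):
    """Emulate the 7.0+ circumvention on a dict of request headers.

    Range is unset when the SetEnvIf pattern matches (env bad-range=1);
    Request-Range is always unset. Returns the filtered header dict.
    The {25,25} quantifier counts commas, so it first matches at 26 range-specs.
    """
    out = dict(headers)
    if "Range" in out and IHS7_BAD_RANGE.search(out["Range"]):
        del out["Range"]
    out.pop("Request-Range", None)
    return out


def ihs6_option1(headers):
    """Emulate Option 1: unconditionally drop Range and Request-Range."""
    out = dict(headers)
    out.pop("Range", None)
    out.pop("Request-Range", None)
    return out


def ihs6_option2(headers):
    """Emulate Option 2: 403 (RewriteRule [F]) when the RewriteCond matches, else 200."""
    return 403 if IHS6_REJECT.search(headers.get("Range", "")) else 200


if __name__ == "__main__":
    for n in (2, 26, 101):
        h = {"Host": "www.example.com", "Range": make_range_header(n), "Request-Range": "bytes=0-1"}
        print(n, "ranges:", "Range kept" if "Range" in ihs7_workaround(h) else "Range dropped",
              "| option2 ->", ihs6_option2(h))
```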


Note:

  • All ifixes and their respective availability dates are listed below.
  • Please check back here for the ifixes at the posted projected availability dates.

References


Additional documentation:
For additional details on IBM HTTP Server product updates, please refer to:

For additional details on WebSphere Application Server product updates, please refer to:

For additional information on this security exposure, see the following URLs:

For all downloadable Interim Fix APARs for PM46234 for the WebSphere Application Server for distributed operating systems products, customers may also download any of these fixes from the alternate Fix Central download location at this link.

Change History

1 Sept 2011: Initial publication of Flash.

2 Sept 2011:
* Removed System i and i5/OS from platforms. Not implicated.
* Under "For IBM HTTP Server for distributed operating systems:" section, the Fix Pack 21 (7.0.0.21) is projected to be available 9 January 2012 (not Sept 2011).

7 Sep 2011:
* Added download links for ifixes for Versions 6.1.0.35, 6.1.0.37, 6.1.0.39, 7.0.0.15, 7.0.0.17.
* Under "For Circumvention" section, under "Option 1", changed line:
RewriteCond %{HTTP:Range} (?:,[^,]+){25} [NC]
to
RewriteCond %{HTTP:Range} (?:,[^,]+){100} [NC]

8 Sep 2011:
* Elaborated on context/location of circumventions (order of RewriteRules matters)
* Changed descriptions of circumventions to use proper totals (25 -> 100)
* Updated regular expression use to count HTTP ranges to be more resilient (+->*)

16 Sep 2011:
* Added Interim Fix APAR download links for 6.0.2.43, 7.0.0.19, and 8.0.0 for PM46234.
* This link is an alternate download location to the PM46234 APAR Download Document.
* Also added statement of, and link to, an alternate Interim Fix download location in Fix Central with the following general statement under "Additional Documentation":
"For all downloadable Interim Fix APARs for PM46234 for the WebSphere Application Server for distributed operating systems products, Customers may also download any of these fixes from the alternate, Fix Central, download location at link."

20 Sep 2011:
* Under "Versions affected" heading, updated Versions 7.0 through 7.0.0.17 to Versions 7.0 through V7.0.0.19, to correspond to the failing releases as documented in the "For Long Term Solution (ifixes)" section.
* Updated all PM46234 links to point directly to the Interim Fix APAR download document for PM46234, which contains direct download links.
* Added links to the CVE document and the IBM Security Systems (ISS) X-Force documents for this PM46234.
* Added the following FMIDs to IBM HTTP Server for z/OS (powered by Apache): HBBO800 for V8.0, HHAP700 for V7.0, JIWO610 for V6.1.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Information

Modified date:
16 July 2018

UID

swg21512087