IBM Support

Security Bulletin: Potential Denial of service vulnerability in IBM HTTP Server (CVE-2013-6329)

Security Bulletin


Summary

A potential denial of service vulnerability in SSL handshake processing in IBM HTTP Server (IHS).

Vulnerability Details

CVEID: CVE-2013-6329
Description: Potential denial of service in SSL handshake processing.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88939 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Affected Products and Versions

VERSIONS AFFECTED: This problem affects the IBM HTTP Server component in all editions of WebSphere Application Server and bundling products:
· Version 8.5.5
· Version 8.5
· Version 8
· Version 7
· Version 6.1

Remediation/Fixes

The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical

Fix:Apply a Fix Pack or PTF containing APAR PI05309, as noted below:

For affected IBM HTTP Server for WebSphere Application Server:

For V8.5.0.0 through 8.5.5.1 Full Profile:

--OR--
  • Apply Fix Pack 8.5.5.2 or later.

For V8.0 through 8.0.0.8: --OR--
  • Apply Fix Pack 8.0.0.9 or later.

For V7.0.0.0 through 7.0.0.31:
Due to a publishing issue with PI05309 for Version 7 only, apply PI09443 which supercedes the fix for PI05309 --OR--
  • Apply Fix Pack 7.0.0.33 or later.

For V6.1.0.0 through 6.1.0.47:

Workarounds and Mitigations

Disabling the SSLv3 Session cache will circumvent this issue, but may lead to higher CPU usage. To use the circumvention:


For Windows platforms, do one of the following:

  • Any Release:
    • Set the system wide environment variable 'GSK_V3_SIDCACHE_SIZE=0"
    • Restart the system

--OR--
  • For IBM HTTP Server Version 8.0.0.0 or later:
    • Set the following directive everywhere you use the 'SSLEnable' directive:
        • SSLAttributeSet 305 0 NUMERIC

For Other platforms, do one of the following:
  • Any Release:
    • Export the native environment variable 'GSK_V3_SIDCACHE_SIZE=0' in '$IHSROOT/bin/envvars'
    • Perform a full stop and start of the server.
    • Set "SSLCacheDisable" at the bottom of httpd.conf

--OR--
  • For IHS Version 8.0.0.0 or later:
    • Set the following directive everywhere you use the 'SSLEnable' directive:
        • SSLAttributeSet 305 0 NUMERIC
    • Set "SSLCacheDisable" at the bottom of httpd.conf

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off
Security Bulletin for PI09443

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

17 December 2013: original version published
14 February 2014: updated to supercede PI05309 for Version 7

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"SSL","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"8.5.5;8.5;8.0;7.0;6.1","Edition":"All Editions","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"IBM HTTP Server","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Product":{"code":"SSCKBL","label":"WebSphere Application Server Hypervisor Edition"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
15 June 2018

UID

swg21659548

Page Feedback