Security Bulletin
Summary
IBM HTTP Server (IHS) is affected by a potential denial of service vulnerability in its SSL handshake processing.
Vulnerability Details
CVEID: CVE-2013-6329
Description: Potential denial of service in SSL handshake processing.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88939 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Affected Products and Versions
VERSIONS AFFECTED: This problem affects the IBM HTTP Server component in all editions of WebSphere Application Server and bundling products:
· Version 8.5.5
· Version 8.5
· Version 8
· Version 7
· Version 6.1
Remediation/Fixes
The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
Fix: Apply a Fix Pack or PTF containing APAR PI05309, as noted below:
For affected IBM HTTP Server for WebSphere Application Server:
For V8.5.0.0 through 8.5.5.1 Full Profile:
- Apply Interim Fix PI05309
- Apply Fix Pack 8.5.5.2 or later.
For V8.0 through 8.0.0.8:
- Apply Interim Fix PI05309
- Apply Fix Pack 8.0.0.9 or later.
For V7.0.0.0 through 7.0.0.31:
Due to a publishing issue with PI05309 for Version 7 only, apply PI09443, which supersedes the PI05309 fix:
- Apply Interim Fix PI09443
- Apply Fix Pack 7.0.0.33 or later.
For V6.1.0.0 through 6.1.0.47:
- Apply Interim Fix PI05309
Workarounds and Mitigations
Disabling the SSLv3 session cache circumvents this issue, but may lead to higher CPU usage, because each new connection then performs a full SSL handshake instead of resuming a cached session. To use the circumvention:
For Windows platforms, do one of the following:
--OR--
- For IBM HTTP Server Version 8.0.0.0 or later, set the following directive everywhere you use the 'SSLEnable' directive:
  SSLAttributeSet 305 0 NUMERIC
For other platforms, do one of the following:
- Any release: set "SSLCacheDisable" at the bottom of httpd.conf
--OR--
- For IHS Version 8.0.0.0 or later, set the following directive everywhere you use the 'SSLEnable' directive:
  SSLAttributeSet 305 0 NUMERIC
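To confirm that the circumvention has been applied consistently, the following Python script (an added example, not IBM's code) parses an httpd.conf and reports either that SSLCacheDisable is present at server scope or which containers use SSLEnable without 'SSLAttributeSet 305 0 NUMERIC'. It accepts SSLCacheDisable anywhere at server scope, not only at the bottom of the file. The sample configurations embedded in it are constructed for illustration, and it does not follow Include directives, so run it against each included file as well.

```python
"""Audit an IBM HTTP Server httpd.conf for the CVE-2013-6329 session cache workaround.

Added example, not IBM's code. The bulletin offers two options: set
SSLCacheDisable at server scope, or put 'SSLAttributeSet 305 0 NUMERIC' in every
context that uses SSLEnable. This script parses a configuration and reports
which option is in effect and which SSL-enabled containers still lack the
attribute. Include directives are not followed: run it on each file separately.
"""
import re
import sys
from dataclasses import dataclass

_OPEN = re.compile(r"^<(\w+)(?:\s[^>]*)?>$")   # e.g. <VirtualHost *:443>
_CLOSE = re.compile(r"^</(\w+)>$")              # e.g. </VirtualHost>


@dataclass
class SslContext:
    name: str                   # container header, or "(server scope)"
    ssl_enabled: bool = False   # saw SSLEnable in this context
    attr305_set: bool = False   # saw 'SSLAttributeSet 305 0 NUMERIC' in this context


def parse_contexts(conf_text):
    """Walk the config and return (contexts, cache_disabled).

    contexts holds one SslContext per container plus the server scope;
    cache_disabled is True when SSLCacheDisable appears at server scope.
    """
    server_scope = SslContext("(server scope)")
    contexts = [server_scope]
    stack = [server_scope]
    cache_disabled = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _OPEN.match(line):
            ctx = SslContext(line)
            contexts.append(ctx)
            stack.append(ctx)
            continue
        if _CLOSE.match(line):
            if len(stack) > 1:
                stack.pop()
            continue
        parts = line.split()
        directive, args = parts[0].lower(), [a.upper() for a in parts[1:]]
        if directive == "sslenable":
            stack[-1].ssl_enabled = True
        elif directive == "sslcachedisable" and stack[-1] is server_scope:
            cache_disabled = True
        elif directive == "sslattributeset" and args == ["305", "0", "NUMERIC"]:
            stack[-1].attr305_set = True
    return contexts, cache_disabled


def audit(conf_text):
    """Return (applied, findings): applied is True when either option is in effect."""
    contexts, cache_disabled = parse_contexts(conf_text)
    if cache_disabled:
        return True, ["SSLCacheDisable set at server scope; session cache disabled for all SSL hosts"]
    findings = [
        f"{ctx.name}: SSLEnable without 'SSLAttributeSet 305 0 NUMERIC'"
        for ctx in contexts
        if ctx.ssl_enabled and not ctx.attr305_set
    ]
    return not findings, findings


# Constructed sample: one host carries the attribute, one does not.
SAMPLE_PARTIAL = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
Listen 8443
# the attribute is missing from this host
<VirtualHost *:443>
    ServerName www.example.com
    SSLEnable
    KeyFile /opt/IBM/HTTPServer/keys/key.kdb
</VirtualHost>
<VirtualHost *:8443>
    ServerName admin.example.com
    SSLEnable
    SSLAttributeSet 305 0 NUMERIC
</VirtualHost>
"""
# Constructed sample: the "any release" option, server-wide SSLCacheDisable.
SAMPLE_CACHE_DISABLED = SAMPLE_PARTIAL + "SSLCacheDisable\n"

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PARTIAL
    applied, findings = audit(text)
    print("workaround applied" if applied else "workaround NOT fully applied")
    for finding in findings:
        print("  -", finding)
    sys.exit(0 if applied else 1)
```

After restarting IHS, session resumption can be checked from a client with `openssl s_client -connect host:443 -reconnect`, which reconnects several times with the session ID from the first handshake and labels each connection "New" or "Reused"; with the session cache disabled every connection should be reported as New.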
References
Change History
17 December 2013: original version published
14 February 2014: updated for Version 7 with PI09443, which supersedes PI05309
*The CVSS Environmental Score is customer environment specific and will ultimately affect the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 07 September 2022
UID: swg21659548