IBM Support

Security Bulletin: Potential Security vulnerability in IBM HTTP Server CVE-2013-6747

Security Bulletin


Potential security exposure in IBM HTTP Server for WebSphere Application Server.

Vulnerability Details

CVE ID: CVE-2013-6747

IBM HTTP Server may be vulnerable to a denial of service, caused by an error in the GSKit component. By initiating an SSL/TLS connection using a malformed certificate chain, a remote attacker could exploit this vulnerability to cause the server process to hang or crash.


CVSS Base Score: 7.1
CVSS Temporal Score: See for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Affected Products and Versions

This problem affects the IBM HTTP Server component in all editions of WebSphere Application Server and all products that bundle WebSphere Application Server:
· Version 8.5.5
· Version 8.5
· Version 8
· Version 7
· Version 6.1


The recommended solution is to apply the Fix Pack for each named product as soon as practical.

Fix:Apply a Fix Pack containing this APAR PI09443, as noted below:

For affected IBM HTTP Server for WebSphere Application Server:

For V8.5.0.0 through Full Profile:

  • Apply Fix Pack or later

For V8.0 through
  • Apply Fix Pack or later.

For V7.0.0.0 through
WARNING: If you downloaded the interim fix for PI09443 prior to 06/10/2014, then after applying the interim fix, you should restore file ownership of directories as described below.

- Confirm the permissions of the gsk7/ subdirectory matches the rest of
your IHS installation, and update as necessary recursively. A typical
owner is usually root:root.

For Unix:
chown -R root:root gsk7

For Windows
Use explorer.exe

- Confirm the permissions of the IHS installation root matches the rest of
your IHS installation, and update as necessary.

For Unix:
chown root:root .

For Windows
Use explorer.exe

Note: If your server was not originally installed under the root id, check a reference file such as bin/httpd or bin/httpd.exe for the appropriate ownership.

  • Apply Fix Pack or later.

For V6.1.0.0 through
  • Apply Interim Fix PI09443

Workarounds and Mitigations


Get Notified about Future Security Bulletins



Change History

11 February 2014: Original publish
5 June 2014: Added additional information for Version 7 users for command that must be run
6 June 2014: updated Unix command
10 June 2014: updated warning section

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.


According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"IBM HTTP Server","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"8.5.5;8.5;8.0;7.0;6.1","Edition":"Base;Developer;Express;Network Deployment","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
15 June 2018