A security vulnerability has been identified in IBM HTTP Server that allows a remote attacker to carry out a denial-of-service (DoS) attack.
Package: IBM HTTP Server 6.0.x, IBM HTTP Server 6.1.x, IBM HTTP Server 7.0.x, IBM HTTP Server 8.x
Operating systems: HP-UX 11.x, IBM AIX 5.x, IBM AIX 6.x, IBM AIX 7.x, IBM z/OS 1.x, Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows Server 2008, Microsoft Windows 7, Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, Sun Solaris 9, Sun Solaris 10, SUSE Linux Enterprise Desktop 10, SUSE Linux Enterprise Server (SLES) 9, SUSE Linux Enterprise Server (SLES) 10, SUSE Linux Enterprise Server (SLES) 11
Severity: 7
Problem: error in a software component
Exploitation: remote
Consequence: denial of service (DoS)
Solution: workaround
CVE: CVE-2011-3192
Original advisory ID: 1512087
Source: IBM
Problem:
The flaw stems from improper handling of HTTP "Range" headers by the Apache server.

Consequence:
Successful exploitation of the vulnerability can cause significant memory and CPU consumption, and sustained exploitation can result in a DoS condition.

Solution:
Users are advised to apply the workaround following the instructions in the text of the original advisory.
Original advisory text
Potential security exposure with IBM HTTP Server 8.0 and earlier (PM46234) (CVE-2011-3192)
Flash (Alert)
Abstract
Crafted range requests can result in potential denial of service with IBM HTTP Server (IHS).
Content
Versions affected:
Affected:
IBM HTTP Server (IHS) Versions 2.0 (2.0.42 and 2.0.47), 6.0 through 6.0.2.43, 6.1 through 6.1.0.39, 7.0 through 7.0.0.17, and 8.0 are affected.
All WebSphere Application Server product Versions, using these affected IHS versions, are affected.
All WebSphere Application Server Hypervisors, using these affected IHS versions, are affected.
IBM HTTP Server for z/OS (powered by Apache) Versions 6.1, 7.0 and 8.0 are affected.
Not Affected:
IBM HTTP Server Version 1.3.x is not affected.
However, due to issues in the handling of its range requests, we strongly recommend upgrading to an in-service Version of IBM HTTP Server.
Version 1.3.26 is no longer in service (ended September 2006).
Version 1.3.28 is no longer in service (ended September 2008).
IBM HTTP Server for z/OS Version 530 is not affected.
Problem Description:
Potential denial of service from attack using crafted range requests (CVE Reference: CVE-2011-3192).
Circumvention/Solution:
Note: Circumvention may be applied to affected WebSphere Application Server and Websphere Application Server Hypervisor environments.
For Circumvention:
For IBM HTTP Server for all operating systems:
For IBM HTTP Server 7.0 and later:
This workaround treats requests for 25 or more ranges as requests for the entire file.
Make sure mod_headers and mod_setenvif are loaded/uncommented.
Append the following to the bottom of httpd.conf:
SetEnvIf Range (?:,.*?){25,25} bad-range=1
RequestHeader unset Range env=bad-range
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
For IBM HTTP Server 6.1, 6.0, and 2.0.47:
Two workarounds are available, implementing one is sufficient.
Option 1:
The first option ignores all Range requests and returns the full page instead (the HTTP RFC says servers may simply ignore Range requests).
Make sure mod_headers is loaded/uncommented.
Append the following to the bottom of httpd.conf:
RequestHeader unset Range
RequestHeader unset Request-Range
Option 2:
This alternative workaround rejects requests with 25 or more ranges and should only be used if the above has a negative impact.
Make sure mod_rewrite and mod_headers are loaded/uncommented.
Add the following to the bottom of httpd.conf (but before any other RewriteRule directives) and to the top of each <VirtualHost> stanza (before any other RewriteRule directives):
# Reject request when more than 25 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:Range} (?:,[^,]+){25} [NC]
RewriteRule .* - [F]
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
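The three httpd.conf snippets above all implement the same policy in different places of the request pipeline: drop the legacy Request-Range header unconditionally, and either strip or reject a Range header once it carries too many comma-separated ranges. The following Python model, added here as an illustration and not part of IBM's advisory or of Apache, reproduces that policy so the threshold behaviour can be checked offline: it counts ranges in a Range value, evaluates the two regular expressions quoted verbatim from the snippets, and applies each workaround (the 7.0-and-later SetEnvIf variant, Option 1 and Option 2) to a dictionary of request headers. The header dictionaries, the make_range_header helper and the mode names are constructed for this example.

```python
import re

# Threshold named by the workarounds on this page.
MAX_RANGES = 25

# The two expressions quoted verbatim from the httpd.conf snippets above.
# Both fire once the Range value contains at least 25 commas. Note that 25
# commas separate 26 comma-delimited ranges, so a header with exactly 25
# well-formed ranges (24 commas) is NOT matched by either expression.
SETENVIF_PATTERN = re.compile(r"(?:,.*?){25,25}")
REWRITECOND_PATTERN = re.compile(r"(?:,[^,]+){25}", re.IGNORECASE)  # [NC]


def count_ranges(range_value):
    """Count byte-range specs in a Range value such as 'bytes=0-1,2-3'.
    Empty elements (doubled or trailing commas) are not counted."""
    if "=" not in range_value:
        return 0
    _unit, _, spec = range_value.partition("=")
    return sum(1 for part in spec.split(",") if part.strip())


def setenvif_flags_bad_range(range_value):
    """Would 'SetEnvIf Range (?:,.*?){25,25} bad-range=1' set bad-range?"""
    return SETENVIF_PATTERN.search(range_value) is not None


def rewritecond_rejects(range_value):
    """Would 'RewriteCond %{HTTP:Range} (?:,[^,]+){25} [NC]' match?"""
    return REWRITECOND_PATTERN.search(range_value) is not None


def apply_workaround(headers, mode):
    """Apply one workaround to a dict of request headers (names compared
    case-insensitively). mode is 'ihs70' (strip Range when flagged as
    bad-range), 'option1' (strip every Range header) or 'option2'
    (reject with 403 when the RewriteCond matches). Returns
    (status, headers): status is 403 for a rejected request, else None."""
    out = {}
    range_value = None
    for name, value in headers.items():
        lname = name.lower()
        if lname == "request-range":  # dropped unconditionally in every snippet
            continue
        if lname == "range":
            range_value = value
            continue
        out[name] = value
    if range_value is None:
        return None, out
    if mode == "ihs70":
        if not setenvif_flags_bad_range(range_value):
            out["Range"] = range_value
        return None, out
    if mode == "option1":
        return None, out
    if mode == "option2":
        if rewritecond_rejects(range_value):
            return 403, out
        out["Range"] = range_value
        return None, out
    raise ValueError("unknown mode: %r" % mode)


def make_range_header(n):
    """Constructed sample: 'bytes=0-0,1-1,...' with n single-byte ranges."""
    return "bytes=" + ",".join("%d-%d" % (i, i) for i in range(n))


if __name__ == "__main__":
    # Constructed request: 30 ranges plus a legacy Request-Range header.
    sample = {"Host": "example.invalid",
              "Range": make_range_header(30),
              "Request-Range": "bytes=0-1"}
    for mode in ("ihs70", "option1", "option2"):
        print(mode, apply_workaround(sample, mode))
```

Running the script shows the same 30-range request surviving with its Range header stripped under the first two modes and being refused with 403 under Option 2; feeding make_range_header(25) instead shows the boundary case that passes all three unchanged.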
Note:
All ifixes and their respective availability dates are listed below.
Please check back here for the ifixes at the posted projected availability dates.
For Long-Term Solution (ifixes):
Applying Interim Fix APAR PM46234, or a Fix Pack containing this APAR, resolves this issue.
For IBM HTTP Server for distributed operating systems:
For Version 8.0:
Apply Interim Fix APAR PM46234 (projected to be available 9 September 2011).
--OR--
Apply Fix Pack 1, or later (8.0.0.1) (projected to be available 26 September 2011).
For Versions 7.0 and 7.0.0.19:
Apply Fix Pack 17 or Fix Pack 19 (7.0.0.17 or 7.0.0.19) (Fix Pack 19 is projected to be available 12 September 2011), if not already at that level, then
Apply Interim Fix APAR PM46234
(Interim Fix APAR for 7.0.0.17 projected to be available 2 September 2011).
(Interim Fix APAR for 7.0.0.19 projected to be available 12 September 2011).
--OR--
Apply Fix Pack 21, or later (7.0.0.21) (projected to be available 1 September 2011).
For Versions 6.1 through 6.1.0.39:
Apply Fix Pack 39 (6.1.0.39), if not already at that level, then
Apply Interim Fix APAR PM46234 (projected to be available 1 September 2011).
--OR--
Apply Fix Pack 41, or later (6.1.0.41) (projected to be available 17 November 2011).
For Versions 6.0 through 6.0.2.42:
Apply Fix Pack 43 (6.0.2.43), if not already at that level, then
Apply Interim Fix APAR PM46234 (projected to be available 7 September 2011).
Note:
IBM HTTP Server Version 6.0.x was provided with WebSphere Application Server Version 6.0, which is no longer in service (ended September 2010).
Additional assistance will only be provided if you have a support extension contract in place, or with the purchase of a support extension contract.
For Versions 2.0 (2.0.42 and 2.0.47):
Contact IBM Technical Support for a PM46234 cumulative ifix (projected to be available 16 September 2011).
IBM HTTP Version 2.0.42 was provided with WebSphere Application Server Version 5.0, and IBM HTTP Server Version 2.0.47 was provided with WebSphere Application Server Version 5.1.
WebSphere App Server Version 5.0 is no longer in service (ended September 2006).
WebSphere App Server Version 5.1 is no longer in service (ended September 2008).
Additional assistance will only be provided if you have a support extension contract in place, or with the purchase of a support extension contract.
For IBM HTTP Server for z/OS (powered by Apache):
For V8.0.0.0:
Apply APAR PM46234 by way of the appropriate Cumulative APAR (Fix Pack) for 8.0.0.1, or later (targeted to be available September 2011).
For V7.0.0.0 through 7.0.0.18:
Apply APAR PM46234 by way of the appropriate Cumulative APAR (Fix Pack) for 7.0.0.19, or later (targeted to be available September 2011).
For V6.1.0.0 through 6.1.0.39:
Apply APAR PM46234 by way of the appropriate Cumulative APAR (Fix Pack) for 6.1.0.41, or later (targeted to be available November 2011).
Note: Customers may choose to follow the directions "For Circumvention" as a temporary solution, or while waiting for the Cumulative APAR containing this solution.
For IBM WebSphere Application Server Hypervisor Edition:
For Version 7.0:
This fix will be embedded into IBM WebSphere Application Server Hypervisor Edition version 7.0.0.21 (projected to be available Jan 2012)
For versions prior to 7.0.0.21, please follow the directions for 'IBM HTTP Server Versions 7.0 and 7.0.0.19'
For Version 6.1:
This fix will be embedded into IBM WebSphere Application Server Hypervisor Edition version 6.1.0.41 (projected to be available Nov 2011)
For versions prior to 6.1.0.41, please follow the directions for 'IBM HTTP Server Versions 6.1 and 6.1.0.39'
Note: Since it takes several weeks after a Fix Pack is released before a refreshed WebSphere Application Server Hypervisor Edition virtual image becomes available, customers may choose to apply the IBM HTTP Server Fix Pack or Interim Fix listed in the Long-Term Solution section "For IBM HTTP Server for distributed operating systems" directly within their running instances rather than waiting for the updated virtual image.
Additional documentation:
For additional details on IBM HTTP Server product updates, please refer to:
IBM HTTP Server Recommended Fixes.
For additional details on WebSphere Application Server product updates, please refer to:
For distributed operating systems, Recommended fixes for WebSphere Application Server.
For IBM i operating systems, see WebSphere Application Server for IBM i.
For z/OS operating systems, see WebSphere Application Server for z/OS
Cross Reference information
Segment | Product | Component | Platform | Version | Edition
Application Servers | IBM HTTP Server | Not Applicable | AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS | 8.0, 7.0, 6.1, 6.0, 2.0 |
Application Servers | WebSphere Application Server for z/OS | Not Applicable | z/OS, OS/390 | 8.0, 7.0, 6.1, 6.0.2, 6.0.1, 6.0, 5.1 |
Application Servers | WebSphere Application Server Hypervisor Edition | General | AIX, Linux | 7.0, 6.1 | All Editions