Summary
Crafted range requests can result in potential denial of service with IBM HTTP Server (IHS).
Vulnerability Details
Potential denial of service from attack using crafted range requests (CVE Reference: CVE-2011-3192).
Affected Products and Versions
Affected:
- IBM HTTP Server (IHS) Versions 2.0 (2.0.42 and 2.0.47), 6.0 through 6.0.2.43, 6.1 through 6.1.0.39, 7.0 through 7.0.0.19, and 8.0 are affected.
- All WebSphere Application Server product Versions, using these affected IHS versions, are affected.
- All WebSphere Application Server Hypervisors, using these affected IHS versions, are affected.
- IBM HTTP Server for z/OS (powered by Apache) Versions 6.1, 7.0 and 8.0 are affected.
Not Affected:
- IBM HTTP Server Version 1.3.x is not affected.
- However, due to issues in the handling of its range requests, we strongly recommend upgrading to an in-service Version of IBM HTTP Server.
- Version 1.3.26 is no longer in service (ended September 2006).
- Version 1.3.28 is no longer in service (ended September 2008).
- IBM HTTP Server for z/OS Version 530 is not affected.
Remediation/Fixes
Applying Interim Fix APAR PM46234, or a Fix Pack containing this APAR, resolves this issue.
For IBM HTTP Server for distributed operating systems:
For Version 8.0:
- Apply Interim Fix APAR PM46234
--OR--
- Apply Fix Pack 1, or later (8.0.0.1) (projected to be available 26 September 2011).
For Versions 7.0 and 7.0.0.19:
- Apply Interim Fix APAR PM46234
--OR--
- Apply Fix Pack 21, or later (7.0.0.21) (projected to be available 9 January 2012).
For Versions 6.1 through 6.1.0.39:
- Apply Interim Fix APAR PM46234
--OR--
- Apply Fix Pack 41, or later (6.1.0.41) (projected to be available 17 November 2011).
For Versions 6.0 through 6.0.2.42:
- Apply Fix Pack 43 (6.0.2.43), if not already at that level, then
- Apply Interim Fix APAR PM46234.
Note:
- IBM HTTP Server Version 6.0.x was provided with WebSphere Application Server Version 6.0, which is no longer in service (ended September 2010).
- Additional assistance will only be provided if you have a support extension contract in place, with the purchase of a support extension contract, or if you are otherwise entitled to support through another product.
For Versions 2.0 (2.0.42 and 2.0.47):
- Contact IBM Technical Support for a PM46234 cumulative ifix (projected to be available 16 September 2011).
- IBM HTTP Version 2.0.42 was provided with WebSphere Application Server Version 5.0, and IBM HTTP Server Version 2.0.47 was provided with WebSphere Application Server Version 5.1.
- WebSphere App Server Version 5.0 is no longer in service (ended September 2006).
- WebSphere App Server Version 5.1 is no longer in service (ended September 2008).
- Additional assistance will only be provided if you have a support extension contract in place, with the purchase of a support extension contract, or if you are otherwise entitled to support through another product.
For IBM HTTP Server for z/OS (powered by Apache):
For V8.0.0.0:
- Apply APAR PM46234 by way of the appropriate Cumulative APAR (Fix Pack) for 8.0.0.1, or later (targeted to be available September 2011) (FMID: HBBO800)
For V7.0.0.0 through 7.0.0.18:
- Apply APAR PM46234 by way of the appropriate Cumulative APAR (Fix Pack) for 7.0.0.19, or later (targeted to be available September 2011) (FMID: HHAP700)
For V6.1.0.0 through 6.1.0.39:
- Apply APAR PM46234 by way of the appropriate Cumulative APAR (Fix Pack) for 6.1.0.41, or later (targeted to be available November 2011) (FMID: JIWO610)
Note: Customers may choose to follow the directions "For Circumvention" as a temporary solution, or while waiting for the Cumulative APAR containing this solution.
For IBM WebSphere Application Server Hypervisor Edition:
For Version 7.0:
- This fix will be embedded into IBM WebSphere Application Server Hypervisor Edition version 7.0.0.21 (projected to be available Jan 2012)
- For versions prior to 7.0.0.21, please follow the directions for "IBM HTTP Server Versions 7.0 and 7.0.0.19".
For Version 6.1:
- This fix will be embedded into IBM WebSphere Application Server Hypervisor Edition version 6.1.0.41 (projected to be available Nov 2011)
- For versions prior to 6.1.0.41, please follow the directions for "IBM HTTP Server Versions 6.1 and 6.1.0.39".
Note: Since it takes several weeks after a Fix Pack is released before a refreshed WebSphere Application Server Hypervisor Edition virtual image becomes available, customers may choose to apply the IBM HTTP Server Fix Pack or Interim Fix listed in the Long-Term Solution section "For IBM HTTP Server for distributed operating systems" directly within their running instances rather than waiting for the updated virtual image.
Workarounds and Mitigations
Note: Circumvention may be applied to affected WebSphere Application Server and WebSphere Application Server Hypervisor environments.
For IBM HTTP Server for all operating systems:
- For IBM HTTP Server 7.0 and later:
This workaround treats requests for 25 or more ranges as requests for the entire file.
- Make sure mod_headers and mod_setenvif are loaded/uncommented.
- Add the following to the httpd.conf (anywhere in global scope of IHS configuration, conventionally this would be placed at the bottom of the file):
SetEnvIf Range (?:,.*?){25,25} bad-range=1
RequestHeader unset Range env=bad-range
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
- For IBM HTTP Server 6.1, 6.0, and 2.0.47:
Two workarounds are available; implementing either one is sufficient.
The first option ignores all Range requests and returns the full page instead (the HTTP RFC says servers may simply ignore Range requests).
- Make sure mod_headers is loaded/uncommented.
- Add the following to httpd.conf (anywhere in global scope of IHS configuration, conventionally this would be placed at the bottom of the file):
RequestHeader unset Range
RequestHeader unset Request-Range
This alternative workaround rejects requests with 100 or more ranges and should only be used if the above has a negative impact.
- Make sure mod_rewrite and mod_headers are loaded/uncommented.
- Add the following towards the top of httpd.conf (specifically, preceding any other RewriteRule directives) and to the top of each <VirtualHost> stanza (specifically, preceding any other RewriteRule directives in that VirtualHost scope):
# Reject request when more than 100 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:Range} (?:,[^,]*){100} [NC]
RewriteRule .* - [F]
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
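The following is an added example, not IBM's or Apache's code, that re-implements the two httpd.conf rules above in Python so their effect can be checked offline: the IHS 7.0+ SetEnvIf pattern (Range header dropped, full file served, request logged) and the IHS 6.x/2.0.47 RewriteCond pattern (request refused with 403). It also parses the optional range-CVE-2011-3192.log, which is written in Apache "common" log format, to rank clients that tripped bad-range. The sample Range headers and log lines are constructed for the example; the function names are the example's own. Note that both patterns count commas, so a header needs N commas (N+1 range specs) to match, which the assertions below show at the boundary.

```python
"""Emulation of the CVE-2011-3192 Range-header workarounds from the bulletin above.

Added example (not IBM/Apache code). Patterns are copied verbatim from the
httpd.conf snippets; everything else (function names, sample data) is assumed.
"""
import re
from collections import Counter
from typing import Optional

# IHS 7.0+ workaround:   SetEnvIf Range (?:,.*?){25,25} bad-range=1
SETENVIF_BAD_RANGE = re.compile(r"(?:,.*?){25,25}")
# IHS 6.x/2.0.47 option 2: RewriteCond %{HTTP:Range} (?:,[^,]*){100} [NC]
REWRITECOND_REJECT = re.compile(r"(?:,[^,]*){100}", re.IGNORECASE)

# Constructed sample Range header values (not captured traffic).
SAMPLE_HEADERS = {
    "single": "bytes=0-499",
    "three": "bytes=0-99,100-199,200-299",
    "ranges25": "bytes=" + ",".join(f"{i}-" for i in range(25)),    # 24 commas
    "ranges30": "bytes=" + ",".join(f"{i}-" for i in range(30)),    # 29 commas
    "ranges101": "bytes=" + ",".join(f"{i}-" for i in range(101)),  # 100 commas
}


def count_ranges(range_header: str) -> int:
    """Number of non-empty byte-range specs in a Range header value."""
    spec = range_header.split("=", 1)[1] if "=" in range_header else range_header
    return sum(1 for r in spec.split(",") if r.strip())


def ihs70_disposition(range_header: Optional[str]) -> str:
    """Outcome under the IHS 7.0+ workaround (SetEnvIf + RequestHeader unset Range)."""
    if range_header is None:
        return "full-file"                        # no Range header: ordinary 200
    if SETENVIF_BAD_RANGE.search(range_header):
        # bad-range=1 is set, Range is unset, and the request is written to the
        # optional CustomLog; the client receives the whole file.
        return "full-file (bad-range logged)"
    return "partial-content"                      # normal 206 handling


def ihs6x_disposition(range_header: Optional[str], ignore_all_ranges: bool = False) -> str:
    """Outcome under the IHS 6.1/6.0/2.0.47 workarounds.

    ignore_all_ranges=True models option 1 (RequestHeader unset Range);
    False models option 2 (RewriteCond/RewriteRule ... [F]).
    """
    if range_header is None or ignore_all_ranges:
        return "full-file"
    if REWRITECOND_REJECT.search(range_header):
        return "403 Forbidden"                    # RewriteRule .* - [F]
    return "partial-content"


# Apache "common" log format: %h %l %u %t "%r" %>s %b
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r"(?P<status>\d{3}) (?P<bytes>\S+)"
)

# Constructed sample content of logs/range-CVE-2011-3192.log (every line in that
# log is a request that set bad-range, because of env=bad-range on the CustomLog).
SAMPLE_RANGE_LOG = """\
192.0.2.10 - - [31/Aug/2011:10:15:32 +0000] "GET /big.iso HTTP/1.1" 200 734003200
192.0.2.10 - - [31/Aug/2011:10:15:33 +0000] "GET /big.iso HTTP/1.1" 200 734003200
198.51.100.7 - - [31/Aug/2011:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 5120
"""


def clients_in_range_log(log_text: str) -> Counter:
    """Per-client count of requests that tripped bad-range, for triage or rate limiting."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = CLF.match(line)
        if m:
            counts[m.group("host")] += 1
    return counts


if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print(f"{name:9} ranges={count_ranges(value):3}  "
              f"IHS7.0+: {ihs70_disposition(value):27}  "
              f"IHS6.x opt2: {ihs6x_disposition(value)}")
    print("bad-range hits per client:", dict(clients_in_range_log(SAMPLE_RANGE_LOG)))
```

Running the block shows the boundary behaviour of the published patterns: a 25-range header (24 commas) passes the IHS 7.0+ rule unchanged, a 30-range header is served as the full file and logged, and only a 101-range header is refused by the IHS 6.x RewriteCond. If a tighter cut-off is wanted, the quantifier in the pattern is the value to adjust.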
Note:
- All ifixes and their respective availability dates are listed below.
- Please check back here for the ifixes at the posted projected availability dates.