Security Bulletin: Potential security exposure with IBM HTTP Server 8.0 and earlier (PM46234) (CVE-2011-3192)

Summary

Crafted range requests can result in potential denial of service with IBM HTTP Server (IHS).

Vulnerability Details

Potential denial of service from attack using crafted range requests (CVE Reference: CVE-2011-3192).

Affected Products and Versions

Affected:

• IBM HTTP Server (IHS) Versions 2.0 (2.0.42 and 2.0.47), 6.0 through 6.0.2.43, 6.1 through 6.1.0.39, 7.0 through 7.0.0.19, and 8.0 are affected.
• All WebSphere Application Server product Versions, using these affected IHS versions**, are affected.** * All WebSphere Application Server Hypervisors, using these affected IHS versions,are affected.
• IBM HTTP Server for z/OS (powered by Apache) Versions 6.1, 7.0 and 8.0** are affected.**

Not Affected:

• IBM HTTP Server Version 1.3.x is not affected.
• However, due to issues in the handling of its range requests, we strongly recommend upgrading to an in-service Version of IBM HTTP Server.
• Version 1.3.26 is no longer is service (ended September 2006).
• Version 1.3.28 is no longer is service (ended September 2008).
• IBM HTTP Server for z/OS Version 530 is not affected.

Remediation/Fixes

Apply Interim Fix APAR PM46234, or a Fix Pack containing this APAR, resolves this issue.

For IBM HTTP Server for distributed operating systems:

For Version 8.0:

• Apply Interim Fix APAR PM46234.

--OR–

• Apply Fix Pack 1, or later (8.0.0.1) (projected to be available 26 September 2011).

For Versions 7.0 and 7.0.0.19:

• Apply Fix Pack 15, 17 or 19 (7.0.0.15, 7.0.0.17, 7.0.0.19), if not already at that level, then
• Apply Interim Fix APAR PM46234.

--OR–

• Apply Fix Pack 21, or later (7.0.0.21) (projected to be available 9 January 2012).

For Versions 6.1 through 6.1.0.39:

• Apply Fix Pack 35, 37 or 39 (6.1.0.35, 6.1.0.37, 6.1.0.39), if not already at that level, then
• Apply Interim Fix APAR PM46234.

--OR–

• Apply Fix Pack 41, or later (6.1.0.41) (projected to be available 17 November 2011).

For Versions 6.0 through 6.0.2.42:

• Apply Fix Pack 43 (6.0.2.43), if not already at that level, then
• Apply Interim Fix APAR PM46234.

Note:

• IBM HTTP Server Version 6.0.x was provided with WebSphere Application Server Version 6.0, which is no longer in service (ended September 2010).
• Additional assistance will only be provided if you have a support extension contract in place, with the purchase of a support extension contract, or if you are otherwise entitled to support through another product.

For Versions 2.0 (2.0.42 and 2.0.47):

• Contact IBM Technical Support for a PM46234 cumulative ifix (projected to be available 16 September 2011).
• IBM HTTP Version 2.0.42 was provided with WebSphere Application Server Version 5.0, and IBM HTTP Server Version 2.0.47 was provided with WebSphere Application Server Version 5.1.
• WebSphere App Server Version 5.0 is no longer in service (ended September 2006).
• WebSphere App Server Version 5.1 is no longer in service (ended September 2008).
• Additional assistance will only be provided if you have a support extension contract in place, with the purchase of a support extension contract, or if you are otherwise entitled to support through another product.

For IBM HTTP Server for z/OS(powered by Apache):

For V8.0.0.0:

• Apply APAR PM46234 by way of the appropriate Cumulative APAR (Fix Pack) for 8.0.0.1, or later (targeted to be available September 2011) (FMID: HBBO800)

For V7.0.0.0 through 7.0.0.18:

• Apply APAR PM46234 by way of the appropriate Cumulative APAR (Fix Pack) for 7.0.0.19, or later (targeted to be available September 2011) (FMID: HHAP700)

For V6.1.0.0 through 6.1.0.39:

• Apply APAR PM46234 by way of the appropriate Cumulative APAR (Fix Pack) for 6.1.0.41, or later (targeted to be available November 2011) (FMID: JIWO610)

Note: Customers may chose to follow the directions “For Circumvention” as a temporary solution, or while waiting for the Cumulative APAR containing this solution.

For IBM WebSphere Application Server Hypervisor Edition:

For Version 7.0:

• This fix will be embedded into IBM WebSphere Application Server Hypervisor Edition version 7.0.0.21 (projected to be available Jan 2012)
• For versions prior to 7.0.0.21, please follow the directions for ‘IBM HTTP Server Versions 7.0 and 7.0.0.19’

For Version 6.1:

• This fix will be embedded into IBM WebSphere Application Server Hypervisor Edition version 6.1.0.41 (projected to be available Nov 2011)
• For versions prior to 6.1.0.41, please follow the directions for ‘IBM HTTP Server Versions 6.1 and 6.1.0.39’

Note: Since it takes several weeks after a Fix Pack is released before a refreshed WebSphere Application Server Hypervisor Edition virtual image becomes available, customers may choose to apply the IBM HTTP Server Fix Pack or Interim Fix listed in the Long-Term Solution section “For IBM HTTP Server for distributed operating systems” directly within their running instances rather than waiting for the updated virtual image.

Workarounds and Mitigations

Note: Circumvention may be applied to affected WebSphere Application Server and WebSphere Application Server Hypervisor environments.

For IBM HTTP Server for all operating systems:

• For IBM HTTP Server 7.0 and later:

This workaround treats requests for 25 or more ranges as requests for the entire file.

1. Make sure mod_headers and mod_setenvif are loaded/uncommented.
2. Add the following to the httpd.conf (anywhere in global scope of IHS configuration, conventionally this would be placed at the bottom of the file):

SetEnvIf Range (?:,.*?){25,25} bad-range=1
RequestHeader unset Range env=bad-range

# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

• For IBM HTTP Server 6.1, 6.0, and 2.0.47:

Two workarounds are available, implementing any one is sufficient.

• Option 1:

The first option ignores all Range requests and returns the full page instead (the HTTP RFC says servers may simply ignore Range requests).

1. Make sure mod_headers is loaded/uncommented.
2. Add the following to httpd.conf (anywhere in global scope of IHS configuration, conventionally this would be placed at the bottom of the file):

RequestHeader unset Range
RequestHeader unset Request-Range

• Option 2:

This alternative workaround rejects requests with 100 or more ranges and should only be used if the above has a negative impact.

1. 2. Make sure mod_rewrite and mod_headers is loaded/uncommented.
2. Add the following towards the topof httpd.conf (specifically, preceding any other RewriteRule directives) and to the topof each <VirtualHost> stanza (specifically, preceding any other RewriteRule directives in that VirtualHost scope):
3. # Reject request when more than 100 ranges in the Range: header.
   # CVE-2011-3192
   #
   RewriteEngine on
   RewriteCond %{HTTP:Range} (?:,[^,]*){100} [NC]
   RewriteRule .* - [F]

# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range

Note:

• All ifixes and their respective availability dates are listed below.
• Please check back here for the ifixes at the posted projected availability dates.