Security Bulletin: Potential Denial of service vulnerability in IBM HTTP Server (CVE-2013-6329)

2022-09-0800:26:26

www.ibm.com

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.015 Low

EPSS

Percentile

86.8%

JSON

Summary

A potential denial of service vulnerability in SSL handshake processing in IBM HTTP Server (IHS).

Vulnerability Details

CVEID: CVE-2013-6329
Description: Potential denial of service in SSL handshake processing.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88939 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Affected Products and Versions

**VERSIONS AFFECTED:**This problem affects the IBM HTTP Server component in all editions of WebSphere Application Server and bundling products:
· Version 8.5.5
· Version 8.5
· Version 8
· Version 7
· Version 6.1

Remediation/Fixes

The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical

**Fix:**Apply a Fix Pack or PTF containing APAR PI05309, as noted below:

For affected IBM HTTP Server for WebSphere Application Server:

For V8.5.0.0 through 8.5.5.1 Full Profile:

Apply Interim Fix PI05309
--OR–
Apply Fix Pack 8.5.5.2 or later.
**
For V8.0 through 8.0.0.8:**
Apply Interim Fix PI05309
--OR–
Apply Fix Pack 8.0.0.9 or later.

For V7.0.0.0 through 7.0.0.31:
Due to a publishing issue with PI05309 for Version 7 only, apply PI09443 which supercedes the fix for PI05309

Apply Interim Fix PI09443
--OR–
Apply Fix Pack 7.0.0.33 or later.
**
For V6.1.0.0 through 6.1.0.47:**
Apply Interim Fix PI05309

Workarounds and Mitigations

Disabling the SSLv3 Session cache will circumvent this issue, but may lead to higher CPU usage. To use the circumvention:

For Windows platforms, do one of the following:

Any Release:
- Set the system wide environment variable 'GSK_V3_SIDCACHE_SIZE=0"
- Restart the system

--OR–

For IBM HTTP Server Version 8.0.0.0 or later:
- Set the following directive everywhere you use the_ ‘SSLEnable’_ directive:
  _ SSLAttributeSet 305 0 NUMERIC _
  For Other platforms, do one of the following:
Any Release:
- Export the native environment variable ‘GSK_V3_SIDCACHE_SIZE=0’ in _‘$IHSROOT/bin/envvars’ _
- Perform a full stop and start of the server.
- Set “SSLCacheDisable” at the bottom of httpd.conf

--OR–

For IHS Version 8.0.0.0 or later:
- Set the following directive everywhere you use the_ ‘SSLEnable’_ directive:
  _SSLAttributeSet 305 0 NUMERIC _
- Set_ “SSLCacheDisable”_ at the bottom of httpd.conf

CPENameOperatorVersion
ibm http servereq8.5.5
ibm http servereq8.5
ibm http servereq8.0
ibm http servereq7.0
ibm http servereq6.1
websphere application servereqany
websphere application server hypervisor editioneqany

Name	Operator	Version
ibm http server	eq	8.5.5
ibm http server	eq	8.5
ibm http server	eq	8.0
ibm http server	eq	7.0
ibm http server	eq	6.1
websphere application server	eq	any
websphere application server hypervisor edition	eq	any