PQ91084 - Possible Denial of Service within Caching Proxy

Abstract
Possible Denial of Service (DoS) within Caching Proxy with incomplete GET requests when JunctionRewrite and UseCookie directives are active.
 
Download Description
PQ91084 resolves the following problem.

PROBLEM:
This APAR is for Caching Proxy Versions 5.0.0.2 through 5.0.2.20, released with IBM® WebSphere® Application Server Version 5.0 with IBM WebSphere Edge Server Fix Pack 2, and all releases of IBM WebSphere Application Server Version 5.0.1 and 5.0.2 products. The Caching Proxy component fails to handle incomplete GET requests when the JunctionRewrite and UseCookie directives are active. Successful exploitation of this exposure can cause a Denial of Service condition.

LOCAL FIX:
A valid HTTP request, which must include a URL and may include an HTTP version and other HTTP headers, does not trigger this vulnerability. The vulnerability is also not triggered if you are using the JunctionRewrite plug-in with the directive JunctionRewrite On.

To avoid this Denial of Service condition, use the Junction plug-in instead of the UseCookie option of the JunctionRewrite directive: set the JunctionRewrite On directive and the two JunctionRewrite plug-in entries.

This APAR fix resolves the vulnerability in the junction rewrite module. After applying the fix, an error page will be returned when an attempt to exploit this vulnerability is made, and the connection between the client and the proxy will be closed.
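
To audit for the condition described above, the following added example (not IBM's code and not part of the original advisory) checks a Caching Proxy level and configuration text against the affected range and the UseCookie option. The line syntax `JunctionRewrite On UseCookie`, `#` comments, case-insensitive directive names and the function names are assumptions, and the sample configuration is constructed.

```python
import re

# Affected range as stated in the advisory (fixed level is 5.0.2.21).
FIRST_AFFECTED = (5, 0, 0, 2)
LAST_AFFECTED = (5, 0, 2, 20)

# Constructed sample configuration, not taken from a real system.
SAMPLE_CONFIG = """\
# JunctionRewrite On
Port 80
junctionrewrite  on   UseCookie   # assumed option syntax
"""

def parse_version(text):
    """Turn '5.0.2.20' into (5, 0, 2, 20); reject other shapes."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        raise ValueError(f"expected a four-part level, got {text!r}")
    return tuple(int(part) for part in text.split("."))

def junction_rewrite_directives(config_text):
    """Return (line_number, lower-cased options) for each active
    JunctionRewrite directive. Assumes '#' starts a comment."""
    found = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()
        if tokens and tokens[0].lower() == "junctionrewrite":
            found.append((number, [t.lower() for t in tokens[1:]]))
    return found

def assess(version_text, config_text):
    """Classify a proxy against the advisory's trigger conditions."""
    in_range = FIRST_AFFECTED <= parse_version(version_text) <= LAST_AFFECTED
    risky_lines = [n for n, opts in junction_rewrite_directives(config_text)
                   if opts[:1] == ["on"] and "usecookie" in opts]
    if not in_range:
        return ("not-in-affected-range", risky_lines)
    if risky_lines:
        return ("exposed", risky_lines)
    return ("affected-level-safe-config", risky_lines)

if __name__ == "__main__":
    print(assess("5.0.2.20", SAMPLE_CONFIG))
```

The returned line numbers point at the directives to change when applying the local fix; a level of 5.0.2.21 or later is reported as outside the affected range regardless of configuration.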
 
Prerequisites
None
 
 
Installation Instructions
Please refer to the updates file for 5.0. This is applicable for both versions 5.0 and 5.1.
 
URL | LANGUAGE | SIZE(Bytes)
updates50 | English | 700000
 
Download package
Download | RELEASE DATE | LANGUAGE | SIZE(Bytes) | Download Options
PQ91084 - 5.0.2.21 - All Platforms | 7/13/2004 | Language Independent | 130000000 | HTTP, DD
 
Technical support
1-800-IBM-SERV (U.S. Only)
 
Cross Reference information
Segment | Product | Component | Platform | Version | Edition
Application Servers | WebSphere Application Server | Edge Component | Multi-Platform | 5.0, 5.0.1, 5.0.2, 5.0.x |
Problems (APARS) fixed
PQ91084
 
 

Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Document information
 Product categories:
 Software
 Application Servers
 Distributed Application & Web Servers
 WebSphere Application Server
 Edge Component
 Operating system(s):
  AIX, HP-UX, Linux, Linux Red Hat - i/p Series, Linux Red Hat - zSeries, Multi-Platform, Solaris, Windows 2000, Windows NT
 Software version:
  Caching Proxy 5.0
 Software edition:
  Edition Independent
 Reference #:
  4007482
 IBM Group:
 Software Group
 Modified date:
 2004-07-26
