Fixes are available
APAR status
Closed as program error.
Error description
Apache 2.0 on Unix/Linux potentially allows the web server parent (monitor) process to send signals to unintended processes on the system. The trigger for this is for a malicious program with the proper authority (running as root or running with the same authority as the web server child processes) to overwrite process ids in the web server shared memory with a different value. The parent process should sanity-check the process id value before sending the process a signal.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: IBM HTTP SERVER configurations with * * malicious applications running in the web server or on the * * web server machine * **************************************************************** * PROBLEM DESCRIPTION: Applications running inside the web * * server or on systems with the web server, and having * * permission to update the shared memory used to communicate * * among the web server processes, may be able to modify that * * shared memory to cause the web server parent process to * * terminate the wrong processes. Such applications would need * * to run as root or as the web server user id. * **************************************************************** * RECOMMENDATION: Apply this fix to protect against some types * * of malicious applications. * **************************************************************** The web server parent process reads the shared memory "scoreboard" to determine which child processes to signal. A malicious application can store certain values in the scoreboard to cause the parent process to signal some processes that the malicious application would not otherwise be able to signal.
Problem conclusion
The worker MPM was updated to check the type of process id in the scoreboard before sending a signal. (Note that the fixes required for different Apache MPMs and releases differed. IHS is applying the appropriate fixes for its use of the Apache source code.) IHS 1.3.28 was modified to keep a list of child process ids, and not signal any other process ids which may be written to the scoreboard. This fix is targeted for: Fix pack 6.1.0.13. Fix pack 6.0.2.23. Cumulative e-fix PK53584 for 2.0.47.1 Cumulative e-fix PK55141 for 1.3.28.1
Temporary fix
Comments
APAR Information
APAR number
PK50467
Reported component name
IBM HTTP SERVER
Reported component ID
5724J0801
Reported release
60A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2007-08-06
Closed date
2007-09-04
Last modified date
2007-11-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801
Applicable component levels
R60A PSN
UP
R60H PSN
UP
R60P PSN
UP
R60I PSN
UP
R60S PSN
UP
R60Z PSN
UP
R61A PSN
UP
R61H PSN
UP
R61P PSN
UP
R61I PSN
UP
R61S PSN
UP
R61Z PSN
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
07 September 2022