IBM Support

PK50469: CVE-2007-3847 PROXY BUFFER OVER-READ VULNERABILITY

APAR status

  • Closed as program error.

Error description

  • Apache 2.0 mod_proxy has a defect in parsing dates returned by t
    This defect is a simple error in which heap memory beyond the en
    could be read if the date string has an invalid format.
    If the origin server returns maliciously-formatted dates and the
    improper date string resides at the end of a page of memory and the
    next page is not mapped, the web server process could crash while
    handling the proxy response.
    This could result in a denial of service, where other processing
    being performed by that web server process is terminated by the
    crash.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: IBM HTTP SERVER configurations with          *
    * mod_proxy configured as a forward proxy to untrusted hosts   *
    ****************************************************************
    * PROBLEM DESCRIPTION: mod_proxy might be forced to crash a    *
    * web server child process using a malicious Date header field *
    * in the response to IHS running as a proxy                    *
    ****************************************************************
    * RECOMMENDATION: Apply this fix if IHS is used as a forward   *
    * proxy to untrusted hosts.                                    *
    ****************************************************************
    When parsing the Date header returned from the origin server,
    mod_proxy could read memory beyond the end of the allocated
    buffer when the returned Date header is of an invalid format.
    If this memory was beyond the end of a range of addressable
    memory, a crash could result.
    If the memory was not beyond the end of a range of addressable
    memory, no problem would occur and mod_proxy would not be
    influenced by the contents of that memory.
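
    An added illustration of this class of defect, not IBM's or Apache's code: the first function reads fixed offsets of a presumed 29-byte RFC 1123 date, while the second checks the value against a mask and stops at the terminator. The function names and the mask convention are assumptions of this example.

```c
#include <stddef.h>

/* Illustrative only: not the mod_proxy source. All names here are
 * hypothetical; the header value is assumed to be NUL-terminated. */

/* Unsafe pattern: assumes the value is a full 29-byte RFC 1123 date
 * ("Sun, 06 Nov 1994 08:49:37 GMT") and reads fixed offsets. For a
 * value shorter than 26 bytes, s[26] lies past the terminator, so the
 * read lands beyond the end of the allocated buffer. */
int looks_like_gmt_unsafe(const char *s)
{
    return s[26] == 'G' && s[27] == 'M' && s[28] == 'T';
}

/* Hardened form: walk value and mask together so a short value is
 * rejected at its NUL and no byte beyond it is ever read.
 * Mask: '#' = digit, '@' = upper, '$' = lower, other = literal. */
int date_matches_mask(const char *s, const char *mask)
{
    size_t i;
    for (i = 0; mask[i] != '\0'; i++) {
        char c = s[i];
        if (c == '\0')
            return 0;                 /* value ended early: stop here */
        switch (mask[i]) {
        case '#': if (c < '0' || c > '9') return 0; break;
        case '@': if (c < 'A' || c > 'Z') return 0; break;
        case '$': if (c < 'a' || c > 'z') return 0; break;
        default:  if (c != mask[i]) return 0; break;
        }
    }
    return s[i] == '\0';              /* reject trailing bytes too */
}

#define RFC1123_MASK "@$$, ## @$$ #### ##:##:## GMT"

/* Returns 1 only for a value that matches the RFC 1123 layout exactly. */
int is_rfc1123_date(const char *value)
{
    return date_matches_mask(value, RFC1123_MASK);
}
```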
    

Problem conclusion

  • mod_proxy was updated to more carefully handle invalid dates
    from the origin server.
    This fix is targeted for:
    Fix pack 6.1.0.13.
    Fix pack 6.0.2.23.
    Cumulative e-fix PK53584 for 2.0.47.1
    Cumulative e-fix PK55141 for 1.3.28.1
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK50469

  • Reported component name

    IBM HTTP SERVER

  • Reported component ID

    5724J0801

  • Reported release

    60A

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2007-08-06

  • Closed date

    2007-09-04

  • Last modified date

    2007-11-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels

  • R60A PSN

       UP

  • R60H PSN

       UP

  • R60P PSN

       UP

  • R60I PSN

       UP

  • R60S PSN

       UP

  • R60W PSN

       UP

  • R60Z PSN

       UP

  • R61A PSN

       UP

  • R61H PSN

       UP

  • R61P PSN

       UP

  • R61I PSN

       UP

  • R61S PSN

       UP

  • R61W PSN

       UP

  • R61Z PSN

       UP



Document information

More support for: IBM HTTP Server
Runtime

Software version: 6.0

Reference #: PK50469

Modified date: 16 November 2007
