IBM Support

PM09447: CVE-2010-0425 MOD_ISAPI VULNERABILITY

APAR status

  • Closed as program error.

Error description

  • CVE-2010-0425 mod_isapi vulnerability
    

Local fix

  • Do not enable or use the optional mod_isapi module
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM HTTP Server 6.0 or 6.1 users on the     *
    *                  Windows operating system that have          *
    *                  uncommented the LoadModule                  *
    *                  directive for the "mod_isapi" module        *
    *                  and have configured it as a handler.        *
    *                                                              *
    *                  mod_isapi is an esoteric module that        *
    *                  allows Apache HTTP Server to call DLLs      *
    *                  designed for use with Microsoft IIS. It is  *
    *                  very rarely used with IBM HTTP Server and   *
    *                  is not a part of 7.0 or later releases.     *
    ****************************************************************
    * PROBLEM DESCRIPTION: Repeated malicious requests to URLs     *
    *                      configured to be handled by mod_isapi   *
    *                      can cause errors, crashes, or remote    *
    *                      execution.                              *
    ****************************************************************
    * RECOMMENDATION:  Apply this fix if the "LoadModule"          *
    *                  directive for "mod_isapi" is enabled in     *
    *                  httpd.conf (this module is disabled by      *
    *                  default).                                   *
    ****************************************************************
    mod_isapi is provided only on Windows and only on IBM HTTP
    Server 6.1 and earlier. It is never enabled or configured by
    default.
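
One way to check whether an httpd.conf matches the affected configuration described above (the LoadModule line for mod_isapi uncommented and an ISAPI handler configured). This is an added example, not IBM's code: the function names are hypothetical, the sample configuration is constructed, the handler names `isapi-isa` and `isapi-handler` are the ones used in Apache's mod_isapi documentation, and Include directives are not followed.

```python
# Added example: flags an httpd.conf that loads mod_isapi and maps a handler to it.
# Handler names follow the Apache mod_isapi docs; SAMPLE_CONF is constructed.
ISAPI_HANDLERS = {"isapi-isa", "isapi-handler"}

SAMPLE_CONF = r'''
#LoadModule isapi_module modules/mod_isapi.so
LoadModule isapi_module modules/mod_isapi.so
<Directory "C:/IHS/isapi">
    AddHandler isapi-isa .dll
</Directory>
'''

def active_directives(conf_text):
    """Yield (line_no, tokens) per uncommented directive, joining '\\' continuations."""
    pending, start = "", 0
    # The trailing "" flushes a continuation left open on the last line.
    for no, raw in enumerate(conf_text.splitlines() + [""], 1):
        line = raw.strip()
        if not pending:
            start = no
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if line and not line.startswith("#"):
            yield start, line.split()

def audit_mod_isapi(conf_text):
    """Report where mod_isapi is loaded and handled; both are needed to be affected."""
    loaded, handlers = [], []
    for no, tokens in active_directives(conf_text):
        name = tokens[0].lower()  # directive names are case-insensitive
        args = [a.strip('"').lower() for a in tokens[1:]]
        if name == "loadmodule" and any("isapi" in a for a in args):
            loaded.append(no)
        elif name in ("addhandler", "sethandler") and args and args[0] in ISAPI_HANDLERS:
            handlers.append(no)
    return {"loadmodule_lines": loaded, "handler_lines": handlers,
            "affected_config": bool(loaded and handlers)}

if __name__ == "__main__":
    print(audit_mod_isapi(SAMPLE_CONF))
```

A result with `loadmodule_lines` populated but `affected_config` false still means the module is loaded, so the local fix of leaving mod_isapi disabled has not been applied.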
    

Problem conclusion

  • The unloading of ISAPI DLLs in mid-request during error cases
    has been removed, which eliminates the chance for later phases
    of Apache processing to call into the unloaded DLL.
    
    ISAPI DLLs are now only unloaded during the final cleanup of a
    request when no further callbacks are possible.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM09447

  • Reported component name

    IBM HTTP SERVER

  • Reported component ID

    5724J0801

  • Reported release

    61W

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2010-03-09

  • Closed date

    2010-03-15

  • Last modified date

    2010-03-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels

  • R60W PSY

       UP

  • R61W PSY

       UP



Document information

More support for: IBM HTTP Server
Runtime

Software version: 6.1

Reference #: PM09447

Modified date: 19 March 2010
