PM09447: CVE-2010-0425 MOD_ISAPI VULNERABILITY

Fixes are available

APAR status

Closed as program error.

Error description

```
CVE-2010-0425 mod_isapi vulnerability
```

Local fix

Do not enable or use the optional mod_isapi module

Problem summary

****************************************************************
* USERS AFFECTED:  IBM HTTP Server 6.0 or 6.1 users on the     *
*                  Windows operating system that have          *
*                  uncommented the the LoadModule              *
*                  directive for the "mod_isapi"  module       *
*                  and Have configured it as a handler.        *
*                                                              *
*                  mod_isapi is an esoteric module that        *
*                  allows Apache HTTP Server to call DLLs      *
*                  designed for use with Microsoft IIS. It is  *
*                  very rarely used with IBM HTTP Server and   *
*                  is not a part of 7.0 or later releases      *
****************************************************************
* PROBLEM DESCRIPTION: Repeated malicious requests to URLs     *
*                      configured to be handled by mod_isapi   *
*                      can cause errors,  crashes, or remote   *
*                      execution.                              *
****************************************************************
* RECOMMENDATION:  Apply this fix if the "LoadModule"          *
*                  directive  for "mod_isapi" is enabled in    *
*                  httpd.conf (this module is disabled by      *
*                  default).                                   *
****************************************************************
mod_isapi is provided only on Windows and only on IBM HTTP
Server 6.1 and earlier. It is never enabled or configured by
default.

Problem conclusion

The unloading of ISAPI DLL's in mid-request during error cases
has been removed, which eliminates the chance for later phases
of apache processing to call into the unloaded DLL.

ISAPI DLL's are now only unloaded during the final cleanup of a
request when no further callbacks are possible.

Temporary fix

Comments

APAR Information

APAR number
PM09447
Reported component name
IBM HTTP SERVER
Reported component ID
5724J0801
Reported release
61W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2010-03-09
Closed date
2010-03-15
Last modified date
2010-03-19

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
IBM HTTP SERVER
Fixed component ID
5724J0801

Applicable component levels

R60W PSY
UP
R61W PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
07 September 2022

Tips

PM09447: CVE-2010-0425 MOD_ISAPI VULNERABILITY

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R60W PSY

R61W PSY

Document Information

Share your feedback

Need support?