
Remote Denial Of Service and Information Disclosure Vulnerability with IBM WebSphere Application Server Community Edition v2.1.1.4

Flashes (Alerts)


Abstract

IBM WebSphere Application Server Community Edition v2.1.1.4 does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service or obtain sensitive information by way of a crafted header.

Content

The Tomcat web container in WebSphere Application Server Community Edition v2.1.1.4 contains a vulnerability that might expose the server to remote denial of service attacks and potentially disclose information about applications running on the server. This vulnerability does not exist in WebSphere Application Server. Details of this vulnerability can be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227

This issue is fixed in Tomcat catalina library v6.0.28. The following JAR contains the patch backported to the Tomcat catalina library v6.0.26, which is used by WebSphere Application Server Community Edition v2.1.1.4. The fixed JAR can be swapped into existing WebSphere Application Server Community Edition v2.1.1.4 installations as described below.

  1. Stop the server if it is running and replace the JAR specified below:

     catalina-6.0.26.0_W20100402.jar

  2. Back up the existing JAR and replace it with the new fix JAR in the following directory of the WebSphere Application Server Community Edition v2.1.1.4 installation:

     <WASCE_HOME>\repository\org\apache\geronimo\ext\tomcat\catalina\6.0.26.0_W20100402

catalina-6.0.26.0_W20100402.jar
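The backup-and-replace step above, as an added POSIX shell example (not an IBM tool): it refuses to run unless the repository directory and the fix JAR exist, keeps a timestamped copy of the old JAR, and then confirms the installed file is byte-for-byte identical to the fix. The JAR name and repository path are the ones from this advisory, written with forward slashes; the scratch-directory demo and the `WASCE_HOME` argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: back up and swap in the patched catalina JAR for
# WebSphere Application Server Community Edition v2.1.1.4.
# Assumes the server has already been stopped, as the advisory requires.

JAR_NAME="catalina-6.0.26.0_W20100402.jar"
# Repository directory from the advisory, with POSIX path separators.
JAR_RELDIR="repository/org/apache/geronimo/ext/tomcat/catalina/6.0.26.0_W20100402"

# replace_catalina_jar <WASCE_HOME> <path-to-fix-jar>
# Prints the path of the backup copy and returns 0 on success;
# prints an error and returns 1 if any precondition fails.
replace_catalina_jar() {
    wasce_home="$1"
    fix_jar="$2"
    target_dir="$wasce_home/$JAR_RELDIR"
    target="$target_dir/$JAR_NAME"

    [ -f "$fix_jar" ]    || { echo "fix JAR not found: $fix_jar" >&2; return 1; }
    [ -d "$target_dir" ] || { echo "repository directory missing: $target_dir" >&2; return 1; }
    [ -f "$target" ]     || { echo "existing JAR missing: $target" >&2; return 1; }

    # Keep the original so the change can be rolled back.
    backup="$target.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$target" "$backup" || return 1
    cp "$fix_jar" "$target"   || return 1
    echo "$backup"
}

# verify_catalina_jar <WASCE_HOME> <path-to-fix-jar>
# Returns 0 only if the installed JAR is identical to the fix JAR.
verify_catalina_jar() {
    cmp -s "$1/$JAR_RELDIR/$JAR_NAME" "$2"
}

# Optional demo in a throwaway tree (constructed dummy files, not real JARs):
#   sh replace_catalina.sh --demo
demo_in_scratch_dir() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/$JAR_RELDIR"
    printf 'old-jar-bytes' > "$tmp/home/$JAR_RELDIR/$JAR_NAME"
    printf 'new-jar-bytes' > "$tmp/fix.jar"
    backup=$(replace_catalina_jar "$tmp/home" "$tmp/fix.jar")
    echo "backup written to: $backup"
    verify_catalina_jar "$tmp/home" "$tmp/fix.jar" && echo "installed JAR matches fix JAR"
    rm -rf "$tmp"
}

[ "${1:-}" = "--demo" ] && demo_in_scratch_dir
```

For a real installation, call `replace_catalina_jar "$WASCE_HOME" ./catalina-6.0.26.0_W20100402.jar` with the server stopped, then `verify_catalina_jar` before starting it again; on Windows installs run the equivalent copy with the backslash path from the advisory.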


Document Information

Modified date:
25 September 2022

UID

swg21448032