Plaintext cookies (including those marked httpOnly) from the session could be exposed due to a TLS compression vulnerability.
The problem affects the Distributed IBM HTTP Server component in all editions of WebSphere Application Server and bundling products:
- IBM HTTP Server versions 184.108.40.206 to 220.127.116.11, and 18.104.22.168.
Note: The SSL transport in the WebSphere Application Server is not affected. Only the bundled IBM HTTP Server is affected.
- IBM HTTP Server on z/OS, i5/OS, or IBM i operating systems.
- IBM HTTP Server versions 7.0, 6.1, 6.0, 2.0.x, or 1.3.x on any operating system.
IBM HTTP Server 8.0, and later, supports TLS compression, and inadvertently has it enabled by default.
Due to a vulnerability in TLS compression, IBM HTTP Server with SSL enabled could potentially expose plaintext cookies (including those marked httpOnly) from the session to an attacker.
For affected versions of IBM HTTP Server:
For V22.214.171.124 through 8.0.x.x and V126.96.36.199:
- Add “SSLAttributeSet 445 1” to any context in the IHS configuration file that already has the “SSLEnable” directive
- Apply APAR Interim Fix APAR PM72915
- Apply the appropriate Fix Pack for your version of IBM HTTP Server:
- Fix Pack 5 (188.8.131.52) or later.
- Fix pack 1 (184.108.40.206) or later.
For additional details and information on WebSphere Application Server product updates:
- For Distributed, see Recommended fixes for WebSphere Application Server.
- 22 Oct 2012: Changed "plaintext httpOnly cookies" to "plaintext cookies (including those marked httpOnly)" for clarity.
|Application Servers||WebSphere Application Server Hypervisor Edition||General||AIX, Linux||8.0||All Editions|