Plaintext cookies (including those marked httpOnly) from the session could be exposed due to a TLS compression vulnerability.
The problem affects the Distributed IBM HTTP Server component in all editions of WebSphere Application Server and bundling products:
- IBM HTTP Server versions 18.104.22.168 to 22.214.171.124, and 126.96.36.199.
Note: The SSL transport in the WebSphere Application Server is not affected. Only the bundled IBM HTTP Server is affected.
- IBM HTTP Server on z/OS, i5/OS, or IBM i operating systems.
- IBM HTTP Server versions 7.0, 6.1, 6.0, 2.0.x, or 1.3.x on any operating system.
IBM HTTP Server 8.0, and later, supports TLS compression, and inadvertently has it enabled by default.
Due to a vulnerability in TLS compression, IBM HTTP Server with SSL enabled could potentially expose plaintext cookies (including those marked httpOnly) from the session to an attacker.
For affected versions of IBM HTTP Server:
For V188.8.131.52 through 8.0.x.x and V184.108.40.206:
- Add “SSLAttributeSet 445 1” to any context in the IHS configuration file that already has the “SSLEnable” directive
- Apply APAR Interim Fix APAR PM72915
- Apply the appropriate Fix Pack for your version of IBM HTTP Server:
- Fix Pack 5 (220.127.116.11) or later (targeted to be available mid November 2012).
- Fix pack 1 (18.104.22.168) or later (targeted to be available late October 2012).
For additional details and information on WebSphere Application Server product updates:
- For Distributed, see Recommended fixes for WebSphere Application Server.
- 22 Oct 2012: Changed "plaintext httpOnly cookies" to "plaintext cookies (including those marked httpOnly)" for clarity.
|Application Servers||WebSphere Application Server Hypervisor Edition||General||AIX, Linux||8.0||All Editions|
Rate this page:
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.