Potential information disclosure vulnerability in TLS compression with IBM HTTP Server (APAR PM72915)

Flash (Alert)


Abstract

Plaintext cookies (including those marked httpOnly) from the session could be exposed due to a TLS compression vulnerability.

Content

Affected Versions:
The problem affects the Distributed IBM HTTP Server component in all editions of WebSphere Application Server and bundling products:

  • IBM HTTP Server versions 8.0.0.0 to 8.0.0.4, and 8.5.0.0.

Note: The SSL transport in the WebSphere Application Server is not affected. Only the bundled IBM HTTP Server is affected.
The problem does not occur on the following versions:
  • IBM HTTP Server on z/OS, i5/OS, or IBM i operating systems.
  • IBM HTTP Server versions 7.0, 6.1, 6.0, 2.0.x, or 1.3.x on any operating system.

Problem Description:
IBM HTTP Server 8.0, and later, supports TLS compression, and inadvertently has it enabled by default.
Due to a vulnerability in TLS compression, IBM HTTP Server with SSL enabled could potentially expose plaintext cookies (including those marked httpOnly) from the session to an attacker.

Solution:
For affected versions of IBM HTTP Server:
    For V8.0.0.0 through 8.0.x.x and V8.5.0.0:
    • Add “SSLAttributeSet 445 1” to any context in the IHS configuration file that already has the “SSLEnable” directive
    --OR--
    • Apply APAR Interim Fix APAR PM72915
    --OR--
    • Apply the appropriate Fix Pack for your version of IBM HTTP Server:
      • Fix Pack 5 (8.0.0.5) or later.
      • Fix pack 1 (8.5.0.1) or later.

Additional documentation:
For additional details and information on WebSphere Application Server product updates:
Change History:
  • 22 Oct 2012: Changed "plaintext httpOnly cookies" to "plaintext cookies (including those marked httpOnly)" for clarity.


Cross reference information
Segment Product Component Platform Version Edition
Application Servers WebSphere Application Server Hypervisor Edition General AIX, Linux 8.0 All Editions

Rate this page:

(0 users)Average rating

Document information


More support for:

WebSphere Application Server
IBM HTTP Server

Software version:

8.0, 8.5

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Software edition:

Base, Developer, Enterprise, Express, Network Deployment

Reference #:

1611881

Modified date:

2014-09-15

Translate my page

Machine Translation

Content navigation