Potential information disclosure vulnerability in TLS compression with IBM HTTP Server (APAR PM72915)


Flash (Alert)


Abstract

Plaintext cookies (including those marked httpOnly) from the session could be exposed due to a TLS compression vulnerability.

Content

Affected Versions:

The problem affects the Distributed IBM HTTP Server component in all editions of WebSphere Application Server and bundling products:

  • IBM HTTP Server versions 8.0.0.0 to 8.0.0.4, and 8.5.0.0.

Note: The SSL transport in the WebSphere Application Server is not affected. Only the bundled IBM HTTP Server is affected.
The problem does not occur on the following versions:
  • IBM HTTP Server on z/OS, i5/OS, or IBM i operating systems.
  • IBM HTTP Server versions 7.0, 6.1, 6.0, 2.0.x, or 1.3.x on any operating system.

Problem Description:
IBM HTTP Server 8.0 and later supports TLS compression and inadvertently has it enabled by default.
Due to a vulnerability in TLS compression, IBM HTTP Server with SSL enabled could expose plaintext cookies (including those marked httpOnly) from the session to an attacker.

Solution:
For affected versions of IBM HTTP Server:
    For V8.0.0.0 through 8.0.x.x and V8.5.0.0:
    • Add “SSLAttributeSet 445 1” to any context in the IHS configuration file that already has the “SSLEnable” directive
    --OR--
    • Apply APAR Interim Fix APAR PM72915
    --OR--
    • Apply the appropriate Fix Pack for your version of IBM HTTP Server:
      • Fix Pack 5 (8.0.0.5) or later (targeted to be available mid November 2012).
      • Fix Pack 1 (8.5.0.1) or later (targeted to be available late October 2012).
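The configuration-based workaround above is applied per context: every context that carries SSLEnable needs its own SSLAttributeSet 445 1 line. The following script is an added example, not IBM's code and not part of this advisory; it audits a single httpd.conf-style text for SSL-enabled contexts that lack that directive, using the same per-context rule the advisory states. The sample configuration embedded in it is constructed for illustration. It assumes all relevant directives live in the one file passed to it (Include files are not followed) and that the directive is written exactly as "SSLAttributeSet 445 1"; it only covers the configuration workaround, not whether the interim fix or a fix pack has been installed.

```python
"""Audit an IBM HTTP Server configuration for the TLS compression workaround.

Added example (not IBM's code): walks an httpd.conf-style text, records every
context in which SSLEnable appears, and reports the ones that do not also
carry "SSLAttributeSet 445 1" in that same context.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# <VirtualHost *:443>, <IfModule ...>, etc. open a context; </Name> closes it
OPEN_RE = re.compile(r"^<(\w+)\b[^>]*>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")


@dataclass
class SslContext:
    name: str                     # "<VirtualHost *:443>" or "global"
    line: int                     # 1-based line where the context opens
    ssl_enabled: bool = False     # saw SSLEnable in this context
    compression_disabled: bool = False  # saw SSLAttributeSet 445 1 here


def _normalize(raw: str) -> str:
    """Drop trailing comments and surrounding whitespace."""
    return raw.split("#", 1)[0].strip()


def audit_config(text: str) -> list[SslContext]:
    """Return one SslContext per context (closed ones first, then global)."""
    stack = [SslContext(name="global", line=1)]
    results: list[SslContext] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _normalize(raw)
        if not line:
            continue
        if OPEN_RE.match(line):
            stack.append(SslContext(name=line, line=lineno))
            continue
        if CLOSE_RE.match(line):
            results.append(stack.pop())
            continue
        parts = line.split()
        directive = parts[0].lower()      # IHS directive names are case-insensitive
        ctx = stack[-1]
        if directive == "sslenable":
            ctx.ssl_enabled = True
        elif directive == "sslattributeset" and parts[1:3] == ["445", "1"]:
            ctx.compression_disabled = True
    results.extend(reversed(stack))       # global context and anything left open
    return results


def vulnerable_contexts(text: str) -> list[SslContext]:
    """Contexts that enable SSL but lack the advisory's workaround directive."""
    return [c for c in audit_config(text)
            if c.ssl_enabled and not c.compression_disabled]


def report(text: str) -> list[str]:
    """Human-readable status line per SSL-enabled context."""
    out = []
    for ctx in audit_config(text):
        if not ctx.ssl_enabled:
            continue
        status = "OK" if ctx.compression_disabled else "MISSING SSLAttributeSet 445 1"
        out.append(f"line {ctx.line}: {ctx.name}: {status}")
    return out


# Constructed sample httpd.conf fragment (not taken from the advisory or any real host).
SAMPLE_CONF = """\
Listen 443
# mitigated: SSLEnable together with the directive from the advisory
<VirtualHost *:443>
    SSLEnable
    SSLAttributeSet 445 1
</VirtualHost>
Listen 8443
# unmitigated: SSL enabled, TLS compression left at the 8.0 / 8.5.0.0 default
<VirtualHost *:8443>
    SSLEnable
</VirtualHost>
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF)))
```

Run it against a copy of the real httpd.conf by reading the file into `report()`; any line flagged MISSING is a context where SSL is on and the page's workaround has not been applied there, which matters because the directive must sit in the same context as SSLEnable rather than once at the top of the file.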

Additional documentation:
For additional details and information on WebSphere Application Server product updates:
Change History:
  • 22 Oct 2012: Changed "plaintext httpOnly cookies" to "plaintext cookies (including those marked httpOnly)" for clarity.

Cross reference information
  Segment:   Application Servers
  Product:   WebSphere Application Server Hypervisor Edition
  Component: General
  Platform:  AIX, Linux
  Version:   8.0
  Edition:   All Editions


Document information

WebSphere Application Server

IBM HTTP Server


Software version:
8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.5


Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows


Software edition:
Base, Developer, Enterprise, Express, Network Deployment


Reference #:
1611881


Modified date:
2012-10-23
