IBM Support

Security Bulletin: Potential Security vulnerability in IBM HTTP Server CVE-2013-6747

Security Bulletin


Summary

Potential security exposure in IBM HTTP Server for WebSphere Application Server.

Vulnerability Details

CVE ID: CVE-2013-6747

DESCRIPTION:
IBM HTTP Server may be vulnerable to a denial of service, caused by an error in the GSKit component. By initiating an SSL/TLS connection using a malformed certificate chain, a remote attacker could exploit this vulnerability to cause the server process to hang or crash.

CVSS:

CVSS Base Score: 7.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/89863 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Affected Products and Versions

This problem affects the IBM HTTP Server component in all editions of WebSphere Application Server and all products that bundle WebSphere Application Server:
· Version 8.5.5

· Version 8.5
· Version 8
· Version 7
· Version 6.1

Remediation/Fixes

The recommended solution is to apply the Fix Pack for each named product as soon as practical.

Fix:Apply a Fix Pack containing this APAR PI09443, as noted below:

For affected IBM HTTP Server for WebSphere Application Server:

For V8.5.0.0 through 8.5.5.1 Full Profile:

--OR--
  • Apply Fix Pack 8.5.5.2 or later

For V8.0 through 8.0.0.8:
--OR--
  • Apply Fix Pack 8.0.0.9 or later.

For V7.0.0.0 through 7.0.0.31:
WARNING: If you downloaded the interim fix for PI09443 prior to 06/10/2014, then after applying the interim fix, you should restore file ownership of directories as described below.

- Confirm the permissions of the gsk7/ subdirectory matches the rest of
your IHS installation, and update as necessary recursively. A typical
owner is usually root:root.

For Unix:
chown -R root:root gsk7

For Windows
Use explorer.exe

- Confirm the permissions of the IHS installation root matches the rest of
your IHS installation, and update as necessary.

For Unix:
chown root:root .

For Windows
Use explorer.exe

Note: If your server was not originally installed under the root id, check a reference file such as bin/httpd or bin/httpd.exe for the appropriate ownership.


--OR--
  • Apply Fix Pack 7.0.0.33 or later.

For V6.1.0.0 through 6.1.0.47:
  • Apply Interim Fix PI09443

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

11 February 2014: Original publish
5 June 2014: Added additional information for Version 7 users for command that must be run
6 June 2014: updated Unix command
10 June 2014: updated warning section

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: WebSphere Application Server
IBM HTTP Server

Software version: 6.1, 7.0, 8.0, 8.5, 8.5.5

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Software edition: Base, Developer, Express, Network Deployment

Reference #: 1663941

Modified date: 15 September 2014