IBM Support

PI42928: CVE-2015-3183 for IBM HTTP Server

Download


Abstract

CVE-2015-3183 for IBM HTTP Server

Download Description

PI42928 resolves the following problem:

ERROR DESCRIPTION:
An attacker sending a carefully crafted request to IBM HTTP Server could force intermediate caches to cache the wrong responses.

LOCAL FIX:

PROBLEM SUMMARY:
IBM HTTP Server is vulnerable to HTTP request smuggling, caused by a chunk header parsing flaw. A malicious attacker could cause intermediate caches to cache and send the wrong response for a given URL, bypass web application firewall protection, and possibly conduct XSS attacks.

PROBLEM CONCLUSION:
Mishandled chunked requests are now correctly handled.

This fix is targeted for IBM HTTP Server fix packs:
- 7.0.0.39
- 8.0.0.12
- 8.5.5.7
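The page does not detail the chunk header parsing flaw. As an illustration of what strict chunk header handling means, the following decoder is an added example (not IBM's fix and not code from the product); it follows the chunked grammar of RFC 7230 section 4.1 and rejects any chunk-size line that is not plain hex digits with optional `;` extensions. The function name, the 8-digit size limit and the sample bodies are assumptions constructed for this example.

```python
import re

# chunk-size = 1*HEXDIG, optionally followed by ";" extensions. Capping the
# size at 8 hex digits is a choice made in this example to rule out overflow.
CHUNK_LINE = re.compile(rb"([0-9A-Fa-f]{1,8})(;[\x21-\x7e \t]*)?")


class ChunkError(ValueError):
    """The body does not follow the chunked grammar and must be rejected."""


def decode_chunked(body: bytes) -> tuple[bytes, bytes]:
    """Return (payload, leftover); leftover is where the next request starts."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("chunk-size line not terminated by CRLF")
        match = CHUNK_LINE.fullmatch(body[pos:eol])
        if match is None:
            # Signs, "0x" prefixes, stray spaces, bare LF: reject rather than
            # guess, so every hop agrees on where the message ends.
            raise ChunkError(f"malformed chunk-size line {body[pos:eol]!r}")
        size = int(match.group(1), 16)
        pos = eol + 2
        if size == 0:
            break
        if pos + size + 2 > len(body):
            raise ChunkError("truncated chunk data")
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk data not followed by CRLF")
        out += body[pos:pos + size]
        pos += size + 2
    # Trailer section: zero or more header lines, closed by an empty line.
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("trailer section not terminated")
        line, pos = body[pos:eol], eol + 2
        if not line:
            return bytes(out), body[pos:]
        if b":" not in line:
            raise ChunkError("malformed trailer line")


if __name__ == "__main__":
    # Constructed sample: a well-formed body followed by the next request.
    sample = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\nGET /next HTTP/1.1\r\n\r\n"
    print(decode_chunked(sample))
```

A front end and a back end that both apply this kind of strict parsing compute the same message boundary, which is the property that prevents cached responses from being paired with the wrong URL.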

Prerequisites

UpdateInstaller is required for IHS 7.0 and 6.1 interim fixes.

- UpdateInstaller (AIX, US English, size 7250000): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

For IHS 8.0 and 8.5.5, the interim fix can be installed using Installation Manager (IM) with the Web-based ("live") repository provided by IBM. It might be necessary to de-select the "Show recommended only" option within IM and to expand "Only fixes for version 8.x.y.z" to see the fix listed.

The interim fix is also available from Fix Central at the link listed in the Download Package section below.

Download Package

The 6.1 version of this fix is included in the PI45596 cumulative interim fix.

- 8.5.5.6 Distributed platforms (AIX, US English, 31 Aug 2015, size 4473902): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.5.6-WS-WASIHS-MultiOS-IFPI42928&productid=WebSphere Application Server&brandid=5
- 8.5.5.6 z/OS (z/OS, US English, 31 Aug 2015, size 1441659): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.5.6-WS-WASIHS-OS390-IFPI42928&productid=WebSphere Application Server&brandid=5
- 8.0.0.11 Distributed platforms (AIX, US English, 31 Aug 2015, size 4247893): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.0.0.11-WS-WASIHS-MultiOS-IFPI42928&productid=WebSphere Application Server&brandid=5
- 8.0.0.11 z/OS (z/OS, US English, 31 Aug 2015, size 816633): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.0.0.11-WS-WASIHS-OS390-IFPI42928&productid=WebSphere Application Server&brandid=5
- 7.0.0.37 AixPPC32 (AIX, US English, 31 Aug 2015, size 232434): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-AixPPC32-IFPI42928&productid=WebSphere Application Server&brandid=5
- 7.0.0.37 HpuxIA64 (HP-UX, US English, 31 Aug 2015, size 685081): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-HpuxIA64-IFPI42928&productid=WebSphere Application Server&brandid=5
- 7.0.0.37 HpuxPaRISC (HP-UX, US English, 31 Aug 2015, size 305703): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-HpuxPaRISC-IFPI42928&productid=WebSphere Application Server&brandid=5
- 7.0.0.37 LinuxPPC32 (Linux, US English, 31 Aug 2015, size 219982): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-LinuxPPC32-IFPI42928&productid=WebSphere Application Server&brandid=5
- 7.0.0.37 LinuxS390 (Linux, US English, 31 Aug 2015, size 229316): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-LinuxS390-IFPI42928&productid=WebSphere Application Server&brandid=5
- 7.0.0.37 LinuxX32 (Linux, US English, 31 Aug 2015, size 205803): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-LinuxX32-IFPI42928&productid=WebSphere Application Server&brandid=5
- 7.0.0.37 SolarisSparc (Solaris, US English, 31 Aug 2015, size 488709): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-SolarisSparc-IFPI42928&productid=WebSphere Application Server&brandid=5
- 7.0.0.37 SolarisX64 (Solaris, US English, 31 Aug 2015, size 219180): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-SolarisX64-IFPI42928&productid=WebSphere Application Server&brandid=5
- 7.0.0.37 WinX32 (Windows, US English, 31 Aug 2015, size 487650): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.37-WS-WASIHS-WinX32-IFPI42928&productid=WebSphere Application Server&brandid=5

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server
Component: General
Platform: AIX, HP-UX, Linux, Solaris, Windows, z/OS
Version: 8.5.5.6; 8.0.0.11; 7.0.0.37
Edition: Advanced; Base; Enterprise; Network Deployment; Single Server
Business Unit: Cloud & Data Platform
Line of Business: Automation

Document Information

Modified date:
15 June 2018

UID

swg24040620