Security Bulletin
Summary
Potential security exposure in IBM HTTP Server for WebSphere Application Server.
Vulnerability Details
CVE ID: CVE-2013-6747
DESCRIPTION: IBM HTTP Server may be vulnerable to a denial of service, caused by an error in the GSKit component. By initiating an SSL/TLS connection using a malformed certificate chain, a remote attacker could exploit this vulnerability to cause the server process to hang or crash.
CVSS:
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89863 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Affected Products and Versions
This problem affects the IBM HTTP Server component in all editions of WebSphere Application Server and all products that bundle WebSphere Application Server:
· Version 8.5.5
· Version 8.5
· Version 8
· Version 7
· Version 6.1
Remediation/Fixes
The recommended solution is to apply the Fix Pack for each named product as soon as practical.
Fix:Apply a Fix Pack containing this APAR PI09443, as noted below:
For affected IBM HTTP Server for WebSphere Application Server:
For V8.5.0.0 through 8.5.5.1 Full Profile:
- Apply Interim Fix PI09443
- Apply Fix Pack 8.5.5.2 or later
For V8.0 through 8.0.0.8:
- Apply Interim Fix PI09443
- Apply Fix Pack 8.0.0.9 or later.
For V7.0.0.0 through 7.0.0.31:
- Apply Interim Fix PI09443
WARNING: If you downloaded the interim fix for PI09443 prior to 06/10/2014, then after applying the interim fix, you should restore file ownership of directories as described below.
- Confirm the permissions of the gsk7/ subdirectory matches the rest of
your IHS installation, and update as necessary recursively. A typical
owner is usually root:root.
For Unix:
chown -R root:root gsk7
For Windows
Use explorer.exe
- Confirm the permissions of the IHS installation root matches the rest of
your IHS installation, and update as necessary.
For Unix:
chown root:root .
For Windows
Use explorer.exe
Note: If your server was not originally installed under the root id, check a reference file such as bin/httpd or bin/httpd.exe for the appropriate ownership.
--OR--
- Apply Fix Pack 7.0.0.33 or later.
For V6.1.0.0 through 6.1.0.47:
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Change History
11 February 2014: Original publish
5 June 2014: Added additional information for Version 7 users for command that must be run
6 June 2014: updated Unix command
10 June 2014: updated warning section
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg21663941