IBM Support

Security Bulletin: Potential Security vulnerability in IBM HTTP Server CVE-2013-6747

Security Bulletin


Summary

Potential security exposure in IBM HTTP Server for WebSphere Application Server.

Vulnerability Details

CVE ID: CVE-2013-6747

DESCRIPTION: IBM HTTP Server may be vulnerable to a denial of service, caused by an error in the GSKit component. By initiating an SSL/TLS connection using a malformed certificate chain, a remote attacker could exploit this vulnerability to cause the server process to hang or crash.

CVSS:

CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89863 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Affected Products and Versions

This problem affects the IBM HTTP Server component in all editions of WebSphere Application Server and all products that bundle WebSphere Application Server:
· Version 8.5.5
· Version 8.5
· Version 8
· Version 7
· Version 6.1

Remediation/Fixes

The recommended solution is to apply the Fix Pack for each named product as soon as practical.

Fix:Apply a Fix Pack containing this APAR PI09443, as noted below:

For affected IBM HTTP Server for WebSphere Application Server:

For V8.5.0.0 through 8.5.5.1 Full Profile:

--OR--
  • Apply Fix Pack 8.5.5.2 or later

For V8.0 through 8.0.0.8: --OR--
  • Apply Fix Pack 8.0.0.9 or later.

For V7.0.0.0 through 7.0.0.31:
WARNING: If you downloaded the interim fix for PI09443 prior to 06/10/2014, then after applying the interim fix, you should restore file ownership of directories as described below.

- Confirm the permissions of the gsk7/ subdirectory matches the rest of
your IHS installation, and update as necessary recursively. A typical
owner is usually root:root.

For Unix:
chown -R root:root gsk7

For Windows
Use explorer.exe

- Confirm the permissions of the IHS installation root matches the rest of
your IHS installation, and update as necessary.

For Unix:
chown root:root .

For Windows
Use explorer.exe

Note: If your server was not originally installed under the root id, check a reference file such as bin/httpd or bin/httpd.exe for the appropriate ownership.


--OR--
  • Apply Fix Pack 7.0.0.33 or later.

For V6.1.0.0 through 6.1.0.47:
  • Apply Interim Fix PI09443

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off
Recommended Fix List for IBM WebSphere Application Server

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

11 February 2014: Original publish
5 June 2014: Added additional information for Version 7 users for command that must be run
6 June 2014: updated Unix command
10 June 2014: updated warning section

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"IBM HTTP Server","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"8.5.5;8.5;8.0;7.0;6.1","Edition":"Base;Developer;Express;Network Deployment","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
15 June 2018

UID

swg21663941

Page Feedback