Potential Denial of Service (DoS) security exposure when using Web based applications due to Java Hashtable implementation vulnerability.
PROBLEM DESCRIPTION:
Customers who have Web based applications are impacted by this vulnerability, which can cause performance or Denial of Service (DoS) issues.
USERS AFFECTED:
All users of IBM WebSphere Application Server versions 6.0, 6.1, 7.0 and 8.0
RECOMMENDATION:
Install Interim Fix APAR PM53930 (or a ++APAR for WebSphere Application Server for z/OS), or a Fix Pack containing this APAR. The Interim Fix for a specific release can be downloaded from the Download package section of this document. The fix for this APAR is currently targeted for inclusion in fix packs 6.1.0.43, 7.0.0.23, 8.0.0.3.
Note: If you use the Web-based ("live") repository provided by IBM, Install Manager (IM) will, by default, pick up any recommended iFixes when installing WebSphere Application Server V8 or any WebSphere Application Server V8 Service Fix Packs. PM53930 is a recommended fix, and as a result, may already be installed. If you are unsure as to whether or not it is installed, you can check using the IM command line "imcl listInstalledPackages -long".
PROBLEM CONCLUSION:
WebContainer code has been updated to mitigate this vulnerability.
There is a new property that can be used in conjunction with this fix:
com.ibm.ws.webcontainer.maxParamPerRequest
You can use this property to change the maximum number of parameters allowed in your inbound requests, based on your applications and environment. The maximum number of parameters allowed per inbound request (GET or POST) defaults to 10000.
You can set this property to -1 if you do not want to limit the number of parameters that can be included in a request.
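As an added illustration (not IBM's WebContainer code), the following Python form decoder enforces the same cap semantics the property describes: a configurable per-request limit defaulting to 10000, -1 meaning unlimited, counted across the query string and the POST body, and checked before any parameter is inserted into the map. The names parse_params and TooManyParameters are assumptions of this example.

```python
# Added example, not IBM's implementation: a form-urlencoded decoder that
# applies a per-request parameter cap with the semantics documented for
# com.ibm.ws.webcontainer.maxParamPerRequest (default 10000, -1 = no limit).
from urllib.parse import unquote_plus

DEFAULT_MAX_PARAMS = 10000   # documented default of the property
UNLIMITED = -1               # documented "do not limit" value


class TooManyParameters(Exception):
    """Raised when a request carries more parameters than the configured cap."""


def parse_params(query_string: str, body: str = "",
                 max_params: int = DEFAULT_MAX_PARAMS) -> dict:
    """Decode name=value pairs from the query string (GET) and the form body
    (POST) into a dict of name -> list of values.

    The cap is checked on the raw '&'-separated pair count before any pair is
    decoded or inserted into the dict, so an over-limit request is rejected
    after a linear scan instead of after paying the hashing/insertion cost
    that the collision attack relies on.
    """
    if max_params < UNLIMITED:
        raise ValueError("max_params must be -1 (unlimited) or >= 0")
    # Count across both sources: the limit is per inbound request, not per part.
    pairs = [p for part in (query_string, body) for p in part.split("&") if p]
    if max_params != UNLIMITED and len(pairs) > max_params:
        raise TooManyParameters(
            f"{len(pairs)} parameters exceeds limit of {max_params}")
    params: dict = {}
    for pair in pairs:
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params
```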
To specify web container custom properties:
1. In the administrative console click Servers > Server Types > WebSphere application servers > server_name > Web Container Settings > Web container.
2. Under Additional Properties select Custom Properties.
3. On the Custom Properties page, click New.
4. On the settings page, enter the name of the custom property that you want to configure in the Name field and the value that you want to set it to in the Value field.
5. Click Apply or OK.
6. Click Save on the console task bar to save your configuration changes.
7. Restart the server.
Security bulletins are posted here:
http://www.ibm.com/support/docview.wss?uid=swg21368398
The PM53930 Flash is posted here:
http://www.ibm.com/support/docview.wss?uid=swg21577532
The fix for this APAR is currently targeted for inclusion in fix packs 6.1.0.43, 7.0.0.23, 8.0.0.3. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?uid=swg27004980
Please review the readme.txt for detailed installation instructions.
Readme (US English): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/readme.txt
DOWNLOAD PACKAGE:
Interim Fix for 8.0.0.1 (13 Jan 2012): http://www.ibm.com/support/fixcentral/quickorder?fixids=8.0.0.1-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
Interim Fix for 8.0.0.2 (13 Jan 2012): http://www.ibm.com/support/fixcentral/quickorder?fixids=8.0.0.2-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
Interim Fix for 7.0.0.19-7.0.0.21 (16 Jan 2012): http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.19-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/7.0.0.19-WS-WAS-IFPM53930.pak
Interim Fix for 7.0.0.17 (17 Jan 2012): http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.17-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/7.0.0.17-WS-WAS-IFPM53930.pak
Interim Fix for 6.1.0.25-6.1.0.41 (17 Jan 2012): http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.25-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/6.1.0.25-WS-WAS-IFPM53930.pak
Interim Fix for 6.0.2.11-6.0.2.43 (17 Jan 2012): http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.11-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/6.0.2.11-WS-WAS-IFPM53930.pak
Interim Fix for 7.0.0.5-7.0.0.13 (17 Jan 2012): http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.5-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/7.0.0.5-WS-WAS-IFPM53930.pak
Interim Fix for 7.0.0.15 (18 Jan 2012): http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.15-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/7.0.0.15-WS-WAS-IFPM53930.pak
Interim Fix for 7.0.0.3 (18 Jan 2012): http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.3-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/7.0.0.3-WS-WAS-IFPM53930.pak
Interim Fix for 6.1.0.15-6.1.0.23 (19 Jan 2012): http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.15-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/6.1.0.15-WS-WAS-IFPM53930.pak
Interim Fix for 6.1.0.11-6.1.0.13 (19 Jan 2012): http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.11-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/6.1.0.11-WS-WAS-IFPM53930.pak
Interim Fix for 6.1.0.3-6.1.0.9 (24 Jan 2012): http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.3-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/6.1.0.3-WS-WAS-IFPM53930.pak
Interim Fix for 7.0.0.1 (24 Jan 2012): http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.1-WS-WAS-IFPM53930&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/7.0.0.1-WS-WAS-IFPM53930.pak