[18475] in bugtraq


Re: def-2001-02: IBM Websphere 3.52 Kernel Leak DoS

daemon@ATHENA.MIT.EDU (Rodrick Brown)
Mon Jan 8 18:35:57 2001

Message-Id:  <852569CE.00628643.00@Email.NewYorkLife.com>
Date:         Mon, 8 Jan 2001 12:55:50 -0500
Reply-To: Rodrick Brown <Rodrick_Brown@NEWYORKLIFE.COM>
From: Rodrick Brown <Rodrick_Brown@NEWYORKLIFE.COM>
X-To:         Peter Gründl <peter.grundl@DEFCOM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM



From your advisory it seems this is not an issue with IBM WebSphere. On
installation of WebSphere it gives you the option to install plugins for
other WebServers; this seems to be a problem with the IBM module written
for the Apache-based HTTPD distributed with WebSphere. This problem does
not seem to exist on our WebSphere 3.5.2 systems with Netscape Enterprise
WebServer on NT or Solaris.
Doing a GET / HTTP/1.0\r\nuser-agent: 20000xnull\r\n\r\n does not match
the rule in the rules.properties file, so no connection with WebSphere is
initialized, so calling this advisory an IBM WebSphere 3.52 Kernel Leak DOS
is incorrect.

- Rodrick Brown
- Systems Engineer
- NewYorkLife.com





Peter Gründl <peter.grundl@DEFCOM.COM> on 01/08/2001 06:50:01 AM

Please respond to Peter Gründl <peter.grundl@DEFCOM.COM>

To:   BUGTRAQ@SECURITYFOCUS.COM
cc:    (bcc: Rodrick Brown/NYLIC)
Subject:  def-2001-02: IBM Websphere 3.52 Kernel Leak DoS

======================================================================
                   Defcom Labs Advisory def-2001-02

                      IBM Websphere 3.52 Kernel Leak DoS

Author: Peter Gründl <peter.grundl@defcom.com>
Release Date: 2001-01-08
======================================================================
------------------------=[Brief Description]=-------------------------
The Afpa cache in the IBM HTTP Server, which Websphere is built on,
has problems handling certain types of URL requests. The result of
such a URL is a kernel leak, which will eventually end up consuming
all available kernel memory and rendering the host useless.

------------------------=[Affected Systems]=--------------------------
- IBM WebSphere 3.52 (IBM HTTP Server 1.3.12) for Windows NT

----------------------=[Detailed Description]=------------------------
Sending a continuous stream of HTTP requests resulting in "bad request"
will cause a kernel leak in Windows NT. There are many ways to trigger
the bad request result that triggers the leak,

eg. GET / HTTP/1.0\r\nuser-agent: 20000xnull\r\n\r\n

---------------------------=[Workaround]=-----------------------------
Comment out the three lines beginning with "Afpa" in the httpd.conf
file (located in the conf directory in the web server folder).

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 8th of
December, 2000. A workaround was received from the vendor on the 5th
of January, 2001.

"This issue is caused by a problem in the AfpaCache module of the IBM
HTTP Server. The only workaround at this time is to disable the
AfpaCache. IBM Development is working on fixing this issue, but it is
not yet known when a fix will be available."

======================================================================
             This release was brought to you by Defcom Labs

               labs@defcom.com             www.defcom.com
======================================================================
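
Added example (not part of the original message or of the Defcom advisory): one way to apply and audit the advisory's workaround, commenting out every active httpd.conf directive whose name starts with "Afpa" (spelled as in the vendor's "AfpaCache"). The function name and the sample configuration are constructed for illustration; the directive names in the sample other than AfpaCache are assumptions.

```python
import re

# An active (uncommented) directive whose name starts with "Afpa".
# Apache directive names are case-insensitive and may be indented.
AFPA_LINE = re.compile(r"^(\s*)(Afpa\w*)\b", re.IGNORECASE)


def disable_afpa(conf_text):
    """Comment out every active Afpa* directive in httpd.conf text.

    Returns (new_text, changed), where changed lists (line_number,
    directive_name) for each line touched. Existing comments and line
    endings (LF or CRLF) are preserved, so a second run changes nothing.
    """
    out, changed = [], []
    for lineno, line in enumerate(conf_text.splitlines(keepends=True), 1):
        m = AFPA_LINE.match(line)
        if m:
            indent = m.group(1)
            changed.append((lineno, m.group(2)))
            line = indent + "#" + line[len(indent):]
        out.append(line)
    return "".join(out), changed


# Constructed sample, not taken from a real installation.
SAMPLE_CONF = (
    "ServerName www.example.com\n"
    "Port 80\n"
    "AfpaEnable\n"
    "  AfpaCache on\n"
    "# AfpaCache off\n"
    'AfpaLogFile "logs/afpalog" V-ECLF\n'
    "DocumentRoot htdocs\n"
)

if __name__ == "__main__":
    new_text, changed = disable_afpa(SAMPLE_CONF)
    for lineno, name in changed:
        print(f"line {lineno}: commented out {name}")
    # An empty list here means no active Afpa directive is left.
    print("still active after edit:", disable_afpa(new_text)[1])
```

Run it against a copy of httpd.conf first and restart the web server after writing the result back; an empty change list on a second pass confirms that no active Afpa directive remains.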





