[NEWS] WebSphere Edge Server DoS Through JunctionRewrite Directive
From: SecuriTeam (support_at_securiteam.com)
Date: 07/07/04
To: list@securiteam.com Date: 7 Jul 2004 16:16:54 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
WebSphere Edge Server DoS Through JunctionRewrite Directive
------------------------------------------------------------------------
SUMMARY
<http://www-306.ibm.com/software/info1/websphere/index.jsp> WebSphere
Edge Component Caching Proxy, part of WebSphere Application Server, is "a
reverse proxy designed to reduce bandwidth use and improve a Web site's
speed and reliability by providing a point-of-presence node for one or
more back-end content servers. It is built to work with content provided
by one or more backend WebSphere Application Servers".
If the JunctionRewrite directive is active, WebSphere's caching proxy
component is vulnerable to a denial of service through the use of a simple
HTTP GET request.
DETAILS
Vulnerable Systems:
* WebSphere Edge Components Caching Proxy version 5.02 using
JunctionRewrite with UseCookie directive, apparently all platforms
Immune Systems:
* WebSphere Edge Components Caching Proxy version 5.00
* WebSphere Edge Components Caching Proxy version 5.02 NOT using
JunctionRewrite with UseCookie directive
The vulnerability discovered allows a remote attacker to generate a denial
of service condition against the WebSphere Edge Component Caching Proxy.
If the reverse proxy is configured with the JunctionRewrite directive
being active, a remote attacker can trivially cause a denial of service by
executing the GET HTTP method without parameters:
$ echo GET | nc <victim_host_ip> <proxy_port>
Vendor Status:
IBM has been notified and a patch was released after two weeks. The patch is
for clients with support level 2 or 3. In addition, the upcoming version of
the server (5.0.3) will be immune to the vulnerability. As a workaround, it
is possible to disable the directive if it is not needed, or to disable the
UseCookie option of the directive. Both of these conditions will prevent the
denial of service.
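A configuration check for the workaround above, as an added example that is not part of the original advisory or of IBM's tooling. It assumes the proxy configuration is a text file with one directive per line, '#' comments, and the form "JunctionRewrite on UseCookie"; the function name and the sample file are hypothetical.

```shell
#!/bin/sh
# Added example: flag the setting this advisory describes (JunctionRewrite
# active together with UseCookie) in a Caching Proxy configuration file.
# Assumptions, not from the advisory: one directive per line, '#' starts a
# comment, names match case-insensitively, form "JunctionRewrite on UseCookie".

# Prints each active JunctionRewrite line as file:line: text (verdict).
# Returns 1 if any line enables the directive with UseCookie, otherwise 0.
audit_junctionrewrite() {
    awk '
        BEGIN { bad = 0 }
        {
            sub(/#.*/, "")                     # strip comments; fields re-split
            if (tolower($1) != "junctionrewrite") next
            on = 0; cookie = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "on") on = 1
                if (t == "usecookie") cookie = 1
            }
            if (on && cookie) { bad = 1; verdict = "AFFECTED SETTING" } else { verdict = "ok" }
            printf "%s:%d: %s (%s)\n", FILENAME, NR, $0, verdict
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample configuration (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# JunctionRewrite on UseCookie     (commented out, so ignored)
Port 80
JunctionRewrite on UseCookie
EOF

if audit_junctionrewrite "$sample"; then
    echo "No affected JunctionRewrite setting found."
else
    echo "Apply the vendor patch, or disable JunctionRewrite or its UseCookie option."
fi
rm -f "$sample"
```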
ADDITIONAL INFORMATION
The information has been provided by <mailto:lmeiners@cybsec.com> Leandro
Meiners - CYBSEC.