[VulnWatch] KPMG-2002035: IBM Websphere Large Header DoS

From: Peter Gründl (pgrundl@kpmg.dk)
Date: 09/19/02


From: Peter Gründl <pgrundl@kpmg.dk>
To: "vulnwatch" <vulnwatch@vulnwatch.org>
Date: Thu, 19 Sep 2002 10:51:20 +0200


--------------------------------------------------------------------

Title: IBM Websphere Large Header DoS

BUG-ID: 2002035
Released: 19th Sep 2002
--------------------------------------------------------------------

Problem:
========
A malicious user can issue a malformed HTTP request and cause the
webserver to crash.

Vulnerable:
===========
- IBM Websphere 4.0.3 on Windows 2000 Server

Details:
========
The application does not perform a proper bounds check on large HTTP
headers, and as a result the application can be crashed by a remote
user. It could not be established if this could lead to code
execution.

If a request is made for a .jsp resource (the .jsp file does not
need to exist), and the HTTP field "Host" contains 796 characters or
more, the web service will crash. Other HTTP fields are also
vulnerable if the size is increased to 4K.

The web service sometimes recovers on its own.

Vendor URL:
===========
You can visit the vendor webpage here: http://www.ibm.com

Vendor response:
================
The vendor was notified on the 4th of June, 2002. On the 12th of July
the vendor sent us a patch for the problem. On the 19th of September
we confirmed that the patch was officially released.

Corrective action:
==================
Install PQ62144 (supersedes PQ62249). The URL is wrapped:

http://www-1.ibm.com/support/docview.wss?
rs=180&context=SSEQTP&q=PQ62144&uid=swg24001610

Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be
liable for any consequences whatsoever arising out of or in
connection with the use or spread of this information.
--------------------------------------------------------------------
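
Added example, not part of the original advisory or of the vendor's fix: a check that a front-end filter or log reviewer could use to flag requests matching the sizes given under "Details". The names oversized_headers, sample, HOST_LIMIT and OTHER_LIMIT are hypothetical, the sample requests are constructed, and reading "4K" as 4096 bytes is an assumption.

```python
# Thresholds are the sizes stated in the advisory; treating "4K" as
# 4096 bytes is an assumption.
HOST_LIMIT = 796
OTHER_LIMIT = 4096


def oversized_headers(raw):
    """Return [(header_name, value_length), ...] for header fields at or
    over the advisory's sizes; [] if the request is not for a .jsp path."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    if len(parts) < 2:
        return []                      # no parseable request line
    # Drop the query string and any path parameters before the suffix test.
    path = parts[1].split(b"?", 1)[0].split(b";", 1)[0]
    if not path.lower().endswith(b".jsp"):
        return []
    hits = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue                   # malformed or folded line, skipped
        name = name.strip().lower().decode("latin-1")
        size = len(value.strip())
        limit = HOST_LIMIT if name == "host" else OTHER_LIMIT
        if size >= limit:
            hits.append((name, size))
    return hits


def sample(path, headers):
    """Build a constructed request for exercising the check offline."""
    lines = ["GET %s HTTP/1.0" % path]
    lines += ["%s: %s" % kv for kv in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


if __name__ == "__main__":
    cases = [
        sample("/index.jsp", {"Host": "www.example.test"}),
        sample("/missing.jsp", {"Host": "a" * 796}),
        sample("/page.jsp?id=1", {"Host": "h", "User-Agent": "b" * 4096}),
    ]
    for raw in cases:
        print(raw.split(b"\r\n", 1)[0].decode(), "->", oversized_headers(raw))
```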


