From pgrundl@kpmg.dk Thu Sep 19 22:20:50 2002 From: "[iso-8859-1] Peter Gründl" To: "Full-Disclosure (netsys)" Date: Thu, 19 Sep 2002 10:51:07 +0200 Subject: [Full-Disclosure] KPMG-2002035: IBM Websphere Large Header DoS [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] -------------------------------------------------------------------- Title: IBM Websphere Large Header DoS BUG-ID: 2002035 Released: 19th Sep 2002 -------------------------------------------------------------------- Problem: ======== A malicious user can issue a malformed HTTP request and cause the webserver to crash. Vulnerable: =========== - IBM Websphere 4.0.3 on Windows 2000 Server Details: ======== The application does not perform proper bounds check on large HTTP headers, and as a result the application can be crashed by a remote user. It could not be established if this could lead to code execu- tion. If a request is made for a .jsp ressource (the .jsp file does not need to exist), and the HTTP field "Host" contains 796 characters or more, the web service will crash. Other HTTP fields are also vulnerable if the size is increased to 4K. The web service sometimes recovers on it's own. Vendor URL: =========== You can visit the vendor webpage here: http://www.ibm.com Vendor response: ================ The vendor was notified on the 4th of June, 2002. On the 12th of July the vendor sent us a patch for the problem. On the 19th of September we confirmed that the patch was officially released. Corrective action: ================== Install PQ62144 (supercedes PQ62249). The URL is wrapped: http://www-1.ibm.com/support/docview.wss? rs=180&context=SSEQTP&q=PQ62144&uid=swg24001610 Author: Peter Gründl (pgrundl@kpmg.dk) -------------------------------------------------------------------- KPMG is not responsible for the misuse of the information we provide through our security advisories. These advisories are a service to the professional security community. In no event shall KPMG be lia- ble for any consequences whatsoever arising out of or in connection with the use or spread of this information. -------------------------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html