The Four Hundred

IBM Patches ‘Apache Killer’ DOS Vulnerability in IBM i

    September 13, 2011 Alex Woodie

    IBM this month issued two patches to fix a potentially dangerous denial of service (DOS) security vulnerability in HTTP Server for IBM i, which is based on the Apache Web server. The patches address the Apache HTTP Server ByteRange Filter Denial of Service Vulnerability, a security flaw dubbed the “Apache Killer” that was discovered in Apache versions 1 and 2 in August and is currently being exploited in the wild. IBM patched the flaw for IBM i 6.1 and IBM i 7.1.

    IBM issued two Authorized Program Analysis Reports (APARs), numbers SE49334 and SE49333, on September 1 to address the newly discovered Apache vulnerability and its impact on the IBM i HTTP server. You can read the latest APAR updates at www-912.ibm.com/n_dir/nas4apar.nsf/ALLAPARS/SE49334 (for IBM i 6.1) and www-912.ibm.com/n_dir/nas4apar.nsf/ALLAPARS/SE49333 (for IBM i 7.1).

    The APARs ask users to apply Program Temporary Fix (PTF) numbers SI44631 and SI44630 to fix the Apache vulnerability in IBM i 6.1 and IBM i 7.1 respectively. The user must end and restart the HTTP server, or IPL the IBM i server, for the patch to take effect. The PTF cover letters, which contain other special instructions, can be read at www-912.ibm.com/a_dir/as4ptf.nsf/ALLPTFS/SI44631 and www-912.ibm.com/a_dir/as4ptf.nsf/ALLPTFS/SI44630.

    The Apache Foundation issued a patch for the vulnerability on August 31 with the release of Apache version 2.2.2. Apache version 1 releases are also susceptible, but those releases are no longer supported by Apache.

    A security researcher named Kingscope is credited with discovering the Apache HTTP Server ByteRange Filter DOS vulnerability in mid-August. The “Apache Killer” vulnerability can be activated by sending a maliciously crafted HTTP request with overlapping ranges, which subsequently exhausts all the memory on a target system, crashing not just the Web server but the entire machine. Secunia, which released exploit code for the vulnerability through its Full Disclosure mailing list, gives the vulnerability a “moderately critical” rating in Secunia Advisory SA45606, while eEye Security gave it a “high severity” rating.
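The mechanism described above, a single request carrying many overlapping byte ranges, is something a defender can check for in request headers or access logs before the range filter ever allocates memory for each range. The following Python script is an added example for this article; it is not IBM's HTTP server code or the Apache project's fix. It parses a `Range` header, counts overlapping ranges, and applies a cap on the number of ranges (the 200 default mirrors the `MaxRanges` directive that later Apache releases added), then runs that check over constructed access-log lines whose last quoted field is assumed to be the request's `Range` header (as a `LogFormat` ending in `"%{Range}i"` would produce). The IP addresses, thresholds and log lines are constructed for the example.

```python
"""Flag HTTP Range headers of the overlapping-range kind behind the "Apache Killer" DoS.

Added example, not IBM's or Apache's code. Assumes an access log whose LogFormat
ends with a quoted "%{Range}i" field (constructed below); thresholds are assumptions.
"""
import re
from typing import List, Optional, Tuple

# One range-spec: "a-b", "a-" (open-ended) or "-b" (suffix), per RFC 2616 section 14.35.1
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")
# Last quoted field of each constructed log line holds the Range request header
LOG_LINE = re.compile(r'^(?P<ip>\S+) .*"(?P<range>[^"]*)"$')

Spec = Tuple[Optional[int], Optional[int]]  # (start, end); None = open end / suffix


def parse_range_header(value: str) -> Optional[List[Spec]]:
    """Return the (start, end) pairs in a bytes Range header, or None if malformed."""
    if not value.lower().startswith("bytes="):
        return None
    specs: List[Spec] = []
    for part in value[len("bytes="):].split(","):
        m = RANGE_SPEC.match(part)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        if start is not None and end is not None and end < start:
            return None  # syntactically unsatisfiable; a server should ignore such a header
        specs.append((start, end))
    return specs


def count_overlaps(specs: List[Spec]) -> int:
    """Count ranges that overlap a range already seen (absolute ranges sorted by start)."""
    # Suffix ranges "-n" all end at EOF, so any two of them overlap each other.
    suffixes = [s for s in specs if s[0] is None]
    overlaps = max(0, len(suffixes) - 1)
    absolute = sorted((s for s in specs if s[0] is not None), key=lambda s: s[0])
    high = -1  # furthest byte offset covered so far
    for start, end in absolute:
        if start <= high:
            overlaps += 1
        high = max(high, float("inf") if end is None else end)
    return overlaps


def assess_range(value: str, max_ranges: int = 200, max_overlaps: int = 0) -> str:
    """Classify a Range header: 'none', 'malformed', 'too_many_ranges', 'overlapping' or 'ok'."""
    if not value or value == "-":
        return "none"  # "-" is how Apache logs an absent header
    specs = parse_range_header(value)
    if specs is None:
        return "malformed"
    if len(specs) > max_ranges:
        return "too_many_ranges"
    if count_overlaps(specs) > max_overlaps:
        return "overlapping"
    return "ok"


# Constructed sample lines using RFC 5737 documentation addresses; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Sep/2011:10:00:01 +0000] "GET /big.iso HTTP/1.1" 206 512000 "bytes=0-511999"
198.51.100.9 - - [13/Sep/2011:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 4096 "-"
203.0.113.5 - - [13/Sep/2011:10:00:03 +0000] "HEAD / HTTP/1.1" 206 - "bytes=0-,10-20,10-21,10-22"
192.0.2.77 - - [13/Sep/2011:10:00:04 +0000] "GET /a.pdf HTTP/1.1" 206 2048 "bytes=0-1023,1024-2047"
192.0.2.77 - - [13/Sep/2011:10:00:05 +0000] "GET /a.pdf HTTP/1.1" 400 - "bytes=abc"
"""


def scan_log(text: str, **policy) -> List[Tuple[str, str]]:
    """Return (client_ip, verdict) for every line whose Range header is neither ok nor absent."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict = assess_range(m.group("range"), **policy)
        if verdict not in ("ok", "none"):
            findings.append((m.group("ip"), verdict))
    return findings


if __name__ == "__main__":
    for ip, verdict in scan_log(SAMPLE_LOG):
        print(f"{ip}: {verdict}")
```

Run as-is it reports the third and fifth sample lines (overlapping ranges, then a malformed header); the two-range download on the fourth line is a normal resumable transfer and passes. Adjacent ranges are allowed because `start <= high` only fires when a range starts inside a byte already covered; `max_overlaps` is left at zero because ordinary clients have no reason to request the same bytes twice in one header.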

    Security researchers blame the problem, which was identified several years ago, in part on the poorly defined protocol used to handle Web page headers. Microsoft’s IIS Web server was also said to suffer from the same problem, but has reportedly addressed the weakness in newer versions. While the vulnerability has been a not-so-secret problem in the security world for the last several years, it apparently did not gain the attention of Apache developers until Kingscope’s actions and the posting of exploit code on the Web.

    Despite the vulnerability in one of its integrated components, IBM i has a record of being one of the most secure commercial operating systems in the world. According to Secunia, IBM i 6.1 has had a total of 14 vulnerabilities from 2003 to 2011, none of which were highly or extremely critical and all of which were patched. i5/OS V5RX had an even better record, with just nine vulnerabilities (none super serious or unpatched) in the Secunia list. IBM i 7.1 does not yet have a listing on Secunia’s advisory list.

    The vast majority of these IBM i security flaws are the result of vulnerabilities discovered over the last three years in the open source Apache Web server, which IBM has no control over. A flaw in Java, which is pseudo open source and outside the direct control of IBM, is responsible for another patched IBM i security vulnerability.

    By comparison, Microsoft’s Windows Server 2003 Standard Edition has suffered from 479 vulnerabilities, 43 percent of which were either highly or extremely critical and 6 percent of which are still not patched. Red Hat’s Enterprise Linux Server 6, meanwhile, has suffered from 484 vulnerabilities, 16 percent of which were highly critical, and all of which have been patched.

    RELATED STORIES

    Hackers Escalate Web Site Attacks, Despite Decline in Security Vulnerabilities

    IBM Patches Security Flaw in Quickr for i5/OS

    Security Vulnerability Reported in i5/OS

Volume 11, Number 29 -- September 13, 2011
Copyright © 2023 IT Jungle