IBM Patches ‘Apache Killer’ DOS Vulnerability in IBM i

    September 13, 2011 Alex Woodie

    IBM this month issued two patches to fix a potentially dangerous denial of service (DOS) security vulnerability in HTTP Server for IBM i, which is based on the Apache Web server. The patch addresses the Apache HTTP Server ByteRange Filter Denial of Service Vulnerability, a security flaw dubbed the “Apache Killer” that was discovered in Apache versions 1 and 2 in August, and which is currently being exploited in the wild. IBM patched the flaw for IBM i 6.1 and IBM i 7.1.

    IBM issued two Authorized Program Analysis Reports (APARs), numbers SE49334 and SE49333, on September 1 to address the newly discovered Apache vulnerability and its impact on the IBM i HTTP server. You can read the latest APAR updates at www-912.ibm.com/n_dir/nas4apar.nsf/ALLAPARS/SE49334 (for IBM i 6.1) and www-912.ibm.com/n_dir/nas4apar.nsf/ALLAPARS/SE49333 (for IBM i 7.1).

    The APARs ask users to apply Program Temporary Fix (PTF) numbers SI44631 and SI44630 to fix the Apache vulnerability in IBM i 6.1 and IBM i 7.1 respectively. The user must end and restart the HTTP server, or IPL the IBM i server, for the patch to take effect. The PTF cover letters, which contain other special instructions, can be read at www-912.ibm.com/a_dir/as4ptf.nsf/ALLPTFS/SI44631 and www-912.ibm.com/a_dir/as4ptf.nsf/ALLPTFS/SI44630.

    The Apache Foundation issued a patch for the vulnerability on August 31 with the release of Apache version 2.2.2. Apache version 1 releases are also susceptible, but those releases are no longer supported by Apache.

    A security researcher named Kingscope is credited with discovering the Apache HTTP Server ByteRange Filter DOS vulnerability in mid-August. The “Apache Killer” vulnerability can be activated by sending a maliciously crafted HTTP request with overlapping ranges, which subsequently exhausts all the memory on a target system, crashing not just the Web server but the entire machine. Secunia, which released exploit code for the vulnerability through its Full Disclosure mailing list, gives the vulnerability a “moderately critical” rating in Secunia Advisory SA45606, while eEye Security gave it a “high severity” rating.
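The paragraph above gives the mechanism (a single request carrying many overlapping byte ranges) but not what a defender can check for. The following Python is an added example, not code from the article, IBM or the Apache project: it parses an HTTP `Range` header into byte-range specs, rejects a request whose ranges are malformed, too numerous or overlapping, and runs the same check over a few constructed access-log lines. Two assumptions: a per-request ceiling of five ranges (mirroring the five-range limit in the interim mod_rewrite mitigation Apache circulated at the time), and an access log whose LogFormat records the `Range` request header as the last quoted field.

```python
"""Defensive check for abusive HTTP Range headers of the kind described in
the 'Apache Killer' write-ups.  Added example, not code from IBM, Apache or
the article.  Assumptions: a policy of at most MAX_RANGES byte-range specs per
request, and an access log whose LogFormat writes the Range request header as
the last quoted field."""
import re

MAX_RANGES = 5  # mirrors the five-range limit in Apache's interim mod_rewrite mitigation

# one byte-range-spec: "first-last", "first-" (open-ended) or "-suffix"
BYTE_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_byte_ranges(spec_list):
    """Return [(first, last)] with None for an absent bound, or None if any spec is malformed."""
    specs = []
    for item in spec_list.split(","):
        m = BYTE_RANGE_SPEC.match(item.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None                       # "-", "abc" or an empty item
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and first > last:
            return None                       # inverted range such as "500-100"
        specs.append((first, last))
    return specs

def has_overlap(specs):
    """True if two absolute ranges share a byte.  Suffix ranges ("-500") sit at
    an unknown offset without the entity length, so they are counted toward the
    total but not overlap-checked here."""
    absolute = sorted((f, l if l is not None else float("inf"))
                      for f, l in specs if f is not None)
    for (_, end_a), (start_b, _) in zip(absolute, absolute[1:]):
        if start_b <= end_a:                  # byte ranges are inclusive on both ends
            return True
    return False

def classify_range_header(header, max_ranges=MAX_RANGES):
    """Return 'allow', 'reject-malformed', 'reject-too-many' or 'reject-overlap'."""
    if header is None or header.strip() in ("", "-"):
        return "allow"                        # no Range header: byterange filter not involved
    unit, _, spec_list = header.partition("=")
    if unit.strip().lower() != "bytes":
        return "allow"                        # other range units are ignored by the byterange filter
    specs = parse_byte_ranges(spec_list)
    if specs is None:
        return "reject-malformed"
    if len(specs) > max_ranges:
        return "reject-too-many"
    if has_overlap(specs):
        return "reject-overlap"
    return "allow"

# Constructed access-log lines (assumed format): client, request line, status, Range header.
LOG_LINE = re.compile(r'^(\S+) "([^"]*)" (\d{3}) "([^"]*)"$')
SAMPLE_LOG = [
    '192.0.2.10 "GET /index.html HTTP/1.1" 206 "bytes=0-499"',
    '192.0.2.11 "GET /index.html HTTP/1.1" 206 "bytes=0-99,50-149,100-199,150-249,200-299,250-349"',
    '192.0.2.12 "GET /index.html HTTP/1.1" 200 "-"',
    '192.0.2.13 "GET /a.iso HTTP/1.1" 206 "bytes=0-1023,1024-2047"',
]

def scan_log(lines):
    """Return [(client, verdict)] for every line whose Range header would be rejected."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict = classify_range_header(m.group(4))
        if verdict != "allow":
            hits.append((m.group(1), verdict))
    return hits

if __name__ == "__main__":
    for client, verdict in scan_log(SAMPLE_LOG):
        print(f"{client}: {verdict}")
```

The count check runs before the overlap check on purpose: counting is cheap and catches the bulk of abusive requests, while the overlap test only has to sort the handful that remain. Adjacent ranges (`0-499,500-999`) are legitimate and pass; identical or nested ranges do not. A check like this belongs in a reverse proxy or WAF in front of the HTTP server as a stopgap; the durable fix remains the PTF.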

    Security researchers blame the problem, which was identified several years ago, in part on the poorly defined protocol used to handle Web page headers. Microsoft’s IIS Web server was also said to suffer from the same problem, but has reportedly addressed the weakness in newer versions. While the vulnerability has been a not-so-secret problem in the security world for the last several years, it apparently did not gain the attention of Apache developers until Kingscope’s actions and the posting of exploit code on the Web.

    Despite the vulnerability in one of its integrated components, IBM i has a record of being one of the most secure commercial operating systems in the world. According to Secunia, IBM i 6.1 has had a total of 14 vulnerabilities from 2003 to 2011, none of which were highly or extremely critical and all of which were patched. i5/OS V5RX had an even better record, with just nine vulnerabilities (none super serious or unpatched) in the Secunia list. IBM i 7.1 does not yet have a listing on Secunia’s advisory list.

    The vast majority of these IBM i security flaws are the result of vulnerabilities discovered over the last three years in the open source Apache Web server, which IBM has no control over. A flaw in Java, which is pseudo open source and outside the direct control of IBM, is responsible for another patched IBM i security vulnerability.

    By comparison, Microsoft’s Windows Server 2003 Standard Edition has suffered from 479 vulnerabilities, 43 percent of which were either highly or extremely critical and 6 percent of which are still not patched. Red Hat’s Enterprise Linux Server 6, meanwhile, has suffered from 484 vulnerabilities, 16 percent of which were highly critical, and all of which have been patched.

    RELATED STORIES

    Hackers Escalate Web Site Attacks, Despite Decline in Security Vulnerabilities

    IBM Patches Security Flaw in Quickr for i5/OS

    Security Vulnerability Reported in i5/OS


Volume 11, Number 29 -- September 13, 2011