IBM Plugs DoS Server Holes

The company fixes a couple of denial-of-service vulnerabilities in its HTTP Server V2.0.

IBM has issued an interim fix for a pair of DoS (denial of service) vulnerabilities affecting its HTTP Server V2.0.

In an advisory posted Friday, the Armonk, N.Y.-based firm said the flaws are related to two known issues in the open-source Apache HTTP Server.

IBM said the first bug could allow a remote attacker to cause a DoS condition (CPU consumption) through an HTTP GET request bug in the Apache Web server V2.0.52.

That vulnerability is caused by an error in the parsing routine for headers with a large number of spaces. This can be exploited by sending specially crafted requests with a large number of overly long headers containing only spaces.

A successful exploit could cause the server to become unreachable and use a large amount of CPU resources. It has been confirmed on Apache HTTP Server version 2.0.52 running Linux. Other versions may also be affected.

A fix for that bug has been added to version 2.0.53-dev.

IBM HTTP Server versions based on Apache HTTP Server V1.3 were not vulnerable. "There are no known data integrity issues associated with these exposures," company officials said.


IBM also confirmed that users of its HTTP Server were vulnerable to a flaw in the Apache mod_dav module that could lead to a child process crash.

A malicious client could potentially exploit this to crash an httpd child process by sending a particular sequence of "lock" requests. Successful exploitation requires that the malicious client is allowed to use the lock method and that the threaded process model is used.

A fix for the mod_dav module flaw is available with Apache HTTP Server version 2.0.51.

IBM said both issues have been resolved with an interim fix.
