IBM Patches ‘Apache Killer’ DOS Vulnerability in IBM i

September 13, 2011 Alex Woodie

IBM this month issued two patches to fix a potentially dangerous denial of service (DOS) security vulnerability in HTTP Server for IBM i, which is based on the Apache Web server. The patch addresses the Apache HTTP Server ByteRange Filter Denial of Service Vulnerability, a security flaw dubbed the “Apache Killer” that was discovered in versions 1 and 2 in August, and which is currently being exploited in the wild. IBM patched the flaw for IBM i 6.1, and IBM i 7.1.

IBM issued two Authorized Program Analysis Reports (APARs), numbers SE49334 and SE49333, on September 1 to address the newly discovered Apache vulnerability and its impact on the IBM i HTTP server. You can read the latest APAR updates at www-912.ibm.com/n_dir/nas4apar.nsf/ALLAPARS/SE49334 (for IBM i 6.1) and www-912.ibm.com/n_dir/nas4apar.nsf/ALLAPARS/SE49333 (for IBM i 7.1).

The APARs ask users to apply Program Temporary Fix (PTF) numbers SI44631 and SI44630 to fix the Apache vulnerability in IBM i 6.1 and IBM i 7.1 respectively. The user must end and restart the HTTP server, or IPL the IBM i server, for the patch to take effect. The PTF cover letters, which contain other special instructions, can be read at www-912.ibm.com/a_dir/as4ptf.nsf/ALLPTFS/SI44631 and www-912.ibm.com/a_dir/as4ptf.nsf/ALLPTFS/SI44630.

The Apache Foundation issued a patch for the vulnerability on August 31 with the release of Apache version 2.2.2. Apache version 1 releases are also susceptible, but those releases are no longer supported by Apache.

A security researcher named Kingscope is credited with discovering the Apache HTTP Server ByteRange Filter DOS vulnerability in mid-August. The “Apache Killer” vulnerability can be activated by sending a maliciously crafted HTTP request with overlapping ranges, which subsequently exhausts all the memory on a target system, crashing not just the Web server but the entire machine. Secunia, which released exploit code for the vulnerability through its Full Disclosure mailing list, gives the vulnerability a “moderately critical” rating in Secunia Advisory SA45606, while eEye Security gave it a “high severity” rating.

Security researchers blame the problem, which was identified several years ago, in part on poorly defined protocol used to handle Web page headers. Microsoft‘s IIS Web server was also said to suffer from the same problem, but has reportedly addressed the weakness with newer versions. While the vulnerability has been a not-so-secret problem in the security world for the last several years, it apparently did not gain the attention of Apache developers until Kingscope’s actions and the posting of exploit code on the Web.

Despite the vulnerability in one of its integrated components, IBM i has a record of being one of the most secure commercial operating systems in the world. According to Secunia, IBM i 6.1 has had a total of 14 vulnerabilities from 2003 to 2011, none of which were highly or extremely critical and all of which were patched. i5/OS V5RX had an even better record, with just nine vulnerabilities (none super serious or unpatched) in the Secunia list. IBM i 7.1 does not yet have a listing on Secunia’s advisory list.

The vast majority of these IBM i security flaws are the result of vulnerabilities discovered over the last three years in the open source Apache Web server, which IBM has no control over. A flaw in Java, which is pseudo open source and outside the direct control of IBM, is responsible for another patched IBM i security vulnerability.

By comparison, Microsoft’s Windows Server 2003 Standard Edition has suffered from 479 vulnerabilities, 43 percent of which were either highly or extremely critical and 6 percent of which are still not patched. Red Hat‘s Enterprise Linux Server 6, meanwhile, has suffered from 484 vulnerabilities, 16 percent of which were highly critical, and all of which have been patched.