IBM Edge Server Caching Proxy component denial of service
ibm-edge-caching-dos (16607)
Description:
IBM Edge Server Caching Proxy component (formerly Web Traffic Express (WTE)) is vulnerable to a denial of service attack. If the JunctionRewrite and UseCookie directives are enabled, a remote attacker could send a specially crafted HTTP GET request without parameters to cause a denial of service.
Consequences:
Denial of Service
Remedy:
Upgrade to the latest version of IBM Edge Server Caching Proxy component (5.0.3 or later), when it becomes available from the IBM Web site. See References.
OR
Apply the patch, which is available to customers with Support Level 2 and 3.
As a workaround, disable the JunctionRewrite or UseCookie directive.
For IBM WebSphere Application Server 5.x, 4.0.2.0 through 4.0.2.45, 5.0.0.2 through 5.0.2.20, 5.1.0.0 through 5.1.0.7:
Apply the appropriate fix pack or APAR, as listed in IBM Global Services Managed Security Services Outside Advisory MSS-OAR-E01-2004:1049.1. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- Full-Disclosure Mailing List, Mon Jul 05 2004 - 07:25:23 CDT: CYBSEC - Security Advisory: Denial of Service in IBM WebSphere Edge Server.
- IBM Web site: IBM United States.
- BID-10651: IBM Websphere Edge Server Denial Of Service Vulnerability
- CVE-2004-0684: WebSphere Edge Component Caching Proxy in WebSphere Edge Server 5.02, with the JunctionRewrite directive enabled, allows remote attackers to cause a denial of service via an HTTP GET request without any parameters.
Platforms Affected:
- IBM WebSphere Caching Proxy Server 5.0.2
- IBM WebSphere Edge Server Caching Proxy 5.0.2
Reported:
Jul 05, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions, please email xforce@iss.net.
