20th Sep 2002 [SBWID-5705]
COMMAND
IBM WebSphere remote buffer overflow via long .jsp request
SYSTEMS AFFECTED
IBM WebSphere 4.0.3 on Windows 2000 Server
PROBLEM
From the advisory [BUG-ID: 2002035] by Peter Gründl [pgrundl@kpmg.dk] of
KPMG Denmark:
The application does not perform proper bounds check on large HTTP
headers, and as a result the application can be crashed by a remote
user. It could not be established if this could lead to code
execution.
If a request is made for a .jsp resource (the .jsp file does not need
to exist), and the HTTP field "Host" contains 796 characters or more,
the web service will crash. Other HTTP fields are also vulnerable if
the size is increased to 4K.
The web service sometimes recovers on its own.
SOLUTION
Install PQ62144 (supersedes PQ62249):
http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ62144&uid=swg24001610
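
For hosts that cannot be patched immediately, the sizes given in the advisory can be turned into a check at a proxy or in request-capture review. The following is an added example, not part of the advisory or of IBM's fix. The function names are hypothetical, "4K" is read as 4096 bytes, and lengths are measured on the header value after trimming whitespace.

```python
# Added example: flag requests matching the sizes the advisory reports.
# All names are hypothetical; sample requests below are constructed.
HOST_LIMIT = 796    # "Host" length the advisory reports as crashing
OTHER_LIMIT = 4096  # assumption: the advisory's "4K" read as 4096 bytes

def oversized_headers(raw_request: bytes):
    """Return [(header_name, value_length)] for header values at or above
    the advisory's sizes; [] if the request is not for a .jsp resource."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    if len(parts) < 2:
        return []  # no parsable request line
    # Drop query string and path parameters before testing the extension.
    path = parts[1].split(b"?", 1)[0].split(b";", 1)[0].lower()
    if not path.endswith(b".jsp"):
        return []
    findings = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a "Name: value" line
        name = name.strip().lower()
        length = len(value.strip())
        limit = HOST_LIMIT if name == b"host" else OTHER_LIMIT
        if length >= limit:
            findings.append((name.decode("latin-1"), length))
    return findings

def sample_request(path: str, headers: dict) -> bytes:
    """Build a constructed request for exercising the check offline."""
    lines = [f"GET {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")

if __name__ == "__main__":
    samples = {
        "normal": sample_request("/index.jsp", {"Host": "www.example.com"}),
        "long Host": sample_request("/x.jsp", {"Host": "a" * 796}),
        "long Host, not .jsp": sample_request("/x.html", {"Host": "a" * 796}),
        "long User-Agent": sample_request("/x.jsp", {"Host": "h", "User-Agent": "b" * 4096}),
    }
    for label, raw in samples.items():
        print(f"{label}: {oversized_headers(raw)}")
```

The check does not handle folded (multi-line) header values, so a production filter should reject or unfold those before measuring.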