Date: 11 September 2006
References: ESB-2004.0724 ESB-2005.0589 ESB-2005.0686 ESB-2005.0690 AU-2006.0033
AusCERT Update AU-2006.0033 - [Solaris]
Security Vulnerabilities in the Apache 2 Web Server
11 September 2006
AusCERT Update Summary
----------------------
Product:              Apache 2
Publisher:            Sun Microsystems
Operating System:     Solaris 10
Impact:               Execute Arbitrary Code/Commands
                      Inappropriate Access
                      Denial of Service
                      Cross-site Scripting
Access:               Remote/Unauthenticated
CVE Names:            CAN-2005-2728 CAN-2005-2700 CAN-2005-2491
                      CAN-2005-2088 CAN-2005-1268 CAN-2004-1834
                      CAN-2004-0942 CAN-2004-0885
Ref:                  ESB-2004.0724
                      ESB-2005.0589
                      ESB-2005.0690
                      ESB-2005.0686
                      AU-2006.0033
Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102198-1
Comment: Sun Microsystems have recently released patches fixing the issues
referenced in the original advisory.
--------------------------BEGIN INCLUDED TEXT--------------------
Sun(sm) Alert Notification
* Sun Alert ID: 102198
* Synopsis: Security Vulnerabilities in the Apache 2 Web Server
* Category: Security
* Product: Solaris 10 Operating System
* BugIDs: 6301799, 6378495
* Avoidance: Patch
* State: Resolved
* Date Released: 01-Mar-2006, 08-Sep-2006
* Date Closed: 08-Sep-2006
* Date Modified: 12-Apr-2006, 08-Sep-2006
1. Impact
Several vulnerabilities in the Apache 2.0 web server prior to version
2.0.55 may allow a local or remote unprivileged user to cause a Denial
of Service (DoS) to the Apache 2 HTTP process, or may allow a local
user who is able to write to directories served by the web server to
execute arbitrary code with the privileges of the Apache 2 process.
The Apache 2 HTTP process normally runs as the unprivileged user
"webservd" (uid 80).
Additional vulnerabilities may prevent certain configured security
features from being applied to specific HTTP transactions, or may allow
local unprivileged users to gain access to sensitive information.
These vulnerabilities are described at the following URLs:
The Change Log for Apache 2.0, at
http://www.apache.org/dist/httpd/CHANGES_2.0
CAN-2005-2700: "does not properly enforce 'SSLVerifyClient require' "
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700
CAN-2005-2491: "overflow[...] in Perl Compatible Regular Expressions"
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
CAN-2005-2088: "HTTP Request Smuggling"
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2088
CAN-2005-2728: "denial of service"
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2728
CAN-2005-1268: "Certificate Revocation List[...] buffer overflow"
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1268
CAN-2004-0942: "denial of service"
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942
CAN-2004-0885: "'SSLCipherSuite'[...] bypass intended restrictions"
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
CAN-2004-1834: "allow local users to gain sensitive information"
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1834
2. Contributing Factors
These issues can occur in the following releases:
SPARC Platform
* Solaris 10 without patch 120543-02
x86 Platform
* Solaris 10 without patch 120544-02
Note 1: The Apache 2.0 web server is not bundled with releases prior
to Solaris 10. However, customers who have built and/or installed a
vulnerable version of Apache on any version of Solaris are at risk.
Note 2: A system is only vulnerable to these issues if the Apache 2.0
web server has been configured and is running on the system. The
following SMF command can be used to see if the Apache web server
service is enabled:
    $ svcs svc:/network/http:apache2
    STATE          STIME    FMRI
    disabled       Feb_02   svc:/network/http:apache2
If the output asserts that the pattern doesn't match any instances, or
if the STATE is 'disabled' then the host is not vulnerable.
Note 3: The vulnerabilities CAN-2005-2700, CAN-2005-2491,
CAN-2005-2728, CAN-2005-2088, and CAN-2005-1268 are present in Apache2
version 2.0 to 2.0.54. The vulnerabilities CAN-2004-0942 and
CAN-2004-1834 are present in Apache2 version 2.0 to 2.0.52. The
vulnerability CAN-2004-0885 is present in Apache2 version 2.0.35 to
2.0.52.
To determine the version of the Apache 2.0 web server installed on a
host, the following command can be run:
    $ /usr/apache2/bin/httpd -v
    Server version: Apache/2.0.52
    Server built: Jan 22 2006 02:10:22
Note 4: Apache 1.3 ships with Solaris 8, 9, and 10, and is impacted by
some of the issues referenced in this Sun Alert. For details on the
impact to Apache 1.3 see Sun Alert 102197.
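As an added example (not part of the Sun Alert or the AusCERT bulletin), the checks in Notes 2 and 3 can be combined into one triage helper that takes the two commands' output as strings and lists the CVE names whose Note 3 version range covers the reported version. The function names are hypothetical and the "online" sample state is constructed.

```sh
#!/bin/sh
# Added example: triage from the commands in Notes 2-3. Function names are hypothetical.

# Note 2: no matching instance (empty stdout) or STATE "disabled" => not vulnerable.
service_inactive() {
    state=$(printf '%s\n' "$1" | awk '$NF == "svc:/network/http:apache2" {print $1}')
    [ -z "$state" ] || [ "$state" = "disabled" ]
}

# Pull "2.0.52" out of the "Server version:" line of `httpd -v`.
apache_version() {
    printf '%s\n' "$1" | sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p'
}

# Note 3: print the CVE names whose stated range contains this 2.0.x version.
cves_for_version() {
    case "$1" in 2.0|2.0.*) ;; *) return 0 ;; esac
    rel=${1#2.0}; rel=${rel#.}; rel=${rel:-0}
    case "$rel" in *[!0-9]*) return 0 ;; esac
    out=""
    [ "$rel" -le 54 ] && out="CAN-2005-2700 CAN-2005-2491 CAN-2005-2728 CAN-2005-2088 CAN-2005-1268"
    [ "$rel" -le 52 ] && out="$out CAN-2004-0942 CAN-2004-1834"
    [ "$rel" -ge 35 ] && [ "$rel" -le 52 ] && out="$out CAN-2004-0885"
    printf '%s\n' "$out"
}

triage() {  # $1 = svcs output, $2 = httpd -v output
    if service_inactive "$1"; then
        echo "not vulnerable: apache2 service absent or disabled"; return 0
    fi
    ver=$(apache_version "$2")
    cves=$(cves_for_version "$ver")
    if [ -n "$cves" ]; then
        echo "exposed: Apache $ver is in range for: $cves"
    else
        echo "no Note 3 range matches Apache ${ver:-unknown}; check patch level (section 5)"
    fi
}

# Sample inputs: the outputs quoted in the alert, plus a constructed "online" state.
SVCS_DISABLED='STATE          STIME    FMRI
disabled       Feb_02   svc:/network/http:apache2'
SVCS_ONLINE='STATE          STIME    FMRI
online         Feb_02   svc:/network/http:apache2'
HTTPD_V='Server version: Apache/2.0.52
Server built: Jan 22 2006 02:10:22'

triage "$SVCS_DISABLED" "$HTTPD_V"
triage "$SVCS_ONLINE" "$HTTPD_V"
```

On a live host, pass the real output: `triage "$(svcs svc:/network/http:apache2 2>/dev/null)" "$(/usr/apache2/bin/httpd -v)"`. The patch revisions listed in section 5 remain the criterion for a fixed system.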
3. Symptoms
If the described issues have been exploited to cause a Denial of
Service (DoS) condition, the Apache Web Server may be slow to respond
to requests or may not respond at all.
There are no predictable symptoms that would indicate any of the
described issues have been exploited to gain unauthorized access to a
host or its data.
4. Relief/Workaround
There is no workaround to this issue. Please see the Resolution
section below.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Solaris 10 with patch 120543-02 or later
x86 Platform
* Solaris 10 with patch 120544-02 or later
Change History
12-Apr-2006:
* Updated Relief/Workaround section
08-Sep-2006:
* Updated Contributing Factors and Resolution sections
* State: Resolved
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================