copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

AU-2006.0033 -- AusCERT Update - [Solaris] - Security Vulnerabilities in the Apache 2 Web Server

Date: 11 September 2006
References: ESB-2004.0724  ESB-2005.0589  ESB-2005.0686  ESB-2005.0690  AU-2006.0033  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		AusCERT Update AU-2006.0033 - [Solaris]
	Security Vulnerabilities in the Apache 2 Web Server
			11 September 2006        

		      AusCERT Update Summary

		      ----------------------	

Product:              Apache 2
Publisher:            Sun Microsystems
Operating System:     Solaris 10
Impact:               Execute Arbitrary Code/Commands
                      Inappropriate Access
                      Denial of Service
                      Cross-site Scripting
Access:               Remote/Unauthenticated
CVE Names:            CAN-2005-2728 CAN-2005-2700 CAN-2005-2491
                      CAN-2005-2088 CAN-2005-1268 CAN-2004-1834
                      CAN-2004-0942 CAN-2004-0885

Ref:                  ESB-2004.0724
                      ESB-2005.0589
                      ESB-2005.0690
                      ESB-2005.0686
                      AU-2006.0033

Original Bulletin:    
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102198-1

Comment: Sun Microsystems have recently released patches fixing the issues
         referenced in the original advisory.

- --------------------------BEGIN INCLUDED TEXT--------------------

Sun(sm) Alert Notification
     * Sun Alert ID: 102198
     * Synopsis: Security Vulnerabilities in the Apache 2 Web Server
     * Category: Security
     * Product: Solaris 10 Operating System
     * BugIDs: 6301799, 6378495
     * Avoidance: Patch
     * State: Resolved
     * Date Released: 01-Mar-2006, 08-Sep-2006
     * Date Closed: 08-Sep-2006
     * Date Modified: 12-Apr-2006, 08-Sep-2006

1. Impact

   Several vulnerabilities in the Apache 2.0 web server prior to version
   2.0.55 may allow a local or remote unprivileged user to cause a Denial
   of Service (DoS) to the Apache 2 HTTP process, or may allow a local
   user who is able to write to directories served by the web server to
   execute arbitrary code with the privileges of the Apache 2 process.
   The Apache 2 HTTP process normally runs as the unprivileged user
   "webservd" (uid 80).

   Additional vulnerabilities may prevent certain configured security
   features from being applied to specific HTTP transactions or to allow
   local unprivileged users to gain access to sensitive information.

   These vulnerabilities are described at the following URLs:

   The Change Log for Apache 2.0, at
   http://www.apache.org/dist/httpd/CHANGES_2.0

   CAN-2005-2700: "does not properly enforce 'SSLVerifyClient require' "
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700

   CAN-2005-2491: "overflow[...] in Perl Compatible Regular Expressions"
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491

   CAN-2005-2088: "HTTP Request Smuggling"
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2088

   CAN-2005-2728: "denial of service"
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2728

   CAN-2005-1268: "Certificate Revocation List[...] buffer overflow"
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1268

   CAN-2004-0942: "denial of service"
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942

   CAN-2004-0885: "'SSLCipherSuite'[...] bypass intended restrictions"
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885

   CAN-2004-1834 "allow local users to gain sensitive information"
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1834

2. Contributing Factors

   These issues can occur in the following releases:

   SPARC Platform
     * Solaris 10 without patch 120543-02

   x86 Platform
     * Solaris 10 without patch 120544-02

   Note 1: The Apache 2.0 web server is not bundled with releases prior
   to Solaris 10. However, customers who have built and/or installed a
   vulnerable version of Apache on any version of Solaris are at risk.

   Note 2: A system is only vulnerable to these issues if the Apache 2.0
   web server has been configured and is running on the system. The
   following SMF command can be used to see if the Apache web server
   service is enabled:
    $ svcs svc:/network/http:apache2
    STATE          STIME    FMRI
    disabled       Feb_02   svc:/network/http:apache2

   If the output asserts that the pattern doesn't match any instances, or
   if the STATE is 'disabled' then the host is not vulnerable.

   Note 3: The vulnerabilities CAN-2005-2700, CAN-2005-2491,
   CAN-2005-2728, CAN-2005-2088, and CAN-2005-1268 are present in Apache2
   version 2.0 to 2.0.54. The vulnerabilities CAN-2004-0942 and
   CAN-2004-1834 are present in Apache2 version 2.0 to 2.0.52. The
   vulnerability CAN-2004-0885 is present in Apache2 version 2.0.35 to
   2.0.52.

   To determine the version of the Apache 2.0 web server installed on a
   host, the following command can be run:
    $ /usr/apache2/bin/httpd -v
    Server version: Apache/2.0.52
    Server built:   Jan 22 2006 02:10:22

   Note 4: Apache 1.3 ships with Solaris 8, 9, and 10, and is impacted by
   some of the issues referenced in this Sun Alert. For details on the
   impact to Apache 1.3 see Sun Alert 102197.

3. Symptoms

   If the described issues have been exploited to cause a Denial of
   Service (DoS) condition, the Apache Web Server may be slow to respond
   to requests or may not respond at all.

   There are no predictable symptoms that would indicate any of the
   described issues have been exploited to gain unauthorized access to a
   host or its data. 

4. Relief/Workaround

   There is no workaround to this issue. Please see the Resolution
   section below.

5. Resolution

   This issue is addressed in the following releases:

   SPARC Platform
     * Solaris 10 with patch 120543-02 or later

   x86 Platform
     * Solaris 10 with patch 120544-02 or later

Change History

   12-Apr-2006:
     * Updated Relief/Workaround section

   08-Sep-2006:
     * Updated Contributing Factors and Resolution sections
     * State: Resolved

   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.

   Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRQTOWSh9+71yA2DNAQJYjAP/Stl1horsWRQpZJwkgmWBtlT2xoZ23hIT
XXHUsRGmeKR8BlhzM+pCsW/ZHA5LAvcqQlULrKIuFzR2Gs1uzaaGu7oiwaOZDieB
cRtIg/nJya5VDdW1ruDooS8Y3OnLlp1rEnO/him5yQIUL26DI4rQwfV3wujftjSi
K0r+LOoKDRY=
=BD3K
-----END PGP SIGNATURE-----