Date: 11 September 2006
References: ESB-2004.0724 ESB-2005.0589 ESB-2005.0686 ESB-2005.0690 AU-2006.0033
-----BEGIN PGP SIGNED MESSAGE-----
AusCERT Update AU-2006.0033 - [Solaris]
Security Vulnerabilities in the Apache 2 Web Server
11 September 2006
AusCERT Update Summary
Product: Apache 2
Publisher: Sun Microsystems
Operating System: Solaris 10
Impact: Execute Arbitrary Code/Commands
Denial of Service
CVE Names: CAN-2005-2728 CAN-2005-2700 CAN-2005-2491
CAN-2005-2088 CAN-2005-1268 CAN-2004-1834
Comment: Sun Microsystems have recently released patches fixing the issues
referenced in the original advisory.
- --------------------------BEGIN INCLUDED TEXT--------------------
Sun(sm) Alert Notification
* Sun Alert ID: 102198
* Synopsis: Security Vulnerabilities in the Apache 2 Web Server
* Category: Security
* Product: Solaris 10 Operating System
* BugIDs: 6301799, 6378495
* Avoidance: Patch
* State: Resolved
* Date Released: 01-Mar-2006, 08-Sep-2006
* Date Closed: 08-Sep-2006
* Date Modified: 12-Apr-2006, 08-Sep-2006
Several vulnerabilities in the Apache 2.0 web server prior to version
2.0.55 may allow a local or remote unprivileged user to cause a Denial
of Service (DoS) to the Apache 2 HTTP process, or may allow a local
user who is able to write to directories served by the web server to
execute arbitrary code with the privileges of the Apache 2 process.
The Apache 2 HTTP process normally runs as the unprivileged user
"webservd" (uid 80).
Additional vulnerabilities may prevent certain configured security
features from being applied to specific HTTP transactions, or may allow
local unprivileged users to gain access to sensitive information.
These vulnerabilities are described at the following URLs:
The Change Log for Apache 2.0, at
CAN-2005-2700: "does not properly enforce 'SSLVerifyClient require' "
CAN-2005-2491: "overflow[...] in Perl Compatible Regular Expressions"
CAN-2005-2088: "HTTP Request Smuggling"
CAN-2005-2728: "denial of service"
CAN-2005-1268: "Certificate Revocation List[...] buffer overflow"
CAN-2004-0942: "denial of service"
CAN-2004-0885: "'SSLCipherSuite'[...] bypass intended restrictions"
CAN-2004-1834: "allow local users to gain sensitive information"
2. Contributing Factors
These issues can occur in the following releases:
* Solaris 10 without patch 120543-02
* Solaris 10 without patch 120544-02
Note 1: The Apache 2.0 web server is not bundled with releases prior
to Solaris 10. However, customers who have built and/or installed a
vulnerable version of Apache on any version of Solaris are at risk.
Note 2: A system is only vulnerable to these issues if the Apache 2.0
web server has been configured and is running on the system. The
following SMF command can be used to see if the Apache web server
service is enabled:
$ svcs svc:/network/http:apache2
STATE STIME FMRI
disabled Feb_02 svc:/network/http:apache2
If the output reports that the pattern doesn't match any instances, or
if the STATE is 'disabled', then the host is not vulnerable.
Note 3: The vulnerabilities CAN-2005-2700, CAN-2005-2491,
CAN-2005-2728, CAN-2005-2088, and CAN-2005-1268 are present in Apache2
version 2.0 to 2.0.54. The vulnerabilities CAN-2004-0942 and
CAN-2004-1834 are present in Apache2 version 2.0 to 2.0.52. The
vulnerability CAN-2004-0885 is present in Apache2 version 2.0.35 to
To determine the version of the Apache 2.0 web server installed on a
host, the following command can be run:
$ /usr/apache2/bin/httpd -v
Server version: Apache/2.0.52
Server built: Jan 22 2006 02:10:22
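The checks in Notes 2 and 3 can be combined into one triage step. The script below is an added example, not part of the Sun Alert or the AusCERT bulletin: it parses captured `svcs` and `httpd -v` output and lists the CVE names whose Note 3 version range covers the installed 2.0.x release. The function names and the "online" sample are assumptions made for illustration.

```shell
# Added example: triage from Notes 2 and 3, run over captured command output.

# STATE column for the apache2 instance, or "absent" if no instance line.
apache2_state() {
    printf '%s\n' "$1" | awk '
        $3 == "svc:/network/http:apache2" { print $1; found = 1; exit }
        END { if (!found) print "absent" }'
}

# N from "Server version: Apache/2.0.N"; empty if the line is not 2.0.x.
apache2_patchlevel() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/2\.0\.\([0-9][0-9]*\).*|\1|p'
}

# CVE names whose Note 3 range covers 2.0.N. CAN-2004-0885 is left out:
# its upper bound is cut off in the text above.
affected_cves() {
    out=""
    if [ "$1" -le 54 ]; then
        out="CAN-2005-2700 CAN-2005-2491 CAN-2005-2728 CAN-2005-2088 CAN-2005-1268"
    fi
    if [ "$1" -le 52 ]; then
        out="$out CAN-2004-0942 CAN-2004-1834"
    fi
    printf '%s\n' "$out"
}

triage() {  # $1: svcs output, $2: httpd -v output
    state=$(apache2_state "$1")
    case "$state" in
        absent|disabled) echo "not exposed: service $state"; return 0 ;;
    esac
    n=$(apache2_patchlevel "$2")
    if [ -z "$n" ]; then echo "unknown: version not 2.0.x"; return 0; fi
    cves=$(affected_cves "$n")
    if [ -n "$cves" ]; then echo "exposed: 2.0.$n $state: $cves"
    else echo "outside Note 3 ranges: 2.0.$n $state"; fi
}

# Sample inputs: the first two are from the alert, SVCS_ONLINE is constructed.
SVCS_DISABLED='STATE STIME FMRI
disabled Feb_02 svc:/network/http:apache2'
HTTPD_V='Server version: Apache/2.0.52
Server built: Jan 22 2006 02:10:22'
SVCS_ONLINE='STATE STIME FMRI
online Feb_02 svc:/network/http:apache2'
triage "$SVCS_DISABLED" "$HTTPD_V"
triage "$SVCS_ONLINE" "$HTTPD_V"
```

On a live host, pass `"$(svcs svc:/network/http:apache2 2>&1)"` and `"$(/usr/apache2/bin/httpd -v)"` to `triage`. The script works from the version string only and does not check for patches 120543-02 or 120544-02.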
Note 4: Apache 1.3 ships with Solaris 8, 9, and 10, and is impacted by
some of the issues referenced in this Sun Alert. For details on the
impact to Apache 1.3 see Sun Alert 102197.
If the described issues have been exploited to cause a Denial of
Service (DoS) condition, the Apache Web Server may be slow to respond
to requests or may not respond at all.
There are no predictable symptoms that would indicate any of the
described issues have been exploited to gain unauthorized access to a
host or its data.
There is no workaround to this issue. Please see the Resolution
This issue is addressed in the following releases:
* Solaris 10 with patch 120543-02 or later
* Solaris 10 with patch 120544-02 or later
* Updated Relief/Workaround section
* Updated Contributing Factors and Resolution sections
* State: Resolved
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
notification may only be used for the purposes contemplated by these
Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----