Apache 2.x servers are vulnerable to several threats and should be updated to the latest version. Some of the flaws reside in the Apache software itself, and one flaw exists in the ModSecurity 1.7.4 intrusion detection software. Yet another vulnerability, which can give an attacker access to authentication credentials, is known but hasn’t been patched in the latest released version of Apache (at press time).
S-Quadra Security Research has published information about a vulnerability in the open source ModSecurity intrusion detection software, which functions as an Apache module. The researcher reportedly notified ModSecurity at the beginning of February and held off on a public announcement (in BugTraq) until now, when ModSecurity version 1.7.5 became available.
A different vulnerability involves a rare condition affecting Apache 2.0.48 and earlier on some versions of AIX, Solaris, and Tru64, but not Windows, Linux, or FreeBSD platforms. See the vendor’s advisory and release announcement for version 2.0.49 for more information.
The vulnerability CAN-2004-0113 refers to a memory leak in mod_ssl. The vulnerability CAN-2003-0020 can allow “exploits of certain terminal emulators.”
Unfortunately, another new vulnerability has been reported in Apache versions 2.0.49 (the current version) and prior 2.x versions. This threat relates to mod_disk_cache and can give an attacker access to authentication credentials. The discoverer, Andreas Steinmetz, says he reported the defect to the Apache team on March 2, 2004, and hasn’t heard back from Apache since March 7. In his BugTraq note of March 20, Steinmetz says that the vulnerability hasn’t been addressed in the latest release, version 2.0.49, and therefore he has published details of the threat.
See the Apache advisory for details on a few other threats. You should also note that some Apache DoS threats have been addressed by the newest release, Apache HTTP Server version 2.0.49.
Applicability
All of these flaws affect Apache versions 2.x.
Risk level—high
One vulnerability could allow an attacker to run arbitrary code on an Apache Web server that uses ModSecurity software. Most of the other flaws are less important but can still trigger DoS events. The unpatched threat that I mentioned can allow for the theft of credentials.
Mitigating factors
Any organisations that have stayed with Apache version 1.3.x are probably safe from all of these threats, which appear to affect only version 2.x releases.
Fix
For all except the mod_disk_cache threat, upgrading to the latest version of Apache will solve these problems. There is no workaround for the three vulnerabilities recently fixed by the release of Apache 2.0.49. The Apache advisory recommends disabling mod_disk_cache until a fix is found for that flaw. Steinmetz has published a possible patch that he also forwarded to the Apache team.
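The two checks this section calls for, as an added example that is not from the original article or the Apache project: it flags a 2.x server older than 2.0.49 and an active mod_disk_cache. It assumes you pass in the text of `httpd -v`, of one configuration file (Include directives are not followed), and optionally of `httpd -l`; the function names and sample inputs are constructed for illustration.

```python
import re

# Version thresholds come from the article; the sample inputs below are constructed.
FIXED_RELEASE = (2, 0, 49)  # fixes everything except the mod_disk_cache flaw

def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache version found in banner")
    return tuple(int(x) for x in m.groups())

def disk_cache_active(config_text, static_modules=""):
    """True if mod_disk_cache is compiled in, loaded, or enabled."""
    if re.search(r"^\s*mod_disk_cache\.c\s*$", static_modules, re.M):
        return True  # listed by `httpd -l`, so no LoadModule line is needed
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):  # Apache comments start the line
            continue
        words = line.lower().split()  # directive names are case-insensitive
        if words[:2] in (["loadmodule", "disk_cache_module"],
                         ["cacheenable", "disk"]):
            return True
    return False

def audit(banner, config_text, static_modules=""):
    """Return the actions the article recommends for this server."""
    version = parse_version(banner)
    findings = []
    if version[0] != 2:
        return findings  # the article says 1.3.x is probably unaffected
    if version < FIXED_RELEASE:
        findings.append("upgrade to Apache 2.0.49")
    if version <= FIXED_RELEASE and disk_cache_active(config_text, static_modules):
        findings.append("disable mod_disk_cache until a fix is released")
    return findings

SAMPLE_BANNER = "Server version: Apache/2.0.48 (Unix)"  # constructed
SAMPLE_CONF = """\
LoadModule cache_module modules/mod_cache.so
LoadModule disk_cache_module modules/mod_disk_cache.so
# CacheEnable disk /old
CacheRoot /var/cache/httpd
CacheEnable disk /
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_BANNER, SAMPLE_CONF)))
```

The script cannot tell which ModSecurity version is installed, so confirm separately that it is 1.7.5 or later.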
Final word
Apache administrators may also be interested in taking a look at the details of Reasoning Inc.’s Apache code inspection project.
©2004 TechRepublic, Inc.









