Apache’s explanation of the other bug is that it is due to a bug in the configuration scripts that causes the apr_password_validate() function to fail. This allows “remote attackers to create a denial of service, which causes valid usernames and passwords for Basic Authentication to fail.” In its explanation, Apache states that the foundation doesn’t think this bug would allow access to protected resources.
Details
According to the Red Hat advisory on the WebDAV flaw, successful exploitation “may allow execution of arbitrary code.” Apache describes the WebDAV vulnerability as follows: “This can be triggered remotely through mod_dav and possibly other mechanisms.” Mod_dav is the open source module that provides the Web Distributed Authoring and Versioning protocol to Apache Web servers. WebDAV is the set of HTTP extensions that allows administrators to perform remote editing and file management on servers. The Apache announcement page provides more details about the two major security flaws and the various bugs fixed by the new release.
A Red Hat notice that addresses these vulnerabilities, RHSA-2003:186-06, is also available. Red Hat says that this update affects Red Hat Linux versions 8.0 and 9. Secunia has also released a security bulletin for these vulnerabilities. And the CVE listings for the security vulnerabilities are CAN-2003-0189 and CAN-2003-0245.
Applicability
Apache versions 2.0.37 through 2.0.45 are affected by these bugs and should be updated to version 2.0.46. The WebDAV (mod_dav) vulnerability affects versions 2.0.37 through 2.0.45, while versions 2.0.40 through 2.0.45 are vulnerable to the basic authentication module DoS attack.
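As an added example (not from the article, Apache or Red Hat), a small Python check that maps a server’s reported version onto the two affected ranges given above. The banners it scans are constructed; a server that hides its version (ServerTokens Prod) is reported as unknown rather than as safe, and the mapping of the two CAN identifiers to the individual flaws is not stated on this page, so only flaw names are used.

```python
import re

# Affected ranges as stated in the article (inclusive), keyed by flaw name.
AFFECTED = {
    "mod_dav (WebDAV) flaw": ((2, 0, 37), (2, 0, 45)),
    "Basic Authentication DoS (apr_password_validate)": ((2, 0, 40), (2, 0, 45)),
}
FIXED_IN = (2, 0, 46)  # version the article says to update to

# Matches the "Apache/x.y.z" token in an 'httpd -v' line or a Server: header.
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Return (major, minor, patch) from a banner, or None if no version is shown."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def applicable_flaws(banner):
    """Return the flaw names whose affected range contains the banner's version.

    None means the banner carries no version (e.g. ServerTokens Prod), so the
    host must be checked another way rather than assumed patched.
    """
    ver = parse_version(banner)
    if ver is None:
        return None
    return [name for name, (lo, hi) in AFFECTED.items() if lo <= ver <= hi]


def scan(banners):
    """Map each banner to its applicable flaws; tuple comparison keeps 1.3.x out of range."""
    return {b: applicable_flaws(b) for b in banners}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        "Server: Apache/2.0.39 (Unix)",
        "Server: Apache/2.0.45 (Red Hat Linux)",
        "Server: Apache/2.0.46",
        "Server: Apache/1.3.27",
        "Server: Apache",
    ]
    for banner, flaws in scan(sample).items():
        status = "version hidden, check manually" if flaws is None else (flaws or "not affected")
        print(f"{banner!r}: {status}")
```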
Risk level: Serious
Secunia rates this as “highly critical,” but most others aren’t reporting that they can be exploited to actually penetrate a system. Nevertheless, Apache and Red Hat both appear to view these two updates as serious and worthy of the attention of Apache administrators.
Fix: Update
Version 2.0.46 is available for immediate download at Apache. About 30 nonsecurity bugs and new features are also addressed in this revision of the software.
Final word
I’m certainly not picking on Apache, but it’s only fair to point out that like IIS, Apache has had a number of recent, serious security problems. In fact, this is the second urgent security update for Apache in the past two months.
The lesson to be learned is that, while open source software is often very good quality, it’s not immune to vulnerabilities simply because it’s open source. Security comes not from perfect software but from administrators keeping tabs on new vulnerabilities and protecting the systems under their control—no matter what software they run.
©2003 TechRepublic, Inc.