Note: This is an archival copy of Security Sun Alert 200690 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000544.1.
Solaris 10 Operating System
Date of Workaround Release
Date of Resolved Release
Several vulnerabilities in the Apache 2.0 web server prior to version 2.0.55 may allow a local or remote unprivileged user to cause a Denial of Service (DoS) to the Apache 2 HTTP process, or may allow a local user who is able to write to directories served by the web server to execute arbitrary code with the privileges of the Apache 2 process. The Apache 2 HTTP process normally runs as the unprivileged user "webservd" (uid 80).
Additional vulnerabilities may prevent certain configured security features from being applied to specific HTTP transactions or to allow local unprivileged users to gain access to sensitive information.
These vulnerabilities are described at the following URLs:
The Change Log for Apache 2.0, at http://www.apache.org/dist/httpd/CHANGES_2.0
CAN-2005-2700: "does not properly enforce 'SSLVerifyClient require' " http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700
CAN-2005-2491: "overflow[...] in Perl Compatible Regular Expressions" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
CAN-2005-2088: "HTTP Request Smuggling" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2088
CAN-2005-2728: "denial of service" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2728
CAN-2005-1268: "Certificate Revocation List[...] buffer overflow" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1268
CAN-2004-0942: "denial of service" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942
CAN-2004-0885: "'SSLCipherSuite'[...] bypass intended restrictions" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
CAN-2004-1834 "allow local users to gain sensitive information" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1834
These issues can occur in the following releases:
Note 1: The Apache 2.0 web server is not bundled with releases prior to Solaris 10. However, customers who have built and/or installed a vulnerable version of Apache on any version of Solaris are at risk.
Note 2: A system is only vulnerable to these issues if the Apache 2.0 web server has been configured and is running on the system. The following SMF command can be used to see if the Apache web server service is enabled:
$ svcs svc:/network/http:apache2 STATE STIME FMRI disabled Feb_02 svc:/network/http:apache2
If the output asserts that the pattern doesn't match any instances, or if the STATE is 'disabled' then the host is not vulnerable.
Note 3: The vulnerabilities CAN-2005-2700, CAN-2005-2491, CAN-2005-2728, CAN-2005-2088, and CAN-2005-1268 are present in Apache2 version 2.0 to 2.0.54. The vulnerabilities CAN-2004-0942 and CAN-2004-1834 are present in Apache2 version 2.0 to 2.0.52. The vulnerability CAN-2004-0885 is present in Apache2 version 2.0.35 to 2.0.52.
To determine the version of the Apache 2.0 web server installed on a host, the following command can be run:
$ /usr/apache2/bin/httpd -v Server version: Apache/2.0.52 Server built: Jan 22 2006 02:10:22
Note 4: Apache 1.3 ships with Solaris 8, 9, and 10, and is impacted by some of the issues referenced in this Sun Alert. For details on the impact to Apache 1.3 see Sun Alert 102197.
If the described issues have been exploited to cause a Denial of Service (DoS) condition, the Apache Web Server may be slow to respond to requests or may not respond at all.
There are no predictable symptoms that would indicate any of the described issues have been exploited to gain unauthorized access to a host or its data.
There is no workaround to this issue. Please see the Resolution section below.
This issue is addressed in the following releases:
This solution has no attachment