Note: This is an archival copy of Security Sun Alert 247666 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019856.1.
Solaris 10 Operating System
Date of Workaround Release
Date of Resolved Release
Security Vulnerabilities in the Apache 2.0 "mod_proxy_http" and "mod_proxy_ftp" modules:
Two security vulnerabilities have been found in the Apache HTTP server that affect the Apache 2.0 web server bundled with Solaris 10:
1. A Denial of Service (DoS) vulnerability in the "mod_proxy_http" Apache server module (CVE-2008-2364) may allow a remote unprivileged user who is in control of a web server to which requests may be proxied to cause a denial of service to the Apache "httpd" process (or potentially to the system as a whole, as the application may consume excessive resources).
2. A Cross Site Scripting (CSS or XSS) vulnerability in the "mod_proxy_ftp" Apache server module (CVE-2008-2939) may allow a remote unprivileged user to inject arbitrary web script or HTML. This may allow the unprivileged user to bypass access control and gain access to unauthorized data.
These issues are described in the following documents:
These issues can occur in the following releases:
Note 2: A system is only vulnerable to the described issues if the Apache 2.0 web server has been configured and is running on the system.
To determine if the Apache 2.0 web server is enabled, the following SMF command can be used:
$ svcs svc:/network/http:apache2
Note 3: The "mod_proxy_http" vulnerability (CVE-2008-2364) only affects systems that enable a forward proxy. This feature is disabled by default and is very rarely used. To determine if the forward proxy is enabled, run the following command for all of the configuration files that define the running Apache 2.0 configuration:
$ grep "ProxyRequests" /etc/apache2/httpd.conf
Note 4: The "mod_proxy_ftp" vulnerability (CVE-2008-2939) only affects systems that enable FTP over HTTP proxying and have either a forward proxy (see Note 3) or a reverse proxy enabled. To determine if FTP over HTTP proxying is enabled, run the following command for all of the configuration files that define the running Apache 2.0 configuration:
$ grep "mod_proxy_ftp" /etc/apache2/httpd.conf
To determine if the reverse proxy is enabled, run the following command for all of the configuration files that define the running Apache 2.0 configuration:
$ grep "ProxyPass" /etc/apache2/httpd.conf
3. Symptoms
If the first issue (CVE-2008-2364) is exploited, the Apache 2.0 web server may be unresponsive, possibly consuming all available CPU or
Commands such as prstat(1M) can be used to determine the utilization of system resources:
$ prstat -s cpu
There are no predictable symptoms that would indicate that the second issue (CVE-2008-2939) has been exploited.
To work around the "mod_proxy_http" issue (CVE-2008-2364), make sure that the forward proxy is not enabled (see Note 3 in Section 2) in the Apache 2 "httpd.conf" file.
To work around the "mod_proxy_ftp" issue (CVE-2008-2939), make sure that the module "mod_proxy_ftp.so" is not loaded (see Note 4 in Section 2) in the Apache 2 "httpd.conf" file.
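As an added example (not part of the original Sun Alert and not Sun's tooling), the following POSIX shell script turns the checks in Notes 3 and 4 and the two workarounds above into one audit: it reports which of the two CVEs still applies to a set of Apache 2.0 configuration files. Unlike the bare grep commands in Section 2, it ignores commented-out directives, so a "# LoadModule ... mod_proxy_ftp.so" line left in httpd.conf is not counted as loaded. The sample configuration files it writes are constructed for demonstration; the default path /etc/apache2/httpd.conf is the one named in the advisory, and the script name used in the usage note is hypothetical.

```shell
#!/bin/sh
# Added example (not Sun's tooling): audit Apache 2.0 configuration files for the
# settings that, per Notes 3 and 4 of this advisory, make CVE-2008-2364 and
# CVE-2008-2939 applicable. Pass every file that makes up the running
# configuration (httpd.conf and anything it Includes) as arguments.

# Match an active (uncommented) directive at the start of a line, case-insensitive
# like httpd itself. $1 = BRE pattern for the directive, $2 = config file.
has_directive() {
  grep -i "^[[:space:]]*$1" "$2" >/dev/null 2>&1
}

# Forward proxy enabled: "ProxyRequests On" (the CVE-2008-2364 condition, Note 3).
forward_proxy_enabled() {
  has_directive 'ProxyRequests[[:space:]][[:space:]]*On' "$1"
}

# mod_proxy_ftp loaded via LoadModule (first half of the CVE-2008-2939 condition, Note 4).
proxy_ftp_loaded() {
  has_directive 'LoadModule[[:space:]].*mod_proxy_ftp\.so' "$1"
}

# Reverse proxy configured: any ProxyPass / ProxyPassReverse directive (Note 4).
reverse_proxy_enabled() {
  has_directive 'ProxyPass' "$1"
}

# Print the CVE identifiers that still apply to the given file(s), one per line.
# Empty output means neither workaround condition is present in those files.
audit_apache_config() {
  fwd=no; ftp=no; rev=no
  for cfg in "$@"; do
    if forward_proxy_enabled "$cfg"; then fwd=yes; fi
    if proxy_ftp_loaded "$cfg"; then ftp=yes; fi
    if reverse_proxy_enabled "$cfg"; then rev=yes; fi
  done
  if [ "$fwd" = yes ]; then
    echo CVE-2008-2364
  fi
  # Note 4: FTP proxying must be loaded AND a forward or reverse proxy enabled.
  if [ "$ftp" = yes ] && { [ "$fwd" = yes ] || [ "$rev" = yes ]; }; then
    echo CVE-2008-2939
  fi
}

# Constructed sample configurations for demonstration (not real Solaris files).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Forward proxy on and mod_proxy_ftp loaded: both issues apply.
cat >"$SAMPLE_DIR/exposed.conf" <<'EOF'
LoadModule proxy_module libexec/mod_proxy.so
LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
ProxyRequests On
EOF

# Reverse proxy only, FTP module commented out: neither issue applies.
cat >"$SAMPLE_DIR/reverse_only.conf" <<'EOF'
LoadModule proxy_module libexec/mod_proxy.so
# LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
ProxyRequests Off
ProxyPass /app http://backend.example.internal/
EOF

# FTP module loaded behind a reverse proxy, no forward proxy: only CVE-2008-2939.
cat >"$SAMPLE_DIR/ftp_reverse.conf" <<'EOF'
LoadModule proxy_module libexec/mod_proxy.so
LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
ProxyPass /files http://ftpgw.example.internal/
EOF

# No proxying at all; the commented ProxyRequests line must not count.
cat >"$SAMPLE_DIR/clean.conf" <<'EOF'
# ProxyRequests On
DocumentRoot "/var/apache2/htdocs"
EOF

# Usage: audit the files named on the command line (e.g. /etc/apache2/httpd.conf).
if [ "$#" -gt 0 ]; then
  audit_apache_config "$@"
fi
```

Saved as, say, audit_apache_proxy.sh and run as `sh audit_apache_proxy.sh /etc/apache2/httpd.conf` together with any files pulled in by Include directives, it prints the CVEs whose configuration conditions are still met; empty output means both workarounds are in place, while applying the resolved releases listed below remains the fix.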
These issues are addressed in the following releases:
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
17-Dec-2008: Updated the Contributing Factors and Resolution sections. Resolved.