Note: This is an archival copy of Security Sun Alert 200690 as previously published on
Latest version of this security advisory is available from as Sun Alert 1000544.1.
Article ID : 1000544.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-09-07
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerabilities in the Apache 2 Web Server


Release Phase

Solaris 10 Operating System

Bug Id
6301799, 6378495

Date of Workaround Release

Date of Resolved Release


Several vulnerabilities in the Apache 2.0 web server prior to version 2.0.55 may allow a local or remote unprivileged user to cause a Denial of Service (DoS) to the Apache 2 HTTP process, or may allow a local user who is able to write to directories served by the web server to execute arbitrary code with the privileges of the Apache 2 process. The Apache 2 HTTP process normally runs as the unprivileged user "webservd" (uid 80).

Additional vulnerabilities may prevent certain configured security features from being applied to specific HTTP transactions or to allow local unprivileged users to gain access to sensitive information.

These vulnerabilities are described at the following URLs:

The Change Log for Apache 2.0, at

CAN-2005-2700: "does not properly enforce 'SSLVerifyClient require' "

CAN-2005-2491: "overflow[...] in Perl Compatible Regular Expressions"

CAN-2005-2088: "HTTP Request Smuggling"

CAN-2005-2728: "denial of service"

CAN-2005-1268: "Certificate Revocation List[...] buffer overflow"

CAN-2004-0942: "denial of service"

CAN-2004-0885: "'SSLCipherSuite'[...] bypass intended restrictions"

CAN-2004-1834 "allow local users to gain sensitive information"

Contributing Factors

These issues can occur in the following releases:

SPARC Platform

  • Solaris 10 without patch 120543-02

x86 Platform

  • Solaris 10 without patch 120544-02

Note 1: The Apache 2.0 web server is not bundled with releases prior to Solaris 10. However, customers who have built and/or installed a vulnerable version of Apache on any version of Solaris are at risk.

Note 2: A system is only vulnerable to these issues if the Apache 2.0 web server has been configured and is running on the system. The following SMF command can be used to see if the Apache web server service is enabled:

    $ svcs svc:/network/http:apache2
    STATE          STIME    FMRI
    disabled       Feb_02   svc:/network/http:apache2

If the output asserts that the pattern doesn't match any instances, or if the STATE is 'disabled' then the host is not vulnerable.

Note 3: The vulnerabilities CAN-2005-2700, CAN-2005-2491, CAN-2005-2728, CAN-2005-2088, and CAN-2005-1268 are present in Apache2 version 2.0 to 2.0.54. The vulnerabilities CAN-2004-0942 and CAN-2004-1834 are present in Apache2 version 2.0 to 2.0.52. The vulnerability CAN-2004-0885 is present in Apache2 version 2.0.35 to 2.0.52.

To determine the version of the Apache 2.0 web server installed on a host, the following command can be run:

    $ /usr/apache2/bin/httpd -v
    Server version: Apache/2.0.52
    Server built:   Jan 22 2006 02:10:22

Note 4: Apache 1.3 ships with Solaris 8, 9, and 10, and is impacted by some of the issues referenced in this Sun Alert. For details on the impact to Apache 1.3 see Sun Alert 102197.


If the described issues have been exploited to cause a Denial of Service (DoS) condition, the Apache Web Server may be slow to respond to requests or may not respond at all.

There are no predictable symptoms that would indicate any of the described issues have been exploited to gain unauthorized access to a host or its data.


There is no workaround to this issue. Please see the Resolution section below.


This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 120543-02 or later

x86 Platform

  • Solaris 10 with patch 120544-02 or later

Modification History
Date: 12-APR-2006


  • Updated Relief/Workaround section

Date: 08-SEP-2006


  • Updated Contributing Factors and Resolution sections
  • State: Resolved



This solution has no attachment