Note: This is an archival copy of Security Sun Alert 200690 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000544.1.
Article ID : 1000544.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-09-07
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerabilities in the Apache 2 Web Server

Category
Security

Release Phase
Resolved

Product
Solaris 10 Operating System

Bug Id
6301799, 6378495

Date of Workaround Release
01-MAR-2006

Date of Resolved Release
08-SEP-2006

Impact

Several vulnerabilities in the Apache 2.0 web server prior to version 2.0.55 may allow a local or remote unprivileged user to cause a Denial of Service (DoS) to the Apache 2 HTTP process, or may allow a local user who is able to write to directories served by the web server to execute arbitrary code with the privileges of the Apache 2 process. The Apache 2 HTTP process normally runs as the unprivileged user "webservd" (uid 80).

Additional vulnerabilities may prevent certain configured security features from being applied to specific HTTP transactions or to allow local unprivileged users to gain access to sensitive information.

These vulnerabilities are described at the following URLs:

The Change Log for Apache 2.0, at http://www.apache.org/dist/httpd/CHANGES_2.0

CAN-2005-2700: "does not properly enforce 'SSLVerifyClient require' " http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700

CAN-2005-2491: "overflow[...] in Perl Compatible Regular Expressions" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491

CAN-2005-2088: "HTTP Request Smuggling" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2088

CAN-2005-2728: "denial of service" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2728

CAN-2005-1268: "Certificate Revocation List[...] buffer overflow" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1268

CAN-2004-0942: "denial of service" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942

CAN-2004-0885: "'SSLCipherSuite'[...] bypass intended restrictions" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885

CAN-2004-1834 "allow local users to gain sensitive information" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1834


Contributing Factors

These issues can occur in the following releases:

SPARC Platform

  • Solaris 10 without patch 120543-02

x86 Platform

  • Solaris 10 without patch 120544-02

Note 1: The Apache 2.0 web server is not bundled with releases prior to Solaris 10. However, customers who have built and/or installed a vulnerable version of Apache on any version of Solaris are at risk.

Note 2: A system is only vulnerable to these issues if the Apache 2.0 web server has been configured and is running on the system. The following SMF command can be used to see if the Apache web server service is enabled:

    $ svcs svc:/network/http:apache2
    STATE          STIME    FMRI
    disabled       Feb_02   svc:/network/http:apache2

If the output asserts that the pattern doesn't match any instances, or if the STATE is 'disabled' then the host is not vulnerable.

Note 3: The vulnerabilities CAN-2005-2700, CAN-2005-2491, CAN-2005-2728, CAN-2005-2088, and CAN-2005-1268 are present in Apache2 version 2.0 to 2.0.54. The vulnerabilities CAN-2004-0942 and CAN-2004-1834 are present in Apache2 version 2.0 to 2.0.52. The vulnerability CAN-2004-0885 is present in Apache2 version 2.0.35 to 2.0.52.

To determine the version of the Apache 2.0 web server installed on a host, the following command can be run:

    $ /usr/apache2/bin/httpd -v
    Server version: Apache/2.0.52
    Server built:   Jan 22 2006 02:10:22

Note 4: Apache 1.3 ships with Solaris 8, 9, and 10, and is impacted by some of the issues referenced in this Sun Alert. For details on the impact to Apache 1.3 see Sun Alert 102197.


Symptoms

If the described issues have been exploited to cause a Denial of Service (DoS) condition, the Apache Web Server may be slow to respond to requests or may not respond at all.

There are no predictable symptoms that would indicate any of the described issues have been exploited to gain unauthorized access to a host or its data.


Workaround

There is no workaround to this issue. Please see the Resolution section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 120543-02 or later

x86 Platform

  • Solaris 10 with patch 120544-02 or later


Modification History
Date: 12-APR-2006

12-Apr-2006:

  • Updated Relief/Workaround section

Date: 08-SEP-2006

08-Sep-2006:

  • Updated Contributing Factors and Resolution sections
  • State: Resolved


References

120543-02
120544-02




Attachments
This solution has no attachment