Objavljena je revizija sigurnosnog upozorenja s oznakom HPSBUX02702 vezanog uz Apache Web poslužitelj. U izvornom upozorenju navedeni su propusti koji su napadačima omogućavali pokretanje napada uskraćivanja usluge. Revizija je objavljena zbog osvježenih podataka o ranjivim proizvodima i rješenju problema.
Paket:
Apache 2.x
Operacijski sustavi:
HP-UX 11.x
Kritičnost:
7
Problem:
neodgovarajuće rukovanje memorijom, pogreška u programskoj funkciji
Iskorištavanje:
udaljeno
Posljedica:
uskraćivanje usluga (DoS)
Rješenje:
programska zakrpa proizvođača
CVE:
CVE-2011-3192, CVE-2011-0419
Izvorni ID preporuke:
HPSBUX02702
Izvor:
Hewlett Packard
Problem:
Uočeni nedostaci javljaju se zbog pogreške u filteru raspona bitova Apache HTTP poslužitelja te pogreške u upravljanju rada sa stogom kod funkcije "apr_fnmatch.c". Revizija je objavljena zbog novih informacija o ranjivim proizvodima i rješenju problema.
Posljedica:
Udaljeni, zlonamjerni korisnici mogu iskoristiti ovaj nedostatak za DoS (eng. Denial of Service) napad.
Rješenje:
Objavljena je nadogradnja koja uočene probleme rješava pa se svim korisnicima savjetuje njena primjena.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02997184
Version: 2
HPSBUX02702 SSRT100606 rev.2 - HP-UX Apache Web Server, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-09-08
Last Updated: 2011-09-08
Potential Security Impact: Remote Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Apache Web Server. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS).
References: CVE-2011-3192, CVE-2011-0419
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running HP-UX Apache Web Server Suite v3.17 containing Apache v2.2.15.07 or earlier
HP-UX B.11.11 running HP-UX Apache Web Server Suite v2.33 containing Apache v2.0.64.01 or earlier
BACKGROUND
For a PGP signed version of this security bulletin please write to: Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
CVSS 2.0 Base Metrics
Reference
Base Vector
Base Score
CVE-2011-3192
(AV:N/AC:L/Au:N/C:N/I:N/A:C)
7.8
CVE-2011-0419
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
4.3
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
This bulletin will be revised when additional information becomes available.
HP has provided the following software update to resolve these vulnerabilities.
The update is available for download from the following location
ftp://srt10606:P2xg=Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
or https://ftp.usa.hp.com/hprc/home with
username srt10606 and password P2xg=AD5
HP-UX Web Server Suite (WSS) v.3.18 containing Apache v2.2.15.08
HP-UX 11i Release
Apache Depot name
B.11.23 (32-bit)
Apache-CVE-2011-3192-Fix-IA-PA-32.depot
B.11.23 (64-bit)
Apache-CVE-2011-3192-Fix-IA-PA-64.depot
B.11.31 (32-bit)
Apache-CVE-2011-3192-Fix-IA-PA-32.depot
B.11.31 (64-bit)
Apache-CVE-2011-3192-Fix-IA-PA-64.depot
HP-UX Web Server Suite (WSS) v.2.33 containing Apache v2.0.64.01 and earlier
HP-UX 11i Release
Apache Depot name
B.11.11
Use work around suggested below
B.11.23 (32 & 64-bit)
No longer supported. Upgrade to WSS v 3.18
B.11.31 (32 & 64-bit)
No longer supported. Upgrade to WSS v 3.18
Alternatives to Installing the Preliminary Patch
The Apache Software Foundation has documented work arounds. For customers not wanting to install the preliminary patch, the following are recommended.
Note : that no patch is available for Apache 2.0.64.01.
1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then either ignore the Range: header or reject the request.
2) Limit the size of the request field to a few hundred bytes.
3) Use mod_headers to completely disallow the use of Range headers.
Please refer to the Apache advisory for details. http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.%3e Non-HP site
MANUAL ACTIONS: Yes - Update
Install HP-UX Web Server Suite v3.18 or subsequent.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX Web Server Suite v3.18
HP-UX B.11.23
HP-UX B.11.31
==================
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP
hpuxws22APACHE.PHP2
hpuxws22APACHE.WEBPROXY
hpuxws22APACHE.WEBPROXY2
action: install revision B.2.2.15.08 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 8 September 2011 Initial release
Version:2 (rev.2) - 8 September 2011 Updated affectivity, recommendations, typos
Posljednje sigurnosne preporuke