Multiple security flaws have been found in the Apache software package. They allow remote attackers to carry out DoS and XSS attacks, gain unauthorized access, bypass configured restrictions and read certain data.
Package:
Apache 2.x
Operating systems:
HP-UX 11.x
Criticality:
6.5
Problem:
error in a software component, XSS
Exploitation:
remote
Consequence:
unauthorized system access, disclosure of sensitive information, injection of HTML and script code, denial of service (DoS)
The flaws stem from multiple XSS vulnerabilities in the HTML Manager interface, an error in the "Double.parseDouble" method, and others. For the details of all the flaws, reading the original advisory is recommended.
Consequence:
An attacker can exploit them to gain unauthorized system access, carry out DoS and XSS attacks, bypass configured restrictions and disclose sensitive information.
Solution:
Users are advised to install the new software releases.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03090723
Version: 1
HPSBUX02725 SSRT100627 rev.1 - HP-UX Apache Running Tomcat Servlet Engine, Remote Information Disclosure, Authentication Bypass, Cross-Site Scripting (XSS), Unauthorized Access, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-11-21
Last Updated: 2011-11-22
Potential Security Impact: Remote information disclosure, authentication bypass, cross-site scripting (XSS), unauthorized access, Denial of Service (DoS).
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Apache Running Tomcat Servlet Engine. These vulnerabilities could be exploited remotely to disclose information, allow authentication bypass, allow cross-site scripting (XSS), gain unauthorized access, or create a Denial of Service (DoS). The Tomcat-based Servlet Engine is contained in the HP-UX Apache Web Server Suite.
References: CVE-2011-3190, CVE-2011-2729, CVE-2011-2526, CVE-2011-2204, CVE-2011-0013, CVE-2010-4476, CVE-2010-3718
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running HP-UX Apache Web Server Suite v3.19 or earlier
BACKGROUND
For a PGP signed version of this security bulletin please write to the HP Software Security Response Team (the address is not reproduced on this page).
CVSS 2.0 Base Metrics
Reference       Base Vector                     Base Score
CVE-2011-3190   (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
CVE-2011-2729   (AV:N/AC:L/Au:N/C:P/I:N/A:N)    5.0
CVE-2011-2526   (AV:L/AC:M/Au:N/C:P/I:P/A:P)    4.4
CVE-2011-2204   (AV:L/AC:M/Au:N/C:P/I:N/A:N)    1.9
CVE-2011-0013   (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
CVE-2010-4476   (AV:N/AC:L/Au:N/C:N/I:N/A:P)    5.0
CVE-2010-3718   (AV:L/AC:H/Au:N/C:N/I:P/A:N)    1.2
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has provided the following software updates to resolve the vulnerabilities.
The updates are available for download from http://software.hp.com
Note: HP-UX Web Server Suite v3.20 contains HP-UX Tomcat-based Servlet Engine v5.5.34.01
Web Server Suite Version        HP-UX Release   Apache Depot name
HP-UX Web Server Suite v.3.20   HP-UX B.11.23   HPUXWS22ATW-B320-64.depot
HP-UX Web Server Suite v.3.20   HP-UX B.11.23   HPUXWS22ATW-B320-32.depot
HP-UX Web Server Suite v.3.20   HP-UX B.11.31   HPUXWS22ATW-B320-64.depot
HP-UX Web Server Suite v.3.20   HP-UX B.11.31   HPUXWS22ATW-B320-32.depot
MANUAL ACTIONS: Yes - Update
Install HP-UX Web Server Suite v3.20 or subsequent.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX Web Server Suite
HP-UX B.11.23
HP-UX B.11.31
==================
hpuxws22TOMCAT.TOMCAT
action: install revision B.5.5.34.01 or subsequent
END AFFECTED VERSIONS
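The AFFECTED VERSIONS block above is what HP-UX Software Assistant consumes to decide whether a system needs this update. The following parser is an added example, not HP's code: it reads the block exactly as printed in this bulletin (product line, HP-UX release lines, a separator of "=" characters, fileset names, and an "action: install revision X or subsequent" line), then compares an installed fileset revision against the required one. The line grammar is inferred from this bulletin only and is an assumption about how SWA blocks are laid out in general; the revision-ordering rule (letter prefix, then dot-separated integers) is likewise an assumption that is adequate for revisions of the form B.5.5.34.01.

```python
"""Parse the bulletin's AFFECTED VERSIONS block and evaluate installed revisions.

Added example; the block grammar is inferred from this bulletin's text.
"""
import re

# The block copied verbatim from the bulletin
SWA_TEXT = """\
AFFECTED VERSIONS
HP-UX Web Server Suite
HP-UX B.11.23
HP-UX B.11.31
==================
hpuxws22TOMCAT.TOMCAT
action: install revision B.5.5.34.01 or subsequent
END AFFECTED VERSIONS
"""

ACTION_RE = re.compile(r"^action:\s+install revision\s+(\S+)\s+or subsequent$")
RELEASE_RE = re.compile(r"^HP-UX\s+(B\.\d+\.\d+)$")


def parse_affected_versions(text):
    """Return {'product', 'releases', 'required': {fileset: minimum revision}}."""
    lines = [line.strip() for line in text.splitlines()]
    try:
        start = lines.index("AFFECTED VERSIONS")
        end = lines.index("END AFFECTED VERSIONS")
    except ValueError:
        raise ValueError("no complete AFFECTED VERSIONS block found")
    product, releases, required, pending = None, [], {}, []
    for line in lines[start + 1:end]:
        if not line or set(line) == {"="}:
            continue  # blank line or the "=====" separator
        m = RELEASE_RE.match(line)
        if m:
            releases.append(m.group(1))
            continue
        m = ACTION_RE.match(line)
        if m:
            if not pending:
                raise ValueError(f"action line without preceding fileset: {line!r}")
            for fileset in pending:  # the action applies to the filesets listed before it
                required[fileset] = m.group(1)
            pending = []
            continue
        if product is None and "." not in line:
            product = line  # assumption: first non-release line is the product name
            continue
        pending.append(line)  # fileset names look like hpuxws22TOMCAT.TOMCAT
    if pending:
        raise ValueError(f"filesets without an action line: {pending}")
    return {"product": product, "releases": releases, "required": required}


def revision_key(rev):
    """Sort key for HP-UX revisions such as 'B.5.5.34.01' (assumed format)."""
    parts = rev.split(".")
    return (parts[0],) + tuple(int(p) for p in parts[1:])


def is_vulnerable(installed, required):
    """True when the installed revision is older than the required minimum."""
    return revision_key(installed) < revision_key(required)


def evaluate(installed_filesets, text=SWA_TEXT):
    """Map each fileset named in the block to 'ok', 'vulnerable' or 'not installed'."""
    spec = parse_affected_versions(text)
    verdicts = {}
    for fileset, minimum in spec["required"].items():
        installed = installed_filesets.get(fileset)
        if installed is None:
            verdicts[fileset] = "not installed"
        elif is_vulnerable(installed, minimum):
            verdicts[fileset] = f"vulnerable ({installed} < {minimum})"
        else:
            verdicts[fileset] = f"ok ({installed})"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory: revision taken from an older suite release
    print(evaluate({"hpuxws22TOMCAT.TOMCAT": "B.5.5.33.02"}))
```

The installed revision is passed in as a dictionary so the check runs offline; on a real system the value would come from the software inventory. Note that a revision with fewer components, such as B.5.5.34, sorts below B.5.5.34.01 and is correctly reported as needing the update.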
HISTORY
Version:1 (rev.1) - 21 November 2011 Initial release