U radu programskog paketa Apache uočeno je nekoliko sigurnosnih propusta. Zlonamjerni ih korisnici mogu iskoristiti za izvođenje DoS napada i zaobilaženje postavljenih sigurnosnih ograničenja.
Propusti su posljedica neodgovarajućeg rukovanja pojedinim parametrima, nepravilne obrade hash vrijednosti te prihvaćanja znaka "\0" u imenu putanje. Za više detalja savjetuje se čitanje izvornog upozorenja.
Posljedica:
Napadaču omogućuju zaobilaženje postavljenih ograničenja i izvođenje DoS (eng. Denial of Service) napada.
Rješenje:
Korisnicima se preporuča instalacije odgovarajuće nadogradnje.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03183543
Version: 1
HPSBUX02741 SSRT100728 rev.1 - HP-UX Apache Running Tomcat Servlet Engine, Remote Denial of Service (DoS), Access Restriction Bypass
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-02-06
Last Updated: 2012-02-06
Potential Security Impact: Remote Denial of Service (DoS), access restriction bypass
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Apache Running Tomcat Servlet Engine. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) or to perform an access restriction bypass. The Tomcat-based Servlet Engine is contained in the HP-UX Apache Web Server Suite.
References: CVE-2006-7243, CVE-2011-4858, CVE-2011-4885, CVE-2012-0022
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running HP-UX Apache Web Server Suite v3.21 or earlier
BACKGROUND
For a PGP signed version of this security bulletin please write to: Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
CVSS 2.0 Base Metrics
Reference
Base Vector
Base Score
CVE-2006-7243
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
5.0
CVE-2011-4858
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
5.0
CVE-2011-4885
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
5.0
CVE-2012-0022
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
5.0
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has provided the following software updates to resolve the vulnerability.
The updates are available for download from
ftp://srt10728:Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
Note: HP-UX Web Server Suite v3.22 contains HP-UX Tomcat-based Servlet Engine v5.5.35.01
Web Server Suite Version
Apache Depot Name
HP-UX Web Server Suite v.3.22
HP-UX B.11.23 HPUXWS22ATW-B322-64.depot
HP-UX B.11.23 HPUXWS22ATW-B322-32.depot
HP-UX B.11.31 HPUXWS22ATW-B322-64.depot
HP-UX B.11.31 HPUXWS22ATW-B322-32.depot
MANUAL ACTIONS: Yes - Update
Install HP-UX Web Server Suite v3.22 or subsequent.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX Web Server Suite
HP-UX B.11.23
HP-UX B.11.31
==================
hpuxws22TOMCAT.TOMCAT
action: install revision B.5.5.35.01 or subsequent
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
action: install revision B.2.2.15.11 or subsequent
END AFFECTED VERSION
HISTORY
Version:1 (rev.1) - 06 February 2012 Initial release
Posljednje sigurnosne preporuke