Several security vulnerabilities have been identified and fixed in the Apache web server. Malicious users could exploit them to execute arbitrary program code, mount a DoS attack and gain elevated privileges.
Package: Apache 2.x
Operating systems: HP-UX 11.x
Severity: 6.9
Problem: error in a program function, error in a program component
Exploitation: local/remote
Consequence: privilege escalation, arbitrary code execution, denial of service (DoS)
Errors were found in the implementation of the file upload component, in the "envvars" and "sapi/cgi/cgi_main.c" components, and in the "zend_strndup" and "php_register_variable_ex" functions.
Consequence:
Potential attackers could exploit these flaws for arbitrary code execution, a denial-of-service (DoS) attack and privilege escalation.
Solution:
Applying the vendor's official fixes is advised.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03368475
Version: 1
HPSBUX02791 SSRT100856 rev.1 - HP-UX Apache Web Server running PHP, Remote Execution of Arbitrary Code, Privilege Elevation, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-06-14
Last Updated: 2012-06-14
Potential Security Impact: Remote execution of arbitrary code, privilege elevation, or Denial of Service (DoS).
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Apache Web Server running PHP. These vulnerabilities could be exploited remotely to execute arbitrary code, elevate privileges, or create a Denial of Service (DoS). PHP is contained in the HP-UX Apache Web Server Suite.
References: CVE-2011-4153, CVE-2012-0830, CVE-2012-0883, CVE-2012-1172, CVE-2012-1823, CVE-2012-2311
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running HP-UX Apache Web Server Suite v3.24 or earlier
BACKGROUND
For a PGP signed version of this security bulletin please write to: [e-mail address obscured by the page's spam-protection script]
Reference      Base Vector                    Base Score
CVE-2011-4153  (AV:N/AC:L/Au:N/C:N/I:N/A:P)   5.0
CVE-2012-0830  (AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
CVE-2012-0883  (AV:L/AC:M/Au:N/C:C/I:C/A:C)   6.9
CVE-2012-1172  (AV:N/AC:M/Au:N/C:N/I:P/A:P)   5.8
CVE-2012-1823  (AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
CVE-2012-2311  (AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has provided the following software updates to resolve the vulnerabilities.
The updates are available for download from http://software.hp.com
HP-UX Web Server Suite v.3.24 containing Apache v2.2.15.13 and PHP v5.2.17
HP-UX 11i Release   Apache Depot name
B.11.23 (32-bit)    HPUXWS22ATW-B324-32
B.11.23 (64-bit)    HPUXWS22ATW-B324-64
B.11.31 (32-bit)    HPUXWS22ATW-B324-32
B.11.31 (64-bit)    HPUXWS22ATW-B324-64
MANUAL ACTIONS: Yes - Update
Install HP-UX Web Server Suite v3.24 or subsequent.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
HP-UX Web Server Suite v3.24
AFFECTED VERSIONS
HP-UX B.11.23
=============
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP
hpuxws22APACHE.PHP2
hpuxws22APACHE.WEBPROXY
hpuxws22APACHE.WEBPROXY2
action: install revision B.2.2.15.13 or subsequent
HP-UX B.11.31
=============
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP
hpuxws22APACHE.PHP2
hpuxws22APACHE.WEBPROXY
hpuxws22APACHE.WEBPROXY2
action: install revision B.2.2.15.13 or subsequent
END AFFECTED VERSIONS
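An added audit check for the "action: install revision B.2.2.15.13 or subsequent" lines above, written for this page and not part of the HP bulletin or the advisory: it parses an AFFECTED VERSIONS block and flags installed filesets whose revision is older than the fixed one, comparing revision components numerically rather than as strings. The swlist-style inventory and its column layout are constructed assumptions; on a real host the inventory would come from swlist.

```python
import re

# AFFECTED VERSIONS block from the bulletin, abridged to three filesets.
AFFECTED_TEXT = """\
hpuxws22APACHE.APACHE
hpuxws22APACHE.PHP
hpuxws22APACHE.MOD_JK
action: install revision B.2.2.15.13 or subsequent
"""

# Constructed swlist-style inventory (fileset, revision, title); column layout assumed.
SWLIST_OUTPUT = """\
  hpuxws22APACHE.APACHE   B.2.2.15.12   HP-UX Apache-based Web Server
  hpuxws22APACHE.PHP      B.2.2.15.13   HP-UX Apache-based Web Server PHP
  hpuxws22APACHE.MOD_JK   B.2.2.8.1     HP-UX Apache-based Web Server MOD_JK
"""

def revision_key(rev):
    """'B.2.2.15.13' -> ('B', 2, 2, 15, 13): components compare numerically,
    whereas a plain string compare would rank B.2.2.8.1 above B.2.2.15.13."""
    letter, *nums = rev.split(".")
    return (letter, *map(int, nums))

def parse_affected(text):
    """Return (set of fileset names, fixed revision) from an AFFECTED VERSIONS block."""
    filesets, fixed = set(), None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"action:\s+install revision (\S+) or subsequent", line)
        if m:
            fixed = m.group(1)
        elif re.fullmatch(r"\w+\.\w+", line):  # e.g. hpuxws22APACHE.PHP
            filesets.add(line)
    return filesets, fixed

def parse_swlist(text):
    """Return {fileset: revision} from 'fileset revision title' inventory lines."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and "." in parts[0]:
            installed[parts[0]] = parts[1]
    return installed

def vulnerable_filesets(affected_text, swlist_text):
    """Installed filesets named in the bulletin whose revision is below the fix."""
    filesets, fixed = parse_affected(affected_text)
    return sorted(name for name, rev in parse_swlist(swlist_text).items()
                  if name in filesets and revision_key(rev) < revision_key(fixed))
```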
HISTORY
Version:1 (rev.1) - 14 June 2012 Initial release