All security vulnerabilities for products (includes EMC, open source, embedded 3rd party) are reported to our product development teams through our Product Security Office. The NetWorker team responded to a number of Apache related vulnerabilities. We have quite a few responses detailed in at least one knowledge base article (esg111120).
Can you provide any details on the specific vulnerability that is in question?
There were a series of vulnerabilities (CVE-2009-3720, CVE-2009-3560, CVE-2009-1623 CVE-2009-2068, CVE-2009-1452) published against Apache in the last year with the recommendation that an upgrade to Apache 2.2.15 be made. At this time, NetWorker is not exposed to any of these published vulnerabilities by our embedding of Apache Version 2.2.14 that we ship with NetWorker 7.5.3, or 7.6.1 and up. The reason for this statement is that the affected modules of Apache noted in the vulnerabilities are not enabled by NetWorker (at least in the above stated versions). We disable Apache mod_isapi which is where these vulnerabilities were reported.
If you happen to be on an earlier versions of NetWorker, you can follow the guidelines published in (esg111120) to disable mod_isapi. This precludes the need to upgrade to Apache 2.2.15. Or upgrade to NetWorker 7.5.3, 7.5.4 or 7.6.1. Doing either option saves an upgrade to Apache 2.2.15.
NetWorker Management Console, NetWorker Management Console for UNIX, NetWorker Management Console for Windows
Category(ies):
Documentation, Security
Status:
Approved
Creator:
Dunn, Debbie
Last Modifier:
Dunn, Debbie
Related Bugs:
SOLUTION
Symptom
What are the Apache Security Vulnerabilities and the potential impact to NetWorker Management Console (NMC)?
Resolution
NetWorker Management Console (NMC) currently embeds the Apache 2.2 httpd server software on Windows, Solaris, Linux, AIX and HP-UX.
NetWorker Version Apache httpd version embedded Operating System
7.5 2.2.8 HP-UX
7.5 SP1 2.2.8 HP-UX
7.5 2.2.9 Windows, Solaris, Linux, AIX
7.5 SP1 2.2.9 Windows, Solaris, Linux, AIX
7.5 SP2, SP3 2.2.9 Windows, Linux, AIX and HP-UX
7.5 SP2, SP3 2.2.14 Solaris
7.6 2.2.9 Windows, Linux, AIX and HP-UX
7.6 2.2.14 Solaris
7.6 SP1 2.2.13 Windows, Linux, AIX and HP-UX
7.6 SP1 2.2.14 Solaris
The following security vunerability list identifies each Apache server release that is embedded with NMC and includes statements that detail the potential impact of each vunerabiliy to NMC.
Analysis: mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.
CVE-2009-3560: expat DoS
Impact: No impact
Rating: Low
Analysis: mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.
CVE-2009-1623: apr_bridage_split_line DoS
Impact: No Impact
Rating: Low
Analysis: mod_reqtimeout is not loaded by Apache httpd embedded in NMC. Since the httpd server is used in a very limited way by NMC, it should not be impacted as per our analysis
CVE-2009-2068: detection flaw (mod_proxy_http)
Impact: No impact
Rating: Low
Analysis: mod_proxy_http is not loaded by Apache httpd embedded in NMC.
CVE-2009-1452: mod_cache and mod_dav DoS
Impact: No Impact
Rating: Low
Analysis: mod_cache and mod_dav are not loaded by Apache httpd embedded in NMC.
Apache Version: 2.2.9
esg11284 for details and the necessary Apache hotfix to resolve this issue.
CVE-2009-3094: mod_proxy_ftp DoS
Impact: No Impact Rating: Low
Analysis: mod_proxy is not loaded by the httpd packaged in NMC.
Analysis: mod_proxy is not loaded by the httpd packaged in NMC.
CVE-2009-2412: APR apr_palloc heap overflow
Impact: No Impact Rating: Low
Analysis: NMC only uses Apache HTTP Server itself, and does not make any apr_palloc() calls.
CVE-2009-1890: mod_proxy reverse proxy DoS
Impact:No Impact Rating: Important
Analysis: mod_proxy is not loaded by the httpd packaged in NMC.
CVE-2009-1191: mod_proxy_ajp information disclosure
Impact: No Impact Rating: Important
Analysis: mod_proxy_ajp is not loaded by the httpd packaged in NMC.
CVE-2009-1891: mod_deflate DoS
Impact: No Impact
Rating: Low
Analysis: mod_deflate is not loaded by the httpd packaged in NMC.
CVE-2009-1195: AllowOverride Options handling bypass Impact: No Impact
Rating: Low
Analysis: This only happens when the configuration file has "AllowOverride" arguments with certain "Options=" arguments. The httpd configuration file packaged by NMC does NOT include "Options=" arguments for the "AllowOverride" directive.
CVE-2009-1955: APR-util XML DoS Impact: No Impact
Rating: Moderate
Analysis: The DoS can be caused by using mod_dav and mod_dav_svn to craft a specifically formatted xml document. mod_dav and mod_dav_svn are not loaded by httpd embedded by NMC.
CVE-2009-1956: APR-util off-by-one overflow
Impact: No Impact
Rating: Moderate
Analysis: This might occur if the APR-util library is used by mod_dav_svn or mod_dav or thorugh server configuration files. These modules are not loaded by the httpd packaged with NMC.
CVE-2009-0023: APR-util heap underwrite
Impact: No Impact
Rating: Moderate
Analysis: This can cause httpd to crash when a crafted input is sent via either of the following: 1) .htaccess file
2) mod_dav_svn module
3) mod_apreq2
4) Application that uses libapreq2 library. httd packaged in NMC does not do not use these input mechanisms.
CVE-2008-2939: mod_proxy_ftp globbing XSS
Impact:No Impact Rating: Low
Analysis: mod_proxy_ftp is not loaded by httpd packaged in NMC.
CVE-2009-3720: expat DoS
Impact: No impact
Rating: Low
Analysis: mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.
CVE-2009-3560: expat DoS
Impact: No impact
Rating: Low
Analysis: mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.
CVE-2009-1623: apr_bridage_split_line DoS
Impact: No Impact
Rating: Low
Analysis: mod_reqtimeout is not loaded by Apache httpd embedded in NMC. Since the httpd server is used in a very limited way by NMC, it should not be impacted as per our analysis
CVE-2009-2068: detection flaw (mod_proxy_http)
Impact: No impact
Rating: Low
Analysis: mod_proxy_http is not loaded by Apache httpd embedded in NMC.
CVE-2009-1452: mod_cache and mod_dav DoS
Impact: No Impact
Rating: Low
Analysis: mod_cache and mod_dav are not loaded by Apache httpd embedded in NMC.
Analysis: mod_proxy_ajp is not loaded by Apache httpd embedded in NMC.
CVE-2010-0434: Subrequest handling of request headers (mod_headers)
Impact: No Impact
Rating: Low
Analysis: mod_headers is not loaded by Apache httpd embedded in NMC.
CVE-2009-3720: expat DoS
Impact: No impact
Rating: Low
Analysis: mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.
CVE-2009-3560: expat DoS
Impact: No impact
Rating: Low
Analysis: mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.
CVE-2009-1623: apr_bridage_split_line DoS
Impact: No Impact
Rating: Low
Analysis: mod_reqtimeout is not loaded by Apache httpd embedded in NMC. Since the httpd server is used in a very limited way by NMC, it should not be impacted as per our analysis
CVE-2009-2068: detection flaw (mod_proxy_http)
Impact: No impact
Rating: Low
Analysis: mod_proxy_http is not loaded by Apache httpd embedded in NMC.
CVE-2009-1452: mod_cache and mod_dav DoS
Impact: No Impact
Rating: Low
Analysis: mod_cache and mod_dav are not loaded by Apache httpd embedded in NMC.
AllanW1
334 Posts
0
December 9th, 2010 07:00
Hi Tom,
All security vulnerabilities for products (includes EMC, open source, embedded 3rd party) are reported to our product development teams through our Product Security Office. The NetWorker team responded to a number of Apache related vulnerabilities. We have quite a few responses detailed in at least one knowledge base article (esg111120).
Can you provide any details on the specific vulnerability that is in question?
There were a series of vulnerabilities (CVE-2009-3720, CVE-2009-3560, CVE-2009-1623 CVE-2009-2068, CVE-2009-1452) published against Apache in the last year with the recommendation that an upgrade to Apache 2.2.15 be made. At this time, NetWorker is not exposed to any of these published vulnerabilities by our embedding of Apache Version 2.2.14 that we ship with NetWorker 7.5.3, or 7.6.1 and up. The reason for this statement is that the affected modules of Apache noted in the vulnerabilities are not enabled by NetWorker (at least in the above stated versions). We disable Apache mod_isapi which is where these vulnerabilities were reported.
If you happen to be on an earlier versions of NetWorker, you can follow the guidelines published in (esg111120) to disable mod_isapi. This precludes the need to upgrade to Apache 2.2.15. Or upgrade to NetWorker 7.5.3, 7.5.4 or 7.6.1. Doing either option saves an upgrade to Apache 2.2.15.
Hope this helps!
Allan
AllanW1
334 Posts
0
December 9th, 2010 11:00
Yep- It is mentioned in esg111120. Here's the link for others so you dont have to search: esg111120.
NW8oldtimer
17 Posts
0
December 9th, 2010 11:00
Thanks for the info (and prompt response!)…
The vulnerability we are concerned with is CVE-2010-0434
AllanW1
334 Posts
0
December 9th, 2010 13:00
It's Powerlink fun!
Symptom
What are the Apache Security Vulnerabilities and the potential impact to NetWorker Management Console (NMC)?
Resolution
NetWorker Management Console (NMC) currently embeds the Apache 2.2 httpd server software on Windows, Solaris, Linux, AIX and HP-UX.
NetWorker Version Apache httpd version embedded Operating System
7.5 2.2.8 HP-UX
7.5 SP1 2.2.8 HP-UX
7.5 2.2.9 Windows, Solaris, Linux, AIX
7.5 SP1 2.2.9 Windows, Solaris, Linux, AIX
7.5 SP2, SP3 2.2.9 Windows, Linux, AIX and HP-UX
7.5 SP2, SP3 2.2.14 Solaris
7.6 2.2.9 Windows, Linux, AIX and HP-UX
7.6 2.2.14 Solaris
7.6 SP1 2.2.13 Windows, Linux, AIX and HP-UX
7.6 SP1 2.2.14 Solaris
The following security vunerability list identifies each Apache server release that is embedded with NMC and includes statements that detail the potential impact of each vunerabiliy to NMC.
For more imformation about each vunerability, refer to the Apache web site at: http://httpd.apache.org/security/vulnerabilities_22.html
Apache Version: 2.2.8
Apache Version: 2.2.9
Apache Version: 2.2.14
NMC version: 7.5 SP2, 7.5 SP3, 7.6
Operating Systems: Solaris
NW8oldtimer
17 Posts
0
December 9th, 2010 13:00
Can’t seem to open that site or document…
NW8oldtimer
17 Posts
0
December 9th, 2010 13:00
Never mind – I got it!
Thanks!!