
December 8th, 2010 15:00

Apache version in Networker

Our security identified a problem with older versions of Apache and wants me to upgrade to v2.2.15 or higher...

I took this opportunity to upgrade Networker to v7.6.SP1 (UNIX), but this only brought Apache (httpd) to v2.2.14...

How do I get it to meet our security needs?

334 Posts

December 9th, 2010 07:00

Hi Tom,

All security vulnerabilities for products (includes EMC, open source, embedded 3rd party) are reported to our product development teams through our Product Security Office.  The NetWorker team responded to a number of Apache related vulnerabilities.  We have quite a few responses detailed in at least one knowledge base article (esg111120).

Can you provide any details on the specific vulnerability that is in question?

There were a series of vulnerabilities (CVE-2009-3720, CVE-2009-3560, CVE-2009-1623 CVE-2009-2068, CVE-2009-1452) published against Apache in the last year with the recommendation that an upgrade to Apache 2.2.15 be made.  At this time, NetWorker is not exposed to any of these published vulnerabilities by our embedding of Apache Version 2.2.14 that we ship with NetWorker 7.5.3, or 7.6.1 and up.   The reason for this statement is that the affected modules of Apache noted in the vulnerabilities are not enabled by NetWorker (at least in the above stated versions).  We disable Apache mod_isapi which is where these vulnerabilities were reported.

If you happen to be on an earlier version of NetWorker, you can follow the guidelines published in (esg111120) to disable mod_isapi. This precludes the need to upgrade to Apache 2.2.15.  Or upgrade to NetWorker 7.5.3, 7.5.4 or 7.6.1. Doing either option saves an upgrade to Apache 2.2.15.

Hope this helps!

Allan

334 Posts

December 9th, 2010 11:00

Yep - it is mentioned in esg111120.  Here's the link for others so you don't have to search: esg111120.

17 Posts

December 9th, 2010 11:00

Thanks for the info (and prompt response!)…

The vulnerability we are concerned with is CVE-2010-0434

334 Posts

December 9th, 2010 13:00

It's Powerlink fun!

Apache Security Vulnerabilities and details on potential impact to NMC.
ID: esg111120
Use Count: 7
Solve Count: 0
Date Created: 02/03/2010
Date Modified: 12/07/2010
Related SRs: 36830598, 35505232, 34327528, 34272988, 33940570, 33584900, 33119994
Product(s): NetWorker Management Console, NetWorker Management Console for UNIX, NetWorker Management Console for Windows
Category(ies): Documentation, Security
Status: Approved
Creator: Dunn, Debbie
Last Modifier: Dunn, Debbie
Related Bugs:
SOLUTION

Symptom

What are the Apache Security Vulnerabilities and the potential impact to NetWorker Management Console (NMC)?

Resolution

NetWorker Management Console (NMC) currently embeds the Apache 2.2 httpd server software on Windows, Solaris, Linux, AIX and HP-UX.

NetWorker Version   Apache httpd version embedded   Operating System
7.5                 2.2.8                           HP-UX
7.5 SP1             2.2.8                           HP-UX
7.5                 2.2.9                           Windows, Solaris, Linux, AIX
7.5 SP1             2.2.9                           Windows, Solaris, Linux, AIX
7.5 SP2, SP3        2.2.9                           Windows, Linux, AIX and HP-UX
7.5 SP2, SP3        2.2.14                          Solaris
7.6                 2.2.9                           Windows, Linux, AIX and HP-UX
7.6                 2.2.14                          Solaris
7.6 SP1             2.2.13                          Windows, Linux, AIX and HP-UX
7.6 SP1             2.2.14                          Solaris

The following security vulnerability list identifies each Apache server release that is embedded with NMC and includes statements that detail the potential impact of each vulnerability to NMC.

For more information about each vulnerability, refer to the Apache web site at:  http://httpd.apache.org/security/vulnerabilities_22.html

Apache Version: 2.2.8

CVE-2009-3720:  expat DoS

Impact: No impact

Rating: Low

Analysis:   mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.

CVE-2009-3560:  expat DoS

Impact: No impact

Rating: Low

Analysis:   mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.

CVE-2009-1623:  apr_brigade_split_line DoS

Impact: No Impact

Rating: Low

Analysis:   mod_reqtimeout is not loaded by Apache httpd embedded in NMC. Since the httpd server is used in a very limited way by NMC, it should not be impacted as per our analysis.

CVE-2009-2068:  detection flaw (mod_proxy_http)

Impact: No impact

Rating: Low

Analysis:   mod_proxy_http  is not loaded by Apache httpd embedded in NMC.

CVE-2009-1452:  mod_cache and mod_dav DoS

Impact: No Impact

Rating: Low

Analysis:   mod_cache and mod_dav are not loaded by Apache httpd embedded in NMC.

Apache Version: 2.2.9

esg11284 for details and the necessary Apache hotfix to resolve this issue.

CVE-2009-3094: mod_proxy_ftp DoS

Impact: No Impact
Rating: Low

Analysis: mod_proxy is not loaded by the httpd packaged in NMC.

CVE-2009-3095: mod_proxy_ftp FTP command injection

Impact: No Impact
Rating: Low

Analysis: mod_proxy is not loaded by the httpd packaged in NMC.

CVE-2009-2412: APR apr_palloc heap overflow

Impact: No Impact
Rating: Low

Analysis: NMC only uses Apache HTTP Server itself, and does not make any apr_palloc() calls.

CVE-2009-1890: mod_proxy reverse proxy DoS

Impact: No Impact
Rating: Important

Analysis: mod_proxy is not loaded by the httpd packaged in NMC.

CVE-2009-1191: mod_proxy_ajp information disclosure

Impact: No Impact
Rating: Important

Analysis: mod_proxy_ajp is not loaded by the httpd packaged in NMC.

CVE-2009-1891: mod_deflate DoS

Impact: No Impact

Rating: Low

Analysis: mod_deflate is not loaded by the httpd packaged in NMC.

CVE-2009-1195: AllowOverride Options handling bypass
Impact: No Impact

Rating: Low

Analysis: This only happens when the configuration file has "AllowOverride" arguments with certain "Options=" arguments.
The httpd configuration file packaged by NMC does NOT include "Options=" arguments for the "AllowOverride" directive.

CVE-2009-1955: APR-util XML DoS
Impact: No Impact

Rating: Moderate

Analysis: The DoS can be caused by using mod_dav and mod_dav_svn to craft a specifically formatted xml document.
mod_dav and mod_dav_svn are not loaded by httpd embedded by NMC.

CVE-2009-1956: APR-util off-by-one overflow

Impact: No Impact

Rating: Moderate

Analysis: This might occur if the APR-util library is used by mod_dav_svn or mod_dav or through server configuration files.
These modules are not loaded by the httpd packaged with NMC.

CVE-2009-0023: APR-util heap underwrite

Impact: No Impact

Rating: Moderate

Analysis: This can cause httpd to crash when a crafted input is sent via any of the following:
1) .htaccess file
2) mod_dav_svn module
3) mod_apreq2
4) Application that uses the libapreq2 library.
httpd packaged in NMC does not use these input mechanisms.

CVE-2008-2939: mod_proxy_ftp globbing XSS

Impact: No Impact
Rating: Low

Analysis: mod_proxy_ftp is not loaded by httpd packaged in NMC.

CVE-2009-3720:  expat DoS

Impact: No impact

Rating: Low

Analysis:   mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.

CVE-2009-3560:  expat DoS

Impact: No impact

Rating: Low

Analysis:   mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.

CVE-2009-1623:  apr_brigade_split_line DoS

Impact: No Impact

Rating: Low

Analysis:   mod_reqtimeout is not loaded by Apache httpd embedded in NMC. Since the httpd server is used in a very limited way by NMC, it should not be impacted as per our analysis.

CVE-2009-2068:  detection flaw (mod_proxy_http)

Impact: No impact

Rating: Low

Analysis:   mod_proxy_http  is not loaded by Apache httpd embedded in NMC.

CVE-2009-1452:  mod_cache and mod_dav DoS

Impact: No Impact

Rating: Low

Analysis:   mod_cache and mod_dav are not loaded by Apache httpd embedded in NMC.

Apache Version: 2.2.14

NMC version:  7.5 SP2, 7.5 SP3, 7.6

Operating Systems:  Solaris

CVE-2010-2068: mod_proxy_http - httpd Timeout detection flaw

Impact: No impact

Rating: Low

CVE-2010-0408:  mod_proxy_ajp DoS

Impact: No Impact

Rating: Moderate

Analysis:   mod_proxy_ajp is not loaded by Apache httpd embedded in NMC.

CVE-2010-0434: Subrequest handling of request headers (mod_headers)

Impact: No Impact

Rating: Low

Analysis: mod_headers is not loaded by Apache httpd embedded in NMC.

CVE-2009-3720:  expat DoS

Impact: No impact

Rating: Low

Analysis:   mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.

CVE-2009-3560:  expat DoS

Impact: No impact

Rating: Low

Analysis:   mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.

CVE-2009-1623:  apr_brigade_split_line DoS

Impact: No Impact

Rating: Low

Analysis:   mod_reqtimeout is not loaded by Apache httpd embedded in NMC. Since the httpd server is used in a very limited way by NMC, it should not be impacted as per our analysis.

CVE-2009-2068:  detection flaw (mod_proxy_http)

Impact: No impact

Rating: Low

Analysis:   mod_proxy_http  is not loaded by Apache httpd embedded in NMC.

CVE-2009-1452:  mod_cache and mod_dav DoS

Impact: No Impact

Rating: Low

Analysis:   mod_cache and mod_dav are not loaded by Apache httpd embedded in NMC.
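The KB article's "No Impact" verdicts all rest on one test: is the module the CVE lives in actually loaded (or, for CVE-2009-1195, does AllowOverride carry an Options= argument)? Here is that test written out as a script you can run against your own httpd.conf. It is an added example, not code from EMC or the KB; the CVE-to-module map is taken from the entries above, and SAMPLE_CONF is a constructed configuration, not a real NMC file.

```python
import re

# Each CVE from the KB article mapped to the httpd module(s) it needs loaded.
CVE_MODULES = {
    "CVE-2009-3720": {"mod_dav"},
    "CVE-2009-3560": {"mod_dav"},
    "CVE-2009-1623": {"mod_reqtimeout"},
    "CVE-2009-1452": {"mod_cache", "mod_dav"},
    "CVE-2009-3094": {"mod_proxy_ftp"},
    "CVE-2009-3095": {"mod_proxy_ftp"},
    "CVE-2009-1890": {"mod_proxy"},
    "CVE-2009-1191": {"mod_proxy_ajp"},
    "CVE-2009-1891": {"mod_deflate"},
    "CVE-2010-2068": {"mod_proxy_http"},
    "CVE-2010-0408": {"mod_proxy_ajp"},
    "CVE-2010-0434": {"mod_headers"},
}

# Active LoadModule lines only: a leading "#" makes the match fail, as intended.
LOADMODULE = re.compile(r"^\s*LoadModule\s+\S+\s+(\S+)", re.IGNORECASE)
# CVE-2009-1195 depends on a directive, not a module (see the KB analysis).
ALLOWOVERRIDE_OPTIONS = re.compile(r"^\s*AllowOverride\b.*\bOptions=", re.IGNORECASE)

def loaded_modules(conf):
    """Return the set of mod_* names loaded by an httpd.conf text."""
    mods = set()
    for line in conf.splitlines():
        m = LOADMODULE.match(line)
        if m:  # "modules/mod_dav.so" -> "mod_dav"
            mods.add(m.group(1).replace("\\", "/").rsplit("/", 1)[-1].split(".")[0])
    return mods

def exposed_cves(conf):
    """CVEs from the KB list whose precondition this configuration actually meets."""
    mods = loaded_modules(conf)
    hits = [cve for cve, needed in CVE_MODULES.items() if mods & needed]
    if any(ALLOWOVERRIDE_OPTIONS.match(l) for l in conf.splitlines()):
        hits.append("CVE-2009-1195")
    return sorted(hits)

# Constructed sample, not an NMC file: dav/proxy/isapi disabled, mod_headers active.
SAMPLE_CONF = """\
LoadModule headers_module modules/mod_headers.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule isapi_module modules/mod_isapi.so
<Directory "/opt/nmc/htdocs">
    AllowOverride AuthConfig
</Directory>
"""
```

Run exposed_cves() on the real file rather than trusting the shipped defaults: a single uncommented LoadModule (here mod_headers) is enough to bring one of the "No Impact" CVEs back into scope.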

17 Posts

December 9th, 2010 13:00

Can’t seem to open that site or document…

17 Posts

December 9th, 2010 13:00

Never mind – I got it!

Thanks!!
