TomConway1
1 Copper

Apache version in Networker

Our security identified a problem with older versions of Apache and wants me to upgrade to v2.2.15 or higher...

I took this opportunity to upgrade Networker to v7.6.SP1 (UNIX), but this only brought Apache (httpd) to v2.2.14...

How do I get it to meet our security needs?

0 Kudos
6 Replies
AllanW1
3 Argentium

Re: Apache version in Networker

Hi Tom,

All security vulnerabilities for products (includes EMC, open source, embedded 3rd party) are reported to our product development teams through our Product Security Office.  The NetWorker team responded to a number of Apache related vulnerabilities.  We have quite a few responses detailed in at least one knowledge base article (esg111120).

Can you provide any details on the specific vulnerability that is in question?

There were a series of vulnerabilities (CVE-2009-3720, CVE-2009-3560, CVE-2009-1623, CVE-2009-2068, CVE-2009-1452) published against Apache in the last year with the recommendation that an upgrade to Apache 2.2.15 be made. At this time, NetWorker is not exposed to any of these published vulnerabilities by our embedding of Apache Version 2.2.14 that we ship with NetWorker 7.5.3, or 7.6.1 and up. The reason for this statement is that the affected modules of Apache noted in the vulnerabilities are not enabled by NetWorker (at least in the above stated versions). We disable Apache mod_isapi which is where these vulnerabilities were reported.

If you happen to be on an earlier version of NetWorker, you can follow the guidelines published in (esg111120) to disable mod_isapi. This precludes the need to upgrade to Apache 2.2.15. Or upgrade to NetWorker 7.5.3, 7.5.4 or 7.6.1. Doing either option saves an upgrade to Apache 2.2.15.

Hope this helps!

Allan

0 Kudos
TomConway1
1 Copper

Re: Apache version in Networker

Thanks for the info (and prompt response!)…

The vulnerability we are concerned with is CVE-2010-0434

0 Kudos
AllanW1
3 Argentium

Re: Apache version in Networker

Yep - it is mentioned in esg111120. Here's the link for others so you don't have to search: esg111120.

0 Kudos
TomConway1
1 Copper

Re: Apache version in Networker

Can’t seem to open that site or document…

0 Kudos
TomConway1
1 Copper

Re: Apache version in Networker

Never mind – I got it!

Thanks!!

0 Kudos
AllanW1
3 Argentium

Re: Apache version in Networker

It's Powerlink fun!

Apache Security Vulnerabilities and details on potential impact to NMC.
ID:esg111120
Use Count:7
Solve Count:0
Date Created:02/03/2010
Date Modified:12/07/2010
Related SRs:36830598, 35505232, 34327528, 34272988, 33940570, 33584900, 33119994
Product(s):NetWorker Management Console, NetWorker Management Console for UNIX, NetWorker Management Console for Windows
Category(ies):Documentation, Security
Status:Approved
Creator:Dunn, Debbie
Last Modifier:Dunn, Debbie
Related Bugs:
SOLUTION

Symptom

What are the Apache Security Vulnerabilities and the potential impact to NetWorker Management Console (NMC)?

Resolution

NetWorker Management Console (NMC) currently embeds the Apache 2.2 httpd server software on Windows, Solaris, Linux, AIX and HP-UX.

NetWorker Version    Apache httpd version embedded    Operating System
7.5                  2.2.8                            HP-UX
7.5 SP1              2.2.8                            HP-UX
7.5                  2.2.9                            Windows, Solaris, Linux, AIX
7.5 SP1              2.2.9                            Windows, Solaris, Linux, AIX
7.5 SP2, SP3         2.2.9                            Windows, Linux, AIX and HP-UX
7.5 SP2, SP3         2.2.14                           Solaris
7.6                  2.2.9                            Windows, Linux, AIX and HP-UX
7.6                  2.2.14                           Solaris
7.6 SP1              2.2.13                           Windows, Linux, AIX and HP-UX
7.6 SP1              2.2.14                           Solaris

The following security vulnerability list identifies each Apache server release that is embedded with NMC and includes statements that detail the potential impact of each vulnerability to NMC.

For more information about each vulnerability, refer to the Apache web site at: http://httpd.apache.org/security/vulnerabilities_22.html

Apache Version: 2.2.8

NMC version: 7.5, 7.5 SP1

Operating Systems: HP-UX

CVE-2007-6420: mod_proxy_balancer CSRF

Impact: No Impact

Rating: Low

Analysis:  mod_proxy is not loaded by the httpd packaged in NMC.

CVE-2008-2364: mod_proxy_http DoS

Impact: No Impact
Rating: Moderate

Analysis: mod_proxy is not loaded by the httpd packaged in NMC.

Note: The Apache 2.2.8 server also includes the vulnerabilities listed under Apache Version 2.2.9.

CVE-2009-3720:  expat DoS

Impact: No impact

Rating: Low

Analysis:   mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.

CVE-2009-3560:  expat DoS

Impact: No impact

Rating: Low

Analysis:   mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.

CVE-2009-1623: apr_brigade_split_line DoS

Impact: No Impact

Rating: Low

Analysis: mod_reqtimeout is not loaded by Apache httpd embedded in NMC. Since the httpd server is used in a very limited way by NMC, it should not be impacted as per our analysis.

CVE-2009-2068:  detection flaw (mod_proxy_http)

Impact: No impact

Rating: Low

Analysis:   mod_proxy_http  is not loaded by Apache httpd embedded in NMC.

CVE-2009-1452:  mod_cache and mod_dav DoS

Impact: No Impact

Rating: Low

Analysis:   mod_cache and mod_dav are not loaded by Apache httpd embedded in NMC.

Apache Version: 2.2.9

NMC version: 7.5, 7.5 SP1, 7.5 SP2, 7.5 SP3

Operating Systems: Windows, Linux, AIX, Solaris (7.5 & 7.5 SP1 only).

CVE-2010-2068 mod_proxy_http - httpd Timeout detection flaw

Impact: No impact

Rating: low

Analysis: mod_proxy is not loaded by the httpd packaged in NMC

CVE-2010-0408:  mod_proxy_ajp DoS

Impact: No Impact

Rating: Moderate

Analysis:   mod_proxy_ajp is not loaded by Apache httpd embedded in NMC.

CVE-2010-0434: Subrequest handling of request headers (mod_headers)

Impact: No Impact

Rating: Low

Analysis: mod_headers is not loaded by Apache httpd embedded in NMC.

CVE-2010-0425: mod_isapi module unload flaw

Impact: No impact

Rating: Important

**Note: this vulnerability applies to Windows servers only and does not apply to 7.5 SP3 which disables mod_isapi by default.

Analysis: mod_isapi is loaded by Apache httpd embedded in NMC Windows but no ISAPI extensions are loaded by NMC. The embedded httpd in NMC is not affected. This issue has been resolved in Apache version 2.2.15. If desired, upgrade the Apache server to 2.2.15 or, alternatively, NMC's Apache httpd can be configured to not load mod_isapi through the following steps:

1. Stop the EMC gstd web server via the Services panel.

2. Open the <NMC install dir>\apache\conf\httpd.conf (c:\Program Files\Legato\Management\GST\apache\conf\httpd.conf by default) file in notepad.

4. Comment the line:

LoadModule isapi_module modules/mod_isapi.so

by putting '#' in front, e.g.

#LoadModule isapi_module modules/mod_isapi.so

5. Save the file and start the NMC server's EMC gstd web service.

CVE-2009-2699: mod_proxy_ftp DoS

Impact: Yes - Solaris Only

Rating: Low

Analysis: Refer to esg11284 for details and the necessary Apache hotfix to resolve this issue.

CVE-2009-3094: mod_proxy_ftp DoS

Impact: No Impact
Rating: Low

Analysis: mod_proxy is not loaded by the httpd packaged in NMC.

CVE-2009-3095: mod_proxy_ftp FTP command injection

Impact: No Impact
Rating: Low

Analysis: mod_proxy is not loaded by the httpd packaged in NMC.

CVE-2009-2412: APR apr_palloc heap overflow

Impact: No Impact
Rating: Low

Analysis: NMC only uses Apache HTTP Server itself, and does not make any apr_palloc() calls.

CVE-2009-1890: mod_proxy reverse proxy DoS

Impact: No Impact
Rating: Important

Analysis: mod_proxy is not loaded by the httpd packaged in NMC.

CVE-2009-1191: mod_proxy_ajp information disclosure

Impact: No Impact
Rating: Important

Analysis: mod_proxy_ajp is not loaded by the httpd packaged in NMC.

CVE-2009-1891: mod_deflate DoS

Impact: No Impact

Rating: Low

Analysis: mod_deflate is not loaded by the httpd packaged in NMC.

CVE-2009-1195: AllowOverride Options handling bypass
Impact: No Impact

Rating: Low

Analysis: This only happens when the configuration file has "AllowOverride" arguments with certain "Options=" arguments.
The httpd configuration file packaged by NMC does NOT include "Options=" arguments for the "AllowOverride" directive.

CVE-2009-1955: APR-util XML DoS
Impact: No Impact

Rating: Moderate

Analysis: The DoS can be caused by using mod_dav and mod_dav_svn to craft a specifically formatted xml document.
mod_dav and mod_dav_svn are not loaded by httpd embedded by NMC.

CVE-2009-1956: APR-util off-by-one overflow

Impact: No Impact

Rating: Moderate

Analysis: This might occur if the APR-util library is used by mod_dav_svn or mod_dav or through server configuration files.
These modules are not loaded by the httpd packaged with NMC.

CVE-2009-0023: APR-util heap underwrite

Impact: No Impact

Rating: Moderate

Analysis: This can cause httpd to crash when a crafted input is sent via either of the following:
1) .htaccess file

2) mod_dav_svn module

3) mod_apreq2

4) Application that uses libapreq2 library.

httpd packaged in NMC does not use these input mechanisms.

CVE-2008-2939: mod_proxy_ftp globbing XSS

Impact: No Impact
Rating: Low

Analysis: mod_proxy_ftp is not loaded by httpd packaged in NMC.

CVE-2009-3720:  expat DoS

Impact: No impact

Rating: Low

Analysis:   mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.

CVE-2009-3560:  expat DoS

Impact: No impact

Rating: Low

Analysis:   mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.

CVE-2009-1623: apr_brigade_split_line DoS

Impact: No Impact

Rating: Low

Analysis: mod_reqtimeout is not loaded by Apache httpd embedded in NMC. Since the httpd server is used in a very limited way by NMC, it should not be impacted as per our analysis.

CVE-2009-2068:  detection flaw (mod_proxy_http)

Impact: No impact

Rating: Low

Analysis:   mod_proxy_http  is not loaded by Apache httpd embedded in NMC.

CVE-2009-1452:  mod_cache and mod_dav DoS

Impact: No Impact

Rating: Low

Analysis:   mod_cache and mod_dav are not loaded by Apache httpd embedded in NMC.

Apache Version: 2.2.14

NMC version: 7.5 SP2, 7.5 SP3, 7.6

Operating Systems: Solaris

CVE-2010-2068 mod_proxy_http - httpd Timeout detection flaw

Impact: No impact

Rating: low

Analysis: mod_proxy is not loaded by the httpd packaged in NMC

CVE-2010-0408:  mod_proxy_ajp DoS

Impact: No Impact

Rating: Moderate

Analysis:   mod_proxy_ajp is not loaded by Apache httpd embedded in NMC.

CVE-2010-0434: Subrequest handling of request headers (mod_headers)

Impact: No Impact

Rating: Low

Analysis: mod_headers is not loaded by Apache httpd embedded in NMC.

CVE-2009-3720:  expat DoS

Impact: No impact

Rating: Low

Analysis:   mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.

CVE-2009-3560:  expat DoS

Impact: No impact

Rating: Low

Analysis:   mod_dav is not loaded by Apache httpd embedded in NMC. NMC's Apache httpd is used only for downloading the jar files and no untrusted xml documents are parsed by the httpd server.

CVE-2009-1623: apr_brigade_split_line DoS

Impact: No Impact

Rating: Low

Analysis: mod_reqtimeout is not loaded by Apache httpd embedded in NMC. Since the httpd server is used in a very limited way by NMC, it should not be impacted as per our analysis.

CVE-2009-2068:  detection flaw (mod_proxy_http)

Impact: No impact

Rating: Low

Analysis:   mod_proxy_http  is not loaded by Apache httpd embedded in NMC.

CVE-2009-1452:  mod_cache and mod_dav DoS

Impact: No Impact

Rating: Low

Analysis:   mod_cache and mod_dav are not loaded by Apache httpd embedded in NMC.

0 Kudos
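
The KB article's "module is not loaded" analyses can be checked against a given httpd.conf. The following is an added example, not part of the thread or of the EMC article: it lists the active LoadModule lines and reports which of the article's CVEs name a module that is still loaded. The function names, the sample configuration and the CVE subset are constructed for illustration; it reads a single file only, so modules compiled into the binary (shown by `httpd -l`) or pulled in through Include files are outside what it sees.

```python
import re

# Subset of the CVE -> module analysis transcribed from esg111120 as quoted above.
KB_CVE_MODULES = {
    "CVE-2010-0434": {"mod_headers"},
    "CVE-2010-0425": {"mod_isapi"},
    "CVE-2010-0408": {"mod_proxy_ajp"},
    "CVE-2009-1891": {"mod_deflate"},
    "CVE-2009-1452": {"mod_cache", "mod_dav"},
    "CVE-2009-1890": {"mod_proxy"},
}

# Directive names are case-insensitive; a leading '#' turns the line into a comment,
# so commented-out LoadModule lines never match.
LOADMODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)


def loaded_modules(conf_text):
    """Return the module file names (mod_xxx) of all active LoadModule lines."""
    mods = set()
    for line in conf_text.splitlines():
        m = LOADMODULE.match(line)
        if m:
            path = m.group(2).strip('"')
            filename = re.split(r"[\\/]", path)[-1]      # handles / and \ separators
            mods.add(filename.rsplit(".", 1)[0].lower())  # drop .so / .dll suffix
    return mods


def exposure(conf_text):
    """Map each KB-listed CVE to the named modules that are actually loaded."""
    loaded = loaded_modules(conf_text)
    return {cve: sorted(mods & loaded)
            for cve, mods in KB_CVE_MODULES.items() if mods & loaded}


# Constructed sample configuration (not the file shipped with NMC).
SAMPLE_CONF = """\
ServerName localhost
LoadModule mime_module modules/mod_mime.so
  loadmodule isapi_module modules/mod_isapi.so
#LoadModule headers_module modules/mod_headers.so
LoadModule dir_module "modules/mod_dir.so"
"""

if __name__ == "__main__":
    for cve, mods in sorted(exposure(SAMPLE_CONF).items()):
        print(cve, "->", ", ".join(mods))
```
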