On May 24, 2012 13:05 , Luke Lozier <luke@xxxxxxxxxxxxxxx> wrote:
One of the PCI scanning companies is demanding an upgrade to 2.4.2 due to the issues described in this CVE:

Changes with Apache 2.2.23
  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to
     the current working directory to be searched for DSOs. [Stefan Fritsch]

Is there any idea when 2.2.23 will be released? I'd rather not upgrade to 2.4.2
The actual text is, "envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl."
And envvars-std (envvars) appears to only be used by apachectl. So, instead of upgrading, what about changing the owner of apachectl to root and the permissions to 700? Then tell your auditor that you have implemented a compensating control for CVE-2012-0883 such that apachectl can only be run by the trusted root user.
Am I misunderstanding the vulnerability?

Or, alternatively, edit /usr/sbin/envvars and/or apachectl to fix LD_LIBRARY_PATH, if it is in fact being handled insecurely on your system (it appeared to be fine on the two older systems where I checked for this vulnerability).
--
Mark Montague
mark@xxxxxxxxxxx
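Added example, not from this thread or from the Apache project: a POSIX sh check for the pattern CVE-2012-0883 describes, an envvars fragment that leaves a zero-length directory name in LD_LIBRARY_PATH (the dynamic loader treats an empty component as the current working directory). The two envvars fragments are constructed for illustration; the "safe" form using `${LD_LIBRARY_PATH:+:...}` is one common way to avoid the empty component and is assumed here, not taken from Apache's actual patch.

```shell
#!/bin/sh
# Added example (not from the thread or the Apache project): detect the
# CVE-2012-0883 pattern. ld.so treats an empty LD_LIBRARY_PATH component
# (leading ":", trailing ":", or "::") as the current working directory.

# Returns 0 if the given search path contains a zero-length directory name.
has_empty_component() {
    case "$1" in
        ""|:*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run an envvars-style fragment ($1) in a subshell, with LD_LIBRARY_PATH
# inherited as $2 (empty means unset, the usual case when apachectl starts),
# and print the value the fragment would export.
resulting_ld_path() {
    ( if [ -n "$2" ]; then LD_LIBRARY_PATH=$2; export LD_LIBRARY_PATH
      else unset LD_LIBRARY_PATH; fi
      eval "$1"
      printf '%s' "$LD_LIBRARY_PATH" )
}

# Constructed fragments (hypothetical, not Apache's envvars-std): the unsafe
# one prepends unconditionally, so an unset inherited value leaves a trailing
# colon; the safe one adds the separator only when something is inherited.
UNSAFE_ENVVARS='LD_LIBRARY_PATH="/usr/local/apache2/lib:$LD_LIBRARY_PATH"; export LD_LIBRARY_PATH'
SAFE_ENVVARS='LD_LIBRARY_PATH="/usr/local/apache2/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"; export LD_LIBRARY_PATH'

# Audit helper: evaluates fragment $1 with inherited value $2, prints a
# verdict, and returns 1 when an empty component (cwd search) would result.
audit_envvars() {
    path=$(resulting_ld_path "$1" "$2")
    if has_empty_component "$path"; then
        echo "UNSAFE: LD_LIBRARY_PATH='$path' (empty component: cwd searched for DSOs)"
        return 1
    fi
    echo "ok: LD_LIBRARY_PATH='$path'"
    return 0
}

# Example run over both constructed fragments with nothing inherited.
audit_envvars "$UNSAFE_ENVVARS" "" || true
audit_envvars "$SAFE_ENVVARS" ""
```

To audit a system's own file, pass its contents, e.g. `audit_envvars "$(cat /usr/sbin/envvars)" ""`; the fragment is evaluated in a subshell exactly as apachectl would source it.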