Re: Confirmation on Vulnerability Status of Apache HTTP V2.0.50 and when bundled with Brocade FOS V7.1.X

The description Brocade is looking at is:
"protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script."

Which is different from the (more accurate) summary given by Pete - which is versionless. I suspect that whoever wrote the Brocade report simply "assumed" that 2.0.X was not affected because the CVE description only mentions 2.2.x-2.2.21.

So, I suggest you inform Brocade that your "routine Vulnerability Assessment scan" disagrees and you would like an updated/upgraded version of HTTPD bundled to correct their incorrect assumption.


On Sun, Jul 6, 2014 at 2:21 PM, Pete Houston <ph1@xxxxxxxxxxxxxxxx> wrote:
On Tue, Jun 24, 2014 at 12:45:19AM -0400, Kee, Siokkwan wrote:
> We have an issue currently where documentation released from Brocade indicates Apache HTTP V 2.0.50 is listed as non-vulnerable when bundled together with Brocade FOS V7.1.1.
> As Brocade has listed this as a non-vulnerability, the latest version of the FOS is currently still bundled with Apache HTTP V 2.0.50.

Version 2.0.50 has just celebrated its 10th birthday. In server software
terms that is incredibly old. There have been 15 point releases within
the 2.0 branch since then and the entire 2.0 branch is now retired. I
don't see why any software shipped today would be bundled with such an
old version of Apache.

> (Please refer to the attached listed CVE-2012-0053 in Page 15 onwards on the Vulnerability explanation from Brocade.)
>
> However, during the routine Vulnerability Assessment scan, the Apache HTTP V 2.0.50 reflects that this is a vulnerable version.
> The same is reflected in the Apache HTTP website that this version is vulnerable.
>
> Would appreciate advice from Apache.Org team on comments listed by Brocade (whether it is possible for Apache HTTP V2.0.50 not to be vulnerable when bundled with Brocade FOS) so that we may be able to move forward.

A quick read of the changelog for v2.0.65 reveals:

  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
     Fix an issue in error responses that could expose "httpOnly" cookies
     when no custom ErrorDocument is specified for status code 400.

which seems fairly clear and from which we can infer a simple workaround.

But don't do that - just upgrade Apache instead.

Pete
--
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107
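An added example, not part of this thread and not httpd's own tooling: a small Python audit that applies the two conditions in the changelog entry Pete quotes (an httpd version older than the fix, and no custom ErrorDocument for status 400) to a version string and a configuration file. The 2.0.65 fixed version comes from that changelog; 2.2.22 for the 2.2 branch and the sample configuration are assumptions.

```python
import re

# First release carrying the CVE-2012-0053 fix, per branch.
# 2.0.65 is from the changelog quoted above; 2.2.22 is assumed.
FIXED_IN = {(2, 0): (2, 0, 65), (2, 2): (2, 2, 22)}

# Matches an active (not commented-out) "ErrorDocument 400 <target>"
# directive anywhere in the configuration text.
_ERRDOC_400 = re.compile(r"^\s*ErrorDocument\s+400\s+\S", re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """Turn 'Apache/2.0.50' or '2.0.50' into the tuple (2, 0, 50)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(p) for p in m.groups())


def version_vulnerable(version):
    """True if this httpd version predates the fix for its branch.
    Branches not listed in FIXED_IN (e.g. 2.4) are treated as fixed."""
    fixed = FIXED_IN.get(version[:2])
    return fixed is not None and version < fixed


def has_custom_400_errordocument(config_text):
    """True if the configuration sets a custom ErrorDocument for 400."""
    return _ERRDOC_400.search(config_text) is not None


def assess(version_text, config_text):
    """'fixed' (patched build), 'mitigated' (workaround only) or 'exposed'."""
    if not version_vulnerable(parse_version(version_text)):
        return "fixed"
    if has_custom_400_errordocument(config_text):
        return "mitigated"
    return "exposed"


if __name__ == "__main__":
    # Constructed sample configuration; the ErrorDocument line is commented
    # out, so it does not count as a workaround.
    sample = "ServerName fos.example\n# ErrorDocument 400 /err.html\nLogLevel warn\n"
    print(assess("Apache/2.0.50", sample))  # exposed
```

A "mitigated" result only means the workaround is in place; as Pete says, the real answer is to upgrade the bundled httpd.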

