Reference: CERT-EU Security Advisory 2012-0011

Title: Multiple vulnerabilities in Apache HTTP server [1]

Version history:
01.02.2012 Initial publication

Summary
================

The Apache Software Foundation has released a new version of the Apache HTTP server that fixes multiple vulnerabilities [1]. These vulnerabilities can allow remote attackers to access sensitive information, cause a denial of service or allow local users to escalate privileges.

CVE-2011-3607, CVE-2012-0021, CVE-2012-0031, CVE-2011-4317, CVE-2012-0053, CVE-2011-3368

These vulnerabilities are rated as "Low" to "Moderate" by the Vendor.

CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) [2]

Please see [1] for further details.

Vulnerable systems
==================

Versions 2.2.21 and earlier (see below for details).

Original Details
================

* low: mod_setenvif .htaccess privilege escalation CVE-2011-3607

An integer overflow flaw was found which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file.

Affected: 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

* low: mod_log_config crash CVE-2012-0021

A flaw was found in mod_log_config. If the '%{cookiename}C' log format string is in use, a remote attacker could send a specific cookie causing a crash. This crash would only be a denial of service if using a threaded MPM.

Affected: 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17

* low: scoreboard parent DoS CVE-2012-0031

A flaw was found in the handling of the scoreboard. An unprivileged child process could cause the parent process to crash at shutdown rather than terminate cleanly.

Affected: 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

* moderate: mod_proxy reverse proxy exposure CVE-2011-4317

An additional exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker.

Affected: 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

* moderate: error responses can expose cookies CVE-2012-0053

A flaw was found in the default error response for status code 400. This flaw could be used by an attacker to expose "httpOnly" cookies when no custom ErrorDocument is specified.

Affected: 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

* moderate: mod_proxy reverse proxy exposure CVE-2011-3368

An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker.

Affected: 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

What can you do?
================

Affected users should upgrade to Apache HTTP server 2.2.22 [1]. Please refer to your vendor, Linux distributor, etc. for an update of your flavour of the software.

What to tell your users?
========================

N/A

More information
================

[1] http://httpd.apache.org/security/vulnerabilities_22.html
[2] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)
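
Added example (not part of the CERT-EU advisory or of Apache's own tooling): a triage helper that combines the "Affected:" version lists above with the configuration preconditions named under Original Details, so an administrator can see which of the six CVEs are candidates for review on a given server before upgrading to 2.2.22. The function name, the sample configuration and the assumptions that modules are loaded with LoadModule and that the configuration is a single file (Include directives are not followed) are illustrative.

```python
import re

# Affected 2.2.x patch levels, copied from the advisory's "Affected:" lists.
ALL_LISTED = set(range(0, 22)) - {1, 7}   # 2.2.0 .. 2.2.21 as listed
LOG_CONFIG = set(range(17, 22))           # 2.2.17 .. 2.2.21

# RewriteRule carrying the proxy flag ([P] / [proxy]) or any ProxyPassMatch.
PROXY = (r"^\s*(?:ProxyPassMatch\b|RewriteRule\b.*"
         r"\[(?:[^\]\n]*,)?[ \t]*(?:P|proxy)[ \t]*(?:,[^\]\n]*)?\][ \t]*$)")

# (CVE, affected levels, directive pattern, must the pattern be present?, reason)
CHECKS = [
    ("CVE-2011-3607", ALL_LISTED, r"^\s*LoadModule\s+setenvif_module\b", True,
     "mod_setenvif is loaded"),
    ("CVE-2012-0021", LOG_CONFIG,
     r"^\s*(?:LogFormat|CustomLog)\b.*%\{[^}\n]+\}C", True,
     "a %{cookiename}C log format is in use"),
    ("CVE-2012-0031", ALL_LISTED, None, True, "no configuration precondition"),
    ("CVE-2011-4317", ALL_LISTED, PROXY, True, "RewriteRule [P] or ProxyPassMatch present"),
    ("CVE-2011-3368", ALL_LISTED, PROXY, True, "RewriteRule [P] or ProxyPassMatch present"),
    ("CVE-2012-0053", ALL_LISTED, r"^\s*ErrorDocument\s+400\b", False,
     "no custom ErrorDocument for status 400"),
]

def triage(version, conf):
    """Return {CVE: reason} for advisory items that match version and config."""
    m = re.fullmatch(r"2\.2\.(\d+)", version.strip())
    if not m:
        raise ValueError("the advisory only covers the 2.2.x branch")
    patch = int(m.group(1))
    # Ignore commented-out directives.
    active = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    findings = {}
    for cve, levels, pattern, must_match, reason in CHECKS:
        if patch not in levels:
            continue
        if pattern is not None and bool(re.search(pattern, active, re.I | re.M)) != must_match:
            continue
        findings[cve] = reason
    return findings

# Constructed sample configuration, for illustration only.
SAMPLE_CONF = r'''
LoadModule setenvif_module modules/mod_setenvif.so
# LogFormat "%h %{session}C" cookies
RewriteRule ^/app/(.*)$ http://backend.example/$1 [P,L]
'''

if __name__ == "__main__":
    for cve, reason in sorted(triage("2.2.16", SAMPLE_CONF).items()):
        print(cve, "-", reason)
```

A match means the directive the advisory names is present, not that the specific pattern is exploitable; the result is a review list, and the fix remains the upgrade to 2.2.22.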