===========================================================================
             AUSCERT Security Bulletin ASB-2010.0122
    Cumulative Interim Fix Available for IBM HTTP Server 2.0.47
                               12 May 2010
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM HTTP Server 2.0.47
Operating System:  Windows
                   Linux variants
                   HP-UX
                   Solaris
                   AIX
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Read-only Data Access           -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-0434 CVE-2010-0425 CVE-2009-3555 CVE-2009-3095
                   CVE-2009-3094 CVE-2009-2412 CVE-2009-1956 CVE-2009-1955
                   CVE-2009-1891 CVE-2009-0023 CVE-2008-2939 CVE-2008-2364
                   CVE-2008-0005
Member content until: Friday, June 11 2010
Reference:         ASB-2010.0112 ASB-2010.0087 ASB-2010.0081 ASB-2009.1081
                   ASB-2009.1045 ESB-2009.1314 AA-2008.0199 AA-2008.0183
                   AA-2008.0009

OVERVIEW

        IBM have released a cumulative interim fix for HTTP Server
        version 2.0.47, correcting multiple vulnerabilities.

IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities addressed in this fix [1]:

        - PM09447: CVE-2010-0425 (cve.mitre.org)
          mod_isapi: Do not unload an isapi .dll module until the request
          processing is completed, avoiding orphaned callback pointers.

        - PM08939: CVE-2010-0434 (cve.mitre.org)
          core: potential memory misuse during subrequests.

        - PM00675: CVE-2009-3555 (cve.mitre.org)
          Reject client-initiated session renegotiation by default and
          introduce the SSLRenegotiation directive.

        - PK96858: CVE-2009-3095 (cve.mitre.org)
          mod_proxy_ftp: check authn credentials.

        - PK96858: CVE-2009-3094 (cve.mitre.org)
          Fix mod_proxy_ftp NULL pointer dereference.

        - PK93225: CVE-2009-2412 (cve.mitre.org)
          Fix overflow in rmm, where size alignment was taking place.

        - PK91361: CVE-2009-1891 (cve.mitre.org)
          Fix a potential Denial-of-Service attack against mod_deflate or
          other modules, by forcing the server to consume CPU time in
          compressing a large file after a client disconnects.

        - PK88341: CVE-2009-0023 (cve.mitre.org)
          Fix underflow in apr_strmatch_precompile.

        - PK88341: CVE-2009-1956 (cve.mitre.org)
          Fix off-by-one overflow in apr_brigade_vprintf.

        - PK88342: CVE-2009-1955 (cve.mitre.org)
          Fix a denial of service attack against the apr_xml_* interface
          using the "billion laughs" entity expansion technique.

        - PK81016: CVE-2008-0005 (cve.mitre.org)
          mod_proxy_ftp: Add explicit charset to the output to work around
          possible cross-site scripting flaws affecting web browsers that
          do not derive the response character set as required by RFC2616.

        - PK70197: CVE-2008-2939 (cve.mitre.org)
          mod_proxy_ftp: Prevent XSS attacks when using wildcards in the
          path of the FTP URL.

        - PK67579: CVE-2008-2364 (cve.mitre.org)
          mod_proxy_http: Better handling of excessive interim responses
          from origin server to prevent potential denial of service and
          high memory usage.

MITIGATION

        Users can apply cumulative fix PM10658 to address these
        vulnerabilities.

REFERENCES

        [1] PM10658: IBM HTTP SERVER 2.0.47 CUMULATIVE INTERIM FIX
            http://www-01.ibm.com/support/docview.wss?uid=swg1PM10658

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.
If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
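The CVE-2009-1955 item above describes a "billion laughs" entity-expansion denial of service against the apr_xml_* interface. The following is an added example, not part of the AusCERT bulletin or of IBM's fix: a pre-parse check, in Python, that estimates the expanded size of an XML document's internal general entities and rejects documents whose expansion ratio is unreasonable before they ever reach a full parser. The sample documents, the limits and the regular expressions are constructed for this example.

```python
import re

# Constructed sample: the classic "billion laughs" shape, cut to 5 levels
# so the numbers stay small (10^5 copies of "lol" = 300000 bytes).
BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
]>
<lolz>&lol5;</lolz>"""

# Constructed benign document: one small entity, used once.
BENIGN = """<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY company "Example Corp"> ]>
<note>&company; says hello</note>"""

# Simplification: only double-quoted internal general entities are recognised.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')

def entity_expansion_sizes(doc):
    """Return {entity name: fully expanded length} for declared entities."""
    decls = dict(ENTITY_DECL.findall(doc))
    sizes = {}
    def size_of(name, stack):
        if name in sizes:
            return sizes[name]
        if name not in decls:          # predefined (&amp;) or undeclared: left as-is
            return len(name) + 2
        if name in stack:              # recursion is illegal XML; treat as hostile
            raise ValueError("recursive entity %s" % name)
        body = decls[name]
        total = len(ENTITY_REF.sub("", body))            # literal text
        for ref in ENTITY_REF.findall(body):             # plus nested expansions
            total += size_of(ref, stack | {name})
        sizes[name] = total
        return total
    for name in decls:
        size_of(name, frozenset())
    return sizes

def expanded_body_size(doc):
    """Estimate the size of the element content after entity expansion."""
    sizes = entity_expansion_sizes(doc)
    end = doc.find("]>")                                 # end of internal subset
    body = doc[end + 2:] if end != -1 else doc
    total = len(ENTITY_REF.sub("", body))
    return total + sum(sizes.get(r, len(r) + 2) for r in ENTITY_REF.findall(body))

def check_xml(doc, max_expansion=1_000_000, max_ratio=100):
    """True if the document's expansion stays within absolute and ratio limits."""
    size = expanded_body_size(doc)
    return size <= max_expansion and size <= max_ratio * len(doc)
```

The same amplification limits are what modern XML parsers enforce internally; this check is a cheap gate to put in front of a parser that does not.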