Apache Web Server Flaws Patched

by Sean Michael Kerner

A handful of vulnerabilities in Apache Web server get fixed, including one flaw that impacts only Windows systems.

More on Apache Web Server

The Apache Web Server is the most widely deployed Web server on the Internet today, which means that vulnerabilities in the open source server can have a devastating impact. That also makes security updates like the new 2.2.15 release critical, since it addresses several security vulnerabilities in Apache's flagship HTTP Web server.

Chief among the new vulnerabilities is one flaw relating to a broader SSL issue first disclosed in November 2009. That issue involves a renegotiation flaw with TLS .

"Notably, this release was updated to reflect the OpenSSL Project's release 0.9.8m of the openssl library, and addresses CVE-2009-3555, the TLS renegotiation prefix injection attack," Apache noted in a mailing list announcement.

The SSL TLS renegotiation vulnerability might have made it possible for a man-in-the middle attack, potentially leading to SSL-protected sites facing the risk of being spoofed by malicious SSL/TLS credentials.

Apache 2.2.15 provides a number of enhancements that aim to protect against the flaw. One of them is a fix in Apache's mod_ssl module, which Apache labels as a comprehensive fix.

The fix utilizes the latest OpenSSL version 0.9.8.m, which provides protection against the flaw. An additional measure taken by Apache to protect against the SSL/TLS flaw is to reject any client-initiated renegotiations.

In addition to the SSL/TLS vulnerability, there is also a separate fix for a Denial-of-Service (DoS) issue affecting the mod_proxy_ajp module, which provides proxy services.

"mod_proxy_ajp would return the wrong status code if it encountered an error, causing a backend server to be put into an error state until the retry timeout expired," Apache stated. "A remote attacker could send malicious requests to trigger this issue, resulting in denial of service."

Windows Web server deployments at risk

Though Apache is available for Unix, Linux and Windows, Apache 2.2.15 also provides a fix for an issue that only affects the Web server when it is running on Microsoft Windows systems.

The Windows-only issue has to do with the mod_isapi module, which enables Apache to serve Internet Server extensions on Windows Servers. The flaw could potentially have led to a DoS and arbitrary code execution.

"By sending a specially crafted request followed by a reset packet, it is possible to trigger a vulnerability in Apache mod_isapithat will unload the target ISAPI module from memory," security firm Sense of Security Labs, which first discovered the flaw, reported in its advisory. "However, function pointers still remain in memory and are called when published ISAPI functions are referenced. This results in a dangling pointer vulnerability."

The Apache 2.2.x branch first debuted in 2005 and has been updated frequently since, with the last update 2.2.14 coming in October 2009. The Apache HTTP Web Server project itself recently celebrated its 15th birthday.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.

Follow ServerWatch on Twitter

This article was originally published on Tuesday Mar 9th 2010
Mobile Site | Full Site