=====================================================================
CERT-Renater

Information Note No. 2006/VULN491
_____________________________________________________________________

DATE                 : 11/09/2006

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Solaris 10 running Apache 2.

======================================================================

Sun(sm) Alert Notification

  * Sun Alert ID: 102198
  * Synopsis: Security Vulnerabilities in the Apache 2 Web Server
  * Category: Security
  * Product: Solaris 10 Operating System
  * BugIDs: 6301799, 6378495
  * Avoidance: Patch
  * State: Resolved
  * Date Released: 01-Mar-2006, 08-Sep-2006
  * Date Closed: 08-Sep-2006
  * Date Modified: 12-Apr-2006, 08-Sep-2006

1. Impact

Several vulnerabilities in the Apache 2.0 web server prior to version
2.0.55 may allow a local or remote unprivileged user to cause a Denial
of Service (DoS) to the Apache 2 HTTP process, or may allow a local user
who is able to write to directories served by the web server to execute
arbitrary code with the privileges of the Apache 2 process. The Apache 2
HTTP process normally runs as the unprivileged user "webservd" (uid 80).

Additional vulnerabilities may prevent certain configured security
features from being applied to specific HTTP transactions, or may allow
local unprivileged users to gain access to sensitive information.

These vulnerabilities are described at the following URLs:

The Change Log for Apache 2.0, at
    http://www.apache.org/dist/httpd/CHANGES_2.0

CAN-2005-2700: "does not properly enforce 'SSLVerifyClient require' "
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700

CAN-2005-2491: "overflow[...] in Perl Compatible Regular Expressions"
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491

CAN-2005-2088: "HTTP Request Smuggling"
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2088

CAN-2005-2728: "denial of service"
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2728

CAN-2005-1268: "Certificate Revocation List[...] buffer overflow"
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1268

CAN-2004-0942: "denial of service"
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942

CAN-2004-0885: "'SSLCipherSuite'[...] bypass intended restrictions"
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885

CAN-2004-1834: "allow local users to gain sensitive information"
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1834

2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform
  * Solaris 10 without patch 120543-02

x86 Platform
  * Solaris 10 without patch 120544-02

Note 1: The Apache 2.0 web server is not bundled with releases prior to
Solaris 10. However, customers who have built and/or installed a
vulnerable version of Apache on any version of Solaris are at risk.

Note 2: A system is only vulnerable to these issues if the Apache 2.0
web server has been configured and is running on the system. The
following SMF command can be used to see if the Apache web server
service is enabled:

    $ svcs svc:/network/http:apache2
    STATE          STIME    FMRI
    disabled       Feb_02   svc:/network/http:apache2

If the output asserts that the pattern doesn't match any instances, or
if the STATE is 'disabled', then the host is not vulnerable.

Note 3: The vulnerabilities CAN-2005-2700, CAN-2005-2491, CAN-2005-2728,
CAN-2005-2088, and CAN-2005-1268 are present in Apache2 version 2.0 to
2.0.54. The vulnerabilities CAN-2004-0942 and CAN-2004-1834 are present
in Apache2 version 2.0 to 2.0.52. The vulnerability CAN-2004-0885 is
present in Apache2 version 2.0.35 to 2.0.52.

To determine the version of the Apache 2.0 web server installed on a
host, the following command can be run:

    $ /usr/apache2/bin/httpd -v
    Server version: Apache/2.0.52
    Server built: Jan 22 2006 02:10:22

Note 4: Apache 1.3 ships with Solaris 8, 9, and 10, and is impacted by
some of the issues referenced in this Sun Alert. For details on the
impact to Apache 1.3 see Sun Alert 102197.

3. Symptoms

If the described issues have been exploited to cause a Denial of Service
(DoS) condition, the Apache Web Server may be slow to respond to
requests or may not respond at all.

There are no predictable symptoms that would indicate any of the
described issues have been exploited to gain unauthorized access to a
host or its data.

4. Relief/Workaround

There is no workaround to this issue. Please see the Resolution section
below.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  * Solaris 10 with patch 120543-02 or later

x86 Platform
  * Solaris 10 with patch 120544-02 or later

Change History

12-Apr-2006:
  * Updated Relief/Workaround section

08-Sep-2006:
  * Updated Contributing Factors and Resolution sections
  * State: Resolved

This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun
Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert notification
may only be used for the purposes contemplated by these agreements.

Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved

======================================================================

=========================================================
CERT-Renater reference servers

http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER         | tel  : 01-53-94-20-44          +
+ 151 bd de l'Hopital  | fax  : 01-53-94-20-41          +
+ 75013 Paris          | email: certsvp@renater.fr      +
=========================================================
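
The exposure checks from Notes 2 and 3 and the patch levels from section 5 of the Sun Alert above, combined into one triage script. This is an added example, not part of the Sun or CERT-Renater text; the function names are hypothetical, and using `showrev -p` as the source of the installed patch list is an assumption, since the alert names no command for that step.

```sh
#!/bin/sh
# Added example (not Sun's or CERT-Renater's code). Each function takes captured
# command output as text, so the logic can be checked without a Solaris host.

# Note 2: exposed unless the FMRI row is missing or its STATE is "disabled".
svc_exposed() {   # $1 = output of: svcs svc:/network/http:apache2
    state=$(printf '%s\n' "$1" | awk '$3 == "svc:/network/http:apache2" { print $1 }')
    [ -n "$state" ] && [ "$state" != "disabled" ]
}

# Prints z from "Server version: Apache/2.0.z"; prints nothing for other builds.
httpd_patchlevel() {   # $1 = output of: /usr/apache2/bin/httpd -v
    printf '%s\n' "$1" | sed -n 's|^Server version: Apache/2\.0\.\([0-9][0-9]*\).*|\1|p'
}

# Note 3: CAN ids the alert lists for Apache 2.0.z.
cans_for_patchlevel() {   # $1 = z
    out=""
    if [ "$1" -le 54 ]; then
        out="CAN-2005-2700 CAN-2005-2491 CAN-2005-2728 CAN-2005-2088 CAN-2005-1268"
    fi
    if [ "$1" -le 52 ]; then out="$out CAN-2004-0942 CAN-2004-1834"; fi
    if [ "$1" -ge 35 ] && [ "$1" -le 52 ]; then out="$out CAN-2004-0885"; fi
    printf '%s\n' "$out"
}

# Section 5: patch id installed at revision 02 or later (showrev -p is assumed).
patch_ok() {   # $1 = 120543 (SPARC) or 120544 (x86); $2 = output of: showrev -p
    printf '%s\n' "$2" | awk -v id="$1" '
        $1 == "Patch:" { split($2, p, "-"); if (p[1] == id && p[2] + 0 >= 2) ok = 1 }
        END { exit !ok }'
}

triage() {   # $1 = svcs output, $2 = httpd -v output, $3 = showrev -p output, $4 = patch id
    if ! svc_exposed "$1"; then echo "not exposed: apache2 service absent or disabled"; return 0; fi
    if patch_ok "$4" "$3"; then echo "resolved: patch $4-02 or later installed"; return 0; fi
    z=$(httpd_patchlevel "$2")
    if [ -z "$z" ]; then echo "review: unpatched, httpd is not a 2.0.x build"; return 0; fi
    cans=$(cans_for_patchlevel "$z")
    echo "unpatched: Apache 2.0.$z: ${cans:-no CAN listed in Note 3}"
}

# Constructed sample input (the httpd -v text is the alert's own example output).
SVCS='STATE          STIME    FMRI
online         Feb_02   svc:/network/http:apache2'
HTTPD='Server version: Apache/2.0.52
Server built: Jan 22 2006 02:10:22'
SHOWREV='Patch: 120543-01 Obsoletes: Requires: Incompatibles: Packages: PKG_PLACEHOLDER'
triage "$SVCS" "$HTTPD" "$SHOWREV" 120543
```

On a live host, pass the real output of the three commands and the patch id for the platform (120543 on SPARC, 120544 on x86).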