=====================================================================
                                   CERT-Renater

                        Information Note No. 2009/VULN450
_____________________________________________________________________

DATE                      : 10/11/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Apache mod_ssl.

======================================================================
http://mail-archives.apache.org/mod_mbox/httpd-announce/200911.mbox/%3C20091107013220.31376.qmail@minotaur.apache.org%3E
http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2
______________________________________________________________________


Subject: CVE-2009-3555 - apache/mod_ssl vulnerability and mitigation

Apache httpd is affected by CVE-2009-3555[1] (The SSL Injection
or MiM attack[2]).

The Apache httpd webserver relies on OpenSSL for the implementation of
the SSL/TLS protocol.

We strongly urge you to upgrade to OpenSSL 0.9.8l, and to be prepared
to deploy OpenSSL 0.9.8m as it becomes available[3].

Note that these are for short term and mid-term mitigation only; the
long term solution may well require a modification of the SSL and/or
TLS protocols[4].

For those who are not able to upgrade OpenSSL swiftly and/or for
those who need detailed logging - we recommend that you roll out
this patch[5]:

  http://www.apache.org/dist/httpd/patches/
       apply_to_2.2.14/CVE-2009-3555-2.2.patch
 sha1: 28cd58f3758f1add39417333825b9d854f4f5f43

as soon as possible. This is a partial fix in lieu of the protocol
issues being addressed and further changes to OpenSSL. Like the
OpenSSL 0.9.8l stopgap measure this patch rejects
in-session renegotiation.

If you are unable to patch and unable to roll out a newer version of
OpenSSL, and you rely on Client Side Authentication with Certificates
then we recommend that you 1) ensure that you limit your configuration
to a single 'SSLVerifyClient require' on VirtualHost/Server level and
2) remove all other (re)negotiation/require directives. However this
does NOT fully protect you - it just curtails authentication in this
specific setting.
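
As an added illustration (not part of the Apache announcement or of
CERT-Renater's text), the following Python script audits a configuration
against the workaround above: it flags SSLVerifyClient, SSLVerifyDepth and
SSLCipherSuite inside per-directory sections, where mod_ssl applies them by
renegotiating, and checks for a single server-level 'SSLVerifyClient require'.
The sample configuration and the function names are constructed; .htaccess
files and Include directives are assumed out of scope and are not followed.

```python
import re

# Directives mod_ssl applies via renegotiation when set per-directory.
RENEG = {"sslverifyclient", "sslverifydepth", "sslciphersuite"}
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 2
    <Location /admin>
        SSLVerifyClient require
        SSLCipherSuite HIGH
    </Location>
    # SSLVerifyClient optional
</VirtualHost>
"""

def audit(conf_text):
    """Return (server_level, per_dir) findings as lists of tuples."""
    stack, server_level, per_dir = [], [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"</\w+", line):          # closing section tag
            if stack:
                stack.pop()
            continue
        opened = re.match(r"<(\w+)", line)    # opening section tag
        if opened:
            stack.append(opened.group(1).lower())
            continue
        name = line.split()[0].lower()
        if name not in RENEG:
            continue
        if any(s in PER_DIR for s in stack):
            per_dir.append((no, line, "/".join(stack)))
        elif name == "sslverifyclient":
            server_level.append((no, line))
    return server_level, per_dir

def compliant(conf_text):
    """True if one server-level 'SSLVerifyClient require', nothing per-directory."""
    server_level, per_dir = audit(conf_text)
    return (not per_dir and len(server_level) == 1
            and server_level[0][1].lower().split() == ["sslverifyclient", "require"])
```

Each per-directory finding carries its line number and enclosing section
path, so the directives to remove can be located directly.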



1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
2: http://www.links.org/?p=780, http://extendedsubset.com/?p=8
3: http://www.openssl.org/source/
   openssl-announce mailing list on
   http://www.openssl.org/support/community.html
4: http://www.ietf.org/mail-archive/web/tls/current/msg03963.html
5: svn diff -r833581:833594 https://svn.apache.org/repos/asf/
   httpd/httpd/trunk/modules/ssl

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================




