Posted to users@httpd.apache.org by "Kevin A. McGrail" <KM...@PCCC.com> on 2011/12/21 18:42:02 UTC

[users@httpd] Update on mod_setenvif exploit CVE-2011-3607 and CVE-2011-4415

Good Morning,

I was wondering if there was any update on CVE-2011-3607 
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3607> and 
CVE-2011-4415 
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4415> which 
are bugs in mod_setenvif?

Our server is being flagged for PCI non-compliance because of these 
CVEs but there doesn't appear to be a fix, a workaround or any 
information I can find.

I checked bugzilla and the announce archives but these CVEs aren't 
listed at http://httpd.apache.org/security/vulnerabilities_22.html either.

However, some web search issues that get pretty technical seem unclear if 
the issue is considered a security issue by Apache.  Any assistance 
appreciated.

Regards,
KAM

Re: [users@httpd] Update on mod_setenvif exploit CVE-2011-3607 and CVE-2011-4415

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
> Anyway, I am more wondering if 2.2.22 is even on track to address 
> these issues.  Or if there are patches for 2.2.X (I found trunk 
> patches but they only dealt with some of the CVEs and didn't address 
> the 2.2 branch).  The amount of information available for these CVEs 
> seems sparse compared to my past experience but perhaps I'm searching 
> incorrectly. 

Following up my previous post in case anyone else has the same issue 
with PCI scans, I actually came across what I needed via a RedHat CVE 
response.  In short, RedHat reiterated and agreed with the Apache server 
project consensus, which was that they don't consider CVE-2011-4415 a valid 
security concern:

https://bugzilla.redhat.com/show_bug.cgi?id=750935

"Upstream consensus is that any resource consumption issues triggered by bad
.htaccess configuration are not considered security:
   http://thread.gmane.org/gmane.comp.apache.devel/46339/focus=46768"

This same statement also covers CVE-2011-3607.

This explains why I couldn't find anything out about the issues through 
normal channels and why nothing is tagged for a 2.2.22 release, etc.  
Hopefully, we'll see the PCI scanners drop these CVEs from their 
compliance scans, but I wanted to keep you all in the loop.  I'll bcc one 
of the security contacts I have at our scanner so they know more about 
the false positive.

Regards,
KAM

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Update on mod_setenvif exploit CVE-2011-3607 and CVE-2011-4415

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 12/21/2011 1:18 PM, Pete Houston wrote:
> On Wed, Dec 21, 2011 at 12:42:02PM -0500, Kevin A. McGrail wrote:
>> Our server is being flagged for PCI non-compliance because of these
>> CVEs but there doesn't appear to be a fix, a workaround or any
>> information I can find.
> There seem to be 2 obvious workarounds:
>
> 1. Don't load mod_setenvif. That's where the problem lies - if the
> vulnerable code isn't loaded then your application isn't vulnerable.
I'm unfortunately using setenvif to block bad user agents.
> 2. Don't use .htaccess files. Neither vulnerability can be triggered
> if you AllowOverride None. This is good for security anyway and if you
> are dealing with PCI related data I'd recommend this regardless of any
> issues in the code. It'll also be more efficient.
Good points, but it's hard to convince the PCI scanners of these types of 
workarounds in my experience, and we have a decent amount of software 
that uses .htaccess files for things like Apache::DBI in mod_perl.

Plus, they are also flagging us for having +Indexes on /icons (literally 
the default Apache icons).  Like that's a security issue ;-)

Anyway, I am more wondering if 2.2.22 is even on track to address these 
issues.  Or if there are patches for 2.2.X (I found trunk patches but 
they only dealt with some of the CVEs and didn't address the 2.2 
branch).  The amount of information available for these CVEs seems 
sparse compared to my past experience but perhaps I'm searching incorrectly.

regards,
KAM



Re: [users@httpd] Update on mod_setenvif exploit CVE-2011-3607 and CVE-2011-4415

Posted by Pete Houston <ph...@openstrike.co.uk>.
On Wed, Dec 21, 2011 at 12:42:02PM -0500, Kevin A. McGrail wrote:
> Our server is being flagged for PCI non-compliance because of these
> CVEs but there doesn't appear to be a fix, a workaround or any
> information I can find.

There seem to be 2 obvious workarounds:

1. Don't load mod_setenvif. That's where the problem lies - if the
vulnerable code isn't loaded then your application isn't vulnerable.

2. Don't use .htaccess files. Neither vulnerability can be triggered
if you AllowOverride None. This is good for security anyway and if you
are dealing with PCI related data I'd recommend this regardless of any
issues in the code. It'll also be more efficient.

HTH,

Pete
-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107
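
Added example (not from any post in this thread): an httpd 2.2-style configuration fragment showing what Pete's second workaround looks like in practice. It turns off .htaccess processing with AllowOverride None, moves the mod_setenvif user-agent blocking that KAM relies on into the main server config so the module can stay loaded, and switches off directory listing on the /icons alias that KAM's scanner flagged. The filesystem paths, the user-agent pattern and the "legacy-app" directory are assumptions; adjust them to the real layout.

```apache
# Added example config, not taken from the thread. Paths and patterns are
# placeholders.

# Workaround 2 from Pete's reply: no .htaccess processing anywhere by default.
# The directives below therefore have to live in the server config, where only
# the administrator can change them.
<Directory />
    Options None
    AllowOverride None
</Directory>

# mod_setenvif stays loaded (workaround 1 is not applied) but its directives
# are set here rather than in a per-directory .htaccess file.
# Assumed pattern: replace with the user agents actually being blocked.
SetEnvIfNoCase User-Agent "BadBot|EvilScraper" bad_bot

<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    # With Order Allow,Deny a matching Deny wins, so bad_bot requests get 403
    # and everything else is allowed.
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
</Directory>

# The default /icons alias that the scanner flagged for +Indexes: listing off.
<Directory "/usr/share/httpd/icons">
    Options -Indexes
    AllowOverride None
</Directory>

# If some application really does need .htaccess (KAM mentions mod_perl
# Apache::DBI setups), re-enable overrides only for that tree and only for the
# directive classes it uses, instead of AllowOverride All server-wide.
<Directory "/var/www/html/legacy-app">
    AllowOverride AuthConfig Limit
</Directory>
```

After editing, `apachectl configtest` checks the syntax, `apachectl -M` lists the loaded modules (so you can confirm whether setenvif_module is still present), and a request with a blocked User-Agent should return 403 in the access log while others are unaffected. Narrowing AllowOverride per directory is a compromise the thread does not discuss; Pete's recommendation is AllowOverride None everywhere.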