logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in  RSS Apache Lounge  


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.


Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Need help resolving security scans
Author
arunsn25



Joined: 02 Sep 2021
Posts: 1

PostPosted: Sat 04 Sep '21 19:25    Post subject: Need help resolving security scans Reply with quote

Hello,

I'm running Apache 2.4.48 on Windows 2019.

Our security team is complaining that the following CVEs are still showing up as vulnerable in our installation:
CVE-1999-0236
CVE-1999-1412
CVE-2007-0086

Their recommendation is to patch Apache.

Apache Lounge released a newer version of 2.4.48 on 26th August. However, the change log does not mention that the above CVEs are fixed. Hence, since, the above CVEs are pretty old (based on the year), can someone confirm if the August 26th download addresses these patches? If not, how do we remove the vulnerabilities? Thanks![/img]
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6998
Location: Germany, Next to Hamburg

PostPosted: Sat 04 Sep '21 22:27    Post subject: Reply with quote

The first one is related to a "ScriptAlias" /cgi setting. You need to find that in your config.

The second one is also CGI related that might cause a DOS.

The last one is not an apache issue.

Quote:

Official Statement from Red Hat (01/11/2007)

Red Hat does not consider this issue to be a security vulnerability. The pottential attacker has to send acknowledgement packets periodically to make server generate traffic. Exactly the same effect could be achieved by simply downloading the file. The statement that setting the TCP window size to arbitrarily high value would permit the attacker to disconnect and stop sending ACKs is false, because Red Hat Enterprise Linux limits the size of the TCP send buffer to 4MB by default.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2264
Location: Sun Diego, USA

PostPosted: Sun 05 Sep '21 23:39    Post subject: Reply with quote

James Blond wrote:
The last one is not an apache issue.

Are you sure?

CVE-2007-0086:
The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment.

RHEL dispute dealt with the TCP side of this CVE, not the range part, and we are not RHEL, nor Linux.

Think back to 2011 and a person who went by the name Kingcope, and his script killapache.pl. It sent a puzzel of ranges including overlaps that brought a lot of servers to their knees, including RHEL IIRC, without messing with TCP window size.

CVE-2011-3192 came about because of it: The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.

It sure sounds to me like the second part of 2007-0086.

*) SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file.
PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener, <lowprio20 gmail com>]

So in the end this should still be moot. Bottom line, tell them to bring down your 2.4.48 to the need of a cold boot with the 2007-0086 before you will believe them cause the second required part of that CVE cannot be accomplished anymore.

Even if it can with Apache's default, you can use MaxRanges to lower the allowed ranges.

CVE-1999-1412: A possible interaction between Apple MacOS X release 1.0 and Apache HTTP server allows remote attackers to cause a denial of service (crash) via a flood of HTTP GET requests to CGI programs, which generates a large number of processes.

Seems to me this is a problem only for MacOS X and Apache Lounge doesn't build for OS X, just Windows. Moot.

CVE-1999-0236: ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs.

Not much of a description so I will assume it means read the source of the CGI program/script. I cannot accomplish this with my 2.4.48 so far. I will try with a misconfiguration and see. If that works then this is for sure due to a config error.
Back to top


Reply to topic   Topic: Need help resolving security scans View previous topic :: View next topic
Post new topic   Forum Index -> Apache