Sponsored By

Apache Quickly Patches Bug

Fix is for vulnerability found in Apache HTTP Server that lets an attacker take control of the Web server or crash it

When Apache learns about a vulnerability in its software, it doesn't mess around. The Apache Software Foundation issued a patch almost immediately after a vulnerability in its Apache HTTP Server was posted on CERT late last week.

The vulnerability, first discovered by a McAfee researcher, lets an attacker execute malware as well as launch a denial of service attack to crash the victimized Apache Web server. McAfee had no reports of the bug as of presstime, but David Marcus, security research and communications manager for McAfee's Avert Labs Research Team says it's a serious problem. "The biggest danger is that it can take control of the host; it's an uber-vulnerability."

Apache has released the patches as version 2.2.3 of the Apache HTTP Server.

A flaw in Apache HTTP Server's Rewrite module, mod_rewrite, is the source of the problem. The error is in how Lightweight Directory Access Protocol (LDAP) is handled in the mod_rewrite, so servers using LDAP-based directories are at risk, Marcus says.

The mod_rewrite module is not a default in the server, but according to Apache, it's commonly used and can be in versions of Apache by its distributors. Among the systems affected by the vulnerability are products from F5 Networks, IBM, Oracle, and Sun Microsystems that use Apache.

Just because Apache got the fix out quickly doesn't mean customers have more breathing room for patching, however. "This patch is, like many of late, addressing a high profile exposure and should be applied as quickly as possible," says Rob Enderle, principal analyst with the Enderle Group. "Because of the public nature of the exposure and the related patch, unpatched systems will have a high probability of being compromised."

McAfee's Marcus says it would take a very targeted attack to exploit this vulnerability, so he doesn't expect it to become too widespread. But it's another example of the trend toward attacks being targeted at applications rather than just operating systems. "This also brings up the cross-platform potential. There's more danger in application-based attacks, for example, because you can run Apache on Windows and Linux." And several security vendors use Apache as a platform for their products, so they'll also be under the gun to install this patch, he says.

"This also points to the fact that, increasingly, these patches need to be validated by system suppliers -- those who provide Apache-based Web servers in pre-compiled form -- before they can be safely used," Enderle says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights