When Apache learns about a vulnerability in its software, it doesn't mess around. The Apache Software Foundation issued a patch almost immediately after a vulnerability in its Apache HTTP Server was posted on CERT late last week.
The vulnerability, first discovered by a McAfee researcher, lets a remote attacker crash the targeted Apache Web server (a denial of service) and potentially execute arbitrary code on it. McAfee had no reports of the bug being exploited as of press time, but David Marcus, security research and communications manager for McAfee's Avert Labs Research Team, says it's a serious problem. "The biggest danger is that it can take control of the host; it's an uber-vulnerability."
Apache has released the fix as version 2.2.3 of the Apache HTTP Server; the older maintained branches received the same fix in 2.0.59 and 1.3.37.
A flaw in Apache HTTP Server's Rewrite module, mod_rewrite, is the source of the problem. The error is in how LDAP is handled in mod_rewrite, so servers using LDAP-based directories are at risk, Marcus says. In practical terms, the affected code is the part of mod_rewrite that escapes ldap: URLs produced by a RewriteRule substitution, so a server's exposure is determined by its rewrite rules.
The mod_rewrite module is not enabled by default in the server, but according to Apache it is commonly used and may be enabled in the Apache builds shipped by distributors. Among the products affected by the vulnerability are Apache-based offerings from F5 Networks, IBM, Oracle, and Sun Microsystems.
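The patch-status check an administrator would want after reading the above, as an added example that is not code from the article, from Apache or from McAfee. It assumes (the article names only 2.2.3) that the fix also shipped as httpd 2.0.59 and 1.3.37, and that the weak code path is mod_rewrite's escaping of ldap: URLs produced by a RewriteRule substitution. The variable HTTPD, the functions audit_host and risky_rewrite_rules, and the sample configuration are this example's own names and constructed data, not anything from the article.

```shell
#!/bin/sh
# Added example, not from the article, Apache or McAfee: audit one httpd host for the
# mod_rewrite flaw described above.
#
# Assumed here (the article only names 2.2.3): the fix shipped in httpd 2.2.3, 2.0.59
# and 1.3.37, and the weak code path is mod_rewrite's handling of "ldap:" URLs produced
# by a RewriteRule substitution. The binary is assumed to be on PATH as $HTTPD.

HTTPD="${HTTPD:-httpd}"

# version_fixed MAJOR.MINOR.PATCH -> exit 0 if that release carries the fix.
# Releases newer than the 2.2 branch count as fixed; releases older than 1.3 do not.
version_fixed() {
    ver="$1"
    case "$ver" in *.*.*) ;; *) return 1 ;; esac   # need all three components
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    patch="${patch%%[!0-9]*}"                     # drop suffixes such as "-dev"
    [ -n "$patch" ] || return 1
    case "$major.$minor" in
        2.2) [ "$patch" -ge 3 ] ;;
        2.0) [ "$patch" -ge 59 ] ;;
        1.3) [ "$patch" -ge 37 ] ;;
        *)   [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 2 ]; } ;;
    esac
}

# parse_version "<output of httpd -v>" -> prints the bare version string, e.g. 2.2.2
parse_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# rewrite_loaded -> exit 0 if mod_rewrite is compiled in (-l) or loaded (-M; 2.2+ only).
rewrite_loaded() {
    { "$HTTPD" -l 2>/dev/null; "$HTTPD" -M 2>/dev/null; } |
        grep -q -e 'mod_rewrite\.c' -e 'rewrite_module'
}

# risky_rewrite_rules < httpd.conf -> prints RewriteRule lines whose substitution either
# names an ldap: URL outright or begins with a backreference ($1, %1), in which case the
# request chooses the scheme of the rewritten URL. Exit 0 if any line was printed.
# Flagging backreference-led substitutions is this script's conservative choice.
risky_rewrite_rules() {
    awk '
        tolower($1) == "rewriterule" && NF >= 3 {
            dest = tolower($3)
            if (dest ~ /^ldap:/ || dest ~ /^[$%][0-9]/) { found = 1; print }
        }
        END { exit found ? 0 : 1 }
    '
}

# audit_host [httpd.conf] -> 0 fixed or not exposed, 1 needs attention, 2 could not check
audit_host() {
    conf="${1:-/etc/httpd/conf/httpd.conf}"
    ver="$(parse_version "$("$HTTPD" -v 2>/dev/null)")"
    if [ -z "$ver" ]; then
        echo "could not read a version from '$HTTPD -v'"
        return 2
    fi
    if version_fixed "$ver"; then
        echo "httpd $ver carries the fix"
        return 0
    fi
    if ! rewrite_loaded; then
        echo "httpd $ver is unfixed but mod_rewrite is not loaded; patch at the next window"
        return 0
    fi
    echo "httpd $ver is unfixed and mod_rewrite is loaded; patch now. Rules to review in $conf:"
    risky_rewrite_rules < "$conf" || echo "(none flagged; plain-URL rewrites only)"
    return 1
}

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF='
RewriteEngine On
RewriteRule ^/people/(.*)$ ldap://ldap.example.com/ou=people,dc=example,dc=com?cn?sub?(uid=$1)
RewriteRule ^/old/(.*)$    /new/$1 [R]
RewriteRule ^/go/(.*)$     $1 [R]
RewriteRule ^/static/(.*)$ /var/www/static/$1 [L]
'

# Run the rule audit on the sample: prints the ldap: rule and the $1-led rule.
printf '%s\n' "$SAMPLE_CONF" | risky_rewrite_rules
```

On a real host, run audit_host with the path to the server's main configuration. Note that `httpd -M` only exists from 2.2 onward, so on 2.0 and 1.3 builds the script detects only a statically compiled mod_rewrite (`httpd -l`); a dynamically loaded copy on those branches has to be checked by reading the LoadModule lines by hand.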
Just because Apache got the fix out quickly doesn't mean customers have more breathing room for patching, however. "This patch is, like many of late, addressing a high profile exposure and should be applied as quickly as possible," says Rob Enderle, principal analyst with the Enderle Group. "Because of the public nature of the exposure and the related patch, unpatched systems will have a high probability of being compromised."
McAfee's Marcus says it would take a very targeted attack to exploit this vulnerability, so he doesn't expect it to become too widespread. But it's another example of the trend toward attacks being targeted at applications rather than just operating systems. "This also brings up the cross-platform potential. There's more danger in application-based attacks, for example, because you can run Apache on Windows and Linux." And several security vendors use Apache as a platform for their products, so they'll also be under the gun to install this patch, he says.
"This also points to the fact that, increasingly, these patches need to be validated by system suppliers -- those who provide Apache-based Web servers in pre-compiled form -- before they can be safely used," Enderle says.
Kelly Jackson Higgins, Senior Editor, Dark Reading