Apache Quickly Patches Bug

Fix is for vulnerability found in Apache HTTP Server that lets an attacker take control of the Web server or crash it

When Apache learns about a vulnerability in its software, it doesn't mess around. The Apache Software Foundation issued a patch almost immediately after a vulnerability in its Apache HTTP Server was posted on CERT late last week.

The vulnerability, first discovered by a McAfee researcher, lets an attacker execute malware as well as launch a denial of service attack to crash the victimized Apache Web server. McAfee had no reports of the bug being exploited as of press time, but David Marcus, security research and communications manager for McAfee's Avert Labs Research Team, says it's a serious problem. "The biggest danger is that it can take control of the host; it's an uber-vulnerability."

Apache has released the patches as version 2.2.3 of the Apache HTTP Server.

A flaw in Apache HTTP Server's Rewrite module, mod_rewrite, is the source of the problem. The error is in how Lightweight Directory Access Protocol (LDAP) URLs are handled by mod_rewrite, so servers using LDAP-based directories are at risk, Marcus says.

The mod_rewrite module is not enabled by default in the server, but according to Apache it is commonly used and may be compiled into the versions of Apache shipped by its distributors. Among the systems affected by the vulnerability are products from F5 Networks, IBM, Oracle, and Sun Microsystems that use Apache.
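Because mod_rewrite may be loaded as a shared module or built in statically by a distributor, an administrator's first question is whether a given httpd binary is below the fixed release and whether the module is actually present. The following Python script is an added example written for this article, not code from Apache or from Dark Reading. It parses the output of the real `httpd -v` and `httpd -M` commands and reports a status; it only knows the 2.2.3 fix version the article names, so builds from other branches are reported as not assessed rather than guessed at. The `SAMPLE_*` strings are constructed output in the shape those commands print, so the script also runs offline.

```python
"""Assess an Apache httpd build against the mod_rewrite fix in 2.2.3.

Added example for this article; the only fix version it knows is the
2.2.3 release the article names. Sample outputs below are constructed.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Fix release named in the article; earlier 2.2.x builds are flagged.
FIXED_VERSION = (2, 2, 3)

# Constructed samples in the format `httpd -v` and `httpd -M` print.
SAMPLE_HTTPD_V = (
    "Server version: Apache/2.2.2 (Unix)\n"
    "Server built:   Apr 29 2006 12:18:07\n"
)
SAMPLE_HTTPD_M = (
    "Loaded Modules:\n"
    " core_module (static)\n"
    " http_module (static)\n"
    " rewrite_module (shared)\n"
)


def parse_version(httpd_v_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the 'Server version:' line."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def rewrite_loaded(httpd_m_output: str) -> bool:
    """True if rewrite_module appears, whether static (compiled in) or shared."""
    pattern = r"^\s*rewrite_module\s+\((static|shared)\)"
    return re.search(pattern, httpd_m_output, re.MULTILINE) is not None


def assess(httpd_v_output: str, httpd_m_output: str) -> dict:
    """Combine version and module checks into one status for this advisory."""
    version = parse_version(httpd_v_output)
    loaded = rewrite_loaded(httpd_m_output)
    if version is None:
        status = "unknown: could not parse server version"
    elif version[:2] != (2, 2):
        status = "not assessed: only the 2.2.3 fix is known to this check"
    elif version >= FIXED_VERSION:
        status = "patched: build is 2.2.3 or later"
    elif loaded:
        status = "vulnerable: mod_rewrite loaded on a pre-2.2.3 build, patch now"
    else:
        status = "update advised: pre-2.2.3 build, mod_rewrite not currently loaded"
    return {"version": version, "rewrite_loaded": loaded, "status": status}


def run_httpd(flag: str) -> Optional[str]:
    """Run the local httpd binary with one flag; None if httpd is not installed."""
    binary = shutil.which("httpd") or shutil.which("apache2")
    if binary is None:
        return None
    proc = subprocess.run([binary, flag], capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    v_out = run_httpd("-v")
    m_out = run_httpd("-M")
    if v_out is None or m_out is None:
        print("httpd not found; assessing constructed sample output instead")
        v_out, m_out = SAMPLE_HTTPD_V, SAMPLE_HTTPD_M
    print(assess(v_out, m_out))
```

Run it on the server itself rather than a workstation: `-M` lists the modules that binary would load with its own configuration, including statically compiled ones, which is exactly the case the article warns distributors may have created.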

Just because Apache got the fix out quickly doesn't mean customers have more breathing room for patching, however. "This patch is, like many of late, addressing a high profile exposure and should be applied as quickly as possible," says Rob Enderle, principal analyst with the Enderle Group. "Because of the public nature of the exposure and the related patch, unpatched systems will have a high probability of being compromised."

McAfee's Marcus says it would take a very targeted attack to exploit this vulnerability, so he doesn't expect it to become too widespread. But it's another example of the trend toward attacks being targeted at applications rather than just operating systems. "This also brings up the cross-platform potential. There's more danger in application-based attacks, for example, because you can run Apache on Windows and Linux." And several security vendors use Apache as a platform for their products, so they'll also be under the gun to install this patch, he says.

"This also points to the fact that, increasingly, these patches need to be validated by system suppliers -- those who provide Apache-based Web servers in pre-compiled form -- before they can be safely used," Enderle says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
