Apache Quickly Patches Bug

Fix is for vulnerability found in Apache HTTP Server that lets an attacker take control of the Web server or crash it

When Apache learns about a vulnerability in its software, it doesn't mess around. The Apache Software Foundation issued a patch almost immediately after a vulnerability in its Apache HTTP Server was posted on CERT late last week.

The vulnerability, first discovered by a McAfee researcher, lets an attacker execute malware as well as launch a denial of service attack to crash the victimized Apache Web server. McAfee had no reports of the bug as of press time, but David Marcus, security research and communications manager for McAfee's Avert Labs Research Team, says it's a serious problem. "The biggest danger is that it can take control of the host; it's an uber-vulnerability."

Apache has released the patches as version 2.2.3 of the Apache HTTP Server.

A flaw in Apache HTTP Server's Rewrite module, mod_rewrite, is the source of the problem. The error is in how Lightweight Directory Access Protocol (LDAP) is handled in mod_rewrite, so servers using LDAP-based directories are at risk, Marcus says.

The mod_rewrite module is not enabled by default in the server, but according to Apache it is commonly used and can be included in the versions of Apache shipped by its distributors. Among the systems affected by the vulnerability are products from F5 Networks, IBM, Oracle, and Sun Microsystems that use Apache.
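As an added defender-side triage check, not code from the article or from the Apache project: a POSIX shell script that classifies an httpd install against the profile the article describes (a 2.2.x build older than 2.2.3 with mod_rewrite loaded), working on saved `httpd -v` and `httpd -M` output. The sample output is constructed, the `FIXED_VERSION` constant is taken from the article, and the `OTHER_BRANCH` result for non-2.2 releases is an assumption, since the article only names the 2.2.3 fix.

```shell
#!/bin/sh
# Added example (not from the article or Apache): triage one httpd install
# against the article's affected profile: a 2.2.x release older than 2.2.3
# with mod_rewrite loaded. Runs on saved `httpd -v` / `httpd -M` text.

FIXED_VERSION="2.2.3"   # release the article names as carrying the fix

# vpart VERSION N: N-th dotted component, padded so "2.2" yields 2.2.0.0
vpart() { printf '%s\n' "$1.0.0" | cut -d. -f"$2"; }

# version_lt A B: succeed when A is numerically older than B (3 components)
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(vpart "$1" "$i"); b=$(vpart "$2" "$i")
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# httpd_version: pull "2.2.2" out of `httpd -v` text read from stdin
httpd_version() { sed -n 's#^Server version: Apache/\([0-9.]*\).*#\1#p' | head -n 1; }

# rewrite_loaded: succeed when `httpd -M` text on stdin lists mod_rewrite
rewrite_loaded() { grep -q '^ *rewrite_module'; }

# assess VERSION_TEXT MODULES_TEXT: prints one of
#   OTHER_BRANCH   (not a 2.2.x build; outside what the article covers)
#   NO_MOD_REWRITE (vulnerable module is not loaded)
#   AFFECTED       (2.2.x older than 2.2.3 with mod_rewrite loaded)
#   PATCHED        (2.2.3 or later)
assess() {
    v=$(printf '%s\n' "$1" | httpd_version)
    case "$v" in 2.2.*) ;; *) echo OTHER_BRANCH; return 0 ;; esac
    if ! printf '%s\n' "$2" | rewrite_loaded; then echo NO_MOD_REWRITE; return 0; fi
    if version_lt "$v" "$FIXED_VERSION"; then echo AFFECTED; else echo PATCHED; fi
}

# Constructed sample output (not captured from a real host)
SAMPLE_V='Server version: Apache/2.2.2 (Unix)
Server built:   Jul 27 2006 10:00:00'
SAMPLE_M='Loaded Modules:
 core_module (static)
 rewrite_module (shared)'

assess "$SAMPLE_V" "$SAMPLE_M"   # prints AFFECTED
```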

Just because Apache got the fix out quickly doesn't mean customers have more breathing room for patching, however. "This patch is, like many of late, addressing a high profile exposure and should be applied as quickly as possible," says Rob Enderle, principal analyst with the Enderle Group. "Because of the public nature of the exposure and the related patch, unpatched systems will have a high probability of being compromised."

McAfee's Marcus says it would take a very targeted attack to exploit this vulnerability, so he doesn't expect it to become too widespread. But it's another example of the trend toward attacks being targeted at applications rather than just operating systems. "This also brings up the cross-platform potential. There's more danger in application-based attacks, for example, because you can run Apache on Windows and Linux." And several security vendors use Apache as a platform for their products, so they'll also be under the gun to install this patch, he says.

"This also points to the fact that, increasingly, these patches need to be validated by system suppliers -- those who provide Apache-based Web servers in pre-compiled form -- before they can be safely used," Enderle says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
