Apache 2.2.11 Vulnarabilities....Solution Required

ravigpalli · #1 12th March 2010, 09:11 PM

Hi,

I am using Nagios 3.2.4 tool with Nagios-Plugins-1.4.14 and on Red Hat Fedora Linux ver 10.1.The Apache version is 2.2.11

My security team has identified the following vulnerabilities with this version and they want me to find a fix.

1)Apache mod_proxy_ftp Module NULL Pointer Dereference Denial Of
Service Vulnerability

2)Apache HTTP Server mod_proxy stream_reqbody_cl Function Denial of Service Vulnerability

3)Apache HTTP Server mod_deflate Remote Denial Of Service Vulnerability

4)Apache APR and APR-util Multiple Integer Overflow Vulnerabilities

Please some one help me how can I fix these vulnarabilities.

Thanks a lot in advance.

Regards,
Ravi G

madhavdiwan · #2 13th March 2010, 04:13 AM

Ravi ,
you have several options.

1) if you are NOT using the modules , and they are simply loaded because they came with Apache. , disable and unload them via commenting them out in the Apache config file and reloading Apache

2) if you absolutely DO need them , consider upgrading the server , Apache, or even just the modules.

I suggest you go to apache.org and find out what each module is meant to do, and then find out if you need the module for your particular websites.

next make sure that the Apache version and apache addon packages for your version of Fedora , are the latest for that Fedora version. and verify in which version the issues are fixed .. so that you know what minimum patches or versions you need to fulfil your security team's requirements.

If you can not upgrade , due to some legacy issue / old software requirements, etc.. there are still some things you can do to alleviate the risks , which should satisfy any security team, for instance:

If this server serves a production website , you should also seriously consider putting a reverse web proxy in front of it ( a squid server would work well ) so that the connections to the apache web server first get filtered and policed by the proxy server before any connection the the actual web server is made.

***Dan*** · #3 13th March 2010, 04:18 AM

(Moved to servers)

madhavdiwan · #4 13th March 2010, 07:27 PM

Quote:

Red Hat Fedora Linux ver 10.1.

Do you mean you are running Fedora 10 ?

ravigpalli · #5 15th March 2010, 05:05 PM

Yes I am running Fedora 10....

Please some one provide solution...

Thanks,
Ravi

pete_1967 · #6 15th March 2010, 07:07 PM

madhavdiwan gave you two, third is: apply the patches you want yourself, it's not rocket science.

bodhi.zazen · #7 18th March 2010, 11:08 PM

Quote:

Originally Posted by ravigpalli

Yes I am running Fedora 10....

Please some one provide solution...

Thanks,
Ravi

You google those alerts and the solutions.

Fro example :

mod_proxy_ftp Module NULL Pointer Dereference Denial Of
Service Vulnerability

http://www.securityfocus.com/bid/36260/references

In general the solution is to update either apache or the module in questions. If a rpm for fedora 10 is available , you can use that.

If there is no rpm available, well in that case I personally would start compiling, but installing the development packages on a production server has it's own set of vulnerabilities - to that means building on a separate installation.

If you have dependency problems, you will need to resolve them , which may or may not involve installing a new OS.

You other solutions are to simply disable those modules or look at additional modules such as mod_evasive and / or mod_security. Mod_security may well take some time and effort to configure, depending on what your are running on Apache .

Last, why are you running Fedora 10 as a server ? Personally I would look at Centos or RHEL.

F10 is beyond EOL :

http://fedoraproject.org/wiki/LifeCycle/EOL

meaning no more updates for you.

With that information in mind, I again suggest you update your OS and, if it were me, I would look at RHEL or Centos rather then Fedora.