Several vulnerabilities in the Apache 2.0 web server prior to version 2.0.55 may allow a local or remote unprivileged user to cause a Denial of Service (DoS) to the Apache 2 HTTP process, or may allow a local user who is able to write to directories served by the web server to execute arbitrary code with the privileges of the Apache 2 process. The Apache 2 HTTP process normally runs as the unprivileged user "webservd" (uid 80).

Additional vulnerabilities may prevent certain configured security features from being applied to specific HTTP transactions or to allow local unprivileged users to gain access to sensitive information.

These vulnerabilities are described at the following URLs:

The Change Log for Apache 2.0, at http://www.apache.org/dist/httpd/CHANGES_2.0

CAN-2005-2700: "does not properly enforce 'SSLVerifyClient require' " http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700

CAN-2005-2491: "overflow[...] in Perl Compatible Regular Expressions" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491

CAN-2005-2088: "HTTP Request Smuggling" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2088

CAN-2005-2728: "denial of service" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2728

CAN-2005-1268: "Certificate Revocation List[...] buffer overflow" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1268

CAN-2004-0942: "denial of service" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942

CAN-2004-0885: "'SSLCipherSuite'[...] bypass intended restrictions" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885

CAN-2004-1834 "allow local users to gain sensitive information" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1834

These issues can occur in the following releases:

SPARC Platform

• Solaris 10 without patch 120543-02

x86 Platform

• Solaris 10 without patch 120544-02

Note 1: The Apache 2.0 web server is not bundled with releases prior to Solaris 10. However, customers who have built and/or installed a vulnerable version of Apache on any version of Solaris are at risk.

Note 2: A system is only vulnerable to these issues if the Apache 2.0 web server has been configured and is running on the system. The following SMF command can be used to see if the Apache web server service is enabled:

    $ svcs svc:/network/http:apache2
    STATE          STIME    FMRI
    disabled       Feb_02   svc:/network/http:apache2

If the output asserts that the pattern doesn't match any instances, or if the STATE is 'disabled' then the host is not vulnerable.

Note 3: The vulnerabilities CAN-2005-2700, CAN-2005-2491, CAN-2005-2728, CAN-2005-2088, and CAN-2005-1268 are present in Apache2 version 2.0 to 2.0.54. The vulnerabilities CAN-2004-0942 and CAN-2004-1834 are present in Apache2 version 2.0 to 2.0.52. The vulnerability CAN-2004-0885 is present in Apache2 version 2.0.35 to 2.0.52.

To determine the version of the Apache 2.0 web server installed on a host, the following command can be run:

    $ /usr/apache2/bin/httpd -v
    Server version: Apache/2.0.52
    Server built:   Jan 22 2006 02:10:22

Note 4: Apache 1.3 ships with Solaris 8, 9, and 10, and is impacted by some of the issues referenced in this Sun Alert. For details on the impact to Apache 1.3 see Sun Alert 102197.

If the described issues have been exploited to cause a Denial of Service (DoS) condition, the Apache Web Server may be slow to respond to requests or may not respond at all.

There are no predictable symptoms that would indicate any of the described issues have been exploited to gain unauthorized access to a host or its data.

There is no workaround to this issue. Please see the Resolution section below.

This issue is addressed in the following releases:

SPARC Platform

• Solaris 10 with patch 120543-02 or later

x86 Platform

• Solaris 10 with patch 120544-02 or later

12-Apr-2006:

• Updated Relief/Workaround section

08-Sep-2006:

• Updated Contributing Factors and Resolution sections
• State: Resolved

This solution has no attachment