- Sun Alert ID: 101555 (formerly 57628)
- Synopsis: Security Vulnerabilities in the Apache Web Server and Apache Modules
- Category: Security
- Product: Solaris 9 Operating System, Solaris 8 Operating System
- BugIDs: 5048900, 5069902
- Avoidance: Patch
- State: Resolved
- Date Released: 24-Aug-2004, 12-Oct-2004
- Date Closed: 12-Oct-2004
- Date Modified: 12-Oct-2004, 22-Sep-2004, 09-Sep-2004, 12-Aug-2005
1. Impact
A local or remote unprivileged user may be able execute arbitrary code on Solaris 8 or Solaris 9 systems running Apache with privileges of the Apache HTTP process, due to several security vulnerabilities in the Apache Web Server and Apache Web Server modules.
The Apache HTTP process normally runs as the unprivileged uid "nobody" (uid 60001). The ability to execute arbitrary code as the unprivileged uid "nobody" may lead to modified web content, denial of service, or further compromise.
These issues are described at the following sites:
The Change Log for Apache 1.3, at http://www.apache.org/dist/httpd/CHANGES_1.3
CAN-2003-0987: "mod_digest issue" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987
CAN-2003-0020: "filtering of data sent to errorlog" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
CAN-2004-0174: "possible denial of service" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174
CAN-2003-0993: "mod_access on 64-bit platforms" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
CAN-2004-0492: "buffer overflow in mod_proxy" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
Note that Apache 1.3.31 addresses the first four of these five security vulnerabilities. Additional changes were made to address CAN-2004-0492 in Sun's version of Apache 1.3.31.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
x86 Platform
Note 1: This Sun Alert originally reported that Solaris 8 systems without patch 116973-01 or 116974-01 were impacted by these issues. However, as per Sun Alert 101841 (at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101841-1), some of these issues may still occur on Solaris 8 systems with 116973-01 or 116974-01.
A system is only vulnerable to this issue if Apache Web Server has been configured and is running on the system. The following command can be executed to check if the Apache(1M) httpd daemon is running on the system:
$ /usr/bin/ps -ef | grep httpd
nobody 103892 102307 0 Jan 20 ? 0:27 /usr/apache/bin/httpd
Apache was not bundled with Solaris prior to Solaris 8. However, customers who have built and/or installed a vulnerable version of Apache on any version of Solaris are at risk. See the Apache web site to download the latest version of Apache which addresses these issues. Note also that CAN-2004-0492 is not fixed in a shipped version of Apache yet.
The vulnerabilities CAN-2003-0020, CAN-2004-0174, and CAN-2003-0993 are present in Apache Web Server versions 1.3 through 1.3.29. The vulnerability CAN-2003-098 is present in Apache Web Server versions 1.3 through 1.3.30.
The vulnerability CAN-2004-0492 is present in Apache Web Server versions 1.3 through 1.3.31. CAN-2004-0492 is addressed in the Apache Web Server shipped in the patches described in this Sun Alert.
In order to determine the version of Apache installed, the following command can be executed:
$ /usr/apache/bin/httpd -v
Server version: Apache/1.3.27 (Unix)
Server built: Nov 1 2002 16:16:41
3. Symptoms
There are no reliable symptoms that would indicate any of the described issues have been exploited to gain unauthorized uid "nobody" access to a host.
| Solution Summary | Top |
4. Relief/Workaround
There is no workaround. Please see the "Resolution" section below.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
x86 Platform
Note 1: This Sun Alert originally reported that the Solaris 8 patches 116973-01 or later and 116974-01 or later addressed these issues. However, as per Sun Alert 101841 (at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101841-1), the complete resolution is available in Solaris 8 patches 116973-02 or later and 116974-02 or later.
Change History
- Final patches added for Solaris 8 resolution; update Contributing Factors and Resolution sections; re-release as "Resolved"
- T-Patches added for Solaris 8 to "Relief/Workaround"
- Patches released/added for Solaris 9 resolution, update Contributing Factors and Resolution sections
- Updated Contributing Factors and Relief/Workaround sections
This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.
Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
Sun Contracted Content
Sun Contracted Feature
