UlfDunkel
January 28th, 2012, 03:03 PM
My Ubuntu server is frequently scanned by the Trustwave robots, which now complain that I run Apache 2.2.20 and should fix a vulnerability issue by updating to v2.2.22.
I am not too familiar with the Apache updates, but "apt-get upgrade" did not include Apache on my machine.
Do I have to wait until this version has been packaged for aptitude?
For those who are interested, here is the issue found by Trustwave:
Apache HTTP Server Reverse Proxy/Rewrite URL Validation Vulnerability
Severity: Medium
PCI Status: Fail
CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4317
Description:
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an @ (at sign) character and a : (colon) character in invalid positions.
Remediation:
This issue has been fixed in httpd 2.2.22-dev or later releases. It is highly recommended that, when upgrading, the latest available version from the vendor is utilized. Alternatively this finding may be addressed by disabling mod_proxy, and/or by disabling a reverse proxy (if one is in place), and/or by disabling the use of RewriteRule and ProxyPassMatch.
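A defender-side check for the question above, added here as an example; it is not code from the post, from Trustwave or from the Apache project. On Debian-derived systems such as Ubuntu, security fixes are normally backported into the existing package revision without changing the upstream version, so a banner or package version of 2.2.20 alone does not say whether CVE-2011-4317 is fixed; the package's Debian changelog does record the CVE ids fixed in each revision. The script therefore looks at three signals: the upstream version, the changelog, and whether mod_proxy is loaded at all (the finding's own remediation says disabling mod_proxy addresses it). The paths /usr/share/doc/apache2/changelog.Debian.gz and /etc/apache2/mods-enabled are the standard Ubuntu locations and are passed in as arguments; the function names, the verdict words and the sample changelog text used for testing are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the post. Checks whether an Ubuntu/Debian
# apache2 package is affected by a CVE using the signals that matter on a
# distribution that backports fixes: the upstream version, the Debian
# changelog (which names the CVEs fixed in each package revision), and
# whether mod_proxy is loaded at all.
#
# Assumed (standard Ubuntu) locations, passed in as function arguments:
#   /usr/share/doc/apache2/changelog.Debian.gz
#   /etc/apache2/mods-enabled

# Strip the epoch and the Debian revision from a package version string:
# "1:2.2.20-1ubuntu1.1" -> "2.2.20"
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-.*$//'
}

# Exit 0 if dotted version $1 is greater than or equal to $2, 1 otherwise.
# Compares component by component numerically (so 2.2.9 < 2.2.10).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Exit 0 if the Debian changelog ($2, plain or gzipped) mentions CVE id $1.
changelog_mentions_cve() {
    { case "$2" in
          *.gz) gzip -dc "$2" ;;
          *)    cat "$2" ;;
      esac; } | grep -q -- "$1"
}

# Exit 0 if module $1 is enabled, i.e. $1.load exists in mods-enabled dir $2.
mod_enabled() {
    [ -e "$2/$1.load" ]
}

# Print a one-word verdict for one host:
#   patched-upstream  upstream version already >= the fixed version
#   patched-backport  older upstream, but the changelog records the CVE fix
#   not-exposed       unpatched, but mod_proxy is not loaded (the finding's
#                     remediation: disabling mod_proxy addresses it)
#   vulnerable        unpatched and mod_proxy is loaded: upgrade, or disable
#                     the reverse proxy / RewriteRule / ProxyPassMatch
assess() {
    pkgver="$1"; fixed="$2"; cve="$3"; changelog="$4"; modsdir="$5"
    up=$(upstream_version "$pkgver")
    if version_ge "$up" "$fixed"; then
        echo patched-upstream
    elif changelog_mentions_cve "$cve" "$changelog"; then
        echo patched-backport
    elif ! mod_enabled proxy "$modsdir"; then
        echo not-exposed
    else
        echo vulnerable
    fi
}

# Query the local machine only when explicitly asked, so the functions
# above can be sourced or tested without touching the system.
if [ "${1:-}" = "--live" ]; then
    ver=$(dpkg-query -W -f '${Version}' apache2 2>/dev/null) || ver=""
    if [ -z "$ver" ]; then
        echo "apache2 package not installed" >&2
        exit 2
    fi
    assess "$ver" 2.2.22 CVE-2011-4317 \
        /usr/share/doc/apache2/changelog.Debian.gz /etc/apache2/mods-enabled
fi
```

Run it as `sh check-apache-cve.sh --live` on the server; a verdict of patched-backport is the usual outcome on a supported Ubuntu release once the security update is installed, and is what to show a scanner vendor that keys its finding on the version string alone. The same approach works for any other CVE: change the fixed version and CVE id in the final `assess` call.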