Patching security holes in Teamsite's Apache
IWguy
In Teamsite 6.5 SP2 - the release notes mention that Apache 1.3.31 (with CAN-2004-0492 patch from 1.3.32) is being used.
From a security/Sysadmin's point of view, what is to be done if a security hole is identified for Apache 1.3.31? Can the Sysadmin patch Teamsite's version of Apache by themselves or is this done by Interwoven through the use of a patch? If so, do they patch all security holes or only the major ones?
Thanks in advance,
Darcy
Comments
smenon
We typically patch any major security issue found with the version of Apache if it is relevant for TeamSite. Sometimes there are security issues found that do not apply to TeamSite because it is not an application that sits outside the firewall serving as a public webserver.
--Sunil Menon
Sr. Product Manager
Interwoven, Inc.
Migrateduser
Sunil,
Here are the specifics. Below were the Apache vulnerabilities that were identified by our Risk management Team after TS6.5 SP2 installation,
1. The remote web server appears to be running a version of Apache that is older than version 1.3.32.
This version is vulnerable to a heap based buffer overflow in proxy_util.c for mod_proxy. This issue may lead remote attackers to cause a denial of service and possibly execute arbitrary code on the server.
Solution: Don't use mod_proxy or upgrade to a newer version.
Risk factor: Medium
CVE : CAN-2004-0492
BID : 10508
Nessus ID : 15555
2. The remote web server appears to be running a version of Apache that is older than version 1.3.33.
This version is vulnerable to a local buffer overflow in the get_tag() function of the module 'mod_include' when a specially crafted document with malformed server-side includes is requested though an HTTP session.
Successful exploitation can lead to execution of arbitrary code with escalated privileges, but requires that server-side includes (SSI) is enabled.
Solution: Disable SSI or upgrade to a newer version when available.
Risk factor: Medium
CVE : CAN-2004-0940
BID : 11471
Nessus ID : 15554
3. The remote host appears to be running Apache 1.3.33 or older.
There is a local buffer overflow in the 'htpasswd' command in these versions that may allow a local user to gain elevated privileges if 'htpasswd' is run setuid or a remote user to run arbitrary commands remotely if the script is accessible through a CGI.
*** Note that Nessus solely relied on the version number
*** of the remote server to issue this warning. This might
*** be a false positive
See also :
http://archives.neohapsis.com/archives/bugtraq/2004-10/0345.html
Solution : Make sure htpasswd does not run setuid and is not accessible through any CGI scripts.
Risk factor : Medium
BID : 13777, 13778
Nessus ID : 14771
I agree it doesn't serve as the "public webserver". But I just want to make sure, looking at the issues & then considering how TeamSite is used, if there is need of any action or I can just ignore them. Or do you suggest any kind of upgrade here or any comments?
Darcy: I was just wondering if you guys decided anything.
Thanks
Anand
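Added example, not part of the thread or of any Interwoven tooling: each of the three findings above names a precondition (mod_proxy in use, SSI enabled, htpasswd setuid or reachable through CGI), and this script checks those preconditions against a local Apache 1.3 configuration. The function names, the sample configuration and both paths are assumptions supplied for illustration.

```shell
# Added example: checks whether each Nessus finding's precondition holds locally.
# Both paths are caller-supplied; neither is a TeamSite-specific location.

# Active directives only: leading whitespace stripped, comments and blanks dropped.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

# CAN-2004-0492 needs mod_proxy. A statically linked module has no LoadModule
# line, so also check the output of `httpd -l` on the real host.
proxy_loaded() {
    active_lines "$1" | grep -Eiq \
        '^(LoadModule[[:space:]]+proxy_module|AddModule[[:space:]]+mod_proxy\.c)'
}

# CAN-2004-0940 needs SSI enabled: Options Includes (not "-Includes"),
# a server-parsed handler, or XBitHack.
ssi_enabled() {
    active_lines "$1" | grep -Eiq \
        '^(Options[[:space:]](.*[[:space:]])?[+]?Includes(NOEXEC)?([[:space:]]|$)|AddHandler[[:space:]]+server-parsed|XBitHack[[:space:]]+(on|full))'
}

# htpasswd finding: binary is setuid, or a copy sits in a ScriptAlias directory.
# Assumes ScriptAlias paths contain no spaces.
htpasswd_exposed() {
    [ -u "$2" ] && return 0
    active_lines "$1" |
        awk 'tolower($1) == "scriptalias" { gsub(/"/, "", $3); print $3 }' |
        while read -r dir; do
            [ -e "${dir%/}/htpasswd" ] && echo "$dir"
        done | grep -q .
}

triage() {   # $1 = httpd.conf, $2 = htpasswd binary
    proxy_loaded "$1" && echo "CAN-2004-0492: mod_proxy loaded, finding applies"
    ssi_enabled "$1" && echo "CAN-2004-0940: SSI enabled, finding applies"
    htpasswd_exposed "$1" "$2" && echo "htpasswd: setuid or in a CGI directory, finding applies"
    return 0
}

# Constructed sample config, not TeamSite's shipped httpd.conf.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
#LoadModule proxy_module libexec/libproxy.so
LoadModule includes_module libexec/mod_include.so
Options Indexes +Includes
EOF
triage "$demo_conf" /nonexistent/htpasswd; rm -f "$demo_conf"
```

A finding that does not print is not proof of absence: the Nessus results were issued from the version banner alone, and a statically compiled module will not show up in the configuration file.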
skip11
Hi,
"Sometimes there are security issues found that do not apply to TeamSite because it is not an
application that sits outside the firewall serving as a public webserver."
And that is a justification for allowing a security issue - not having public (internet ?) access ?
In large organizations, many threats can be identified as originating from network zones
within the corporation's intranet. Even if the system is firewalled, there is usually some
vulnerability with regard to access (open admin ports, console, trust in employees who
have physical or remote access). As long as access is even the slightest bit vulnerable,
then the security of applications cannot be said to be foolproof. Patching all security issues with
webservers, regardless of relevance to the role they play in the application, will decrease
the threat level from any kind of attack.
R.Barger
Credit Suisse Group
Zurich, Switzerland
smenon
Agreed.. I was only trying to state that we look at the security vulnerability and determine if this is something that is relevant for TeamSite's usage. If it is found to be a serious issue, we will definitely upgrade our Apache version to adopt a version that includes the fix for that issue. Sometimes, when we determine the threat to be of low risk, we might defer the Apache upgrade until the next release/service pack of TeamSite (instead of releasing a patch).
--Sunil Menon
Sr. Product Manager
Interwoven, Inc.
IWguy
Hi Anand,
Nothing has been decided yet - we are still evaluating this as we have some clients who share the views of others on this thread. I assume that it is the client base that determines what is low, medium or high risk. Do clients have to report their risk levels to Interwoven in order to have a patch implemented in a service pack or a release?
It appears that the onus is currently on the client to bring vulnerabilities to be patched.
How does the client determine which vulnerabilities are applicable to the version of Apache that has been prepackaged in Teamsite?
Does a process currently exist where Interwoven provides a report to their clients that informs them that "vulnerability X does not apply to this version of Apache, vulnerability Y does", etc.?
Thanks,
Darcy
Migrateduser
Sunil,
Do you suggest opening a case with the support team to have this worked out, or to have an official statement on the issue so as to add it as an upgrade in the next release/service pack of TeamSite? Has anybody opened a case with support on this?
Thanks
Anand
Edited by sacrh on 11/04/05 11:12 AM (server time).
rpollock
Any movement on this or an official response from Interwoven? I find the logic of "if it doesn't affect us, we can ignore it for a while" a little concerning.
Any information would be beneficial sooner rather than later.