PCI Security failure Apache 2.2.14

Bug #827662 reported by David Hollinger on 2011-08-16
Affects: apache2 (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

We're running Ubuntu 10.04.3 as a server for our monitoring system and it's open to the outside so we can check the status from anywhere using our mobile devices. However, we are bringing our systems up to be PCI Compliant and the server fails PCI Security tests every time due to vulnerabilities in Apache versions 2.2.18 and below. Currently, Lucid Server only has Apache 2.2.14 in the repos. Since Lucid is LTS, I would expect at some point this would be updated to Apache 2.2.19 since it contains the necessary security updates to bring Apache up to PCI Standards.

Here's a copy of what was reported to us:

Description: vulnerable
Apache version: 2.2.14 12.27.211.133
Aug 16 14:24:06 2011 new

Severity: Critical Problem CVE: CVE-2010-0425 CVE-2010-0434 CVE-2010-1452 CVE-2010-1623 CVE-2010-2068 CVE-2011-0419 CVE-2011-1928 10.010new11

Impact: A remote attacker could crash the web server or execute arbitrary commands.

Background: Apache is a web server which runs on Unix, Linux, Mac OS and Windows systems. Apache web servers support chunked encoding, which is part of the HTTP protocol specification. Chunked encoding is used by a web client to send data to the server in parts, or chunks. After a chunk is received, the server indicates that it is ready to receive the next chunk, until all of the data has been received.

Resolution [http://httpd.apache.org/download.cgi] Upgrade Apache 1.x to version 1.3.41-dev or higher, 2.0.x to version 2.0.64-dev or higher when available, or a version higher than 2.2.18.
Vulnerability Details: Service: http Received: Server: Apache/2.2.14 (Ubuntu)

Marc Deslauriers (mdeslaur) wrote :

Your PCI scanning software is broken: it is scanning for software version numbers instead of looking at specific package versions.
See: https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions

For the specific CVE numbers you've mentioned:
CVE-2010-0425 is a Windows-specific vulnerability, it doesn't apply to Ubuntu
CVE-2010-0434 is fixed already, see http://www.ubuntu.com/usn/usn-908-1/
CVE-2010-1452 is fixed already, see http://www.ubuntu.com/usn/usn-1021-1/
CVE-2010-1623 is fixed already, see http://www.ubuntu.com/usn/usn-1021-1/
CVE-2010-2068 is a Windows-specific vulnerability, it doesn't apply to Ubuntu
CVE-2011-0419 is fixed already, see http://www.ubuntu.com/usn/usn-1134-1/
CVE-2011-1928 is fixed already, see http://www.ubuntu.com/usn/usn-1134-1/

visibility: private → public
Changed in apache2 (Ubuntu):
status: New → Invalid
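The point Marc makes above is that a fix backported into the 2.2.14 package does not change the upstream number in the Server: banner, so a banner-only scanner reports a patched host as vulnerable. The added example below (not code from the bug thread, Launchpad or Ubuntu) shows the difference: a naive banner check beside a package-version check that uses dpkg's version ordering. The USN fix version in FIX_VERSIONS is a constructed placeholder, not the value published in the real USN.

```python
import re

# Constructed placeholder: look up the real "fixed in" package version in the
# USN itself (e.g. http://www.ubuntu.com/usn/usn-1134-1/), this is NOT it.
FIX_VERSIONS = {"USN-1134-1": "2.2.14-5ubuntu8.4"}

def _order(c):
    # dpkg character weights: '~' < end-of-string < letters < other symbols
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Alternate non-digit and digit runs, like dpkg's verrevcmp()
    while a or b:
        ra, rb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for i in range(max(len(ra), len(rb))):
            oa = _order(ra[i] if i < len(ra) else "")
            ob = _order(rb[i] if i < len(rb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(ra):], b[len(rb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def split_version(v):
    # [epoch:]upstream[-revision]; epoch defaults to 0, revision to empty
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return epoch, upstream, rev

def dpkg_compare(a, b):
    # Returns -1, 0 or 1, the same ordering as `dpkg --compare-versions`
    for x, y in zip(split_version(a), split_version(b)):
        r = _cmp_fragment(x, y)
        if r:
            return r
    return 0

def banner_says_vulnerable(server_header, fixed_upstream="2.2.19"):
    # What the PCI scanner did: read the banner and compare upstream only
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", server_header)
    return bool(m) and dpkg_compare(m.group(1), fixed_upstream) < 0

def package_is_vulnerable(installed, usn="USN-1134-1"):
    # What it should do: compare the installed package version to the USN fix
    return dpkg_compare(installed, FIX_VERSIONS[usn]) < 0
```

On the host itself the installed version comes from `dpkg -s apache2.2-common` (Version: field) or `apt-cache policy apache2`, and the scanner's "2.2.14 < 2.2.19" verdict says nothing about whether that package version is past the USN fix.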

Thanks,

I'll use the information and request an exemption from the company scanning our systems.

David Hollinger III
IT Infrastructure Coordinator
Handwriting Without Tears
(301)263-2700 ext 285
(402)430-3127

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0425
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0434
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1452
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1623
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2068
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-0419
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1928
