Oracle has released a security advisory and patches to address the Apache HTTP Server mod_rewrite log file manipulation vulnerability.
A vulnerability in the do_rewritelog() function of Apache HTTP Server could allow an unauthenticated, remote attacker to gain access to sensitive information.
The vulnerability is due to improper handling of certain escape sequences by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted device. Processing the crafted request could allow certain escape sequences to be written to the log file. If an attacker views these sequences in the log file with a terminal emulator, the attacker could execute arbitrary commands on the targeted system.
Apache has confirmed this vulnerability and released updated software.
The following products are vulnerable:
Apache HTTP Server version 2.2.24 and prior
Apache HTTP Server versions prior to 2.0.65
To exploit the vulnerability, the attacker must submit crafted HTTP requests to the system. In a typical network configuration, the attacker would likely need access to trusted, internal networks to submit crafted requests to the targeted system. This access requirement could reduce the likelihood of a successful exploit.
According to the vendor, the updated Apache HTTP Server version 2.0.65 will be released in September 2013.
An unauthenticated, remote attacker could exploit this vulnerability to have attacker-controlled escape sequences written to log files on a targeted system. If those log entries are later viewed in a terminal emulator, the attacker could execute arbitrary commands on the targeted system, which could be leveraged to conduct further attacks.
The vulnerability is due to improper handling of certain escape sequences by the do_rewritelog() function of the affected software when writing to the log file.
An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted device. Processing the crafted request could allow certain escape sequences to be written to the log file. If an attacker views these sequences in the log file with a terminal emulator, the attacker could gain the ability to execute arbitrary commands on the targeted system.
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators are advised to monitor affected systems.
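The technical description above explains the failure mode: request data reaches the rewrite log unescaped, so a terminal emulator that later displays the log interprets embedded control bytes as commands. The following script is an added example, not part of this alert or of the Apache project, illustrating the "monitor affected systems" safeguard: it scans log lines for terminal escape sequences (CSI, OSC and two-byte ESC sequences) and stray control characters, reports where they occur, and produces a sanitized copy in which every control byte is spelled out as \xHH so it prints harmlessly. The sample log lines are constructed for the example and only loosely follow the RewriteLog layout; the regular expressions and function names are the example's own.

```python
import re

# Bytes a terminal emulator acts on: C0 control characters other than TAB,
# plus DEL. CR and LF are included because they also let an attacker forge
# an extra log line.
CONTROL_CHAR_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

# Well-formed escape sequences, matched before stray control characters so a
# complete sequence is reported as one finding:
#   CSI: ESC [ parameters intermediates final-byte   (cursor, colour, erase ...)
#   OSC: ESC ] ... terminated by BEL or ESC \        (window title and similar)
#   Fe : ESC followed by one byte in 0x40-0x5f (other than '[')
ESCAPE_SEQ_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-Z\\-_]"
)


def find_escape_sequences(line):
    """Return every escape sequence or stray control character found in one log line."""
    findings = []
    pos = 0
    while pos < len(line):
        match = ESCAPE_SEQ_RE.match(line, pos)
        if match:
            findings.append(match.group(0))
            pos = match.end()
            continue
        if CONTROL_CHAR_RE.match(line, pos):
            findings.append(line[pos])
        pos += 1
    return findings


def sanitize_log_line(line):
    """Replace each control byte with its \\xHH spelling so the line can be viewed
    safely in a terminal; TAB is left alone to keep the log readable."""
    return CONTROL_CHAR_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), line)


def scan_log(lines):
    """Return (1-based line number, findings) for every line that carries
    escape sequences or control characters. A trailing newline is not a finding."""
    report = []
    for number, raw in enumerate(lines, start=1):
        line = raw[:-1] if raw.endswith("\n") else raw
        findings = find_escape_sequences(line)
        if findings:
            report.append((number, findings))
    return report


# Constructed sample: one clean line, one line carrying colour sequences,
# one line carrying a window-title (OSC) sequence.
SAMPLE_LOG_LINES = [
    "192.0.2.10 - - [01/Sep/2013:10:00:00 +0000] [www.example.com/sid#7f](1) "
    "init rewrite engine with requested uri /index.html",
    "192.0.2.10 - - [01/Sep/2013:10:00:01 +0000] [www.example.com/sid#7f](2) "
    "rewrite '/\x1b[31mred\x1b[0m' -> '/not-found'",
    "192.0.2.10 - - [01/Sep/2013:10:00:02 +0000] [www.example.com/sid#7f](2) "
    "rewrite '/\x1b]0;new-title\x07' -> '/not-found'",
]

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG_LINES):
        print("line %d: %d suspicious sequence(s): %r" % (number, len(findings), findings))
    for raw in SAMPLE_LOG_LINES:
        print(sanitize_log_line(raw))
```

Run against a real rewrite log with `scan_log(open(path, encoding="latin-1"))`; any hit on an unpatched server is worth treating as an attempt to exploit this issue, and the sanitized form is the one to open in a terminal or paste into a ticket. Reviewing logs with a pager that shows control characters (for example `less` without the raw-control-chars option) gives the same protection when no tooling is available.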
Apache.org has released updated software at the following links:
The security vulnerability applies to the following combinations of products.
Apache Software Foundation
Apache HTTP Server
2.0 Base | 2.0.28 Base | 2.0.29 Base | 2.0.30 Base | 2.0.31 Base | 2.0.32 Base | 2.0.33 Base | 2.0.34 Base | 2.0.35 Base | 2.0.36 Base | 2.0.37 Base | 2.0.38 Base | 2.0.39 Base | 2.0.40 Base | 2.0.41 Base | 2.0.42 Base | 2.0.43 Base | 2.0.44 Base | 2.0.45 Base | 2.0.46 Base | 2.0.47 Base | 2.0.48 Base | 2.0.49 Base | 2.0.50 Base | 2.0.51 Base | 2.0.52 Base | 2.0.53 Base | 2.0.54 Base | 2.0.55 Base | 2.0.56 Base | 2.0.57 Base | 2.0.58 Base | 2.0.59 Base | 2.0.61 Base | 2.0.63 Base | 2.0.64 Base | 2.2.20 Base | 2.2.21 Base | 2.2.22 Base | 2.2.23 Base | 2.2.24 Base
6.3 Base | 6.4 Base | 7.0 Base | 7.1 Base | 7.2 Base | 7.3 Base | 7.4 Base | 8.0 Base | 8.1 Base | 8.2 Base | 8.3 Base | 9.0 Base | 9.1 Base
11.23 Base | 11.31 Base
Professional 5.0 | Mobilinux 5.0 | CGE 5.1
Red Hat, Inc.
JBoss Enterprise Application Platform
6 EL5 IA-32, x86_64 | 6 EL6 IA-32, x86_64
Red Hat, Inc.
JBoss Enterprise Web Server
EL5 IA-32, x86_64 | EL6 IA-32, x86_64
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.