Security Advisories

September 13, 2011 - Director multiple Apache vulnerabilities

Security Advisories ID:    SA61
Version:    3.0
Status:    Published
Published date:    09/08/2011
Updated:    01/17/2012
 

Advisory Status

Interim

Advisory Severity

High, CVSS v2 base score: 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C)

CVE Number

CVE-2010-1623 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2010-1452 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2010-0434 - CVSS base score: 2.9 (AV:A/AC:M/Au:N/C:P/I:N/A:N)
CVE-2010-0425 - CVSS base score: 8.3 (AV:A/AC:L/Au:N/C:P/I:C/A:C)
CVE-2009-3720 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2009-3560 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2009-3555 - CVSS base score: 4.3 (AV:A/AC:M/Au:N/C:N/I:P/A:P)
CVE-2009-3095 - CVSS base score: 5.8 (AV:A/AC:L/Au:N/C:P/I:P/A:P)
CVE-2009-3094 - CVSS base score: 1.8 (AV:A/AC:H/Au:N/C:N/I:N/A:P)
CVE-2009-2412 - CVSS base score: 8.3 (AV:A/AC:L/Au:N/C:P/I:C/A:C)
CVE-2009-1891 - CVSS base score: 5.7 (AV:A/AC:M/Au:N/C:N/I:N/A:C)
CVE-2008-2939 - CVSS base score: 2.9 (AV:A/AC:M/Au:N/C:N/I:P/A:N)
CVE-2008-2364 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)

Summary

Director uses a version of Apache httpd that has several publicly documented vulnerabilities. The most severe vulnerability allows an attacker to gain complete control over a Director installation.

Affected Products

All versions of Director prior to 5.5.2.3 are vulnerable.

Details

Director 5.4 and 5.5.1.1 use Apache httpd version 2.0.63. This version of Apache httpd has several publicly documented vulnerabilities.

The most severe vulnerability allows an attacker to gain complete control over a Director installation. The attacker can view and modify configuration data as well as data sent to and from Director. An attacker can also render Director completely unresponsive, blocking both administrative control and data transmission.

When Director is deployed behind a firewall, as is recommended, an attacker must first gain access to the internal network in order to mount an attack. The CVSS base scores in this advisory assume this deployment scenario, so every vector is scored with an Adjacent Network access vector (AV:A).

If Director is reachable from outside the firewall, the access vector becomes Network (AV:N) and the CVSS base score of every CVE listed rises accordingly. The CVSS base score for this security advisory as a whole would then be 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).

Director 5.5.2.3 contains an upgrade to Apache httpd version 2.0.64 fixing the CVEs documented in this security advisory.

Workarounds

Blue Coat recommends that Director be deployed behind a firewall. Additionally restricting which source IP addresses may connect to Director (for example, to the management network only) greatly limits an attacker's ability to reach a Director installation at all.

Patches

Director 5.5 - an interim fix is available in release 5.5.2.3. The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/patch/90138905913689859042842687478968.

Director 5.4 and earlier - upgrade to 5.5.2.3 or a later release.

Advisory History

2012-01-17 Adjusted formatting problems
2011-09-13 Initial public release
