vulnerability on Server: Apache/2.4.4 (Unix) mod_jk/1.2.37

Article ID: 142297

Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction

We're running a vulnerability scan (Nessus) against the CA Access
Gateway (SPS) and it has reported the following vulnerabilities:

  CVE-2019-9517  mod_http2
  CVE-2019-10081 mod_http2
  CVE-2019-10082 mod_http2
  CVE-2019-10092 mod_proxy
  CVE-2019-10097 mod_remoteip
  CVE-2019-10098 mod_rewrite

  Apache HTTP Server 2.4 vulnerabilities
  https://httpd.apache.org/security/vulnerabilities_24.html

Plugin Output:

  Source            : Server: Apache/2.4.4 (Unix) mod_jk/1.2.37
  Installed version : 2.4.4
  Fixed version     : 2.4.41

The Nessus report also states:

   Note that Nessus has not tested for this issue but has instead
   relied only on the application's self-reported version number.

How can we fix it?

Environment

Release : 12.6

Component : SITEMINDER - WEB AGENT FOR APACHE

Resolution

Nessus has reported the following vulnerabilities; the Apache module
affected by each one is listed next to it.

  CVE-2019-9517  mod_http2
  CVE-2019-10081 mod_http2
  CVE-2019-10082 mod_http2
  CVE-2019-10092 mod_proxy
  CVE-2019-10097 mod_remoteip
  CVE-2019-10098 mod_rewrite

The list of modules loaded in the SPS Apache shows that none of those
modules is in use:

[[email protected] bin]# ./apachectl -M

Loaded Modules:

  core_module (static)
  so_module (static)
  http_module (static)
  mpm_worker_module (static)
  env_module (shared)
  log_config_module (shared)
  setenvif_module (shared)
  mime_module (shared)
  negotiation_module (shared)
  dir_module (shared)
  jk_module (shared)
  cgi_module (shared)
  alias_module (shared)
  authz_host_module (shared)
  authn_core_module (shared)
  authz_core_module (shared)
  unixd_module (shared)
  slotmem_shm_module (shared)

That said, the SPS you run is not vulnerable to these CVEs: Nessus raised
the finding from the self-reported version banner alone, and the affected
modules are not loaded. An upgrade is needed only to move to a supported
version.
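The check above, automated as an added example (not code from the article or from the SiteMinder product): it maps each reported CVE to its Apache module and tests that module against the `apachectl -M` output. The module list embedded below is a constructed, abridged copy of the one quoted above; `check_live_server` runs the same test against a live server.

```shell
# Added example, not from the KB article or the SiteMinder product: cross-check
# Nessus banner-based Apache findings against the modules httpd actually loads.
# A CVE in a module that is not loaded cannot be reached; the banner finding
# itself only disappears once the server is upgraded.

# CVE -> module, as listed in the article, in the names `apachectl -M` prints
# (mod_http2 -> http2_module, mod_proxy -> proxy_module, and so on).
CVE_MODULES='CVE-2019-9517 http2_module
CVE-2019-10081 http2_module
CVE-2019-10082 http2_module
CVE-2019-10092 proxy_module
CVE-2019-10097 remoteip_module
CVE-2019-10098 rewrite_module'

# Constructed sample, abridged from the `apachectl -M` output in the article.
SAMPLE_LOADED='Loaded Modules:
  core_module (static)
  mpm_worker_module (static)
  setenvif_module (shared)
  dir_module (shared)
  jk_module (shared)
  alias_module (shared)
  authz_core_module (shared)
  unixd_module (shared)'

# module_loaded LOADED_OUTPUT MODULE: succeeds if MODULE is listed, static or
# shared (the module name is the first field of each line).
module_loaded() {
  printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# applicable_cves LOADED_OUTPUT: prints "CVE (module)" for every finding whose
# module is loaded; prints nothing when no finding applies.
applicable_cves() {
  printf '%s\n' "$CVE_MODULES" | while read -r cve module; do
    if module_loaded "$1" "$module"; then
      printf '%s (%s)\n' "$cve" "$module"
    fi
  done
}

# check_live_server [APACHECTL]: the same check against the running server,
# e.g. check_live_server ./apachectl from the SPS httpd bin directory.
check_live_server() {
  applicable_cves "$("${1:-apachectl}" -M 2>/dev/null)"
}

applicable_cves "$SAMPLE_LOADED"   # prints nothing: none of the six modules is loaded
```

A finding that still appears after this check means the module is loaded and the only remediation is the upgrade Nessus recommends.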