Apache Vulnerabilities CVE-2020-1934
Article ID: 194985
Updated On:
Products
Issue/Introduction
A vulnerability was flagged on a Siteminder Access Gateway host indicating that it was vulnerable to "CVE-2020-1934".
low: mod_proxy_ftp use of uninitialized value (CVE-2020-1934)
Apache HTTP Server versions 2.4.0 to 2.4.41
mod_proxy_ftp use of uninitialized value with malicious FTP backend.
Acknowledgements: The issue was discovered by Chamal De Silva
| Reported to security team | 3rd January 2020 |
| Issue public | 1st April 2020 |
| Update Released | 1st April 2020 |
| Affects | 2.4.41, 2.4.40, 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0 |
Environment
Release : 12.8.x
Component : SITEMINDER Access Gateway
Resolution
The Access Gateway installer installs the following HTTP modules that are required for running Access Gateway:
Default Location: <access gateway_installation_path>/httpd/modules
mod_alias.so
mod_authz_core.so
mod_jk.so
mod_log_config.so
mod_mime.so
mod_setenvif.so
mod_slotmem_shm.so
(SSL) mod_socache_shmcb.so
(SSL) mod_ssl.so
(UNIX) mod_env.so
(UNIX) mod_unixd.so
The following modules are loaded when Access Gateway runs but they are not needed for it to function:
mod_negotiation
mod_dir
mod_cgi
mod_authz_host
mod_authn_core
###### PROPOSED RESOLUTION ######
'mod_proxy_ftp' is not loaded by default, and therefore cannot be used. However, since it is not used by Siteminder Access Gateway, it can therefore be removed from the file system completely to prevent it from being flagged by security audits.
Additional Information
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/administrating/review-embedded-servers-for-vulnerabilities.html
https://httpd.apache.org/security/vulnerabilities_24.html
Feedback
