Apache HTTP Server versions 2.4.0 to 2.4.41
mod_proxy_ftp use of uninitialized value with malicious FTP backend.
Acknowledgements: The issue was discovered by Chamal De Silva
Reported to security team: 3rd January 2020
Issue public: 1st April 2020
Update Released: 1st April 2020
Affects: 2.4.41, 2.4.40, 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0
Release : 12.8.x
Component : SITEMINDER Access Gateway
The Access Gateway installer installs the following HTTP modules that are required for running Access Gateway:
Default Location: <access gateway_installation_path>/httpd/modules
The following modules are loaded when Access Gateway runs but they are not needed for it to function:
###### PROPOSED RESOLUTION ######
'mod_proxy_ftp' is not loaded by default and therefore cannot be used. Because Siteminder Access Gateway does not use it, it can be removed from the file system completely to prevent it from being flagged by security audits.
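One way to confirm both conditions before and after removal is sketched below. This is an added example, not part of the original article or the vendor's tooling. It assumes that the module file is named `mod_proxy_ftp.so`, that the Apache configuration lives under `<access gateway_installation_path>/httpd/conf`, and that the module is loaded under the standard identifier `proxy_ftp_module`. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an Access Gateway tree for mod_proxy_ftp.
# Assumptions (not stated on the page): config directory is <root>/httpd/conf
# and the module file name starts with mod_proxy_ftp.

# Print active (uncommented) LoadModule directives for proxy_ftp_module.
# Apache directive names are case-insensitive, hence -i.
proxy_ftp_loaded_lines() {
    conf_dir="$1/httpd/conf"
    [ -d "$conf_dir" ] || return 0
    grep -rinE '^[[:space:]]*LoadModule[[:space:]]+proxy_ftp_module([[:space:]]|$)' \
        "$conf_dir" 2>/dev/null || true
}

# Print any mod_proxy_ftp module files still present on disk.
proxy_ftp_files() {
    mod_dir="$1/httpd/modules"
    [ -d "$mod_dir" ] || return 0
    find "$mod_dir" -type f -name 'mod_proxy_ftp*'
}

# Summarise the state of the install rooted at $1:
#   loaded             - an active LoadModule line exists (module is usable)
#   present-not-loaded - file exists but nothing loads it (audit finding only)
#   absent             - no file and no active directive
audit_proxy_ftp() {
    root="$1"
    if [ -n "$(proxy_ftp_loaded_lines "$root")" ]; then
        echo "loaded"
    elif [ -n "$(proxy_ftp_files "$root")" ]; then
        echo "present-not-loaded"
    else
        echo "absent"
    fi
}

# Run as: sh audit.sh <access gateway_installation_path>
if [ "$#" -gt 0 ]; then
    audit_proxy_ftp "$1"
    proxy_ftp_loaded_lines "$1"
    proxy_ftp_files "$1"
fi
```

The script only inspects files under the assumed config directory, so configuration pulled in from elsewhere with `Include` is not covered; `httpd -M` run against the same configuration lists the modules that are actually loaded.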