Apache Vulnerabilities CVE-2020-1934

Article ID: 194985

Products

CA Single Sign On Secure Proxy Server (SiteMinder) SITEMINDER

Issue/Introduction

A vulnerability was flagged on a Siteminder Access Gateway host indicating that it was vulnerable to "CVE-2020-1934".

low: mod_proxy_ftp use of uninitialized value (CVE-2020-1934)

Apache HTTP Server versions 2.4.0 to 2.4.41
mod_proxy_ftp use of uninitialized value with malicious FTP backend.

Acknowledgements: The issue was discovered by Chamal De Silva

Reported to security team 3rd January 2020
Issue public 1st April 2020
Update Released 1st April 2020
Affects 2.4.41, 2.4.40, 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0


Environment

Release : 12.8.x

Component : SITEMINDER Access Gateway

Resolution

The Access Gateway installer installs the following HTTP modules that are required for running Access Gateway:

Default Location: <access gateway_installation_path>/httpd/modules

mod_alias.so
mod_authz_core.so
mod_jk.so
mod_log_config.so
mod_mime.so
mod_setenvif.so
mod_slotmem_shm.so
(SSL) mod_socache_shmcb.so
(SSL) mod_ssl.so
(UNIX) mod_env.so
(UNIX) mod_unixd.so

The following modules are loaded when Access Gateway runs but they are not needed for it to function:

mod_negotiation
mod_dir
mod_cgi
mod_authz_host
mod_authn_core


###### PROPOSED RESOLUTION ######

'mod_proxy_ftp' is not loaded by the Access Gateway httpd configuration, so the affected code cannot be reached. Because Siteminder Access Gateway does not use this module, the mod_proxy_ftp.so file can be removed from the file system entirely so that it is no longer flagged by security audits.
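The following script is an added example for UNIX Access Gateway hosts, not part of this article or the product; it checks whether mod_proxy_ftp is actually loaded by httpd.conf, whether mod_proxy_ftp.so is still on disk under the default modules location named above, and deletes the file only when it is unused. The AG_HOME install path is an assumed placeholder.

```bash
#!/bin/sh
# Added example (not from the Broadcom article): audit an Access Gateway httpd
# tree for mod_proxy_ftp. Assumes the embedded Apache layout
# <AG_HOME>/httpd/conf/httpd.conf and <AG_HOME>/httpd/modules; adjust AG_HOME.

# Exit 0 if an uncommented LoadModule line loads proxy_ftp_module, 1 otherwise.
# A commented-out line ("# LoadModule ...") does not count as a load.
proxy_ftp_loaded() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+proxy_ftp_module[[:space:]]' "$1"
}

# Exit 0 if the shared object is still present in the modules directory.
proxy_ftp_on_disk() {
    [ -f "$1/mod_proxy_ftp.so" ]
}

# Verdict on one host: exit 2 = loaded (real exposure), 1 = file present but
# unused (scanner noise), 0 = clean. Arguments: httpd.conf path, modules dir.
audit_proxy_ftp() {
    conf="$1"; mods="$2"
    if proxy_ftp_loaded "$conf"; then
        echo "LOADED: $conf loads mod_proxy_ftp; comment out the LoadModule line and restart"
        return 2
    elif proxy_ftp_on_disk "$mods"; then
        echo "PRESENT: $mods/mod_proxy_ftp.so exists but is not loaded; remove it"
        return 1
    fi
    echo "CLEAN: mod_proxy_ftp is neither loaded nor on disk"
    return 0
}

# The article's proposed resolution: delete the unused .so. Refuses when the
# module is actually loaded so a running configuration is never broken.
remove_proxy_ftp() {
    conf="$1"; mods="$2"
    if proxy_ftp_loaded "$conf"; then
        echo "refusing to delete: mod_proxy_ftp is loaded by $conf" >&2
        return 1
    fi
    rm -f "$mods/mod_proxy_ftp.so"
}

# Placeholder install path (assumption); run with --run to audit a live host.
AG_HOME="${AG_HOME:-/path/to/access-gateway}"
if [ "${1:-}" = "--run" ]; then
    audit_proxy_ftp "$AG_HOME/httpd/conf/httpd.conf" "$AG_HOME/httpd/modules"
fi
```

The load check reads only the one httpd.conf you pass; if your configuration pulls in extra files via Include, run proxy_ftp_loaded against those too.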

Additional Information

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/administrating/review-embedded-servers-for-vulnerabilities.html

https://httpd.apache.org/security/vulnerabilities_24.html