Apache HTTP Server versions 2.4.0 to 2.4.41
mod_proxy_ftp use of uninitialized value with malicious FTP backend.
Acknowledgements: The issue was discovered by Chamal De Silva
Reported to security team | 3rd January 2020
Issue public | 1st April 2020
Update Released | 1st April 2020
Affects | 2.4.41, 2.4.40, 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0
Release : 12.8.x
Component : SITEMINDER Access Gateway
The Access Gateway installer installs the following HTTP modules that are required for running Access Gateway:
Default Location: <access gateway_installation_path>/httpd/modules
mod_alias.so
mod_authz_core.so
mod_jk.so
mod_log_config.so
mod_mime.so
mod_setenvif.so
mod_slotmem_shm.so
(SSL) mod_socache_shmcb.so
(SSL) mod_ssl.so
(UNIX) mod_env.so
(UNIX) mod_unixd.so
The following modules are loaded when Access Gateway runs, but they are not needed for it to function:
mod_negotiation
mod_dir
mod_cgi
mod_authz_host
mod_authn_core
###### PROPOSED RESOLUTION ######
'mod_proxy_ftp' is not loaded by default, so it cannot be used through Access Gateway. Because Siteminder Access Gateway does not use it, the module can be removed from the file system completely to prevent it from being flagged by security audits.
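As an added illustration of the resolution above (not Broadcom's own tooling): a POSIX shell helper that confirms the httpd configuration contains no LoadModule for proxy_ftp_module, optionally confirms the running binary does not report it, and then moves mod_proxy_ftp.so out of the modules directory into a backup location so it can be restored if needed. The modules directory, configuration path, backup directory and httpd binary location are assumptions passed in as arguments.

```shell
#!/bin/sh
# Constructed helper for quarantining the unused mod_proxy_ftp module from an
# Access Gateway httpd installation. All paths are supplied by the caller;
# typical values would be <access gateway_installation_path>/httpd/modules
# and <access gateway_installation_path>/httpd/conf (placeholders).

# Return 0 if any LoadModule line in the config file/directory loads proxy_ftp_module.
proxy_ftp_loaded_in_config() {
    grep -rEq '^[[:space:]]*LoadModule[[:space:]]+proxy_ftp_module' "$1"
}

# Return 0 if the running httpd binary reports proxy_ftp_module as loaded.
# "$1" is the httpd binary; "httpd -M" lists compiled-in and loaded modules.
proxy_ftp_loaded_at_runtime() {
    "$1" -M 2>/dev/null | grep -q 'proxy_ftp_module'
}

# Return 0 if the shared object is still present in the modules directory.
proxy_ftp_on_disk() {
    [ -f "$1/mod_proxy_ftp.so" ]
}

# Move mod_proxy_ftp.so into a dated backup so audits stop flagging it while
# the file remains restorable. Refuses (exit 2) if the config still loads it,
# because removing a loaded module would break httpd startup.
quarantine_proxy_ftp() {
    modules_dir="$1"; conf="$2"; backup_dir="$3"
    if proxy_ftp_loaded_in_config "$conf"; then
        echo "refusing: $conf still has a LoadModule for proxy_ftp_module" >&2
        return 2
    fi
    if ! proxy_ftp_on_disk "$modules_dir"; then
        echo "nothing to do: mod_proxy_ftp.so not present in $modules_dir"
        return 0
    fi
    mkdir -p "$backup_dir" || return 1
    mv "$modules_dir/mod_proxy_ftp.so" \
       "$backup_dir/mod_proxy_ftp.so.$(date +%Y%m%d)" || return 1
    echo "moved mod_proxy_ftp.so from $modules_dir to $backup_dir"
}

# Usage (paths are placeholders):
#   quarantine_proxy_ftp /path/to/httpd/modules /path/to/httpd/conf /path/to/backup
```

Run the runtime check only on a host where httpd can parse its configuration, since `httpd -M` loads the config to enumerate modules.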
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/administrating/review-embedded-servers-for-vulnerabilities.html
https://httpd.apache.org/security/vulnerabilities_24.html