Apache Vulnerability CVE-2020-1927

Article ID: 194988

Products

CA Single Sign On Secure Proxy Server (SiteMinder) SITEMINDER

Issue/Introduction

A vulnerability was flagged on a Siteminder Access Gateway host indicating that it was vulnerable to "CVE-2020-1927".

low: mod_rewrite CWE-601 open redirect (CVE-2020-1927)

Apache HTTP Server versions 2.4.0 to 2.4.41
Some mod_rewrite configurations vulnerable to open redirect.

Acknowledgements: The issue was discovered by Fabrice Perez

Reported to security team 5th December 2019
Issue public 1st April 2020
Update Released 1st April 2020
Affects 2.4.41, 2.4.40, 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0

Environment

Release : 12.8.x

Component : SITEMINDER Access Gateway

Resolution

The Access Gateway installer installs the following HTTP modules that are required for running Access Gateway:

Default Location: <access gateway_installation_path>/httpd/modules

mod_alias.so
mod_authz_core.so
mod_jk.so
mod_log_config.so
mod_mime.so
mod_setenvif.so
mod_slotmem_shm.so
(SSL) mod_socache_shmcb.so
(SSL) mod_ssl.so
(UNIX) mod_env.so
(UNIX) mod_unixd.so

The following modules are loaded when Access Gateway runs but they are not needed for it to function:

mod_negotiation
mod_dir
mod_cgi
mod_authz_host
mod_authn_core


###### PROPOSED RESOLUTION ######

'mod_rewrite' is not loaded by default, so its code cannot be reached by requests. Because Siteminder Access Gateway does not use it at all, the module can also be removed from the file system completely so that it is no longer flagged by security audits.
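The three facts the resolution rests on (the module is not loaded, it is not referenced by a live LoadModule line, and the .so may or may not still be on disk) can be confirmed on a host before and after the removal. The script below is an added example, not part of the Broadcom article or of the Access Gateway product. It uses the standard Apache `httpd -M` module listing; the listing text, the httpd.conf contents and the temporary directory it works on are constructed for illustration, and the httpd.conf location on a real Access Gateway is an assumption you must substitute.

```sh
#!/bin/sh
# Added example (not from the Broadcom article): verify that mod_rewrite is
# neither loaded by the Access Gateway httpd nor left on disk. The sample
# `httpd -M` output, the sample httpd.conf and the paths are constructed.

# Is rewrite_module listed in an `httpd -M` style module listing?
# $1 = text of the listing. Returns 0 (true) if the module is loaded.
rewrite_loaded() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*rewrite_module[[:space:]]'
}

# Does a config file contain an active (uncommented) LoadModule for mod_rewrite?
# $1 = path to httpd.conf. Returns 0 (true) if a live LoadModule line exists.
rewrite_in_config() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+rewrite_module[[:space:]]' "$1"
}

# Is mod_rewrite.so still present in the modules directory?
# $1 = modules directory. Returns 0 (true) if the file exists.
rewrite_on_disk() {
    [ -f "$1/mod_rewrite.so" ]
}

# Combine the three checks into one verdict.
# $1 = module listing text, $2 = httpd.conf path, $3 = modules directory.
# Prints LOADED, NOT_LOADED_BUT_ON_DISK or ABSENT.
rewrite_status() {
    if rewrite_loaded "$1" || rewrite_in_config "$2"; then
        echo "LOADED"
    elif rewrite_on_disk "$3"; then
        echo "NOT_LOADED_BUT_ON_DISK"
    else
        echo "ABSENT"
    fi
}

# --- Stand-alone demonstration on constructed data ---
# Constructed sample of `httpd -M` output for an Access Gateway without mod_rewrite.
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 alias_module (shared)
 authz_core_module (shared)
 jk_module (shared)
 log_config_module (shared)
 mime_module (shared)
 setenvif_module (shared)
 slotmem_shm_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)'

demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/modules"
# Constructed httpd.conf: mod_rewrite is present only as a commented-out line.
cat > "$demo_dir/httpd.conf" <<'EOF'
LoadModule alias_module modules/mod_alias.so
LoadModule authz_core_module modules/mod_authz_core.so
#LoadModule rewrite_module modules/mod_rewrite.so
EOF
# The shared object is still on disk, which is what a file-based audit reports.
: > "$demo_dir/modules/mod_rewrite.so"

echo "before removal: $(rewrite_status "$SAMPLE_MODULES" "$demo_dir/httpd.conf" "$demo_dir/modules")"
rm -f "$demo_dir/modules/mod_rewrite.so"
echo "after removal:  $(rewrite_status "$SAMPLE_MODULES" "$demo_dir/httpd.conf" "$demo_dir/modules")"
rm -rf "$demo_dir"
```

On a real host you would call `rewrite_status` with the live listing from the Access Gateway's own httpd binary, for example `rewrite_status "$(<access gateway_installation_path>/httpd/bin/httpd -M 2>/dev/null)" <path-to-httpd.conf> <access gateway_installation_path>/httpd/modules`, where the binary and configuration paths are assumptions to be adjusted to your installation. A verdict of NOT_LOADED_BUT_ON_DISK is the state the article describes: not exploitable, but still flagged by scanners until the .so is deleted.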

Additional Information

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/administrating/review-embedded-servers-for-vulnerabilities.html

https://httpd.apache.org/security/vulnerabilities_24.html