Apache HTTP Server versions 2.4.0 to 2.4.41
Some mod_rewrite configurations vulnerable to open redirect.
Acknowledgements: The issue was discovered by Fabrice Perez
|Reported to security team||5th December 2019|
|Issue public||1st April 2020|
|Update Released||1st April 2020|
|Affects||2.4.41, 2.4.40, 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0|
Release : 12.8.x
Component : SITEMINDER Access Gateway
The Access Gateway installer installs the following HTTP modules that are required for running Access Gateway:
Default Location: <access gateway_installation_path>/httpd/modules
The following modules are loaded when Access Gateway runs but they are not needed for it to function:
###### PROPOSED RESOLUTION ######
'mod_rewrite' is not loaded by default, and therefore cannot be used. However, it is not used by Siteminder Access Gateway, and can therefore be removed from the file system completely to prevent them from being flagged by security audits.