#1 Member (Join Date: Dec 2005, Posts: 10)

PCI Compliance - mod_ssl versions prior to 2.8.18

    I have a PCI compliance issue with the mod_ssl version on my cpanel server. Trustwave says the following:

    mod_ssl Client Cert Buffer Overflow
    Versions of mod_ssl prior to 2.8.18 are vulnerable to a buffer overflow in certain operational configurations, specifically when the SSL server is configured to accept client-side certificates. Upgrade to a current and secure version of mod_ssl.

    I am currently using the following:
    Apache/2.2.16 (Unix), mod_ssl/2.2.16, OpenSSL/1.0.0a, mod_bwlimited/1.4, php 5.2.3 on centos-4-x86

    It is my understanding that mod_ssl cannot be updated above 2.2.16, since it is built into Apache v2. What can I say to Trustwave that would allow for this issue to be disputed? Is there some type of compensating control that I can use instead of upgrading? Or are all security issues backported into this version?

    Any help would be appreciated. Thanks.

#2 cPanel Partner NOC (Join Date: Sep 2007, Posts: 139)

    According to the CVE, it looks like this is just part of Apache 1.3.X

Format string vulnerability in the mod_proxy hook functions function in ssl_engine_log.c in mod_ssl before 2.8.19 for Apache before 1.3.31 may allow remote attackers to execute arbitrary messages via format string specifiers in certain log messages for HTTPS that are handled by the ssl_log function.

CVE-2004-0700

    More information on:

    '[OpenPKG-SA-2004.032] OpenPKG Security Advisory (apache)' - MARC

Description:
Triggered by a report to Packet Storm [1] from Virulent, a format string vulnerability was found in mod_ssl [2], the Apache SSL/TLS interface to OpenSSL, version (up to and including) 2.8.18 for Apache 1.3. The mod_ssl in Apache 2.x is not affected. The vulnerability could be exploitable if Apache is used as a proxy for HTTPS URLs and the attacker established their own specially prepared DNS and origin server environment.

#3 Member (Join Date: Dec 2005, Posts: 10)

    Thanks very much for the reply. It was actually CVE-2004-0488. However, being new to the PCI compliance stuff, I didn't realize looking up the CVE would show Apache versions for which this mod_ssl vulnerability would not apply. After looking up this CVE, it turns out it only applies to Apache versions prior to 2.0.50.

    I've pointed this out to Trustwave, I hope they agree. Thanks for your help!
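The false positive in this thread comes from a banner-only scanner comparing the version string mod_ssl/2.2.16 against 2.8.18 without noticing that mod_ssl in Apache 2.x carries the Apache version number and is a different code lineage from the standalone mod_ssl 2.8.x for Apache 1.3. The following Python is an added example, not code from the thread, cPanel or Trustwave. The applicability rules it encodes are the ones stated above (CVE-2004-0488: mod_ssl before 2.8.18 on Apache 1.3 and Apache 2.0.x before 2.0.50; CVE-2004-0700: mod_ssl before 2.8.19 on Apache 1.3 only, Apache 2.x unaffected), and the banner is the one the original poster reported. The `SSLVerifyClient` check is included because the finding is only relevant when the server is configured to accept client certificates; the httpd.conf fragment is constructed for the example.

```python
"""Lineage-aware re-check of a banner-based mod_ssl finding.

Added example for this thread; not cPanel's or Trustwave's code.
Version rules come from the CVE text quoted in the thread.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]

# The Server banner exactly as the original poster reported it (cPanel
# shows it comma-separated; a real Server header is space-separated,
# and the regex below accepts either).
OP_BANNER = ("Apache/2.2.16 (Unix), mod_ssl/2.2.16, OpenSSL/1.0.0a, "
             "mod_bwlimited/1.4, php 5.2.3")

# name/version pairs such as "mod_ssl/2.2.16" or "OpenSSL/1.0.0a"
BANNER_RE = re.compile(r"(?P<name>[A-Za-z_]+)/(?P<ver>\d+(?:\.\d+)*[a-z]?)")

# Active (uncommented) SSLVerifyClient directives; commented lines start
# with '#' and therefore do not match the anchored pattern.
SSL_VERIFY_RE = re.compile(r"^\s*SSLVerifyClient\s+(\S+)", re.I | re.M)


def parse_version(text: str) -> Version:
    """'2.2.16' -> (2, 2, 16); a trailing letter (OpenSSL '1.0.0a') is dropped."""
    return tuple(int(p) for p in re.sub(r"[a-z]$", "", text).split("."))


def parse_banner(banner: str) -> Dict[str, Version]:
    """Map each component in a Server header value to its version tuple."""
    return {m.group("name"): parse_version(m.group("ver"))
            for m in BANNER_RE.finditer(banner)}


def naive_flag(components: Dict[str, Version]) -> bool:
    """What a banner-only scanner does: any mod_ssl below 2.8.18 is 'vulnerable'.
    This is the comparison that produced the Trustwave finding."""
    modssl = components.get("mod_ssl")
    return modssl is not None and modssl < (2, 8, 18)


def cve_2004_0488_applies(components: Dict[str, Version]) -> bool:
    """Client-certificate buffer overflow (the finding in the thread).

    Affected per the thread: standalone mod_ssl before 2.8.18 on Apache 1.3,
    and Apache 2.0.x before 2.0.50.  Apache 2.2.x is not affected.
    """
    apache = components.get("Apache")
    modssl = components.get("mod_ssl")
    if apache is None or modssl is None:
        return False
    if apache[:2] == (1, 3):
        return modssl < (2, 8, 18)
    if apache[:2] == (2, 0):
        return apache < (2, 0, 50)
    return False


def cve_2004_0700_applies(components: Dict[str, Version]) -> bool:
    """ssl_log format string bug: mod_ssl before 2.8.19 on Apache 1.3 only.
    The OpenPKG advisory quoted above states Apache 2.x mod_ssl is unaffected."""
    apache = components.get("Apache")
    modssl = components.get("mod_ssl")
    if apache is None or modssl is None:
        return False
    return apache[:2] == (1, 3) and modssl < (2, 8, 19)


def client_certs_accepted(httpd_conf: str) -> bool:
    """True if any active SSLVerifyClient directive is set to something other
    than 'none' (optional, require, optional_no_ca), i.e. the server is in the
    configuration the finding describes as exposed.  The directive defaults
    to 'none' when absent."""
    return any(m.group(1).lower() != "none"
               for m in SSL_VERIFY_RE.finditer(httpd_conf))


# Constructed httpd.conf fragment: the only active directive says 'none'.
SAMPLE_CONF = """
<VirtualHost *:443>
    SSLEngine on
    # SSLVerifyClient require
    SSLVerifyClient none
</VirtualHost>
"""

if __name__ == "__main__":
    parts = parse_banner(OP_BANNER)
    print("components:", parts)
    print("banner-only scanner flags it:", naive_flag(parts))
    print("CVE-2004-0488 applies:", cve_2004_0488_applies(parts))
    print("CVE-2004-0700 applies:", cve_2004_0700_applies(parts))
    print("client certs accepted in config:", client_certs_accepted(SAMPLE_CONF))
```

For the poster's banner the naive comparison returns True while both CVE checks return False, which is the argument to put in the dispute. Keep in mind that a banner proves nothing about backported patches either way; the cPanel-built Apache 2.2.16 here is simply outside the affected range for both CVEs, so no compensating control is needed for this finding.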
