The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

PCI Compliance - mod_ssl versions prior to 2.8.18

Discussion in 'Security' started by airoid, Aug 26, 2010.

  1. airoid

    airoid Member

    Joined:
    Dec 14, 2005
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    I have a PCI compliance issue with the mod_ssl version on my cpanel server. Trustwave says the following:

    mod_ssl Client Cert Buffer Overflow
    Versions of mod_ssl prior to 2.8.18 are vulnerable to a buffer overflow in certain operational configurations, specifically when the SSL server is configured to accept client-side certificates. Upgrade to a current and secure version of mod_ssl.

    I am currently using the following:
    Apache/2.2.16 (Unix), mod_ssl/2.2.16, OpenSSL/1.0.0a, mod_bwlimited/1.4, php 5.2.3 on centos-4-x86

    It is my understanding that mod_ssl cannot be updated above 2.2.16, since it is built into Apache v2. What can I say to Trustwave that would allow for this issue to be disputed? Is there some type of compensating control that I can use instead of upgrading? Or are all security issues backported into this version?

    Any help would be appreciated. Thanks.
     
  2. sirdopes

    sirdopes Well-Known Member
    PartnerNOC

    Joined:
    Sep 25, 2007
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    According to the CVE, it looks like this is just part of Apache 1.3.X

    Format string vulnerability in the mod_proxy hook functions function in ssl_engine_log.c in mod_ssl before 2.8.19 for Apache before 1.3.31 may allow remote attackers to execute arbitrary messages via format string specifiers in certain log messages for HTTPS that are handled by the ssl_log function.


    CVE-2004-0700

    More information on:

    '[OpenPKG-SA-2004.032] OpenPKG Security Advisory (apache)' - MARC

    Description:
    Triggered by a report to Packet Storm [1] from Virulent, a format
    string vulnerability was found in mod_ssl [2], the Apache SSL/TLS
    interface to OpenSSL, version (up to and including) 2.8.18 for Apache
    1.3. The mod_ssl in Apache 2.x is not affected. The vulnerability
    could be exploitable if Apache is used as a proxy for HTTPS URLs and
    the attacker established a own specially prepared DNS and origin
    server environment.
     
  3. airoid

    airoid Member

    Joined:
    Dec 14, 2005
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Thanks very much for the reply. It was actually CVE-2004-0488. However, being new to the PCI compliance stuff, I didn't realize looking up the CVE would show Apache versions for which this mod_ssl vulnerability would not apply. After looking up this CVE, it turns out it only applies to Apache versions prior to 2.0.50.

    I've pointed this out to Trustwave, I hope they agree. Thanks for your help!
     
Loading...

Share This Page