Apache Vulnerability?

[Jaylaca]

They dayton server is running Apache 2.2.16 I had a friend that took a cursory look at hacking my site and wrote me the following

 

"...if you look at Apache's website it identifies three security holes with 2.2.16 (the version your server runs) which were fixed in 2.2.17. That's not to say there's any way to get your server to read an XML file from an untrusted source, but it was way too easy for me to find that. I could do the same thing with mod_ssl, OpenSSL, mod_auth_passthrough, and all the other software which is listed. The disclosure issue can be easily fixed with a one-line config change. I don't have the option memorized, but I know you want is set to "Prod" (it's probably in /etc/apache2/conf.d/security.conf). Also, update to Apache 2.2.17 and check all the other software listed there to make sure it's the most up-to-date..."

 

Is there an plan to update Apache on TCH servers?

 

Thanks,

Jason

[TCH-Vimal]

Hello Jason,

 

 

Please understand that there are no immediate plans to update Apache at this time because we have to study the issue and any change we do on the server will have to carried out across all our servers. However, I have passed this along to our leadadmin/manager and we will update you once a decision has been made.

 

 

Thank you

[TCH-Ryan]

Jason,

You are correct indeed in what your friend tells you, to a very limited extent. The Apache Web Server version 2.2.16 does have three notable low-impact vulnerabilities, however I will explain why and how they do not apply to our servers.

 

The first two are vulnerabilities CVE-2009-3720 and CVE-2009-3560 are issues are specific in a certain apache feature, the threading option MPM Worker which TCH does not use, we use MPM Prefork for threading on TCH web servers thus mitigating these two vulnerabilities right off, in other words, they do not at all apply to us. Finally, the vulnerability CVE-2010-1623 is related to an addon module for apache that TCH does not use (http://httpd.apache.org/docs/trunk/mod/mod_reqtimeout.html) which again, mitigates this threat for us as the vulnerable software is not in use on our servers.

 

We take security very seriously here at TCH, protecting your web sites, our servers and network at large is important to us and we always strive to do better. If you have any further questions or concerns never hesitate to drop in a help desk ticket or throw up a forum post and we will be glad to address whatever it is you may be inquiring about. Thank you for choosing TCH and I hope you have a great weekend.