httpd-dev mailing list archives

From di...@apache.org
Subject CVE-2009-3555 - apache/mod_ssl vulnerability and mitigation (final draft)
Date Sat, 07 Nov 2009 01:21:08 GMT

Subject: CVE-2009-3555 - apache/mod_ssl vulnerability and mitigation

Apache httpd is affected by CVE-2009-3555[1] (The SSL Injection or MiM attack[2]).

We strongly urge you to upgrade to OpenSSL 0.9.8l, and to be prepared to deploy 0.9.8m as
it becomes available[3]. Note that these are for short-term and mid-term mitigation only;
the long-term solution may well require a modification of the SSL and/or TLS protocols[4].
 

For those who are not able to upgrade OpenSSL swiftly and/or for those who need detailed logging
- we recommend that you roll out this patch[5]:

        http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/xx.
        sha1: 28cd58f3758f1add39417333825b9d854f4f5f43

for mod_ssl as soon as possible. This is a partial fix in lieu of the protocol issues being
addressed and further changes to OpenSSL. Like the OpenSSL 0.9.8l stopgap measure, this patch
rejects in-session renegotiation.

If you are unable to patch and unable to roll out a newer version of OpenSSL, and you rely
on Client Side Authentication with Certificates, then we recommend that you 1) ensure that
you limit your configuration to a single 'SSLClient require' on VirtualHost/Server level and
2) remove all other (re)negotiation/require directives. However, this does NOT fully protect
you - it just curtails authentication in this specific setting.

A version with this patch, Apache 2.2.15, is currently being readied[6]. 

Note that mod_ssl is not part of the 1.3 branch distribution. A further announcement will
be sent out when these are available.



1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
2: http://www.links.org/?p=780, http://extendedsubset.com/?p=8
3: http://www.openssl.org/source/
   openssl-announce mailing list on
   http://www.openssl.org/support/community.html
4: http://www.ietf.org/mail-archive/web/tls/current/msg03963.html
5: svn diff -r833581:833594 https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl
(| openssl sha1)
6: http://httpd.apache.org/

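As an added example (not part of the advisory or the httpd project), a small Python audit that walks an httpd.conf-style text and flags SSLVerifyClient or SSLCipherSuite set inside per-directory containers, the settings mod_ssl honours by renegotiating an already-established session. It assumes the advisory's 'SSLClient require' refers to mod_ssl's SSLVerifyClient directive; both configurations are constructed samples.

```python
import re

# mod_ssl directives whose per-directory value may force an in-session renegotiation.
RENEG_DIRECTIVES = {"sslverifyclient", "sslciphersuite"}
# Containers below server/VirtualHost level: a value set here applies per-directory.
PER_DIR_CONTAINERS = {"directory", "directorymatch", "location",
                      "locationmatch", "files", "filesmatch"}
OPEN_RE = re.compile(r"^<(\w+)\b[^>]*>$")
CLOSE_RE = re.compile(r"^</(\w+)\s*>$")

def find_renegotiation_triggers(conf_text):
    """Return (line_no, directive, container) for each trigger found below server level."""
    findings = []
    stack = []  # names of currently open containers, outermost first
    for n, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = CLOSE_RE.match(stripped)
        if m:
            if stack and stack[-1] == m.group(1).lower():
                stack.pop()
            continue
        m = OPEN_RE.match(stripped)
        if m:
            stack.append(m.group(1).lower())
            continue
        directive = stripped.split(None, 1)[0].lower()
        if directive in RENEG_DIRECTIVES:
            per_dir = [c for c in stack if c in PER_DIR_CONTAINERS]
            if per_dir:  # report the innermost per-directory container
                findings.append((n, directive, per_dir[-1]))
    return findings

# Constructed sample: the <Location> block re-states/changes the SSL settings,
# which mod_ssl satisfies by renegotiating the session (the weak shape).
WEAK_CONF = """\
<VirtualHost *:443>
    SSLVerifyClient require
    SSLCipherSuite HIGH:!aNULL
    <Location /admin>
        SSLVerifyClient require
        SSLCipherSuite HIGH:!aNULL:!MD5
    </Location>
</VirtualHost>
"""
# Constructed sample of the advisory's interim shape: one server-level
# SSLVerifyClient and no per-directory SSL overrides at all.
HARDENED_CONF = """\
<VirtualHost *:443>
    SSLVerifyClient require
    SSLCipherSuite HIGH:!aNULL
</VirtualHost>
"""
```

The audit is deliberately conservative: it reports every per-directory occurrence, including a re-statement of the same value, which is what the advisory's "remove all other" guidance asks for.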
