Operating System - HP-UX

Re: Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE
Laurie_2
Advisor

Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE

I just got a message about a potential
security problem = Denial of Service

For HP-UX 11.00 (and up) and Apache SSL
1.3.26 or lower.

We are using 1.3.22.

http://online.securityfocus.com/advisories/4469

Can someone tell me if they are reinstalling
the latest Apache? I know from MoreNet
that a whole bunch of Linux servers are
affected, no unix yet.

Are folks worried? How can I be sure
about my Apache version and SSL version?

I am trying to understand the URL... What
do they want us to do?
Laurie
How can you make the world a better place
harry d brown jr
Honored Contributor

Re: Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE


The advisory gives a clear answer, so I'd go with the provided solution. Any other would be dangerous and irresponsible!

Of course the real answer lies within the infrastructure that you have built for protecting servers in the DMZ and servers within your internal network!

Routers, switches, firewalls, filters, bastion hosts (http://people.hp.se/stevesk/bastion.html), static IP routing, expose only what is necessary! I have web servers that are more secure than HP's virtual Vaults OS!

live free or die
harry
Live Free or Die
Steven Sim Kok Leong
Honored Contributor
Solution

Re: Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE

Hi,

The Slapper worm currently affects only Apache on Linux, be it RedHat, Debian or Mandrake etc., running a vulnerable version of OpenSSL.

You should be installing the latest apache 1.3.26 or the vendor's release of a patched apache below version 1.3.26. This is because unpatched versions of apache below 1.3.26 are subject to chunk encoding vulnerabilities.

Unpatched OpenSSL 0.9.6d or below is vulnerable. The slapper worm exploits this vulnerability.

It is likely that HP's release of Apache has the patched OpenSSL built in.

Look at CERT CA-2002-23 and CA-2002-27 w.r.t. OpenSSL vulnerabilities. You can find them at http://www.cert.org.

You should get suspicious if you notice a lot of UDP/2002 (src port udp/2002, dst port udp/2002) traffic directed inbound or outbound through your firewalls because this is the communication channel used for commanding DDoS attacks.

Hope this helps. Regards.

Steven Sim Kok Leong
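The UDP/2002 indicator from the reply above, turned into a small log check. This is an added example, not code from any poster; the firewall log format (proto, src:port -> dst:port) and the addresses are constructed, so adapt the regex to your own firewall's log line.

```python
"""Flag firewall log lines that show Slapper-style UDP/2002 traffic.

Added example for this thread, not from any poster. The worm's command
channel is UDP with source and destination port both 2002, so bursts of
such packets in either direction are the indicator described above. The
log format is constructed (proto src:port -> dst:port); adapt the regex.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"(?P<proto>udp|tcp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)", re.IGNORECASE)

C2_PORT = 2002       # Slapper peer-to-peer / DDoS command port
ALERT_THRESHOLD = 3  # packets from one host before we raise an alert

def is_slapper_c2(line):
    """True when the line is UDP with src and dst port both 2002."""
    m = LINE_RE.search(line)
    return bool(m
                and m.group("proto").lower() == "udp"
                and int(m.group("sport")) == C2_PORT
                and int(m.group("dport")) == C2_PORT)

def suspicious_hosts(lines, threshold=ALERT_THRESHOLD):
    """Return source hosts with at least `threshold` UDP/2002 packets."""
    counts = Counter()
    for line in lines:
        if is_slapper_c2(line):
            counts[LINE_RE.search(line).group("src")] += 1
    return sorted(h for h, n in counts.items() if n >= threshold)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Sep 16 10:01:02 fw1 accept udp 10.1.2.3:2002 -> 192.0.2.10:2002
Sep 16 10:01:02 fw1 accept udp 10.1.2.3:2002 -> 198.51.100.7:2002
Sep 16 10:01:03 fw1 accept udp 10.1.2.3:2002 -> 203.0.113.9:2002
Sep 16 10:01:03 fw1 accept tcp 10.1.2.4:40123 -> 192.0.2.10:443
Sep 16 10:01:04 fw1 accept udp 10.1.2.5:2002 -> 192.0.2.11:53
Sep 16 10:01:05 fw1 accept udp 10.1.2.6:2002 -> 192.0.2.12:2002
""".splitlines()

if __name__ == "__main__":
    for host in suspicious_hosts(SAMPLE_LOG):
        print("possible Slapper peer:", host)
```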
Steven Sim Kok Leong
Honored Contributor

Re: Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE

Hi,

1) Apache Chunk Encoding Vulnerability (CA-2002-17)
- http://www.cert.org/advisories/CA-2002-17.html

2) OpenSSL Vulnerability (CA-2002-23 & CA-2002-27)
- http://www.cert.org/advisories/CA-2002-23.html
- http://www.cert.org/advisories/CA-2002-27.html

Hope this helps. Regards.

Steven Sim Kok Leong
Laurie_2
Advisor

Re: Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE

OK, stupid question here...

How do I tell what release I am running of

Apache
OpenSSL
How can you make the world a better place
Cheryl Griffin
Honored Contributor

Re: Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE

The cert says:
A. Background
The CERT Advisory CA-2002-23 regarding Multiple Vulnerabilities
In OpenSSL, affects the following HP product numbers:

B9415AA Apache 1.3.x HP-UX releases 11.00 and 11.11
B9416AA Apache 2.x HP-UX releases 11.00 and 11.11
B9415AA Apache 1.3.x HP-UX releases 11.20 and 11.22
B9416AA Apache 2.x HP-UX releases 11.20 and 11.22
B9416BA Apache 2.x IPv6 HP-UX release 11.11

To verify whether this version is installed or not:
# swlist |grep -i apache

The cert also says:
The command to stop the HP Apache binary is:
for 1.3.26:
/opt/apache/bin/apachectl stop
for 2.0.39:
/opt/hpapache2/bin/apachectl stop

So check for the existence of these binaries to determine your version also.

B. Fixing the problem
The fixes for all versions are in the form of new product bundles, instead of patches. To retrieve them, go to www.software.hp.com/ISS_products_list.html
Install Apache versions 1.3.26.05 or 2.0.39.05.

The cert also says:
"Installation of this new version of HP Apache over an existing HP Apache installation is supported, while installation over a non-HP Apache is NOT supported."


Cheryl
"Downtime is a Crime."
Cheryl Griffin
Honored Contributor

Re: Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE

HP provides automatic notification of Security Bulletins: Connect to the ITRC --> Maintenance & Support tab (at the left of screen) --> under Notifications --> Support Information Digests --> select the check box for Security Bulletins Digest. To see archived security digests, scroll to the bottom of the page and follow the link.

If you subscribe by hitting a checkbox, be sure to hit the UPDATE Subscriptions button at the bottom of the page.


*** security_patch_check
security_patch_check is a tool which can be used to download the latest data about security patches and compare it to the software installed on the system. The tool reports which security patches are missing from a system based on the It reports the "best" patch to install. Also, any recalled patches which are present on the system will be reported. It works through a firewall, with the help of a web-proxy or similar network device.

security_patch_check tool is supported on 11.00, 11.04, 11i (11.11), and future releases of 11i. security_patch_check is available for download from http://software.hp.com/ as of March 16, 2001.

Cheryl
"Downtime is a Crime."
Steven Sim Kok Leong
Honored Contributor

Re: Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE

Hi,

To tell the version of apache or ssl you are running, you can use either netcat or simply telnet:

# telnet my_hp_web_server 80
HEAD / HTTP/1.0

If your apache httpd.conf did not set ServerSignature to off and ServerTokens to Prod, you will see the version of apache and ssl displayed.

If you want to mask this information off, set ServerSignature to off and ServerTokens to Prod. However, this does not stop the worm because the worm relies on detecting the string "apache" from the header before launching an intrusion attempt. You can't mask off the string "apache".

Hope this helps. Regards.

Steven Sim Kok Leong
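The HEAD / HTTP/1.0 check above, with the Server: banner parsed and compared against the versions named earlier in the thread (Apache below 1.3.26, OpenSSL 0.9.6d or below). This is an added example, not code from any poster; the response is constructed, and on a real system it would be the reply captured from telnet or netcat.

```python
"""Judge an Apache 'Server:' banner against the versions named in this thread.

Added example, not from any poster. Input is the reply to the HEAD / HTTP/1.0
check described above (a constructed response is embedded below). Flags
Apache below 1.3.26 (chunk encoding, CA-2002-17) and OpenSSL 0.9.6d or
below (CA-2002-23). Masked banners (ServerTokens Prod) are reported as such.
"""
import re

APACHE_FIXED = (1, 3, 26)        # first release with the chunk-encoding fix
OPENSSL_FIXED = (0, 9, 6, "e")   # 0.9.6d and below are vulnerable

def parse_version(text):
    """'0.9.6c' -> (0, 9, 6, 'c'); '1.3.22' -> (1, 3, 22, '')."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def server_header(response):
    """Return the value of the Server: header, or None if absent."""
    for line in response.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None

def assess(response):
    """Extract Apache/OpenSSL versions and say which are below the fixed ones."""
    banner = server_header(response) or ""
    found = dict(re.findall(r"(Apache|OpenSSL)/(\S+)", banner))
    result = {"apache": found.get("Apache"), "openssl": found.get("OpenSSL"),
              "apache_old": False, "openssl_old": False, "masked": not found}
    if result["apache"]:
        result["apache_old"] = parse_version(result["apache"])[:3] < APACHE_FIXED
    if result["openssl"]:
        result["openssl_old"] = parse_version(result["openssl"]) < OPENSSL_FIXED
    return result

# Constructed response resembling what an unpatched 1.3.22 build would send.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Date: Mon, 16 Sep 2002 10:00:00 GMT
Server: Apache/1.3.22 (Unix) mod_ssl/2.8.5 OpenSSL/0.9.6c
Connection: close
"""

if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
```

A banner verdict is only a prompt to look further: a vendor build that backports a fix may keep the old version string, so confirm with the swlist check given earlier in the thread.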