000023370 - Scan of RSA Certificate Manager 6.7 shows vulnerabilities with Apache 1.3.33

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000023370
Applies To: RSA Registration Manager 6.7
RSA Certificate Manager 6.7
Apache 1.3.33
Issue: Scan of RSA Certificate Manager 6.7 shows vulnerabilities with Apache 1.3.33
Resolution: Here is a summary of the scanned vulnerabilities and their analysis:

1) 86727 - Apache Mod_IMAP Referer Cross-Site Scripting Vulnerability

Analysis:
- The web server is not built with mod_imap in RSA Certificate Manager (RCM) and RSA Registration Manager (RRM) 6.7. Here is the list of compiled-in modules from RCM and RRM's Apache:

apache.exe -l
Compiled-in modules:
  http_core.c
  mod_so.c
  mod_mime.c
  mod_access.c
  mod_auth.c
  mod_negotiation.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_gencert.c
  mod_userdir.c
  mod_alias.c
  mod_rewrite.c
  mod_env.c
  mod_log_config.c
  mod_asis.c
  mod_actions.c
  mod_xudaacl.c
  mod_setenvif.c
  mod_isapi.c
  mod_ssl.c

2) 86695 - Apache Mod_SSL Log Function Format String Vulnerability (1)

Analysis:
- The web server in 6.7 is not built with mod_proxy, and the referenced advisory states that the offending call is implemented in mod_proxy hook functions.
- This issue is reported with Apache 1.3.30/mod_ssl 2.8.18 and is fixed in mod_ssl 2.8.19-1.3.31. The web server version in 6.7 is Apache 1.3.33/mod_ssl 2.8.22. This problem does not exist in RCM and RRM 6.7.

3) 86731 - Multiple Apache Web Server (1.3.26 and Earlier) Vulnerabilities

Analysis:
- The vulnerabilities CVE-2002-0843 and CVE-2002-0839 are reported in older versions of Apache. Since the current Apache version is 1.3.33, this problem does not exist in RCM and RRM 6.7.

4) EXT-M-005: Apache SSLVerifyClient Bypass Restrictions

Analysis:
- SSLVerifyClient is not configured as a global parameter in httpd.conf; it is configured per virtual host. This problem does not occur in RCM and RRM 6.7.

5) EXT-M-006: mod_ssl ssl_engine_ext Format String Error

Analysis:
- This problem is reported for mod_ssl versions before 2.8.19. The 6.7 web server uses mod_ssl 2.8.22. This problem is not applicable to RCM and RRM 6.7.
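As an added example (not part of the RSA article), a short Python triage script that applies the same checks the analysis above uses to a server's actual build and configuration: which modules are linked in (from `apache -l`) or loaded as DSOs, the Apache and mod_ssl versions from the Server banner, and whether SSLVerifyClient is set globally. The banner string, the httpd.conf fragment and the abbreviated module list are constructed inputs; LoadModule handling assumes the module file is named mod_<name>.so or .dll.

```python
import re
# Constructed inputs: abbreviated `apache.exe -l` listing, assumed banner and httpd.conf.
APACHE_L_OUTPUT = """Compiled-in modules:
  http_core.c
  mod_so.c
  mod_ssl.c
"""
SERVER_BANNER = "Apache/1.3.33 (Win32) mod_ssl/2.8.22"
HTTPD_CONF = """
<VirtualHost _default_:443>
    SSLVerifyClient require
</VirtualHost>
"""

def static_modules(listing):
    """Modules linked into the binary, as reported by `apache -l`."""
    return {ln.strip()[:-2] for ln in listing.splitlines() if ln.strip().endswith(".c")}

def dso_modules(conf):
    """Modules loaded at runtime via LoadModule (possible because mod_so is built in)."""
    return set(re.findall(r"^\s*LoadModule\s+\S+\s+\S*?(mod_\w+)\.(?:so|dll)", conf, re.M))

def version(banner, component):
    """Dotted version of a component such as 'Apache' or 'mod_ssl' from the Server banner."""
    m = re.search(re.escape(component) + r"/(\d+(?:\.\d+)+)", banner)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None

def global_sslverifyclient(conf):
    """True if SSLVerifyClient is set outside every <VirtualHost> block (EXT-M-005)."""
    depth = 0
    for ln in conf.splitlines():
        s = ln.strip().lower()
        if s.startswith("<virtualhost"): depth += 1
        elif s.startswith("</virtualhost"): depth -= 1
        elif s.startswith("sslverifyclient") and depth == 0: return True
    return False

def triage(listing, banner, conf):
    """Map each scanner finding to True (applicable) or False (false positive)."""
    mods = static_modules(listing) | dso_modules(conf)
    apache, ssl = version(banner, "Apache"), version(banner, "mod_ssl")
    return {
        "86727 mod_imap referer XSS": "mod_imap" in mods,
        "86695 mod_ssl log format string": "mod_proxy" in mods and ssl < (2, 8, 19),
        "86731 Apache <= 1.3.26 issues": apache <= (1, 3, 26),
        "EXT-M-005 global SSLVerifyClient": global_sslverifyclient(conf),
        "EXT-M-006 ssl_engine_ext format string": ssl < (2, 8, 19),
    }
```

Feed it the real `apache.exe -l` output and httpd.conf from the host; every entry comes back False for the 6.7 build described above, which is the article's conclusion.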
Notes: Also see solution RCM 6.7 shows vulnerabilities with Apache 1.3.33
BZ 53842
Legacy Article ID: a34730
