|Applies To||RSA Registration Manager 6.7, RSA Certificate Manager 6.7|
|Issue||A scan of RSA Certificate Manager 6.7 shows vulnerabilities with Apache 1.3.33|
|Resolution||Here is a summary of the scanned vulnerabilities and their analysis:|
1) 86727 - Apache Mod_IMAP Referer Cross-Site Scripting Vulnerability
- The web server in RSA Certificate Manager (RCM) and RSA Registration Manager (RRM) 6.7 is not built with mod_imap. Here is the list from RCM and RRM's Apache:
2) 86695 - Apache Mod_SSL Log Function Format String Vulnerability (1)
- The web server in 6.7 is not built with mod_proxy, and the advisory states that the offending call is implemented in mod_proxy hook functions.
- This issue is reported with Apache 1.3.30/mod_ssl 2.8.18 and is fixed in mod_ssl 2.8.19-1.3.31. The web server in 6.7 is Apache 1.3.33/mod_ssl 2.8.22, so this problem does not exist in RCM and RRM 6.7.
3) 86731 - Multiple Apache Web Server (1.3.26 and Earlier) Vulnerabilities
- The vulnerabilities CVE-2002-0843 and CVE-2002-0839 are reported in older versions of Apache. Since the current Apache version is 1.3.33, this problem does not exist in RCM and RRM 6.7.
4) EXT-M-005: Apache SSLVerifyClient Bypass Restrictions
- This parameter is not configured as a global parameter in httpd.conf; it is configured per virtual host. This problem does not occur in RCM and RRM 6.7.
5) EXT-M-006: mod_ssl ssl_engine_ext Format String Error
- This problem is reported for mod_ssl versions before 2.8.19. The 6.7 web server uses mod_ssl 2.8.22, so this problem is not applicable to RCM and RRM 6.7.
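As an added example (not part of the RSA article), the following Python script applies the article's own criterion for each of the five findings to three inputs an administrator can collect from the host: the output of `httpd -l`, the Server banner, and httpd.conf. The sample inputs are constructed to match the 6.7 build described above, and the EXT-M-005 check follows the article as written (SSLVerifyClient set globally rather than per virtual host).

```python
import re

# Constructed sample data modelled on the article's description of RCM/RRM 6.7:
# Apache 1.3.33 with mod_ssl 2.8.22, no mod_imap or mod_proxy compiled in,
# and SSLVerifyClient set only inside a <VirtualHost> block.
SAMPLE_HTTPD_L = "Compiled-in modules:\n  http_core.c\n  mod_mime.c\n  mod_ssl.c\n"
SAMPLE_BANNER = "Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7d"
SAMPLE_CONF = """<VirtualHost _default_:443>
    SSLEngine on
    SSLVerifyClient require
</VirtualHost>
"""

def version(text):
    """'2.8.22' -> (2, 8, 22), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in text.split("."))

def compiled_modules(httpd_l_output):
    """Module names listed by `httpd -l`, e.g. {'http_core', 'mod_mime', 'mod_ssl'}."""
    return set(re.findall(r"^\s*(\w+)\.c\s*$", httpd_l_output, re.M))

def banner_versions(banner):
    """(apache_version, mod_ssl_version) from a Server banner; mod_ssl may be None."""
    apache = re.search(r"Apache/(\d+(?:\.\d+)+)", banner)
    modssl = re.search(r"mod_ssl/(\d+(?:\.\d+)+)", banner)
    return version(apache.group(1)), (version(modssl.group(1)) if modssl else None)

def global_sslverifyclient(conf):
    """True if an SSLVerifyClient directive appears outside every <VirtualHost> block."""
    depth = 0
    for line in conf.splitlines():
        s = line.strip()
        if re.match(r"<VirtualHost\b", s, re.I):
            depth += 1
        elif re.match(r"</VirtualHost>", s, re.I):
            depth -= 1
        elif depth == 0 and re.match(r"SSLVerifyClient\b", s, re.I):
            return True
    return False

def triage(httpd_l_output, banner, conf):
    """Map each finding from the article to True (applicable) or False (not applicable)."""
    mods = compiled_modules(httpd_l_output)
    apache, modssl = banner_versions(banner)
    old_modssl = modssl is not None and modssl < (2, 8, 19)
    return {
        "86727 mod_imap referer XSS": "mod_imap" in mods,
        "86695 mod_ssl log format string (needs mod_proxy)": "mod_proxy" in mods and old_modssl,
        "86731 Apache 1.3.26 and earlier": apache <= (1, 3, 26),
        "EXT-M-005 global SSLVerifyClient": global_sslverifyclient(conf),
        "EXT-M-006 mod_ssl before 2.8.19": old_modssl,
    }
```

Running `triage(SAMPLE_HTTPD_L, SAMPLE_BANNER, SAMPLE_CONF)` reports every finding as not applicable, matching the article's conclusions; feeding it a build with mod_imap and mod_proxy compiled in, an Apache 1.3.26/mod_ssl 2.8.18 banner and a global SSLVerifyClient flips every entry to True.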
|Notes||Also see solution RCM 6.7 shows vulnerabilities with Apache 1.3.33|
|Legacy Article ID||a34730|