SYMSA1232

SA61 : Director multiple Apache vulnerabilities

Last Updated January 20, 2015
Initial Publication Date September 13, 2011
  • Status: Closed
  • Severity: High
  • CVSS Base Score: CVSS v2: 8.3

Director uses a version of Apache httpd that has several publicly documented vulnerabilities. The most severe vulnerability allows an attacker to gain complete control over a Director installation.

All versions of Director prior to 5.5.2.3 are vulnerable.

Patches

  • Director 5.5 - an interim fix is available in 5.5.2.3.
  • Director 5.4 and earlier - please upgrade to a later release.

Director 5.4 and 5.5.1.1 use Apache httpd version 2.0.63.  The version of Apache has several publicly documented vulnerabilities.

The most severe vulnerability allows an attacker to gain complete control over a Director installation.  The attacker can view and modify configuration data as well as data sent to and from Director.  An attacker can also render Director completely unresponsive for administrative control as well as data transmission.

When Director is deployed behind a firewall, as is recommended, an attacker must gain access from the internal network in order to mount an attack.  The CVSS base scores included in this advisory are based on this deployment scenario.

If Director is deployed outside of the firewall, the CVSS base score for all CVEs listed would be higher. The CVSS base score for this security advisory would be a 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).

Director 5.5.2.3 contains an upgrade to Apache httpd version 2.0.64 fixing the CVEs documented in this security advisory.

CVE-2010-1623 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2010-1452 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2010-0434 - CVSS base score: 2.9 (AV:A/AC:M/Au:N/C:P/I:N/A:N)
CVE-2010-0425 - CVSS base score: 8.3 (AV:A/AC:L/Au:N/C:P/I:C/A:C)
CVE-2009-3720 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2009-3560 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2009-3555 - CVSS base score: 4.3 (AV:A/AC:M/Au:N/C:N/I:P/A:P)
CVE-2009-3555 - CVSS base score: 4.3 (AV:A/AC:M/Au:N/C:N/I:P/A:P)
CVE-2009-3094 - CVSS base score: 1.8 (AV:A/AC:H/Au:N/C:N/I:N/A:P)
CVE-2009-2412 - CVSS base score: 8.3 (AV:A/AC:L/Au:N/C:P/I:C/A:C)
CVE-2009-1891 - CVSS base score: 5.7 (AV:A/AC:M/Au:N/C:N/I:N/A:C)
CVE-2008-2939 - CVSS base score: 2.9 (AV:A/AC:M/Au:N/C:N/I:P/A:N)
CVE-2008-2364 - CVSS base score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)

Blue Coat recommends that Director be deployed behind a firewall. Additional constraints on what IP addresses can be used to connect to Director will greatly limit the ability to attack a Director installation.

CVE-2010-1623 - https://nvd.nist.gov/vuln/detail/CVE-2010-1623
CVE-2010-1452 - https://nvd.nist.gov/vuln/detail/CVE-2010-1452
CVE-2010-0434 - https://nvd.nist.gov/vuln/detail/CVE-2010-0434
CVE-2010-0425 - https://nvd.nist.gov/vuln/detail/CVE-2010-0425
CVE-2009-3720 - https://nvd.nist.gov/vuln/detail/CVE-2009-3720
CVE-2009-3560 - https://nvd.nist.gov/vuln/detail/CVE-2009-3560
CVE-2009-3555 - https://nvd.nist.gov/vuln/detail/CVE-2009-3555
CVE-2009-3095 - https://nvd.nist.gov/vuln/detail/CVE-2009-3095
CVE-2009-3094 - https://nvd.nist.gov/vuln/detail/CVE-2009-3094
CVE-2009-2412 - https://nvd.nist.gov/vuln/detail/CVE-2009-2412
CVE-2009-1891 - https://nvd.nist.gov/vuln/detail/CVE-2009-1891
CVE-2008-2939 - https://nvd.nist.gov/vuln/detail/CVE-2008-2939
CVE-2008-2364 - https://nvd.nist.gov/vuln/detail/CVE-2008-2364

2015-01-20 Marked as final
2012-01-17 Adjusted formatting problems
2011-09-13 Initial public release

SA61

Thanks for your feedback. Let us know if you have additional comments below. (requires login)