Security Holes Uncovered in Apache, OpenSSL

 
 
By Larry Seltzer  |  Posted 2004-03-19 Email Print this article Print
 
 
 
 
 
 
 

Recently uncovered vulnerabilities in OpenSSL and Apache create the potential for attackers to tie up Web services, crash OpenSSL applications.

Security researchers on Friday uncovered a vulnerability in the open-source Apache Web server software that could easily enable a denial of services attack. The discovery follows on the heels of three holes found in the popular OpenSSL security software Wednesday. The Apache problem is one of several reported in Version 2.0.48, and lets an attacker open a short-lived connection on a particular, rarely accessed listening socket. The software will block out all other connections until another connection comes in on the same socket. Reports differed on exactly which platforms and versions were affected by this problem, but not all are affected. On late Friday, The Apache Software Foundation announced an update to its HTTP Server software that fixed the problem as well as several others. Version 2.0.49 is available for download from the Apache HTTP Server Project Web site.

Meanwhile, three security vulnerabilities in the popular OpenSSL software, used to provide secure, encrypted communications to open-source applications and distributions, were discovered Wednesday. The flaws could allow an attacker to make HTTPS (secure HTTP) services unavailable on a Web server, and to crash applications using OpenSSL.
The first OpenSSL issue results from a "null pointer assignment" in the software. Attackers can craft special, malicious data to send during a handshake exchange that invoke the problem and cause the software to crash. Affected versions range from 0.9.6c through 0.9.6k, and 0.9.7a through 0.9.7c. The current version is 0.9.7d, available at the OpenSSL Project source code download page.

Following the recent theft and release of Microsofts Windows source code, Security Center Editor Larry Seltzer wondered whether open-source software is theoretically more secure than programs developed in a "closed" environment. Click here to read more. The second problem, like the first, involves the same handshake, but appears only when Kerberos ciphersuites are in use. The OpenSSL advisory on this problem, however, states that most applications dont have the ability to use Kerberos ciphersuites. Versions 0.9.7a, 0.9.7b and 0.9.7c are affected by this vulnerability.

The third, much older security issue involves an infinite loop that can be invoked by attackers. It affected Version 0.9.6 and was fixed in 0.9.6d.

Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis. Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:  
 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel