Security Holes Uncovered in Apache, OpenSSL

Recently uncovered vulnerabilities in OpenSSL and Apache create the potential for attackers to tie up Web services, crash OpenSSL applications.

Security researchers on Friday uncovered a vulnerability in the open-source Apache Web server software that could easily enable a denial of services attack. The discovery follows on the heels of three holes found in the popular OpenSSL security software Wednesday.

The Apache problem is one of several reported in Version 2.0.48, and lets an attacker open a short-lived connection on a particular, rarely accessed listening socket. The software will block out all other connections until another connection comes in on the same socket. Reports differed on exactly which platforms and versions were affected by this problem, but not all are affected.

On late Friday, The Apache Software Foundation announced an update to its HTTP Server software that fixed the problem as well as several others. Version 2.0.49 is available for download from the Apache HTTP Server Project Web site.

Meanwhile, three security vulnerabilities in the popular OpenSSL software, used to provide secure, encrypted communications to open-source applications and distributions, were discovered Wednesday. The flaws could allow an attacker to make HTTPS (secure HTTP) services unavailable on a Web server, and to crash applications using OpenSSL.

The first OpenSSL issue results from a "null pointer assignment" in the software. Attackers can craft special, malicious data to send during a handshake exchange that invoke the problem and cause the software to crash. Affected versions range from 0.9.6c through 0.9.6k, and 0.9.7a through 0.9.7c. The current version is 0.9.7d, available at the OpenSSL Project source code download page.

/zimages/1/28571.gifFollowing the recent theft and release of Microsofts Windows source code, Security Center Editor Larry Seltzer wondered whether open-source software is theoretically more secure than programs developed in a "closed" environment. Click here to read more.

The second problem, like the first, involves the same handshake, but appears only when Kerberos ciphersuites are in use. The OpenSSL advisory on this problem, however, states that most applications dont have the ability to use Kerberos ciphersuites. Versions 0.9.7a, 0.9.7b and 0.9.7c are affected by this vulnerability.

The third, much older security issue involves an infinite loop that can be invoked by attackers. It affected Version 0.9.6 and was fixed in 0.9.6d.

/zimages/1/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis. Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: /zimages/1/19420.gif http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif