Apache HTTP Server XSS Vulnerabilities via Hostnames

Trying to comply with Trustwave.com’s PCI requirements and having trouble with the “Apache HTTP Server XSS Vulnerabilities via Hostnames” error notice. The description of the notice is:

Multiple cross-site scripting vulnerabilities exist in Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the mod_imagemap, mod_info, mod_ldap, mod_proxy_ftp, mod_status, and mod_proxy_balancer modules.

and their recommendation is

Affected users should upgrade to the latest stable version of Apache HTTP Server.

Since we have Virtualmin CentOS 6.4 server we currently have:

root@my:/root#
httpd -v
Server version: Apache/2.2.15 (Unix)
Server built: May 16 2012 15:42:59

As stated on http://httpd.apache.org/security/vulnerabilities_24.html, both CVE-2012-3499 and CVE-2012-4558 are fixed in Apache httpd 2.4.4. And we can’t manually upgrade our Apache version unless the upstream vendor releases a supported version. Running yum list | grep ‘httpd.i686’ gives:

root@my:/root# yum list | grep 'httpd.i686'
httpd.i686 1:2.2.15-15.el6.vm.1 @virtualmin

So apparently httpd is installed not from the CentOS repository but from Virtualmin’s. So what should I do to satisfy this Trustwave requirement? Is there any reason we are running this particular version? Any recommendation would be appreciated. Thanks!

Howdy,

There should be a newer version of Apache, 2.2.15-28 available.

Although Apache comes from the Virtualmin repo, Virtualmin is just using the CentOS Apache RPM with a minor tweak to make suexec work with /home.

If you run a “yum update”, does it show any available Apache updates?

-Eric

Thanks for the comment. Running yum update gives:

root@my:/root# yum update
Loaded plugins: fastestmirror, priorities
Loading mirror speeds from cached hostfile
 * base: centos.mirrors.hoobly.com
 * epel: mirrors.kernel.org
 * rpmforge: mirror.hmc.edu
191 packages excluded due to repository priority protections
Setting up Update Process
No Packages marked for Update

Hmm, well, for some reason it doesn’t seem to be offering you an update.

You may want to verify that the Virtualmin repository is still enabled in /etc/yum.repos.d.

However, you can also manually download the latest httpd package from here:

http://software.virtualmin.com/gpl/centos/6/i386/

It was not offering me an update because of yum priorities. I removed the priorities package and was able to upgrade my httpd to 2.2.15-28. However, this doesn’t address the issue, since Trustwave’s recommended version is 2.2.24-dev. I wonder what the latest stable version supported by CentOS/RHEL is?

Howdy,

The most recent version of Apache available in RHEL/CentOS is the version you’re seeing in the Virtualmin repository.

RHEL/CentOS backport security fixes into the Apache version they ship. So although the version number appears to be 2.2.15, it contains all the security updates that apply to it, and is fully up to date.

-Eric
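Because RHEL/CentOS backport fixes without bumping the upstream version number, the package changelog, not the "2.2.15" string a scanner sees, is where the evidence of a fix lives. The script below is an added example (not from this thread or from Virtualmin): it checks a changelog text for the CVE IDs mentioned above and, on a real system, can be fed the output of rpm -q --changelog httpd. The SAMPLE_CHANGELOG entries are constructed for offline demonstration and are not real CentOS changelog text.

```shell
#!/bin/sh
# check_cves CHANGELOG_TEXT CVE-ID...
# Prints one line per CVE and returns 0 only if every CVE appears in the text.
check_cves() {
    changelog=$1
    shift
    missing=0
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | grep -q -- "$cve"; then
            echo "$cve: fix recorded in changelog"
        else
            echo "$cve: NOT found in changelog"
            missing=1
        fi
    done
    return $missing
}

# Wrapper for a live system: query the installed httpd RPM's changelog.
# (rpm is not available in every environment, so this is not called below.)
check_installed_httpd() {
    check_cves "$(rpm -q --changelog httpd 2>/dev/null)" "$@"
}

# Constructed sample changelog; maintainer name and address are placeholders.
SAMPLE_CHANGELOG='* Wed Mar 13 2013 Example Maintainer <maintainer@example.invalid> - 2.2.15-28
- add security fix for CVE-2012-3499
- add security fix for CVE-2012-4558
* Mon May 14 2012 Example Maintainer <maintainer@example.invalid> - 2.2.15-15
- initial 2.2.15 build'

# Demonstration against the constructed sample: both CVEs from the scanner notice.
check_cves "$SAMPLE_CHANGELOG" CVE-2012-3499 CVE-2012-4558
```

On the server in question, run check_installed_httpd CVE-2012-3499 CVE-2012-4558; a non-zero exit status means the installed package's changelog does not record a fix for one of them.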