Overview
mod_ssl, the Apache web server module for Secure Socket Layer (SSL) communications, may not properly authenticate client certificates.
Description
mod_ssl provides Secure Socket Layer (SSL) communications for the Apache web server. SSL is designed to provide the ability to encrypt and authenticate TCP connections. Apache, using mod_ssl, can be configured to use SSL to authenticate web users using client certificates. The requirement for client certificates is not enforced if a web server configuration specifies client authentication as optional ("SSLVerifyClient optional") in the global virtual host configuration, but specifies client certificates as required in some location's context ("SSLVerifyClient require"). |
Impact
An attacker may access web documents in a restricted section of a web site without providing a valid client certificate. |
Solution
Upgrade to mod_ssl 2.8.24 or later, or apply a patch as specified by your vendor. |
Vendor Information
Apache HTTP Server Project Affected
Updated: October 18, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The Apache HTTP Server Project distributes a version of mod_ssl with Apache 2.0. According to Apache's changelog, this issue has been resolved in Apache 2.0.55.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Avaya, Inc. Affected
Updated: October 03, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Accourding to Avaya Security Advisory ASA-2005-004, the following Avaya products may be affected:
- Avaya S8710/S8700/S8500/S8300
- Avaya Converged Communications Server (CCS) / SIP Enablement Services (SES)
- Avaya Message Networking
- Avaya Intuity LX
- Avaya Modular Messaging Message Storage Server (MSS)
- Avaya CVLAN
- Avaya Intergrated Management
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Debian Linux Affected
Notified: September 07, 2005 Updated: September 12, 2005
Status
Affected
Vendor Statement
For Apache 2.0:
The old stable distribution (woody) does not contain Apache2 packages.
For the stable distribution (sarge) these problems have been fixed in version 2.0.54-5.
For the unstable distribution (sid) these problems have been fixed in version 2.0.54-5.
For Apache 1.3:
For the old stable distribution (woody) this problem has been fixed in version 2.8.9-2.5.
For the stable distribution (sarge) this problem has been fixed in version 2.8.22-1sarge1.
For the unstable distribution (sid) this problem has been fixed in version 2.8.24-1.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Debian Security Advisory DBA-805-1 contains additional details for the apache2 package.
Debian Security Advisory DBA-807-1 contains vulnerability and remediation details for mod_ssl (package name libapache-mod-ssl).
If you have feedback, comments, or additional information about this vulnerability, please send us email.
F5 Networks, Inc. Affected
Notified: September 07, 2005 Updated: September 08, 2005
Status
Affected
Vendor Statement
BigIP v4 and v9 do not support client-side authentication to the Management user interface, so the vulnerability does not apply.
FirePass is not vulnerable.
TrafficShield uses Apache 2.0.53 and therefore is vulnerable. A hotfix will be forthcoming and included in the next security hotfix to be issued on TrafficShield 3.2.1.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Fedora Project Affected
Updated: September 09, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Vulnerability and remediation information can be found in:
- For Fedora Core 3, Fedora Update Notification FEDORA-2005-848
- For Fedora Core 4, Fedora Update Notification FEDORA-2005-849
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Gentoo Linux Affected
Updated: September 23, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Gentoo Linux Security Advisory GLSA 200509-12 includes vulnerability and remediation information.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Mandriva, Inc. Affected
Notified: September 07, 2005 Updated: October 03, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Conectiva Linux Advisory CLA-2005:1013 contains vulnerability and remediation instructions.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Mandriva, Inc. Affected
Notified: September 07, 2005 Updated: September 09, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Mandriva Security Advisory MDSKA-2005:161 contains remediation instructions.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenPKG Affected
Notified: September 07, 2005 Updated: September 07, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
OpenPKG has posted a security advisory with remediation instructions:
http://www.openpkg.org/security/OpenPKG-SA-2005.017-modssl.html
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Oracle Corporation Affected
Notified: September 07, 2005 Updated: October 18, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Red Hat, Inc. Affected
Notified: September 07, 2005 Updated: December 28, 2005
Status
Affected
Vendor Statement
Updated Apache httpd packages (for Red Hat Enterprise Linux 3 and 4) and an updated mod_ssl package (for Red Hat Enterprise Linux 2.1) to correct this issue are available at the URL below and by using the Red Hat Network 'up2date' tool.
http://rhn.redhat.com/errata/CAN-2005-2700.html.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Red Hat Security Advisory RHSA-2005:608 contains vulnerability and remediation information for Apache 2.
Red Hat Security Advisory RHSA-2005:773 contains vulnerability and remediation information for the mod_ssl package itself.
For Stronghold, consult RHSA-2005:882.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SUSE Linux Affected
Notified: September 07, 2005 Updated: September 16, 2005
Status
Affected
Vendor Statement
Our customers can update their systems by using the YaST Online Update (YOU) tool or by installing the RPM file (apache2) directly after downloading it from
http://www.novell.com/de-de/linux/download/updates/index.html
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
SUSE has released SUSE Security Advisory SUSE-SA:2005:052 with vulnerability and remediation instructions for this and some other recent Apache vulnerabilities.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Slackware Linux Inc. Affected
Updated: September 09, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Slackware Security Advisory SSA:2005-251-02 contains vulnerability and remediation information.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Trustix Secure Linux Affected
Updated: September 09, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Trustix Secure Linux Security Advisory #2005-0047 gives vulnerability and remediation instructions.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Ubuntu Affected
Updated: September 08, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Ubuntu provides remediation instructions in Ubuntu Security Notice USN-177-1.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
mod_ssl Affected
Notified: September 07, 2005 Updated: September 09, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Release 2.8.24-1.3.33 address this issue. It is available at:
http://www.modssl.org/source/mod_ssl-2.8.24-1.3.33.tar.gz
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Juniper Networks, Inc. Not Affected
Notified: September 07, 2005 Updated: September 09, 2005
Status
Not Affected
Vendor Statement
Juniper Networks products are not susceptible to this vulnerability
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Microsoft Corporation Not Affected
Notified: September 07, 2005 Updated: September 09, 2005
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Openwall GNU/*/Linux Not Affected
Notified: September 07, 2005 Updated: September 08, 2005
Status
Not Affected
Vendor Statement
Openwall GNU/*/Linux is not vulnerable. We currently do not provide mod_ssl.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Apache-SSL Unknown
Notified: September 07, 2005 Updated: September 09, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Apple Computer, Inc. Unknown
Notified: September 07, 2005 Updated: December 06, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Consult APPLE-SA-2005-11-29 Security Update 2005-009 for vulnerability details and remediation instructions.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Cray, Inc. Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
EMC, Inc. (formerly Data General Corporation) Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Engarde Secure Linux Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
FreeBSD, Inc. Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Fujitsu Limited Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Hewlett-Packard Company Unknown
Notified: September 07, 2005 Updated: October 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
HP Security Bulletin HPSBUX01232 (SSRT051043) lists affected software and with remediation instructions.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hitachi Unknown
Notified: September 07, 2005 Updated: September 23, 2005
Status
Unknown
Vendor Statement
Hitachi Web Server is not vulnerable to this issue.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM Corporation Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Immunix Communications, Inc. Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Ingrian Networks, Inc. Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
MontaVista Software, Inc. Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
NEC Corporation Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
NetBSD Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Nokia Unknown
Notified: September 12, 2005 Updated: September 12, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Novell, Inc. Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
OpenBSD Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
QNX, Software Systems, Inc. Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Silicon Graphics, Inc. Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sony Corporation Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sun Microsystems, Inc. Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
The SCO Group (SCO UnixWare) Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Turbolinux Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Unisys Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Wind River Systems, Inc. Unknown
Notified: September 07, 2005 Updated: September 07, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- http://svn.apache.org/viewcvs?rev=264800&view=rev
- http://www.mail-archive.com/modssl-users@modssl.org/msg17148.html
- http://marc.theaimsgroup.com/?l=apache-modssl&m=112569517603897&w=2
- http://secunia.com/advisories/16700/
- http://www.osvdb.org/19188
- http://www.openpkg.org/security/OpenPKG-SA-2005.017-modssl.html
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=167195
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=167194
- http://rhn.redhat.com/errata/RHSA-2005-608.html
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.458879
Acknowledgements
Reported by Joe Orton of Red Hat.
This document was written by Hal Burch.
Other Information
| CVE IDs: | CVE-2005-2700 |
| Severity Metric: | 1.45 |
| Date Public: | 2005-08-31 |
| Date First Published: | 2005-09-09 |
| Date Last Updated: | 2006-10-18 11:30 UTC |
| Document Revision: | 69 |