
CVE 2018-1283

Note: This is the notes section. CVE documents should ONLY be created by employees of ClearCenter with the authority to make statements on behalf of the company. If you have content that would be useful to the statement, please contact ClearCenter.

'In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a “Session” header. This comes from the “HTTP_SESSION” variable name used by mod_session to forward its data to CGIs, since the prefix “HTTP_” is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.'
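The collision described above is a naming one: the CGI specification turns a client header "Foo-Bar" into the meta-variable HTTP_FOO_BAR, so a client-supplied "Session" header lands in the same HTTP_SESSION variable that mod_session uses for server-side session data. The following is an added example (not from ClearCenter or the Apache project) that applies that mapping to a raw request head and flags client headers that would collide with the mod_session variable; the sample requests and the example.test host are constructed. Because header names are case-insensitive, it catches "session" and "SESSION" as well as "Session", which a rule matching the exact spelling would miss.

```python
from typing import List, Tuple

# CGI meta-variable mod_session uses to forward session data (per the CVE text).
MOD_SESSION_VAR = "HTTP_SESSION"


def header_to_cgi_var(name: str) -> str:
    """Map an HTTP request header name to its CGI meta-variable name
    (RFC 3875, section 4.1.18): upper-case, '-' to '_', prefixed with HTTP_."""
    return "HTTP_" + name.strip().upper().replace("-", "_")


def parse_request_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP request head into (name, value) pairs.
    The first line is the request line; a blank line ends the headers."""
    headers = []
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def colliding_headers(raw: str, reserved=(MOD_SESSION_VAR,)) -> List[str]:
    """Return the client header names whose CGI variable name equals one the
    server itself sets (here HTTP_SESSION). A non-empty result on a CGI
    vhost with SessionEnv on is the condition this CVE describes."""
    return [name for name, _ in parse_request_headers(raw)
            if header_to_cgi_var(name) in reserved]


# Constructed sample requests (hypothetical host, not from the advisory).
BENIGN_REQUEST = (
    "GET /cgi-bin/app HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: session=abc\r\n"
    "\r\n"
)
SUSPECT_REQUEST = (
    "GET /cgi-bin/app HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "session: x=1\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("benign :", colliding_headers(BENIGN_REQUEST))   # []
    print("suspect:", colliding_headers(SUSPECT_REQUEST))  # ['session']
```

Note that a "Cookie: session=..." header is not a collision; it maps to HTTP_COOKIE, which is why the benign request is not flagged.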

ClearCenter response

This issue affects ClearOS 7 but does not affect ClearOS 6.

Short response

This vulnerability affects CGI applications under ClearOS: a remote user can manipulate the session content by way of the Session header. If your web application is not CGI, you are not affected by this vulnerability.

Long response

This vulnerability affects CGI applications under ClearOS: a remote user can manipulate the session content by way of the Session header. If your web application is not CGI, you are not affected by this vulnerability.

A fix has been submitted for the Fedora versions affected by this vulnerability, but no fix from Red Hat/CentOS is available.

Resolution

If your web server is running CGI applications, consider restricting access to authorized users by other means. For example, use the Dynamic Firewall application from the ClearOS Marketplace, or make the application available only to networks containing trusted users. Alternately, you can move your CGI application to a Fedora instance of Apache while the bug is being fixed upstream.

content/en_us/announcements_cve_cve-2018-1283.txt · Last modified: 2018/10/03 20:31 by dloper
