
LMS 3.1 - Is the Apache vulnerability applicable?

chris.mcgarrah
Level 1

Is LMS 3.1 vulnerable to this:

Affected Technologies:

Apache prior to 2.2.3

Apache prior to 1.3.37

Apache prior to 2.0.59

Description: The Rewrite module (mod_rewrite) for Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by an off-by-one buffer overflow in the escape_absolute_uri() LDAP scheme handling function. If RewriteRule is enabled and does not contain a Forbidden(F), Gone(G), or NoEscape(NE) flag, a remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause the server to crash.

Remedy:

For Apache 2.2.x:

Upgrade to the latest version of Apache (2.2.3 or later), available from the Apache Web site. See References.

For Apache 1.x:

Upgrade to the latest version of Apache (1.3.37 or later), available from the Apache Web site. See References.

For Apache 2.0.x:

Upgrade to the latest version of Apache (2.0.59 or later), available from the Apache Web site. See References.


Accepted Solution

Joe Clarke
Cisco Employee

No, we are not vulnerable. We do not use mod_rewrite. But to put your mind at ease, you can apply the patch to upgrade to Apache 1.3.41 from http://www.cisco.com/cgi-bin/tablebuild.pl/cw2000-cd-one .


That's what I needed. Thanks for the quick reply.
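
The applicability check discussed in this thread, as an added example that is not part of the original posts and is not Cisco's or Apache's code: it applies the conditions from the quoted advisory (version older than the fixed release, mod_rewrite loaded, a RewriteRule without F, G or NE) to a version string and the text of an httpd.conf. The function names, the version "1.3.34" and the sample configuration are constructed for illustration; the check reads configuration text only, so statically compiled modules and included files are outside what it sees.

```python
import re

# Fixed releases per branch, as listed in the advisory quoted in the question.
FIXED = {(1, 3): (1, 3, 37), (2, 0): (2, 0, 59), (2, 2): (2, 2, 3)}
# RewriteRule flags the advisory says take a rule out of scope (short and long forms).
SAFE_FLAGS = {"f", "forbidden", "g", "gone", "ne", "noescape"}

# Constructed sample configuration, not taken from LMS or any real server.
SAMPLE_CONF = """\
LoadModule rewrite_module libexec/mod_rewrite.so
RewriteEngine On
# RewriteRule ^/old$ /new [R]
RewriteRule ^/docs/(.*)$ /manual/$1 [R,L]
RewriteRule ^/private/ - [F]
RewriteRule ^/q/(.*)$ /search?q=$1 [NE,R=301]
RewriteRule ^/plain$ /index.html
"""

def version_affected(version):
    """True if the version is older than the fixed release of its branch."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    fixed = FIXED.get(parts[:2])
    return fixed is not None and parts < fixed

def exposed_rules(conf_text):
    """RewriteRule lines lacking F, G and NE, if mod_rewrite is loaded and enabled."""
    loaded = engine_on = False
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out directives
        if re.match(r"(loadmodule\s+rewrite_module|addmodule\s+mod_rewrite\.c)", low):
            loaded = True
        elif re.match(r"rewriteengine\s+on\b", low):
            engine_on = True  # conservative: per-vhost scoping is ignored
        elif low.startswith("rewriterule"):
            m = re.search(r"\[([^\]]*)\]\s*$", line)  # trailing [flag,flag=value]
            flags = {f.split("=")[0].strip().lower() for f in m.group(1).split(",")} if m else set()
            if not flags & SAFE_FLAGS:
                rules.append(line)
    return rules if loaded and engine_on else []

def assess(version, conf_text):
    """Rules in scope of the advisory: affected version plus an unflagged rule."""
    return exposed_rules(conf_text) if version_affected(version) else []

if __name__ == "__main__":
    for rule in assess("1.3.34", SAMPLE_CONF):
        print("review:", rule)
```

An empty result from `assess` means the conditions stated in the advisory are not met by the text supplied; `httpd -l` lists modules compiled into the binary, which this check does not cover.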