Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

LMS 3.1 - Is the Apache vulnerability applicable?

Is LMS 3.1 vulnerable to this:

Affected Technologies Apache prior to 2.2.3

Apache prior to 1.3.37

Apache prior to 2.0.59

Description Description: The Rewrite module (mod_rewrite) for Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by an off-by-one buffer overflow in the escape_absolute_uri() LDAP scheme handling function. If RewriteRule is enabled and does not contain a Forbidden(F), Gone(G), or NoEscape(NE) flag, a remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause the server to crash.

Remedy:

For Apache 2.2.x:

Upgrade to the latest version of Apache (2.2.3 or later), available from the Apache Web site. See References.

For Apache 1.x:

Upgrade to the latest version of Apache (1.3.37 or later), available from the Apache Web site. See References.

For Apache 2.0.x:

Upgrade to the latest version of Apache (2.0.59 or later), available from the Apache Web site. See References.

Additional Details

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: LMS 3.1 - Is the Apache vulnerability applicable?

No, we are not vulnerable. We do not use mod_rewrite. But to put your mind at ease, you can apply the patch to upgrade to Apache 1.3.41 from http://www.cisco.com/cgi-bin/tablebuild.pl/cw2000-cd-one .

2 REPLIES
Cisco Employee

Re: LMS 3.1 - Is the Apache vulnerability applicable?

No, we are not vulnerable. We do not use mod_rewrite. But to put your mind at ease, you can apply the patch to upgrade to Apache 1.3.41 from http://www.cisco.com/cgi-bin/tablebuild.pl/cw2000-cd-one .

Community Member

Re: LMS 3.1 - Is the Apache vulnerability applicable?

That's what I needed. Thanks for the quick reply.

168
Views
0
Helpful
2
Replies
CreatePlease to create content