The Apache Software Foundation has released a new revision (version 2.0.46) of its popular Web server software, mostly to correct two newly disclosed security holes. One problem, similar to the one that was recently patched in Microsoft IIS, can result in a denial of service event that can be triggered through a WebDAV support module.

Apache’s explanation of the other bug is that a fault in the build (configuration) scripts causes the apr_password_validate() function to fail. This allows “remote attackers to create a denial of service, which causes valid usernames and passwords for Basic Authentication to fail.” In other words, the effect is a lock-out of legitimate users rather than a bypass: Apache states that it does not believe the bug allows access to protected resources.

Details
According to the Red Hat advisory for the WebDAV flaw, successful exploitation “may allow execution of arbitrary code.” Apache describes the WebDAV vulnerability as follows: “This can be triggered remotely through mod_dav and possibly other mechanisms.” Mod_dav is the open source module that provides the Web Distributed Authoring and Versioning protocol to Apache Web servers. WebDAV is the set of HTTP extensions that lets authorized users edit and manage files on a server remotely. Note the wording “possibly other mechanisms”: a server that does not load mod_dav has less exposure, but Apache does not claim it is safe, so the upgrade applies to every 2.0.x installation, not only to WebDAV-enabled ones. The Apache announcement page provides more details about the two security flaws and the other bugs fixed by the new release.

A Red Hat notice that addresses these vulnerabilities, RHSA-2003:186-06, is also available. Red Hat says that this update affects Red Hat Linux versions 8.0 and 9. Secunia has also released a security bulletin for these vulnerabilities. The CVE candidate identifiers for the two issues are CAN-2003-0189 (the Basic Authentication failure) and CAN-2003-0245 (the mod_dav denial of service).

Applicability
Only the Apache 2.0 branch is affected, and affected installations should be updated to version 2.0.46. The WebDAV (mod_dav) vulnerability, CAN-2003-0245, affects versions 2.0.37 through 2.0.45; the Basic Authentication denial of service, CAN-2003-0189, affects versions 2.0.40 through 2.0.45. Apache 1.3.x is a separate code base and is not affected by either issue.
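To make the ranges above usable across a fleet, here is a small POSIX shell helper, added for this article and not taken from Apache or Red Hat, that maps an Apache version banner onto the two CAN identifiers, reads the compiled-in MPM out of `httpd -l` output, and checks a configuration for an active `DAV On` directive. The sample `httpd -l` output and configuration are constructed for the example. One caveat that comes from the CVE entry for CAN-2003-0189 rather than from this article: that Basic Authentication failure is described as affecting threaded MPMs (worker and the like), so the MPM check is included as a triage aid; none of these checks replaces the upgrade.

```shell
#!/bin/sh
# Added example (not from the article, Apache or Red Hat): triage helpers for
# the Apache 2.0.46 advisory. Ranges come from the text above:
#   CAN-2003-0245 (mod_dav DoS)            2.0.37 .. 2.0.45
#   CAN-2003-0189 (Basic auth failure)     2.0.40 .. 2.0.45

# apache_cves "<httpd -v line or Server banner>" -> applicable CAN ids,
# "fixed", "not-affected" or "unparseable".  Example:
#   apache_cves "Server version: Apache/2.0.44" -> "CAN-2003-0189 CAN-2003-0245"
apache_cves() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p')
    case $ver in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "unparseable"; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}            # keep only the third component
    case $patch in *[!0-9]*|'') echo "unparseable"; return 0 ;; esac

    # Only the 2.0 branch is in scope; 1.3.x is a separate code base.
    if [ "$major" != 2 ] || [ "$minor" != 0 ]; then
        echo "not-affected"
        return 0
    fi
    if [ "$patch" -ge 46 ]; then
        echo "fixed"
        return 0
    fi
    found=""
    [ "$patch" -ge 40 ] && found="CAN-2003-0189"
    [ "$patch" -ge 37 ] && found="${found:+$found }CAN-2003-0245"
    echo "${found:-not-affected}"
}

# apache_mpm "<httpd -l output>" -> name of the compiled-in MPM or "unknown".
# prefork is not threaded; worker/perchild/leader/threadpool are.
apache_mpm() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(prefork|worker|perchild|leader|threadpool)\.c[[:space:]]*$/ {
            sub(/^[[:space:]]*/, ""); sub(/\.c[[:space:]]*$/, "")
            print; found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# dav_enabled "<httpd.conf text>" -> "on" if an uncommented "DAV On" directive
# is present, else "off".  Apache directive names are case-insensitive.
dav_enabled() {
    printf '%s\n' "$1" | awk '
        { line = tolower($0); sub(/^[[:space:]]*/, "", line) }
        line ~ /^#/ { next }
        line ~ /^dav[[:space:]]+on([[:space:]]|$)/ { print "on"; found = 1; exit }
        END { if (!found) print "off" }'
}

# Constructed sample of `httpd -l` output from a worker-MPM build.
SAMPLE_HTTPD_L='Compiled in modules:
  core.c
  worker.c
  http_core.c
  mod_so.c'

# Constructed sample configuration: the commented-out line must not count.
SAMPLE_CONF='LoadModule dav_module modules/mod_dav.so
# DAV On
<Location /uploads>
    Dav On
    AuthType Basic
</Location>'

for banner in "Server version: Apache/2.0.44" "Apache/2.0.38 (Unix)" \
              "Apache/2.0.46" "Apache/1.3.27"; do
    printf '%-32s %s\n' "$banner" "$(apache_cves "$banner")"
done
printf 'MPM: %s\n' "$(apache_mpm "$SAMPLE_HTTPD_L")"
printf 'DAV: %s\n' "$(dav_enabled "$SAMPLE_CONF")"
```

On a live host the same functions take real input: `apache_cves "$(httpd -v | head -n 1)"`, `apache_mpm "$(httpd -l)"` and `dav_enabled "$(cat /path/to/httpd.conf)"`. A result of "off" from dav_enabled only lowers exposure to CAN-2003-0245; because Apache allows for "possibly other mechanisms," any version that reports a CAN identifier still needs 2.0.46.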

Risk level: Serious
Secunia rates this as “highly critical.” Red Hat’s advisory allows that the mod_dav flaw “may allow execution of arbitrary code,” but most other sources are not reporting that either bug has been exploited to actually penetrate a system. Nevertheless, Apache and Red Hat both appear to view these two issues as serious and worthy of the attention of Apache administrators.

Fix: Update
Version 2.0.46 is available for immediate download from Apache. About 30 nonsecurity bug fixes and new features are also included in this revision of the software.

Final word
I’m certainly not picking on Apache, but it’s only fair to point out that like IIS, Apache has had a number of recent, serious security problems. In fact, this is the second urgent security update for Apache in the past two months.

The lesson to be learned is that, while open source software is often very good quality, it’s not immune to vulnerabilities simply because it’s open source. Security comes not from perfect software but from administrators keeping tabs on new vulnerabilities and protecting the systems under their control—no matter what software they run.