Subject: CA20090429-01: CA ARCserve Backup Apache HTTP Server Multiple Vulnerabilities
Date: Thu, 30 Apr 2009 15:49:30 -0400
Message-ID: <649CDCB56C88AA458EFF2CBF494B620406D709AA@USILMS12.ca.com.>
From: "Williams, James K" <James.Williams@ca.com.>
To: <bugtraq@securityfocus.com.>
Title: CA20090429-01: CA ARCserve Backup Apache HTTP Server Multiple Vulnerabilities
CA Advisory Reference: CA20090429-01
CA Advisory Date: 2009-04-29
Reported By:
Apache Software Foundation
David Endler of iDefense
Ulf Harnhammar for SITIC, Swedish IT Incident Centre
Impact: A remote attacker can exploit a buffer overflow to gain apache privileges, or cause a denial of service.
Summary: CA ARCserve Backup on Solaris, Tru64, HP-UX, and AIX contains multiple vulnerabilities in the Apache HTTP Server version as shipped with ARCserve Backup. CA has issued updates that contain version 2.0.63 of the Apache HTTP Server to address the vulnerabilities. Refer to the References section for a list of resolved issues by CVE identifier.
Mitigating Factors: None
Severity: CA has given these vulnerabilities a Medium risk rating.
Affected Products:
CA ARCserve Backup r11.5 Solaris
CA ARCserve Backup r11.5 Tru64
CA ARCserve Backup r11.5 HP-UX
CA ARCserve Backup r11.5 AIX
Non-Affected Products:
CA ARCserve Backup r11.5 Windows
CA ARCserve Backup r11.5 Linux
Affected Platforms:
Solaris
Tru64
HP-UX
AIX
Status and Recommendation:
CA has issued the following patches to address the vulnerabilities.
CA ARCserve Backup r11.5 Solaris:
RO06786
CA ARCserve Backup r11.5 Tru64:
RO06788
CA ARCserve Backup r11.5 HP-UX:
RO06789
CA ARCserve Backup r11.5 AIX:
RO06791
How to determine if you are affected:
1. From the command line, run the following to print the version of the Apache HTTP Server included with ARCserve Backup:
$BAB_HOME/httpd/httpd -v
Note: On HP-UX the shared library path needs to be modified prior to running the httpd command:
SHLIB_PATH=$SHLIB_PATH:$BAB_HOME/httpd/lib
export SHLIB_PATH
2. If the displayed version is less than 2.0.63, then the installation may be vulnerable.
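The two-step check above, as an added shell example that is not part of the CA advisory: it reads the "Server version:" line that httpd -v prints, compares the version numerically against 2.0.63 (so 2.0.9 correctly counts as older), and on HP-UX adds the shared library path exactly as the note describes before running the binary. It assumes the standard Apache output format "Server version: Apache/X.Y.Z"; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the CA advisory: automate the "how to determine
# if you are affected" check. Assumes httpd -v prints the standard Apache
# line "Server version: Apache/X.Y.Z"; function names are this example's own.

FIXED_VERSION="2.0.63"   # Apache release contained in the CA updates

# extract_version: read "httpd -v" output on stdin and print the X.Y.Z part
# of the "Server version:" line (prints nothing if the line is absent).
extract_version() {
    sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# version_lt A B: succeed (exit 0) if dot-separated version A is older than B.
# Components are compared as numbers, so 2.0.9 is older than 2.0.63 even
# though a plain string comparison would claim the opposite.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions: A is not older than B
    }'
}

# check_httpd_output: read "httpd -v" output on stdin and apply step 2 of the
# advisory. Returns 0 if the build is 2.0.63 or later, 1 if it is older
# (installation may be vulnerable), 2 if no version could be parsed.
check_httpd_output() {
    v=$(extract_version)
    if [ -z "$v" ]; then
        echo "no 'Server version: Apache/...' line found in httpd -v output" >&2
        return 2
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "Apache $v is older than $FIXED_VERSION: installation may be vulnerable"
        return 1
    fi
    echo "Apache $v is $FIXED_VERSION or later: fixed version present"
    return 0
}

# check_installation: run the real binary the way step 1 describes, including
# the HP-UX shared library path adjustment from the note.
check_installation() {
    : "${BAB_HOME:?set BAB_HOME to the ARCserve Backup installation directory}"
    if [ "$(uname -s)" = "HP-UX" ]; then
        SHLIB_PATH="${SHLIB_PATH}:$BAB_HOME/httpd/lib"
        export SHLIB_PATH
    fi
    "$BAB_HOME/httpd/httpd" -v 2>&1 | check_httpd_output
}
```

Source the file on the backup server and run check_installation; its exit status (0 fixed, 1 possibly vulnerable, 2 unparseable) makes it usable from a fleet-wide inventory job, which is the practical way to confirm the RO06786/RO06788/RO06789/RO06791 patches actually landed on every host.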
Workaround:
As a workaround solution, disable the Apache HTTP Server with the "stopgui" command. To re-enable the server, run "startgui". Stopping the Apache HTTP Server will prevent the ARCserve user from performing GUI operations. Most of the operations provided by the GUI can be accomplished via the command line.
Alternatively, restrict remote network access to reduce exposure.
References (URLs may wrap):
CA Support:
https://support.ca.com/
CA20090429-01: Security Notice for CA ARCserve Backup Apache HTTP Server
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=205147
Solution Document Reference APARs:
RO06786, RO06788, RO06789, RO06791
CA Security Response Blog posting:
CA20090429-01: CA ARCserve Backup Apache HTTP Server Multiple Vulnerabilities
http://community.ca.com/blogs/casecurityresponseblog/archive/2009/04/29.aspx
Reported By:
Apache Software Foundation
David Endler of iDefense
Ulf Harnhammar for SITIC, Swedish IT Incident Centre
CVE References:
CVE-2004-0747
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0747
CVE-2003-0132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0132
OSVDB References: Pending
http://osvdb.org/
Changelog for this advisory:
v1.0 - Initial Release
Customers who require additional information should contact CA
Technical Support at https://support.ca.com.
For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782
Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team
CA, 1 CA Plaza, Islandia, NY 11749
Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2009 CA. All rights reserved.