Gentoo FoundationGLSA-200410-21Apache 2, mod_ssl: Bypass of SSLCipherSuite directive
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
55.4%
Background
The Apache HTTP server is one of the most popular web servers on the internet. mod_ssl provides SSL v2/v3 and TLS v1 support for Apache 1.3 and is also included in Apache 2.
Description
A flaw has been found in mod_ssl where the “SSLCipherSuite” directive could be bypassed in certain configurations if it is used in a directory or location context to restrict the set of allowed cipher suites.
Impact
A remote attacker could gain access to a location using any cipher suite allowed by the server/virtual host configuration, disregarding the restrictions by “SSLCipherSuite” for that location.
Workaround
There is no known workaround at this time.
Resolution
All Apache 2 users should upgrade to the latest version:
# emerge sync
# emerge -pv ">=www-servers/apache-2.0.52"
# emerge ">=www-servers/apache-2.0.52"
All mod_ssl users should upgrade to the latest version:
# emerge sync
# emerge -pv ">=net-www/mod_ssl-2.8.20"
# emerge ">=net-www/mod_ssl-2.8.20"
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Gentoo | any | all | www-servers/apache | < 2.0.52 | UNKNOWN |
| Gentoo | any | all | net-www/mod_ssl | < 2.8.20 | UNKNOWN |
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
55.4%