Apache 2, mod_ssl: Bypass of SSLCipherSuite directive

1. Gentoo Linux Security Advisory

Advisory Reference	GLSA 200410-21 / apache
Release Date	October 21, 2004
Latest Revision	December 30, 2007: 02
Impact	low
Exploitable	remote

Package	Vulnerable versions	Unaffected versions	Architecture(s)
www-servers/apache	< 2.0.52	>= 2.0.52, < 2.0	All supported architectures
net-www/mod_ssl	< 2.8.20	>= 2.8.20	All supported architectures

Related bugreports: #66807

Synopsis

In certain configurations, it can be possible to bypass restrictions set by the "SSLCipherSuite" directive of mod_ssl.

2. Impact Information

Background

The Apache HTTP server is one of the most popular web servers on the internet. mod_ssl provides SSL v2/v3 and TLS v1 support for Apache 1.3 and is also included in Apache 2.

Description

A flaw has been found in mod_ssl where the "SSLCipherSuite" directive could be bypassed in certain configurations if it is used in a directory or location context to restrict the set of allowed cipher suites.

Impact

A remote attacker could gain access to a location using any cipher suite allowed by the server/virtual host configuration, disregarding the restrictions by "SSLCipherSuite" for that location.

3. Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All Apache 2 users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge sync
# emerge -pv ">=www-servers/apache-2.0.52"
# emerge ">=www-servers/apache-2.0.52"

All mod_ssl users should upgrade to the latest version:

Code Listing 3.2: Resolution

# emerge sync
# emerge -pv ">=net-www/mod_ssl-2.8.20"
# emerge ">=net-www/mod_ssl-2.8.20"

4. References

Page updated October 21, 2004

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.