Two of the world’s most widely deployed web servers have recently been updated to fix security vulnerabilities.
The open-source Apache HTTP Server is being updated to version 2.4.9 to fix two separate security issues, both of which carry the highest possible exploitability score from the National Vulnerability Database. The first, identified as CVE-2014-0098, could potentially lead to a Denial of Service (DoS) condition.
“The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation,” the vulnerability summary for CVE-2014-0098 states.
The fix for the flaw from Apache is to clean up the cookie logging parser so that it no longer recognizes valueless cookies.
The other security flaw fixed in Apache HTTP Server 2.4.9, identified as CVE-2013-6438, could enable a DoS condition by way of a malicious DAV WRITE request.
The Apache 2.4.9 release isn’t just about security fixes, though; it also promises a number of incremental feature updates. One of the updates is greater control over Apache’s RewriteRules. There is also support in the mod_socache_shmcb module for larger memory sizes.
The mod_lua language module gets a small bug fix to improve reliability. The mod_ssl module also gets a fix for a bug that could have triggered a crash when used with older versions of the OpenSSL cryptographic system.
The Apache 2.4.x branch first debuted back in February of 2012 and is currently the leading edge of the Apache HTTP Web Server stable release family.
While Apache still dominates the web server landscape, in recent years the open-source nginx web server has emerged as a serious challenger.
This week nginx also received an update for security-related issues. Both the nginx 1.5.12 and nginx 1.4.7 releases debuted to fix a SPDY heap buffer overflow issue identified as CVE-2014-0133.
“A bug in the experimental SPDY implementation in nginx was found, which might allow an attacker to cause a heap memory buffer overflow in a worker process by using a specially crafted request, potentially resulting in arbitrary code execution,” Maxim Dounin wrote in an nginx mailing list posting.