Mailing List Archive: Apache: Dev

CVE-2012-2110 and mod_ssl.



shenson at opensslfoundation

Apr 20, 2012, 8:29 AM

CVE-2012-2110 and mod_ssl.

Guys,

A note about the impact of the potentially exploitable OpenSSL vulnerability
CVE-2012-2110 on mod_ssl.

The OCSP part of Apache 2.4 mod_ssl makes use of the d2i_OCSP_RESPONSE_bio call
which is affected. Since OCSP data relies on DNS it cannot be trusted and an
attacker could inject malicious data by this route if OCSP or OCSP stapling is
enabled.

An alternative technique which would not rely on the OpenSSL upstream fix would
be to use d2i_OCSP_RESPONSE instead.

The mod_ssl code also makes use of the affected d2i_X509_bio and
d2i_PrivateKey_bio calls but these load certificates and keys for server
configuration and so the data should come from trusted sources.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson [at] opensslfoundation
