Pivotal Knowledge Base


My ERS installation has been upgraded to ERS 4.0.3 SP2. Are the Apache instances vulnerable to CVE-2012-0883?

Purpose

This article addresses whether an ERS 4.0.3 SP2 instance is vulnerable to CVE-2012-0883, "insecure LD_LIBRARY_PATH handling". The details of this vulnerability are:

Insecure handling of LD_LIBRARY_PATH was found that could lead to the current working directory to be searched for DSOs. This could allow a local user to execute code as root if an administrator runs apachectl from an untrusted directory.

Resolution

Whether an ERS 4.0.3 SP2 instance is vulnerable to CVE-2012-0883 depends on when the instance was created. If the instance was created under an earlier ERS version, it may be vulnerable. If the instance was created after upgrading to ERS 4.0.3 SP2, it is not vulnerable.

To determine whether an instance is vulnerable, run the following command from the root ERS product directory. This is the directory containing the ers-server.pl and fixrootpath.pl scripts and the servers directory. If the server instances were created in a different location, search that non-default location.

$ grep LD_LIBRARY_PATH= servers/*/bin/apache_startup.sh

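A vulnerable server has entries that do not test for an empty LD_LIBRARY_PATH. When the variable is empty, the assignment ends in a trailing colon, and the dynamic loader treats that empty entry as the current working directory. Such entries appear similar to: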

servers/test-apache2.2-64/bin/apache_startup.sh:
LD_LIBRARY_PATH="$apache_root/lib:$LD_LIBRARY_PATH"
servers/test-apache2.2/bin/apache_startup.sh:
LD_LIBRARY_PATH="$apache_root/lib:$LD_LIBRARY_PATH"

A patched server with instances created using ERS-4.0.3-SP2 will have entries which are already protected against CVE-2012-0883:

servers/test-apache2.2-64/bin/apache_startup.sh:
LD_LIBRARY_PATH="$apache_root/lib${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH"
servers/test-apache2.2/bin/apache_startup.sh:
LD_LIBRARY_PATH="$apache_root/lib${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH"

Look for the server instances whose entries don't carry the ${LD_LIBRARY_PATH:+:} expansion, which adds the colon only when LD_LIBRARY_PATH is set and non-empty.
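
The check can be scripted. The following is an added example, not part of ERS or of the original article: it lists the instance scripts that lack the guard and shows what each form of the assignment expands to. The sample tree, the instance names legacy and sp2, and the /opt/ers path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of ERS. Directory and instance names are constructed.

# List every servers/*/bin/apache_startup.sh under an ERS root ($1) that
# assigns LD_LIBRARY_PATH without the ${LD_LIBRARY_PATH:+:} guard.
find_vulnerable_scripts() {
    for script in "$1"/servers/*/bin/apache_startup.sh; do
        [ -f "$script" ] || continue
        # Drop comment lines, keep assignments, then select the assignments
        # lacking the guard (-F: literal match, -v: invert, -q: status only).
        if grep -v '^[[:space:]]*#' "$script" | grep 'LD_LIBRARY_PATH=' |
            grep -vqF '${LD_LIBRARY_PATH:+:}'; then
            printf '%s\n' "$script"
        fi
    done
}

# Expand each form of the assignment for apache_root=$1 and an inherited
# LD_LIBRARY_PATH=$2. Subshells keep the caller's environment untouched.
expand_unguarded() (
    apache_root=$1 LD_LIBRARY_PATH=$2
    printf '%s\n' "$apache_root/lib:$LD_LIBRARY_PATH"
)
expand_guarded() (
    apache_root=$1 LD_LIBRARY_PATH=$2
    printf '%s\n' "$apache_root/lib${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH"
)

# Build a constructed ERS tree with one pre-SP2 and one SP2-style instance.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/servers/legacy/bin" "$root/servers/sp2/bin"
    printf '%s\n' 'LD_LIBRARY_PATH="$apache_root/lib:$LD_LIBRARY_PATH"' \
        > "$root/servers/legacy/bin/apache_startup.sh"
    printf '%s\n' \
        'LD_LIBRARY_PATH="$apache_root/lib${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH"' \
        > "$root/servers/sp2/bin/apache_startup.sh"
    printf '%s\n' "$root"
}

sample=$(make_sample_tree)
echo "Scripts needing the update:"
find_vulnerable_scripts "$sample"
# With nothing inherited, the unguarded form ends in ':' (an empty entry,
# which the dynamic loader treats as the current directory).
echo "unguarded: $(expand_unguarded /opt/ers/apache2.2 '')"
echo "guarded:   $(expand_guarded /opt/ers/apache2.2 '')"
rm -rf "$sample"
```

To audit a real installation, call find_vulnerable_scripts with the root ERS product directory, or with the non-default location where instances were created.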

The procedure to update vulnerable apache_startup.sh scripts is as follows:

  1. Rename servers/{instance}/bin/apache_startup.sh to servers/{instance}/bin/apache_startup.old
  2. Copy apache2.2[-64]/_instance/bin/apache_startup.sh (select the correct file depending on the architecture of the instance) to servers/{instance}/bin/apache_startup.sh
  3. Edit servers/{instance}/bin/apache_startup.sh and change the value of the server_name variable on line 9 to match that in servers/{instance}/bin/apache_startup.old

Additional Information

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883

©VMware 2013
