Firewall Hole Found, Patched

Monday, April 15, 2013 @ 05:04 PM gHale


Version 2.7.3 of the Apache/NGINX security module mod_security fixes a security problem in the XML parser of its predecessor versions.

Processing a specially prepared XML document could give access to local files or consume excessive amounts of CPU or memory, crippling the server, according to Timur Yunusov and Alexey Osipov from Positive Technologies who found the flaw. The vulnerability’s case number is CVE-2013-1915.

RELATED STORIES
Cogent Fixes DataHub Bugs
Mitsubishi, Clorius Holes Released
Patches for Wind River Holes
Mitigation for Siemens Comm Modules

The mod_security module is a web application firewall that allows requests to the web server to filter according to various criteria. The change log lists the fix as an additional switch, SecXmlExternalEntity which controls whether the libxml2 library used by mod_security will load external entities when parsing XML files. This new switch is set to off by default so the parser will not attempt to retrieve files from other locations when parsing a document that refers to external entities.

Linux distributors such as Red Hat and Debian have already addressed the issue. The discoverers have yet to release their own advisory on the problem; only advisories for other manufacturers are on the advisory pages of mod_security owner Trustwave SpiderLabs.



Leave a Reply

You must be logged in to post a comment.