Apache upgrade released to fix security hole

A flaw has been discovered in the newest version of the Apache Web server that could allow an attacker to take control of a user’s system, prompting the release Friday of an upgrade to the software.

PivX Solutions LLC, a network security consultancy in Newport Beach, Calif., disclosed the vulnerability Friday soon after an upgrade to Apache Version 2.0 which fixes the hole was made available on the Web. The hole could allow an attacker to remotely access all the files on an Apache 2.0 Web server, execute them, pass malicious code, and even shut down the system completely, said Geoff Shively, who goes by the title “chief hacking officer” at PivX Solutions.

“This is the same type of vulnerability that made Code Red, Code Blue and Nimda possible,” Shively said. “If someone wanted to make a worm for this it would take the same route.”

PivX Solutions has released a basic work-around that will disable the problem, the company said. In addition, the Apache Software Foundation has made available a new version of the software which plugs the hole. Both the work-around and the upgrade are available online at http://www.apache.org/dist/httpd/.

The vulnerability affects Apache systems running on all versions of Windows as well as OS/2 and NetWare, according to PivX. The Apache Software Foundation added that it affects all default installations of the Apache Web server. Unix and other variant platforms appear unaffected, according to Apache.

It is considered high risk, and users were urged to immediately install version 2.0.40 of the Apache Web server or implement the work-around.

“Some people have been using this attack,” Shively said. “There have been some systems affected that we’re somewhat aware of.”

The firm discovered the flaw on August 3 and four days later began working with the Apache Software Foundation on a fix. “We waited until today to release the advisory so Apache could make the fix,” Shively said.

PivX Solutions also disclosed a second vulnerability in Apache 2.0 Friday, though it was deemed low risk. The second flaw can be used to gather information about an individual Apache Web server, such as who owns it, what operating system it is running on, names of files stored on the server, where it is physically located, as well as other info that would normally be held private, Shively said. The 2.0.40 upgrade also fixes this low-risk flaw, according to Apache.