Release Notes for Version 6.0.1

What’s in the Release Notes

These release notes cover the following topics:

  • What’s New in Pivotal Web Server 6.0.1
  • Known Issues in Pivotal Web Server 6.0.1

What’s New in Pivotal Web Server 6.0.1

This Pivotal Web Server release includes the following new features and changes:

Updated Packages

  • Apache HTTP Server 2.4.10
  • Apache APR Library 1.5.1
  • OpenSSL 1.0.1i

Security vulnerabilities fixed in Pivotal Web Server 6.0.1

Table 1. Security vulnerabilities fixed in Pivotal Web Server 6.0.1
Issue Number Severity Description
CVE-2014-0231 Important A flaw was found in mod_cgid. If a server using mod_cgid hosted CGI scripts which did not consume standard input, a remote attacker could cause child processes to hang indefinitely, leading to denial of service. Fixed in Apache HTTP Server 2.4.10. Affected all previous Pivotal Web Server versions.
CVE-2014-3523 Important A flaw was found in the WinNT MPM in httpd versions 2.4.1 to 2.4.9, when using the default AcceptFilter for that platform. A remote attacker could send carefully crafted requests that would leak memory and eventually lead to a denial of service against the server. Fixed in Apache HTTP Server 2.4.10. Affected all previous Pivotal Web Server versions.
CVE-2014-0117 Moderate A flaw was found in mod_proxy in httpd versions 2.4.6 to 2.4.9. A remote attacker could send a carefully crafted request to a server configured as a reverse proxy, and cause the child process to crash. This could lead to a denial of service against a threaded MPM. Fixed in Apache HTTP Server 2.4.10. Affected all previous Pivotal Web Server versions.
CVE-2014-0118 Moderate A resource consumption flaw was found in mod_deflate. If request body decompression was configured (using the “DEFLATE” input filter), a remote attacker could cause the server to consume significant memory and/or CPU resources. The use of request body decompression is not a common configuration. Fixed in Apache HTTP Server 2.4.10. Affected all previous Pivotal Web Server versions.
CVE-2014-0226 Moderate A race condition was found in mod_status. An attacker able to access a public server status page on a server using a threaded MPM could send a carefully crafted request which could lead to a heap buffer overflow. Note that a publicly accessible server status page is neither a default nor a recommended configuration. Fixed in Apache HTTP Server 2.4.10. Affected all previous Pivotal Web Server versions.
CVE-2014-3508 Moderate A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. Applications may be affected if they echo pretty printing output to the attacker. OpenSSL SSL/TLS clients and servers themselves are not affected. Fixed in OpenSSL 1.0.1i.

The formatting functions for X509 are not reflected to the client in most situations. CGI or SSI scripts may perform the reflection of hostile certificate contents recovered from the environment variables propagated by mod_ssl (see [http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#SSLOptions](http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#SSLOptions)) as well as third party modules.

CVE-2014-3509 Low If a multithreaded client connects to a malicious server using a resumed session and the server sends an ec point format extension, it could write up to 255 bytes to freed memory. Fixed in OpenSSL 1.0.1i.

This flaw affects Apache httpd only in reverse proxy configurations connecting to untrusted hosts over https:, an unusual scenario. This flaw requires yet another mechanism to execute code written into the freed memory buffer. Forward proxy connections are established using tunnelled CONNECT requests and are not affected.

CVE-2014-3511 Low A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate TLS 1.0 instead of higher protocol versions when the ClientHello message is badly fragmented. This allows a man-in-the-middle attacker to force a downgrade to TLS 1.0 even if both the server and the client support a higher protocol version, by modifying the client’s TLS records. Fixed in OpenSSL 1.0.1i.

While TLS 1.2 introduces more appropriate renegotiation policies, as a practical matter many clients and servers will still only negotiate TLS 1.0. Exposing the most significant risks additionally requires SSLInsecureRenegotiation, which is already an unsafe configuration.

CVE-2014-5139 Low This issue affects OpenSSL clients: a malicious server can crash the client with a null pointer dereference (read) by specifying an SRP ciphersuite even though it was not properly negotiated with the client, resulting in a denial of service. Fixed in OpenSSL 1.0.1i.

Affects Pivotal Web Server only if the server is configured to reverse proxy content from an untrusted, malicious https:// backend server. Configuration of SRP ciphers is not necessary to trigger this defect. Forward proxies use the CONNECT mechanism to tunnel https:// traffic between the origin server and user agent endpoints and are not affected by this flaw.

CVE-2014-3512 Low A malicious client or server can send invalid SRP parameters and overrun an internal buffer. Only applications which are explicitly set up for SRP use are affected. Fixed in OpenSSL 1.0.1i.

This issue affects Pivotal Web Server 6.0 only if the SSLSRPVerifierFile is configured. No other Web Server release is affected.

Additionally, the following security issues, all fixed in OpenSSL 1.0.1i, have no impact on Pivotal Web Server, VMware vFabric Web Server, or VMware vFabric Enterprise Ready Server. These products do not use Datagram Transport Layer Security (DTLS):
  • Double Free when processing DTLS packets (CVE-2014-3505)
  • DTLS memory exhaustion (CVE-2014-3506)
  • DTLS memory leak from zero-length fragments (CVE-2014-3507)
  • OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
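As an added worked example (not Pivotal’s or the Apache project’s code), the following Python audit turns the preconditions stated in Table 1 into checks: it compares the output of `httpd -v` and `openssl version` against the packages shipped in 6.0.1, and scans an httpd configuration for the settings the descriptions name (SetInputFilter DEFLATE, a publicly reachable server-status page, SSLOptions +StdEnvVars together with CGI, ProxyPass to an https:// backend, SSLInsecureRenegotiation on, and SSLSRPVerifierFile). The two configuration snippets, the backend hostname and the paths are constructed for the example; treating “Require all granted” as the sign of a public status page is a heuristic, and the comment stripping is deliberately simple.

```python
# Added audit example, not Pivotal's code. Sample configs below are constructed.
import re

FIXED_HTTPD = (2, 4, 10)   # Apache HTTP Server shipped in 6.0.1
FIXED_OPENSSL = "1.0.1i"   # OpenSSL shipped in 6.0.1


def _openssl_key(version_text):
    # OpenSSL 1.0.1 patch releases are lettered: 1.0.1h < 1.0.1i.
    m = re.search(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version_text)
    if not m:
        raise ValueError("no OpenSSL version in %r" % version_text)
    return tuple(int(x) for x in m.groups()[:3]) + (m.group(4),)


def needs_upgrade(httpd_v_output, openssl_version_output):
    """Map package name -> installed version for packages older than those in 6.0.1."""
    out = {}
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", httpd_v_output)   # e.g. "Apache/2.4.9"
    if m and tuple(int(x) for x in m.groups()) < FIXED_HTTPD:
        out["httpd"] = m.group(0)
    if _openssl_key(openssl_version_output) < _openssl_key(FIXED_OPENSSL):
        out["openssl"] = re.search(r"\d+\.\d+\.\d+[a-z]*", openssl_version_output).group(0)
    return out


def _directives(text, name):
    """Yield the argument list of every line that starts with `name` (case-insensitive)."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()   # crude comment stripping
        if parts and parts[0].lower() == name.lower():
            yield parts[1:]


def audit_config(conf):
    """Map CVE id -> reason for every Table 1 precondition present in `conf`."""
    found = {}
    # CVE-2014-0118: request-body decompression via the DEFLATE *input* filter.
    if any("deflate" in a.lower() for args in _directives(conf, "SetInputFilter") for a in args):
        found["CVE-2014-0118"] = "SetInputFilter DEFLATE enables request body decompression"
    # CVE-2014-0226: a server-status page reachable by anyone (heuristic: 'Require all granted').
    for m in re.finditer(r"<Location\s+[^>]+>(.*?)</Location>", conf, re.S | re.I):
        body = m.group(1)
        handlers = [a.lower() for args in _directives(body, "SetHandler") for a in args]
        grants = [" ".join(args).lower() for args in _directives(body, "Require")]
        if "server-status" in handlers and "all granted" in grants:
            found["CVE-2014-0226"] = "publicly accessible server-status page"
    # CVE-2014-3508: certificate fields exported to CGI via StdEnvVars and echoed back.
    std_env = any(a.lower() in ("stdenvvars", "+stdenvvars")
                  for args in _directives(conf, "SSLOptions") for a in args)
    cgi = (any(True for _ in _directives(conf, "ScriptAlias"))
           or any(True for _ in _directives(conf, "ScriptAliasMatch"))
           or any("cgi-script" in args for args in _directives(conf, "AddHandler")))
    if std_env and cgi:
        found["CVE-2014-3508"] = "SSLOptions +StdEnvVars with CGI; review scripts that echo SSL_CLIENT_* vars"
    # CVE-2014-3509 / CVE-2014-5139: reverse proxying to an https:// backend (OpenSSL client side).
    for name in ("ProxyPass", "ProxyPassMatch"):
        if any(len(a) >= 2 and a[1].lower().startswith("https://") for a in _directives(conf, name)):
            found["CVE-2014-3509/CVE-2014-5139"] = "reverse proxy to an https:// backend"
    # CVE-2014-3511: the downgrade matters most when insecure renegotiation is allowed.
    if any(args and args[0].lower() == "on" for args in _directives(conf, "SSLInsecureRenegotiation")):
        found["CVE-2014-3511"] = "SSLInsecureRenegotiation on"
    # CVE-2014-3512: SRP is only in play when a verifier file is configured.
    if any(True for _ in _directives(conf, "SSLSRPVerifierFile")):
        found["CVE-2014-3512"] = "SSLSRPVerifierFile configured (SRP enabled)"
    return found


# Constructed sample: an exposed configuration (hostname and paths are made up).
EXPOSED_CONF = """
LoadModule status_module modules/mod_status.so
<Location /server-status>
    SetHandler server-status
    Require all granted
</Location>
SetInputFilter DEFLATE            # decompress request bodies
SSLInsecureRenegotiation off
SSLOptions +StdEnvVars
ScriptAlias /cgi-bin/ "/opt/pivotal/webserver/instances/example/cgi-bin/"
ProxyPass /api https://backend.example.internal/
"""

# Constructed sample: the same server with every precondition removed.
HARDENED_CONF = """
LoadModule status_module modules/mod_status.so
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1
</Location>
SetOutputFilter DEFLATE           # compress responses only
SSLInsecureRenegotiation off
SSLOptions -StdEnvVars
ProxyPass /api http://backend.example.internal/
"""

if __name__ == "__main__":
    print(needs_upgrade("Server version: Apache/2.4.9 (Unix)", "OpenSSL 1.0.1h 5 Jun 2014"))
    for cve, why in sorted(audit_config(EXPOSED_CONF).items()):
        print(cve, "-", why)
    print("hardened:", audit_config(HARDENED_CONF))
```

Run it against the real `httpd -v`, `openssl version` output and the concatenated server configuration (including files pulled in by Include) to get a per-CVE view of which fixes in this release actually change your exposure; an empty result from audit_config does not remove the need to upgrade, since the mod_cgid, WinNT MPM and mod_proxy issues depend only on the httpd version.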

Known Issues in Pivotal Web Server 6.0.1

The following issues have been identified in this release of Pivotal Web Server. Where possible, a workaround is also provided.

The table indicates the version in which the problem was found and, where applicable, the version in which it was fixed. If the Fixed In column is blank, it means the problem still exists in the latest version of Pivotal Web Server.

Table 2. Known Issues
Issue Number: VWS-17
Description: The Microsoft Windows package and self-extraction mechanism do not provide a capability to store and unpack the pivotal-web-server/httpd-2.2 symbolic link.

Workaround: Create the symbolic link yourself. See [Windows: Install Pivotal Web Server from a Self-Extracting ZIP File](http://webserver.docs.pivotal.io/index.html?q=/topics/install.html) for details.

Found In: 5.0.0
Fixed In: (blank; the issue is still present in 6.0.1)