Release Notes for Version 6.2.1

What’s in the Release Notes

These release notes cover the following topics:

  • Important Support Lifecycle Announcements
  • Important Notice for Microsoft Windows Users
  • Experimental HTTP/2 Protocol Support Included
  • SSL Encryption and mod_ssl Configuration
  • Update to mod_bmx
  • Hyperic Monitoring
  • Custom Module Deployment
  • Apache HTTP User Resources
  • Pivotal Web Server 6.2.1 Components Updated
  • Pivotal Web Server 6.2.1 Security Issues Addressed

Important Support Lifecycle Announcements

All users must note the End of Availability of the Pivotal Web Server product, effective March 1st, 2015. General Support for the Pivotal Web Server releases 5.5, 6.1 and 6.2 ends on July 15, 2017. Users of previous vFabric Web Server and Pivotal Web Server releases are strongly encouraged to update to this current release promptly.

Note that July 15, 2017 also marks the End of General Support for open source Apache HTTP Server version 2.2. All customers seeking ongoing support for Apache HTTP Server must migrate to version 2.4 by this date to continue receiving General Support. Only Technical Guidance will be available for version 2.2 after July 15, 2017 and will cease on July 15, 2018.

Important Notice for Microsoft Windows Users

With the launch of the Pivotal Web Server 6.2.0 product, the x86-windows and x64-windows packages are now built using Visual C++ 19.0, a component of Microsoft Visual Studio 2015 Update 1. There are two immediate impacts on Windows users upgrading to this latest release:

  1. Users on Windows 7, 8 or 8.1, or on Windows Server 2008 or 2012, must obtain and install the Microsoft Update for Universal C Runtime in Windows (also distributed with the Visual C++ Redistributable for Visual Studio 2015) from Microsoft at https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows, and be certain to observe the prerequisites noted for that package. Installing this x86 or x64 package (as applicable) from Microsoft ensures that the runtime is updated by the Windows Update service for any new security vulnerabilities in the C Runtime itself. Windows 10 and Windows Server 2016 users do not need to obtain this package, as it is a core component of these operating systems.
  2. Users who have provisioned third-party modules in Pivotal Web Server 6.1.0 or earlier should consider rebuilding these modules for this new release 6.2.1 under the Visual Studio 2015 Update 1 product. This ensures that any resources allocated from the C Runtime by the module and consumed by the server or core modules (or vice versa) will not subject the server to possible crash bugs. It will also make a significant difference in the resources consumed by the running server, because each module loaded into the server that was linked against a different, earlier C Runtime causes each of those different C Runtimes to be loaded into the process at once. The corresponding pivotal-web-server-devel packages include the apxs.bat script, which simplifies the process of compiling modules.

Experimental HTTP/2 Protocol Support Included

This release introduces the mod_http2.so module, a protocol module that enables HTTP/2 connections to the deployed PWS instance. This is still a beta/experimental feature of Pivotal Web Server, and leverages the latest nghttp2 library to provide protocol compliance. It should not be used for production environments unless it is carefully tested in the specific deployment scenario desired, with the ability to disable it in production and revert to classic HTTP/1.1 support. The mod_http2 module is provided for your testing and evaluation. While it is not covered under the Premium Support [1] production SLA, we do encourage you to test it and file any issues you encounter with Pivotal technical support. Issues on the mod_http2 module will be treated as Developer Support [1] issues with regard to response time.

For detailed information on this module, refer to https://httpd.apache.org/docs/2.4/mod/mod_http2.html

SSL Encryption and mod_ssl Configuration

This release includes the updated default configuration and hardening recommendations originally shipped with Pivotal Web Server release 6.1.0. The default extra/httpd-ssl.conf configuration improves the robustness of SSL/TLS cryptography. Users should review existing instances to ensure that mod_ssl features including SSLProtocol and SSLCipherList meet or exceed modern guidance. It may be especially helpful to use the instance’s certificate expiration dates to trigger a periodic review of these configurations, as guidance continues to evolve as end-users update their browsers and other clients to more modern TLS capabilities.

This release includes a modification to the default certificate creation in the ./newserver instance creation utility. This tool will now identify the certificate with a SHA256 hash (rather than SHA1) and will now encrypt a copy of the certificate using AES256 (rather than DES). This change anticipates the complete deprecation of SHA1 certificate hashes in the internet ecosystem by the end of 2016, in alignment with all major browser and service providers.
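As an added example (not part of the original notes and not the product's own tooling), a POSIX shell audit that evaluates SSLProtocol values with mod_ssl's token rules and flags active lines in a constructed httpd-ssl.conf fragment that still leave SSLv2 or SSLv3 enabled; the expansion of "all" and the sample file are assumptions labelled in the comments.

```shell
# Token rules follow mod_ssl's SSLProtocol parser: '+' enables, '-' disables, a bare
# keyword replaces the set built so far, and 'all' expands to every supported version
# (assumption matching the OpenSSL 1.0.2 build in these notes, with SSLv2 compiled out):
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# ssl_protocol_enabled "<SSLProtocol value>" <protocol>: exit 0 if that protocol is on.
ssl_protocol_enabled() {
    value=$1; want=$2; enabled=" "
    for tok in $value; do
        case $tok in
            -*) op=del; name=${tok#-} ;;
            +*) op=add; name=${tok#+} ;;
            *)  op=add; name=$tok; enabled=" " ;;   # bare keyword: start over
        esac
        [ "$name" = all ] && name=$ALL_PROTOCOLS
        for n in $name; do
            if [ $op = del ]; then enabled=$(printf '%s' "$enabled" | sed "s| $n | |")
            else case "$enabled" in *" $n "*) ;; *) enabled="$enabled$n " ;; esac
            fi
        done
    done
    case "$enabled" in *" $want "*) return 0 ;; *) return 1 ;; esac
}

# Count active (uncommented) SSLProtocol lines in $1 that still leave SSLv2 or SSLv3
# enabled; each finding goes to stderr, the count to stdout.
audit_ssl_protocol() {
    weak=0
    while read -r _d value; do
        for legacy in SSLv2 SSLv3; do
            ssl_protocol_enabled "$value" "$legacy" || continue
            echo "WEAK: 'SSLProtocol $value' leaves $legacy enabled" >&2
            weak=$((weak + 1))
        done
    done <<EOF
$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$1" || true)
EOF
    echo "$weak"
}

# Constructed httpd-ssl.conf fragment for the demonstration (not the shipped file).
make_sample_ssl_conf() {
    f="${TMPDIR:-/tmp}/httpd-ssl.$$.conf"
    cat > "$f" <<'EOF'
SSLProtocol -all +TLSv1.1 +TLSv1.2
<VirtualHost _default_:443>
    SSLProtocol all -SSLv2
</VirtualHost>
EOF
    echo "$f"
}
```

Point audit_ssl_protocol at each instance's conf/extra/httpd-ssl.conf; on the sample it reports the "all -SSLv2" line, because "all" still includes SSLv3.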

Update to mod_bmx

The Pivotal Web Server 6.2.0 release included a new update of the mod_bmx modules. If upgrading from earlier versions, users are cautioned to purge the old bmx data collection files, bmx_vhost.db.dir and bmx_vhost.db.pag, in each server instance's logs/ directory. By default, the new mod_bmx_vhost will name these files bmx_vhost1.db.* in order to prevent such collisions, but any user overriding the BMXVHostDBMFilename must rename or purge their vhost summary collection files after upgrading to PWS 6.2.1, prior to restarting the server instances. Unintelligible summaries and even server segfaults may result from using the old-format vhost summary files.

Hyperic Monitoring

Since the release of 6.1.0, the default instance leaves the mod_bmx modules not loaded (commented out). There is a performance impact, specifically in collecting the mod_bmx_vhost summaries, and these modules should only be loaded if this data is queried. Users requiring bmx monitoring, such as for the Web Server plug-in to Hyperic, may install new instances using one of three methods:

  1. Use two additional --subst flags to override the default, and load the mod_bmx modules for monitoring at initial startup:

    ./newserver --subst "#LoadModule bmx=LoadModule bmx" \
        --subst "#Include conf/extra/httpd-info=Include conf/extra/httpd-info" [...]

  2. To enable mod_bmx for all new instances, uncomment these lines in the deployed product httpd-2.4/_instance/conf/httpd.conf template file, prior to invoking ./newserver.

  3. Simply modify each desired instance’s {instance}/conf/httpd.conf file after invoking ./newserver to uncomment these lines, prior to starting the server instance.
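The purge step from the mod_bmx section and method 3 above, scripted together as an added example (not the product's own tooling): it removes the stale bmx_vhost.db.dir/bmx_vhost.db.pag summary files (and any named by an overridden BMXVHostDBMFilename, assumed to be given relative to the instance directory) and uncomments the mod_bmx and httpd-info lines in an existing instance's conf/httpd.conf. The sample instance and its module lines are constructed for the demonstration.

```shell
# Method 3 from the notes, scripted: uncomment the mod_bmx LoadModule lines and
# the httpd-info Include in an existing instance's conf/httpd.conf (the same
# lines the --subst flags rewrite at creation time). Prints how many lines changed.
enable_bmx() {
    conf="$1/conf/httpd.conf"
    n=$(grep -c -E '^#(LoadModule bmx|Include conf/extra/httpd-info)' "$conf" || true)
    sed -e 's/^#\(LoadModule bmx\)/\1/' -e 's|^#\(Include conf/extra/httpd-info\)|\1|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    echo "$n"
}

# Purge the pre-6.2 vhost summary files before the first restart: the old default
# logs/bmx_vhost.db.{dir,pag}, plus whatever an overridden BMXVHostDBMFilename names
# (assumed relative to the instance directory, .dir/.pag appended by the DBM layer).
# Prints how many files were removed.
purge_stale_bmx() {
    inst=$1; removed=0; bases="logs/bmx_vhost.db"
    custom=$(awk '$1 == "BMXVHostDBMFilename" { print $2 }' "$inst/conf/httpd.conf" | tr -d '"')
    if [ -n "$custom" ]; then bases="$bases $custom"; fi
    for base in $bases; do
        for ext in dir pag; do
            if [ -f "$inst/$base.$ext" ]; then
                rm -f "$inst/$base.$ext"; removed=$((removed + 1))
            fi
        done
    done
    echo "$removed"
}

# Constructed sample instance: template-style commented lines plus stale summary
# files, standing in for a real {instance}/ directory.
make_sample_instance() {
    inst="${TMPDIR:-/tmp}/pws-instance.$$"
    mkdir -p "$inst/conf" "$inst/logs"
    cat > "$inst/conf/httpd.conf" <<'EOF'
#LoadModule bmx_module modules/mod_bmx.so
#LoadModule bmx_vhost_module modules/mod_bmx_vhost.so
#Include conf/extra/httpd-info.conf
BMXVHostDBMFilename logs/vhost-summary.db
EOF
    : > "$inst/logs/bmx_vhost.db.dir"; : > "$inst/logs/bmx_vhost.db.pag"
    : > "$inst/logs/vhost-summary.db.pag"
    echo "$inst"
}

inst=$(make_sample_instance)
echo "removed $(purge_stale_bmx "$inst") stale summary file(s), uncommented $(enable_bmx "$inst") line(s)"
```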

Custom Module Deployment

The Pivotal Web Server 6.2.0 release provides the opportunity to update and introduce several subcomponents, which may introduce a possibility of incompatibility issues for users who have extended the product with their own modules that are built upon these subcomponents. This specifically includes an update from OpenSSL 1.0.1 to version 1.0.2, and the introduction of Nghttp2 to support mod_http2.

This 6.2.1 release drops all support for the SSLv2 ciphers and protocol; these are no longer compiled into the distributed openssl library component. Third-party components compiled against the openssl component of an earlier PWS release may need to be recompiled if load-time errors are encountered. The 6.2.0 release httpd mod_ssl build had already dropped all references to SSLv2, so this change is for completeness, as strongly recommended by the OpenSSL Project.

We encourage users who have compiled their own or third-party modules (apart from modules distributed with Pivotal Web Server) to carefully review their modules’ dependencies, and to test their functionality before moving these into production on 6.2.1. Most modules with no direct dependencies on these subcomponents should remain compatible between modules built for PWS 6.0 or 6.1 and this 6.2.1 release. Note that modules compiled for PWS 5.x are not binary compatible with PWS 6.x releases; these modules must be recompiled and, in some cases, ported to httpd 2.4-specific APIs.

The previous 6.0.x release -devel- packages for building add-on modules have been streamlined in 6.1.0 and later to flatten the development package build/ and include/ trees, avoiding many extraneous build-1/, apr-1/ and libxml2/ subdirectory structures. Custom module build makefiles may need to be adjusted accordingly to build against the new -devel- package structure. Module builds that rely upon apxs, {component}-config scripts or pkginfo should not be affected.

Apache HTTP User Resources

The “User Provisioned Apache HTTP Server 2.4.20”, to be published in conjunction with this release, provides guidance on building or obtaining the subcomponents of this Pivotal Web Server release for users to build themselves from source code. This becomes the recommended path as of July 2017 for most users who select the Open Source Apache HTTP Server support offered by Pivotal.

Pivotal Web Server 6.2.1 Components Updated

  • Apache HTTP Server 2.4.20
  • Expat 2.1.1
  • OpenSSL 1.0.2h [Version 1.0.2 is exclusive to PWS 6.2 and later]
  • nghttp2 1.9.2 [nghttp2 is exclusive to PWS 6.2 and later, for mod_http2]
  • Apache Tomcat tcnative connector 1.2.5 [Version 1.2 is exclusive to PWS 6.2 and later]

Pivotal Web Server 6.2.1 Security Issues Addressed

CVE-2016-2108 - Memory corruption in the ASN.1 encoder - Not applicable. Corrected in all Pivotal Web Server 5.5, 6.1 and 6.2 releases (all supported releases). https://www.openssl.org/news/secadv/20160503.txt

CVE-2016-2107 - Padding oracle in AES-NI CBC MAC check - High severity. This issue is of high severity where untrusted users have local machine access or very low latency access to the PWS origin server, e.g. on a common backbone within the datacenter. This would be an uncommon deployment scenario for PWS users. https://www.openssl.org/news/secadv/20160503.txt

CVE-2016-2105 - EVP_EncodeUpdate overflow - Low severity
CVE-2016-2106 - EVP_EncryptUpdate overflow - Low severity
CVE-2016-2109 - ASN.1 BIO excessive memory allocation - Low severity
CVE-2016-2176 - EBCDIC overread - Low severity
This group of issues is not expected to affect Pivotal Web Server deployments. The apr-util library alone touches the functions referenced by CVE-2016-2106, and only for the mod_session_crypto module, which is not enabled by default. https://www.openssl.org/news/secadv/20160503.txt

CVE-2016-1546 - mod_http2 denial of service by thread starvation - Low severity. By manipulating the flow control windows on HTTP/2 streams, a malicious client was able to block server threads for long periods, causing starvation of worker threads. Connections could still be opened, but no streams were processed on them. HTTP/1 requests were not affected.

CVE-2016-0800 - Cross-protocol attack on TLS using SSLv2 (DROWN). Users of the recommended PWS configuration (disabling the SSLv2 protocol and ciphers) were not affected; however, any users who had enabled SSLv2 were affected, and such configurations are invalid in PWS 6.2.0 and later. Users who share a certificate/private key with other services that are configured to support SSLv2 remain vulnerable, irrespective of updating the PWS product. https://www.openssl.org/news/secadv/20160301.txt https://drownattack.com/

CVE-2016-0705 - Double-free in DSA code - Low severity
CVE-2016-0798 - Memory leak in SRP database lookups - Low severity
CVE-2016-0797 - BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption - Low severity
CVE-2016-0799 - Fix memory issues in BIO_*printf functions - Low severity
CVE-2016-0702 - Side channel attack on modular exponentiation - Low severity
None of the issues above affect default Pivotal Web Server deployments. https://www.openssl.org/news/secadv/20160301.txt

CVE-2016-0703 - Divide-and-conquer session key recovery in SSLv2 - Not applicable
CVE-2016-0704 - Bleichenbacher oracle in SSLv2 - Not applicable
Corrected in all Pivotal Web Server 5.5, 6.1 and 6.2 releases (all supported releases). https://www.openssl.org/news/secadv/20160301.txt

CVE-2015-8395, CVE-2015-8394, CVE-2015-8392, CVE-2015-8391, CVE-2015-8390, CVE-2015-8389, CVE-2015-8388, CVE-2015-8387, CVE-2015-8386, CVE-2015-8385, CVE-2015-8384, CVE-2015-8383, CVE-2015-8382, CVE-2015-8381, CVE-2015-8380 - PCRE parsing overflow issues - Low severity. All of these are rated low severity and should not represent a threat to Pivotal Web Server users, as such expressions are under the control of the server administrator. http://www.pcre.org/original/changelog.txt