CVE-2016-4975

Support for security such as Firewalls and securing linux
Post Reply
eslav
Posts: 4
Joined: 2011/09/18 17:30:40

CVE-2016-4975

Post by eslav » 2019/05/21 16:58:13

Hi folks,

On a digital ocean server, we are using Apache 2.2.15 httpd-2.2.15-69.el6.centos.src.rpm
On CentOS release 6.7 (Final) (Linux version 2.6.32-573.8.1.el6.x86_64)

Looks like nothing's available:
yum list available httpd\*

I cannot find that CVE-2016-4975 is for sure affecting us or has been patched, most hits seem to imply it's basically unfixed... maybe due to some updates around this vulnerability at NIST it has become an issue for this patch level.

So I started at the beginning:
https://access.redhat.com/articles/2123171
https://access.redhat.com/errata/#/

Looking up pages for: CVE-2016-4975
Three Search Results:
https://access.redhat.com/errata/#/?q=C ... sc&rows=10
Seems for openssl only, but shows up
https://access.redhat.com/errata/RHSA-2018:2185
https://access.redhat.com/errata/RHSA-2018:2186
This one is openssl, and, curl, and some others etc:
https://access.redhat.com/errata/RHSA-2018:2486
But those above are fixed packages, so logically if the relevant package is not there, it has not been fixed.
However, some RH pages state "Will not fix" on them, and I'm having trouble finding that being confirmed for RHEL6 branch.
Also, the above references "Red Hat JBoss Core Services Pack Apache Server..."
I don't think we're running JBoss Core Services Pack?
Especially after reading this:
https://access.redhat.com/solutions/341413
Also, if the CVE in question is listed in the "Fixes" section of each of these, what does that mean? Just related? Or should I go looking at curl and the other 3 or packages for changelogs and/or updates?

Anyway, I went here:
https://access.redhat.com/security/cve/cve-2016-4975
And there it does indeed says "Will not fix" for RHEL6

Finally, I went here:
https://bugzilla.redhat.com/show_bug.cgi?id=1375968
Scrolled down, and discussion suggests due to rating it is unlikely to get fix considering phase2 support for RHEL6.

Here's the specific CVE page at various places:
https://access.redhat.com/security/cve/cve-2016-4975
http://cve.mitre.org/cgi-bin/cvename.cg ... -2016-4975
Then the apache 2.2 page, I searched many of the terms on this page in the rpm info with grep and came up empty ("CR"/LF/"CRLF"/"I/injection":
https://httpd.apache.org/security/vulne ... -2016-4975
It's Listed here, but, "We are not aware of any exploits":
https://www.securityfocus.com/bid/105093/exploit

This seems to be pretty clear that the version is affected "(Affected 2.2.0-2.2.31)"
Also, according to this page, the analysis was modified Feb 7, 2019, and is again under analysis that will result in potential changes...
https://nvd.nist.gov/vuln/detail/CVE-2016-4975

Didn't glean anything from this, it's just referenced by MITRE:
https://security.netapp.com/advisory/nt ... 0926-0006/
Nor the HP Enterprise page, just links to their updated 2.4.x package

I like this website, but I'm never sure how complete/canonically accurate it is when cross referencing with a CentOS server.
https://www.cvedetails.com/cve/CVE-2016-4975/

User avatar
TrevorH
Forum Moderator
Posts: 26312
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2016-4975

Post by TrevorH » 2019/05/21 17:56:53

CentOS 6.7 is from mid-2015 so is now nearly 3 whole years out of date so you have an awful lot more to worry about than just one CVE in httpd. The current version is 6.10 and has hundreds if not thousands of fixes above 6.7. Comment 15 in that bugzilla entry sums up Redhat's position - https://bugzilla.redhat.com/show_bug.cgi?id=1375968#c15

Are you actually using mod_userdir? It's disabled out of the box and unused so you would have needed to specifically enable it. If you don't have mod_userdir enabled and loaded then you are not at risk.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

eslav
Posts: 4
Joined: 2011/09/18 17:30:40

Re: CVE-2016-4975

Post by eslav » 2019/05/22 18:52:20

Hey, great info!

Thanks. I thought I remembered looking up something about upgrading from 6.7 to 6.9 a while ago and thought better of it. I don't remember the argument at this point... I think I was updating all the packages on my own because I was worried about some openssl issue. Or maybe that was 6.7 to 7.2, shame on me for not documenting decisions like that better. I have lots of notes about updating those packages however. It sounds like it's a bad idea to stay behind too many minor versions is what you're saying, regardless. Fair enough, and case in point my question right?

Thanks for getting me to re-read that description of the bug. I glossed over it too quickly and focused on the comments.

I'm trying to think why we enabled mod_userdir, but we must have (I'm co-sysadmin...) when we were setting up for some reason if you're saying it's disabled by default... I don't know of anything specific that we need it for or are mapping. Probably something though. We have about 3 sites on their with different CMSs, in addition to some programs that aren't CentOS stock, can't remember most of them, I'm mostly doing this kind of thing with httpd/openssl/ssh etc. On the other hand I just found docs for the last service we used before digital ocean, and I had turned it off... of course we're doing even more now for ourselves with our current service.

I guess I could try disabling it and see if it breaks the world? That is of course in the interim while I stage an upgrade to 6.10...

Thanks again TrevorH!

Post Reply