[DW-VA1P4xT] Security scan vulnerability found
Description
VA1P4xT (VMAX A1 G3 FW: 1.0.1.64)
Customer is reporting -
A security scan says our DW-VA1P4xT is vulnerable to the below issue:
https://www.cvedetails.com/cve/CVE-2022-41556
A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.
I have 1.0.1.64 installed. Will there be an update to correct this problem?
This looks very similar (based on the description) to the problem we encountered a few months back. Did you have a chance to investigate this? The above issue may resolve it.
Please let me know what will be done.
dw-vapxx_v1.0.1.65 > lighttpd updated to version 1.4.70
Linking issue -
Check latest comment
VMAX A1 G3 currently uses lighttpd v1.4.61.
To move to the requested v1.4.67, not only lighttpd itself but also the related libraries have to be changed together.
We would therefore like to proceed with the lighttpd fix after the G3 DW Cloud release.
If anything has been reviewed, please post an update.
We have already passed the details to the R&D lab, but they say it has not been reviewed yet because myDW Cloud G4 and G3 are currently being debugged.
We will get back to you once a schedule is set.
Can you confirm the results from the lab? We have to send an update to the customer.
@FOCUS_JH Do you have an update on this? Sungho is requesting this be patched in the next version.
I will forward the details to the R&D lab.
We ran a Nessus scan against a VMAX VA1P4 with firmware version 1.0.1.64.
It detected an HTTP server running lighttpd/1.4.61, which has the following vulnerabilities, as the customer described:
CVE-2022-41556
CVE-2022-22707
As the customer mentioned, it can be fixed by upgrading to at least lighttpd version 1.4.67.
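The Nessus finding above is purely banner-based: the scanner reads the Server header and compares the lighttpd version against the affected range. The following added example (not part of this ticket or of any Digital Watchdog firmware) reproduces that check so the device can be re-verified after the 1.0.1.65 update. It encodes only the CVE-2022-41556 range quoted in the ticket (1.4.56 through 1.4.66, fixed in 1.4.67); the sample HTTP responses are constructed, not captured from a real unit, and the probe() helper is an assumed convenience for running the same check against a live host.

```python
import re
import socket
from typing import Optional, Tuple

# Affected range from the CVE-2022-41556 description quoted in the ticket:
# lighttpd 1.4.56 through 1.4.66, fixed in 1.4.67.
AFFECTED_MIN = (1, 4, 56)
FIXED_IN = (1, 4, 67)

# Constructed sample responses (not captured from a device) mimicking the
# Server banner a scanner keys on.
SAMPLE_VULNERABLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: lighttpd/1.4.61\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_PATCHED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: lighttpd/1.4.70\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_NO_BANNER = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def parse_lighttpd_version(raw_response: bytes) -> Optional[Tuple[int, ...]]:
    """Return the lighttpd version from the Server header as a tuple, or None.

    None means the banner is absent, is not lighttpd, or hides the version
    (e.g. server.tag overridden), so a banner check cannot decide.
    """
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            m = re.match(r"\s*lighttpd/(\d+)\.(\d+)\.(\d+)", value, re.I)
            if m:
                return tuple(int(x) for x in m.groups())
            return None
    return None


def classify(raw_response: bytes) -> str:
    """Classify a response as vulnerable / not_affected / unknown for CVE-2022-41556."""
    version = parse_lighttpd_version(raw_response)
    if version is None:
        return "unknown"  # no usable banner: verify by another method
    if AFFECTED_MIN <= version < FIXED_IN:
        return "vulnerable"
    return "not_affected"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send a minimal HEAD request to a host you own and classify its banner."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data and len(data) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify(data)


if __name__ == "__main__":
    for label, response in (
        ("1.4.61", SAMPLE_VULNERABLE),
        ("1.4.70", SAMPLE_PATCHED),
        ("no banner", SAMPLE_NO_BANNER),
    ):
        print(label, "->", classify(response))
```

A banner check is only as good as the banner: a firmware that suppresses or rewrites the Server header will report "unknown" here and may be missed or misreported by a scanner, so the firmware changelog (1.0.1.65 shipping lighttpd 1.4.70) remains the authoritative evidence for the customer.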