Popular Web infrastructure is frequently the target of hackers looking to exploit vulnerabilities to snare sensitive online information. As the most popular Web server on the Internet, the Apache HTTP Web server knows this all too well. But thanks to a new security update, many serious Apache flaws have been fixed.
Server Watch has the details about the Apache security update, which addresses several vulnerabilities, including a noted SSL/TLS renegotiation hole.
The Apache HTTP Web Server is the most widely deployed Web server on the Internet today, which means that vulnerabilities in the open source server can have a devastating impact. That also makes security updates like the new 2.2.15 release critical: the release addresses several security vulnerabilities in Apache’s flagship HTTP Web server.
Chief among the new vulnerabilities is a flaw related to a broader SSL issue first disclosed in November 2009. That issue involves a renegotiation flaw in TLS.
“Notably, this release was updated to reflect the OpenSSL Project’s release 0.9.8m of the openssl library, and addresses CVE-2009-3555, the TLS renegotiation prefix injection attack,” Apache noted in a mailing list announcement.
The SSL/TLS renegotiation vulnerability might have made a man-in-the-middle attack possible, potentially leaving SSL-protected sites at risk of being spoofed by malicious SSL/TLS credentials.