Apache HTTP Server Vulnerability Advisory for Adobe Flash Media Server Customers


An important vulnerability was recently identified in Apache HTTP Server version 2.2.14 and earlier (CVE-2010-0425: mod_isapi module unload flaw). The flaw in mod_isapi could result in an attempt to unload the ISAPI dll when encountering various error states. This could leave the callbacks in an undefined state and result in a segfault. On Windows platforms using mod_isapi, a remote attacker could send a malicious request to trigger this issue, and as win32 MPM runs only one process, this would result in a denial of service, and potentially allow arbitrary code execution. This vulnerability has been fixed in Apache httpd 2.2.15.
Adobe is issuing this blog post as an advisory for customers of Adobe Flash Media Server 3.5.x (Windows only), which ships with version 2.2.9 of Apache HTTP Server:
While Adobe Flash Media Server is not vulnerable to this exploit without specific configuration to support ISAPI-based actions, Adobe recommends customers disable the ISAPI module as a precaution.
To prevent the ISAPI module from loading, change the following line in the Flash Media Server Apache configuration at FMS_INSTALL_DIR/Apache2.2/conf/httpd.conf from

LoadModule isapi_module modules/mod_isapi.so
#LoadModule isapi_module modules/mod_isapi.so

If the ISAPI module is needed for your particular Apache distribution, Adobe recommends you update your Apache installation to version 2.2.15, which includes the patch to fix this vulnerability.
For documentation on the configurations Flash Media Server uses to determine its Apache location, visit http://help.adobe.com/en_US/FlashMediaServer/3.5_AdminGuide/WSE2A5A7B9-E118-496f-92F9-E295038DB7DB.html.
This posting is provided “AS IS” with no warranties and confers no rights.


Posted on 03-15-2010