Author: jfthomps
Date: Mon Jul 29 15:20:23 2019
New Revision: 1863947
URL: http://svn.apache.org/viewvc?rev=1863947&view=rev
Log:
initial creation of security page
Added:
vcl/site/trunk/content/security.mdtext (with props)
Added: vcl/site/trunk/content/security.mdtext
URL:
http://svn.apache.org/viewvc/vcl/site/trunk/content/security.mdtext?rev=1863947&view=auto
==============================================================================
--- vcl/site/trunk/content/security.mdtext (added)
+++ vcl/site/trunk/content/security.mdtext Mon Jul 29 15:20:23 2019
@@ -0,0 +1,94 @@
+Title: Apache VCL Security
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+#h1 Security Issues
+The Apache Software Foundation takes security issues seriously and has a
+[security team](https://www.apache.org/security/) that helps Apache projects
work through security
+issues. If you discover any potential vulnerabilities in Apache VCL, please
report them to
+[secur...@apache.org](mailto:secur...@apache.org).
+
+#h2 Known Security Issues
+Here is a list of known security issues with Apache VCL along with the
versions affected, versions
+in which they were fixed, and information on patching vulnerable versions.
+
+#h3 CVE-2018-11772
+* Announced: July 29th, 2019
+* Affected versions: versions 2.1 through 2.5
+* Fixed in version: 2.5.1
+* [Installing patches](/patches/patching-CVE-2018.html)
+* Problem type: SQL injection
+* Description:
+
+ Apache VCL versions 2.1 through 2.5 do not properly validate cookie input
when determining what
+ node (if any) was previously selected in the privilege tree. The cookie
data is then used in an
+ SQL statement. This allows for an SQL injection attack. Access to this
portion of a VCL system
+ requires admin level rights. Other layers of security seem to protect
against malicious attack.
+ However, all VCL systems running versions earlier than 2.5.1 should be
upgraded or patched.
+ This vulnerability was found and reported to the Apache VCL project by
ADLab of Venustech.
+
+#h3 CVE-2018-11773
+* Announced: July 29th, 2019
+* Affected versions: versions 2.1 through 2.5
+* Fixed in version: 2.5.1
+* [Installing patches](/patches/patching-CVE-2018.html)
+* Problem type: improper form validation
+* Description:
+
+ Apache VCL versions 2.1 through 2.5 do not properly validate form input
when processing a
+ submitted block allocation. The form data is then used as an argument to
the php built in
+ function strtotime. This allows for an attack against the underlying
implementation of that
+ function. The implementation of strtotime at the time the issue was
discovered appeared to be
+ resistant to a malicious attack. However, all VCL systems running versions
earlier than 2.5.1
+ should be upgraded or patched. This vulnerability was found and reported
to the Apache VCL
+ project by ADLab of Venustech.
+
+#h3 CVE-2018-11774
+* Announced: July 29th, 2019
+* Affected versions: versions 2.1 through 2.5
+* Fixed in version: 2.5.1
+* [Installing patches](/patches/patching-CVE-2018.html)
+* Problem type: SQL Injection
+* Description:
+
+ Apache VCL versions 2.1 through 2.5 do not properly validate form input
when adding and
+ removing VMs to and from hosts. The form data is then used in SQL
statements. This allows for
+ an SQL injection attack. Access to this portion of a VCL system requires
admin level rights.
+ Other layers of security seem to protect against malicious attack.
However, all VCL systems
+ running versions earlier than 2.5.1 should be upgraded or patched. This
vulnerability was
+ found and reported to the Apache VCL project by ADLab of Venustech.
+
+#h3 CVE-2013-0267
+* Announced: May 6th, 2013
+* Affected versions: versions 2.1, 2.2, 2.2.1, 2.3, 2.3.1
+* Fixed in version: 2.2.2, 2.3.2
+* Problem type: improper input validation
+* Description:
+
+ Some parts of VCL did not properly validate input data. This problem was
present both in the
+ Privileges portion of the web GUI and in the XMLRPC API.
+
+ A malicious user having a minimal level of administrative rights could
+ manipulate the data submitted by the web GUI or submit non-standard data
to
+ the API to gain additional administrative rights.
+
+ The API functions that are vulnerable were introduced in 2.3.1. Some of
those
+ API functions can also be exploited to perform a DOS attack on the site to
+ remove access from other users and to perform an XSS attack to gain
elevated
+ privileges.
+
+ The vulnerabilities were found by an Apache VCL developer doing a code
review.
\ No newline at end of file
Propchange: vcl/site/trunk/content/security.mdtext
------------------------------------------------------------------------------
svn:eol-style = native
