The vulnerability is found in Apache's core "mod_isapi" module. Successful exploit of this module could allow an attacker to gain system-level privileges. At present, it appears this flaw impacts Apache web server on Windows platforms only.
Proof of concept code has been written by Sense of Security, and although the exploit is complex in its design, it will certainly be ported to various attack frameworks which will remove some of the technical acumen needed to run the exploit.
Since it's not trivial to determine if the Apache web server has been compromised, and given that data loss is a very real possibility, updating to 2.2.15 appears to be the only solution at this point. As with all things Internet-facing, make sure you do adequate regression testing in a dev environment before pulling the trigger in production.
No comments:
Post a Comment
Please tell me what you think.