The Apache vulnerability, full disclosure, and monocultures [LWN.net]

The advisory from Internet Security Systems (ISS) came out on June 17: the Apache server has a remotely-exploitable vulnerability in its "chunk handling" code, which is used for handling uploads of unknown size. The alert describes the problem, notes that the Apache project has been alerted, and includes a patch.

It all looks like a fairly normal response to security problems in the free software community, until you look a little more closely. It turns out that the Apache group was already aware of the problem and was working on a fix. The Computer Emergency Response Team (CERT) also was already involved. It also turns out that the ISS patch does not completely fix the problem. ISS, in its hurry to publicise the vulnerability, had not checked with either CERT or the Apache Software Foundation.

Full disclosure of security vulnerabilities is (usually) seen as a good thing in the free software community. Freedom, with regard to software, includes the freedom to know about (and fix) problems. And, of course, full disclosure is a powerful tool for forcing a software maintainer to release a fix - most of the time. As a general rule, nobody is more secure when the crackers are the only ones to know about security problems.

The other side of full disclosure, however, is that, when done too soon, it can leave millions of users open to a vulnerability while no fix is available. Such is the case this time around. Sites running Apache on Windows are most vulnerable to the chunk handling vulnerability; such sites are probably running a binary distribution of Apache, many do not even have a compiler available, and thus they will be poorly served by a source patch.

Full disclosure is a powerful tool which should be used with care. The disclosure of a security vulnerability should never be a surprise to those who must clean up the mess. Those who find security problems should always work with the package maintainer and give that maintainer time to make a fix available. Only in cases of serious stalling or neglect should a disclosure go out before the maintainer is ready.

This is a lesson that the free software community will probably have to relearn every so often. Free software has the potential to be far more secure; its open nature lets any interested party inspect the code for problems. But much of that advantage is lost when vulnerabilities are handled in an immature manner. If you or your company find a security vulnerability, surely you can wait a few days to claim your credit.

This vulnerability raises another concern as well. Much has been said about the dominance of Windows systems on the net; the resulting "monoculture" is highly vulnerable to security problems. Apache's share of the total web server population is such that it could be considered a monoculture as well. Apache has obtained that share through consistent high quality and a strong security record. No package is completely invulnerable, however, and Apache problems, when they do turn up, place much of the net at risk. For the security of the net as a whole, it would be nice if there were another free web server with something resembling Apache's stature and market share.

For details on the chunk handling vulnerability, see the LWN vulnerability entry, the advisory from the Apache Software Foundation or the CERT advisory. Initial indications were that this problem was not remotely exploitable on Linux systems, but that claim is now known to be false. If you are running an Apache server, you want to upgrade as soon as possible.

(Log in to post comments)

Not so simple as "Apache is a monoculture"

Posted Jun 20, 2002 17:50 UTC (Thu) by bjn (guest, #2179) [Link]

This vulnerability, like many others, is a stack overflow. Such vulnerabilities are very sensitive to the hardware architecture, operating system, and compiler. Unlike IIS (which runs on only one OS, and only one hardware architecture), Apache runs on many OSes, and many hardware architectures, and is compiled with many compilers. I wouldn't call that a monoculture (w.r.t security), since it is much harder to write an exploit that will work on all of them.

I would expect the more popular variations (Red Hat Linux on Intel, for example) to be widely attacked; but I doubt any attack tool is going to reach a majority of the Apache servers worldwide.

it's not a problem of the monoculture at all

Posted Jun 25, 2002 19:06 UTC (Tue) by BogusUser ((unknown), #2254) [Link]

What if you do have e.g. 5 open source implementations of web servers
that all take about 20% of the server installations?

in terms of the LWN argue it would be safer to drive like this,
but they are on error. when you do have 5 web servers then you
have 5 mostly different codebases, 5 times the places where
vulnerabilities might waiting to compromise the community.

its simply a problem of having enough developers, code reviewers
and lab tests plus the usual out in the wild "tests" with hackers.
when your software lacks inspection due to its magnitued then it
can only get worser when you have 5 of that magnitude.

tell the world that open standards are a good thing
and that open source standard software is just the better choice.

but a different aspect - what if there were 5 webservers out there?
would you expect them to have all the same features?
would you expect at least on of them to provide you
all the features you need for your business?

compare to the desktop browser war on open source desktops -
which of them does Java, SSL and a few more features?
why do we need all those wanne be browsers
whilst only a few fullfill the practical needs
but an unknown amount of them is most likely having security
vulnerabilities? same for the crowds of MP3 audio/video players...

and for a last argue, there must be measures to make standard
open source software more secure. think of the SEL package
for the Linux kernel and its userland counterpart.
did you ever notice that there is no BeOS, no BSD (net, free, open)
and no hurd version of the SEL package around? Thats where choice
does developers drive mad. good development is done only once.

I want to remeber the cleanup of the multiple instances of the
zip algorithm in the linux kernel some half year ago. And i want
to remember the Amiga OS that had really only a single implementation
of "printf" in the whole system, regardless of application, system
or kernel caller - they all used the same prooven codebase. If there
would ever pop up a bug, then the fixing would be a single operation.

Dont complain that a single bug can have such a magnitude of affected
systems due to "monoculture" (in fact Apache does have only some 50%
share if i remember correctly). Only a widespread system can ensure
that open source community has the man power to maintain it. If we
had multiple of such software then the number of bugs that a certain
system with a particular software will suffer wont get better. It only
will take longer time to get fixes and updates carried out due since
the number of developers (and developer time) per software package
will significantly shrink.

A healty open source community must have a strong look onto its own
effectiveness (like using bitkeeper), else it will spent a good deal
of its working hours with useless tasks. Thats not true in all cases,
e.g. where there are different promising approaches to follow and
different requirements to fullfill, but its true in general for the
whole community. Re-inventing the wheel over and over again wont
benefit anyone, despite the one that feels great about.

Regards, Alex.