ePolicy Orchestrator Sustaining Statement (SSC1705181) - April 2017 reported Apache advisories
Technical Articles ID:   KB89378
Last Modified:  7/10/2018

Environment

McAfee ePolicy Orchestrator (ePO) 5.x

Summary

Overview
This document describes the support position of McAfee Sustaining Engineering on ePO with respect to the Apache HTTP Server advisories published in April 2017 (http://httpd.apache.org/security/vulnerabilities_24.html).


Description
This document responds to the Apache HTTP Server advisories published in April 2017:
  • CVE-2016-8743: Apache HTTP Request Parsing Whitespace Defects
    ePO does not run the mod_proxy module or conventional CGI mechanisms.

  • CVE-2016-8740: HTTP/2 CONTINUATION denial of service
    ePO does not use HTTP/2.

  • CVE-2016-0736: Padding Oracle in Apache mod_session_crypto
    ePO does not run the mod_session_crypto module.

  • CVE-2016-2161: DoS vulnerability in mod_auth_digest
    ePO does not run the mod_auth_digest module.

  • CVE-2016-5387: HTTP_PROXY environment variable "httpoxy" mitigation
    ePO does not use the HTTP_PROXY environment variable.

  • CVE-2016-4979: TLS/SSL X.509 client certificate auth bypass with HTTP/2
    This issue affects releases 2.4.18 and 2.4.20 only, neither of which is a version ePO has ever used.

  • CVE-2016-1546: mod_http2: denial of service by thread starvation
    This issue affects HTTP/2 support in 2.4.17 and 2.4.18, neither of which is a version ePO has ever used.

  • CVE-2015-0228: mod_lua: Crash in websockets PING handling
    Not applicable; ePO currently uses Apache 2.4.16, which is not affected.

  • CVE-2015-0253: Crash in ErrorDocument 400 handling
    This issue affects the 2.4.12 release only, a version ePO has never used.

  • CVE-2015-3183: HTTP request smuggling attack against chunked request parser
    This issue does not affect Apache 2.4.16, the release that fixed it.
     
Research and Conclusions
McAfee has determined that none of the reported CVEs applies to current versions of ePO; ePO is not vulnerable.

NOTE: This evaluation assumes that you are current on your ePO hotfixes, which means the bundled Apache will be at version 2.4.16 or later. See KB61057 for the Apache versions used by ePO.
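The conclusions above rest on two observable facts per CVE: whether the module the flaw lives in is loaded, and whether the running Apache version falls in the affected range. The following script, added here as a worked example and not part of the KB article or McAfee's own tooling, encodes that per-CVE reasoning and applies it to the output of `httpd -V` and `httpd -M` so the assessment can be repeated against a given ePO server after a hotfix. The httpd.exe path is an assumption about where ePO installs its bundled Apache, and the sample command output embedded below is constructed, not captured from a real server.

```python
"""
Apache advisory triage for an ePO-bundled httpd (added example, not McAfee code).
Encodes the per-CVE rules from the article: a CVE is applicable only if the
module it lives in is loaded AND the running version is in the affected range.
"""
import re
import subprocess
from typing import Callable, NamedTuple

Version = tuple  # (major, minor, patch), e.g. (2, 4, 16)

# ASSUMPTION: location of the httpd.exe that ePO ships; adjust for your install.
EPO_HTTPD = r"C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\bin\httpd.exe"


class Rule(NamedTuple):
    cve: str
    title: str
    needs_any_module: frozenset   # reachable only if one of these is loaded; empty = core code
    affected: Callable            # version predicate for the affected range
    basis: str                    # the article's stated reason


def only(*versions):
    """Affected only at exactly these releases (as the article states them)."""
    return lambda v: v in versions


def before(fix):
    """Affected at every release older than the one that carried the fix."""
    return lambda v: v < fix


def any_version(v):
    """Article decides these on module/feature presence alone, not version."""
    return True


RULES = [
    Rule("CVE-2016-8743", "HTTP request parsing whitespace defects",
         frozenset({"proxy_module", "cgi_module", "cgid_module"}), any_version,
         "ePO does not run mod_proxy or conventional CGI"),
    Rule("CVE-2016-8740", "HTTP/2 CONTINUATION denial of service",
         frozenset({"http2_module"}), any_version, "ePO does not use HTTP/2"),
    Rule("CVE-2016-0736", "padding oracle in mod_session_crypto",
         frozenset({"session_crypto_module"}), any_version, "mod_session_crypto not loaded"),
    Rule("CVE-2016-2161", "DoS in mod_auth_digest",
         frozenset({"auth_digest_module"}), any_version, "mod_auth_digest not loaded"),
    Rule("CVE-2016-5387", "httpoxy: HTTP_PROXY set from the Proxy header via CGI",
         frozenset({"cgi_module", "cgid_module"}), any_version,
         "ePO does not use the HTTP_PROXY environment variable"),
    Rule("CVE-2016-4979", "X.509 client cert auth bypass with HTTP/2",
         frozenset({"http2_module"}), only((2, 4, 18), (2, 4, 20)),
         "affects 2.4.18 and 2.4.20 only"),
    Rule("CVE-2016-1546", "mod_http2 thread starvation",
         frozenset({"http2_module"}), only((2, 4, 17), (2, 4, 18)),
         "affects HTTP/2 in 2.4.17 and 2.4.18 only"),
    Rule("CVE-2015-0228", "mod_lua websockets PING crash",
         frozenset({"lua_module"}), before((2, 4, 16)), "not present in 2.4.16"),
    Rule("CVE-2015-0253", "ErrorDocument 400 crash",
         frozenset(), only((2, 4, 12)), "affects 2.4.12 only"),
    Rule("CVE-2015-3183", "chunked request smuggling",
         frozenset(), before((2, 4, 16)), "fixed in 2.4.16"),
]


def parse_version(httpd_v_output):
    """Pull (2, 4, 16) out of the 'Server version: Apache/2.4.16 (Win32)' line."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    if not m:
        raise ValueError("no 'Apache/x.y.z' string in httpd -V output")
    return tuple(int(g) for g in m.groups())


def parse_modules(httpd_m_output):
    """Collect module names from 'httpd -M' lines such as ' ssl_module (shared)'."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:static|shared)\)", httpd_m_output, re.M))


def assess(version, loaded_modules):
    """Return {cve: (applicable, reason)} for every rule in the table."""
    verdicts = {}
    for r in RULES:
        reachable = not r.needs_any_module or bool(r.needs_any_module & loaded_modules)
        in_range = r.affected(version)
        if not reachable:
            why = "required module not loaded: " + ", ".join(sorted(r.needs_any_module))
        elif not in_range:
            why = "version %d.%d.%d outside affected range (%s)" % (version + (r.basis,))
        else:
            why = "AFFECTED: " + r.title
        verdicts[r.cve] = (reachable and in_range, why)
    return verdicts


def triage_server(httpd_exe=EPO_HTTPD):
    """Run the real binary; needs local admin on the ePO server and a findable httpd.conf."""
    v_out = subprocess.run([httpd_exe, "-V"], capture_output=True, text=True, check=True).stdout
    m_out = subprocess.run([httpd_exe, "-M"], capture_output=True, text=True, check=True).stdout
    return assess(parse_version(v_out), parse_modules(m_out))


# Constructed sample output resembling a hotfixed ePO server (not a real capture).
SAMPLE_HTTPD_V = """Server version: Apache/2.4.16 (Win32)
Server built:   Jul 20 2015 10:00:00
Architecture:   32-bit
"""
SAMPLE_HTTPD_M = """Loaded Modules:
 core_module (static)
 win32_module (static)
 mpm_winnt_module (static)
 http_module (static)
 so_module (static)
 ssl_module (shared)
 rewrite_module (shared)
"""

if __name__ == "__main__":
    try:
        results = triage_server()
    except (FileNotFoundError, subprocess.CalledProcessError):
        results = assess(parse_version(SAMPLE_HTTPD_V), parse_modules(SAMPLE_HTTPD_M))
    for cve, (applicable, why) in results.items():
        print("%-14s %-14s %s" % (cve, "APPLICABLE" if applicable else "not applicable", why))
```

The module list is only as trustworthy as the configuration `httpd -M` loads, so if ePO's httpd.exe does not find its httpd.conf on its own, run it with the `-f` option pointing at the ePO Apache configuration. Cross-check the parsed version against KB61057, and treat any entry that turns up as APPLICABLE (for instance after someone enables mod_proxy or HTTP/2 in the ePO Apache config) as falling outside the scope of this statement.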


Disclaimer
Any future product release dates mentioned in this statement are intended to outline our general product direction and should not be relied on in making a purchasing decision:
  • The product release dates are for information purposes only, and may not be incorporated into any contract.
  • The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality.
  • The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or canceled at any time.

Languages:

This article is available in the following languages:

English United States
Japanese
