
    CVE-2016-8743: Apache HTTP Request Parsing Whitespace Defect - Apache 2.2.32 - PDS and SSL

    • Product: Aleph
    • Product Version: 22, 23
    • Relevant for Installation Type: Multi-Tenant Direct, Dedicated-Direct, Local, TotalCare

     

    Description

     

    The following applies only to installations that have Apache 2.2.32 installed on their Aleph server and use PDS in SSL mode.

     

    Note: Apache version 2.2.32 is not part of the Third Party updates [Status: June 07, 2017].

     

     

    There is a problem with login via PDS in SSL mode after the upgrade to Apache 2.2.32, which was required to address the security vulnerability CVE-2016-8743.

     

    Resolution

    The HTTPS call from Aleph to PDS was changed to support Apache 2.2.32 in rc #2415 (v22) and rc #2122 (v23).

     

     

    Additional Information

     

    Note 1) If you would like to implement this Apache version on your Aleph server to address the vulnerability documented as 'CVE-2016-8743', please contact the Ex Libris Support team to schedule the installation on your Aleph production server.

    Note 2) A hotfix is available for rc #2415 (v22) and rc #2122 (v23), respectively.

     

     

    Download instructions for the hotfix (example for rc #2122):

     

    1) Connect to ftp.exl.de:
    ftp ftp.exl.de
    Username: Outgoing
    Password: 0sc6rexl

    Please note that the user Outgoing has read-only permission on the FTP server and that directory listing is not allowed.

    2) Download the file hotfix_ver23_rc2122.tar.gz to any directory on your server:
    ftp> cd hotfix
    ftp> get hotfix_ver23_rc2122.tar.gz

    3) Unzip and untar:
    gunzip hotfix_ver23_rc2122.tar.gz
    tar xvf hotfix_ver23_rc2122.tar

    4) Run the script aaa_install:
    cd hotfix_ver23_rc2122/
    ./aaa_install

    5) The fix is reactivated after the next startup of Aleph.

     

     

    Replace hotfix_ver23_rc2122 with hotfix_ver22_rc2415 to obtain the hotfix for Aleph version 22.

     

     


    • Article last edited: 07-June-2017