Red Hat Bugzilla – Bug 471009
CVE-2007-6420 mod_proxy_balancer CSRF
Last modified: 2016-03-04 06:19:12 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6420 to the following vulnerability:
Cross-site request forgery (CSRF) vulnerability in the balancer-manager in mod_proxy_balancer for Apache HTTP Server 2.2.x allows remote attackers to gain privileges via unspecified vectors.
mod_proxy_balancer is shipped in Red Hat Enterprise Linux 5 and Red Hat Application Stack v2.
We do not plan on correcting this issue in Red Hat Enterprise Linux 5 as it poses a very low security risk: The balancer manager is not enabled by default, the user targeted by the CSRF would need to be authenticated, and the consequences of an exploit would be limited to a web server denial of service.
We plan on updating to a new upstream version of Apache shipped in Application Stack v2, which will cause this issue to be addressed.
The problem with not fixing this problem (and many others that Redhat deems too low a priority to fix) is that the PCI standards committee has deemed the vulnerability to be severe enough to affect PCI-DSS standards compliance. As a vendor that takes credit cards, we can't achieve PCI compliance running Redhat enterprise software. It's especially troubling that there is a patch available, so Redhat's work has been done for them.
Can you please reconsider this decision (I understand it's about two years too late) and others you make like this? It's tough being told that your vendor-supplied security fixes aren't good enough to patch a common vulnerability assessment standard.
Hi there. This isn't something we intend to fix in a security erratum due to the rationale noted by Mark above. However, you can open a ticket with GSS and request that it gets corrected in the next quarterly update. That could very well solve the issue for you.
Note that is has been fixed in Stacks v2 already, via https://rhn.redhat.com/errata/RHSA-2008-0966.html.