Apache httpd: mod_session_dbd

IDs: 
CVE-2013-2249, CB-K13/0459
Keywords: 
Apache, httpd, mod_session_dbd
Description: 

The mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.

Airlock does not use mod_session_dbd but implements its own Airlock Secure Session. Airlock is not affected.

To protect back-end servers, Airlock replaces back-end session handling with the Airlock Secure Session. Back-end session cookies are not exposed.

Resolution: 

The default configuration of Airlock secures the back-end servers. No action is required. Nevertheless, we recommend updating vulnerable back-end software: update Apache httpd 2.4 servers to version >= 2.4.6.
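
One way to check a back-end against the update recommendation above, as an added example that is not part of the original advisory or of Airlock's tooling: it classifies the text printed by `httpd -v` and `httpd -M`. The function names, result labels and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an Apache httpd back-end against this advisory.
# $1 = output of `httpd -v`, $2 = output of `httpd -M` (loaded modules).

# Extract "2.4.4" from a line such as "Server version: Apache/2.4.4 (Unix)".
httpd_version() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Succeeds if the module list contains session_dbd_module (mod_session_dbd).
has_session_dbd() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*session_dbd_module([[:space:]]|$)'
}

# Prints one label (hypothetical names):
# unknown-version, other-branch, fixed, old-module-loaded, old-module-absent
classify_backend() {
    ver=$(httpd_version "$1")
    [ -n "$ver" ] || { echo unknown-version; return; }
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -ne 2 ] || [ "$minor" -ne 4 ]; then
        echo other-branch        # the update advice above covers 2.4 servers
    elif [ "$patch" -ge 6 ]; then
        echo fixed               # meets the recommended ">= 2.4.6"
    elif has_session_dbd "$2"; then
        echo old-module-loaded   # below 2.4.6 and mod_session_dbd is active
    else
        echo old-module-absent   # below 2.4.6, module not loaded
    fi
}

# Constructed sample outputs (not taken from a real host).
SAMPLE_V='Server version: Apache/2.4.4 (Unix)
Server built:   Feb 25 2013 10:00:00'
SAMPLE_M='Loaded Modules:
 core_module (static)
 session_module (shared)
 session_dbd_module (shared)'

classify_backend "$SAMPLE_V" "$SAMPLE_M"
```

On a host, pass `"$(httpd -v)"` and `"$(httpd -M)"` as the two arguments. Distribution packages may backport fixes without changing the version string, so confirm a flagged result against the package changelog.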

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock