US-CERT
Vulnerability Notes Database

Vulnerability Note VU#206537

Apache vulnerable to DoS

Overview

A remotely exploitable denial-of-service vulnerability exists in the Apache HTTP Server. Exploitation of this vulnerability may allow an attacker to consume all available system resources, resulting in a denial-of-service condition.

I. Description

The Apache HTTP Server is a very popular freely available web server that runs on a variety of operating systems, including UNIX, Linux, and Microsoft Windows (Win32).

A vulnerability exists in the way the Apache HTTP Server handles excessively large chunks of consecutive linefeed characters. Apache 2.0.44 (both the Windows & UNIX implementations) contains this vulnerability. Prior 2.x versions of Apache may contain the vulnerability. For more information, please see the iDEFENSE Advisory.

II. Impact

Exploitation of this vulnerability may allow an attacker to consume all available system resources, resulting in a denial-of-service condition.

III. Solution

Apply a patch from your vendor. If a patch is not available, you may wish to upgrade to Apache HTTP Server 2.0.45. The Apache Software Foundation has provided a patch as well.
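An added example (not part of the CERT/CC note or of the Apache project): a first-pass triage of HTTP `Server` header values against the versions this note names. The hostnames, banners and status labels are constructed for illustration, and a banner is only a starting point, since a vendor patch may not change the reported version.

```python
import re

# Version statements taken from VU#206537: 2.0.44 is confirmed vulnerable,
# earlier 2.x releases may be, and 2.0.45 is the suggested upgrade.
CONFIRMED = (2, 0, 44)
UPGRADE = (2, 0, 45)

# "Apache", optionally followed by /major[.minor[.patch]]; the lookahead keeps
# other products such as "Apache-Coyote" from matching.
_BANNER = re.compile(r"^Apache(?:/(\d+)(?:\.(\d+))?(?:\.(\d+))?)?(?=\s|$)")

def triage(banner):
    """Classify one Server header value against the note's version statements."""
    m = _BANNER.match(banner or "")
    if not m:
        return "not-apache"
    major, minor, patch = m.groups()
    if major is None:
        return "version-hidden"        # product-only banner
    if int(major) != 2:
        return "outside-note-scope"    # the note only discusses 2.x
    if minor is None or patch is None:
        return "version-hidden"        # truncated banner, check on the host
    version = (2, int(minor), int(patch))
    if version >= UPGRADE:
        return "at-or-above-2.0.45"
    if version == CONFIRMED:
        return "confirmed-vulnerable"
    return "possibly-vulnerable"       # "Prior 2.x versions ... may contain"

def triage_inventory(rows):
    """rows: iterable of (host, banner) pairs. Returns {status: [hosts]}."""
    report = {}
    for host, banner in rows:
        report.setdefault(triage(banner), []).append(host)
    return report

# Constructed sample inventory; hostnames and banners are made up.
SAMPLE = [
    ("web01.example", "Apache/2.0.44 (Unix) mod_ssl/2.0.44"),
    ("web02.example", "Apache/2.0.43 (Win32)"),
    ("web03.example", "Apache/2.0.45 (Unix)"),
    ("web04.example", "Apache"),
    ("app01.example", "Apache-Coyote/1.1"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE).items()):
        print(f"{status:22}{', '.join(hosts)}")
```

Hosts reported as `version-hidden` or `possibly-vulnerable` need the installed package version and vendor patch level checked directly.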

Systems Affected

Vendor | Status | Date Notified | Date Updated
3Com | Unknown | 9-Apr-2003
Alcatel | Unknown | 9-Apr-2003
Apache Software Foundation | Vulnerable | 8-Apr-2003
Apple Computer Inc. | Vulnerable | 11-Apr-2003
AT&T | Unknown | 8-Apr-2003
Avaya | Unknown | 9-Apr-2003
BSDI | Unknown | 9-Apr-2003
Cisco Systems Inc. | Unknown | 8-Apr-2003
Computer Associates | Unknown | 9-Apr-2003
Conectiva | Vulnerable | 1-May-2003
Cray Inc. | Unknown | 9-Apr-2003
D-Link Systems | Unknown | 8-Apr-2003
Data General | Unknown | 9-Apr-2003
Debian | Vulnerable | 8-Apr-2003
Engarde | Not Vulnerable | 8-Apr-2003
F5 Networks | Unknown | 9-Apr-2003
Foundry Networks Inc. | Not Vulnerable | 10-Apr-2003
FreeBSD | Unknown | 9-Apr-2003
Fujitsu | Not Vulnerable | 17-Apr-2003
Gentoo Linux | Vulnerable | 9-Apr-2003
Hewlett-Packard Company | Vulnerable | 18-Sep-2003
Hitachi | Not Vulnerable | 14-Apr-2003
IBM | Not Vulnerable | 9-Apr-2003
Ingrian Networks | Unknown | 9-Apr-2003
Intel | Unknown | 8-Apr-2003
Juniper Networks | Unknown | 8-Apr-2003
Lachman | Unknown | 9-Apr-2003
Lotus Software | Unknown | 9-Apr-2003
Lucent Technologies | Unknown | 8-Apr-2003
MandrakeSoft | Vulnerable | 18-Sep-2003
Microsoft Corporation | Unknown | 9-Apr-2003
MontaVista Software | Unknown | 9-Apr-2003
Multi-Tech Systems Inc. | Unknown | 9-Apr-2003
Multinet | Unknown | 9-Apr-2003
NEC Corporation | Unknown | 8-Apr-2003
NetBSD | Unknown | 8-Apr-2003
NetScreen | Unknown | 9-Apr-2003
Network Appliance | Unknown | 9-Apr-2003
NeXT | Unknown | 9-Apr-2003
Nokia | Unknown | 8-Apr-2003
Nortel Networks | Unknown | 8-Apr-2003
OpenBSD | Unknown | 8-Apr-2003
Openwall GNU/*/Linux | Unknown | 8-Apr-2003
Oracle Corporation | Unknown | 8-Apr-2003
Red Hat Inc. | Vulnerable | 10-Apr-2003
Riverstone Networks | Unknown | 9-Apr-2003
SCO | Unknown | 8-Apr-2003
Sequent | Unknown | 8-Apr-2003
SGI | Vulnerable | 18-Sep-2003
Sony Corporation | Unknown | 24-Jul-2003
Sun Microsystems Inc. | Unknown | 8-Apr-2003
SuSE Inc. | Unknown | 8-Apr-2003
Unisys | Unknown | 8-Apr-2003
Wind River Systems Inc. | Unknown | 9-Apr-2003
Wirex | Unknown | 9-Apr-2003
Wirex | Unknown | 8-Apr-2003
Xerox Corporation | Not Vulnerable | 30-May-2003
zyXEL | Unknown | 9-Apr-2003

References


http://www.idg.com.sg/idgwww.nsf/unidlookup/315B17C00BE0ADBD48256CFE0013EEFB?OpenDocument
http://news.zdnet.co.uk/story/0,,t269-s2132975,00.html?rtag=zdnetukhompage
http://marc.theaimsgroup.com/?l=bugtraq&m=104931360606484&w=2
http://www.businessweek.com/technology/cnet/stories/995309.htm
http://www.neowin.net/comments.php?id=10012&category=main
http://www.pcworld.com/news/article/0,aid,110142,00.asp
http://www.nwfusion.com/news/2003/0403newapach.html
http://www.theregister.co.uk/content/55/30126.html
http://www.idefense.com/advisory/04.08.03.txt
http://www.vnunet.com/News/1139961
http://httpd.apache.org/download.cgi

Credit

This vulnerability was discovered by iDEFENSE Inc. The CERT/CC thanks iDEFENSE Inc. for the information contained in their document, upon which this document is based.

This document was written by Ian A Finlay.

Other Information

Date Public: 2003-04-08
Date First Published: 2003-04-08
Date Last Updated: 2003-09-18
CERT Advisory: 
CVE-ID(s): CAN-2003-0132
NVD-ID(s): CAN-2003-0132
US-CERT Technical Alerts: 
Metric: 9.72
Document Revision: 17

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2003 Carnegie Mellon University