Vulnerability Note VU#303448

mod_ssl contains a format string vulnerability in the ssl_log() function

Original Release date: 19 Jul 2004 | Last revised: 19 Jul 2004

Overview

There is a format string vulnerability in the ssl_log() function of the mod_ssl module that could potentially allow an attacker to execute arbitrary code.

Description

mod_ssl is an Apache module that provides Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocol support. There is a format string vulnerability in the way the ssl_log() function of the mod_ssl module handles hostnames. By supplying a specially crafted hostname value in an HTTPS request, a remote, unauthenticated attacker could trigger this vulnerability. Please note, the hostname provided would have to exist in the zone.
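
The bug class described above, as an added example that is not mod_ssl's code: a printf-style logger is handed a message built from the request hostname as its format string, shown beside the corrected call that uses a constant format. The names demo_log, log_host_unsafe and log_host_safe are hypothetical, and the hostname in main() is constructed; it uses only "%%", whose handling is well defined, to show that the unsafe path interprets the hostname.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logger such as ssl_log().
 * It formats into a caller-supplied buffer so the result can be inspected. */
static int demo_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the message is built from the request-supplied
 * hostname and then passed as the format string, so every '%' in the
 * hostname is interpreted as a conversion directive. */
int log_host_unsafe(char *out, size_t outlen, const char *hostname)
{
    char msg[256];

    snprintf(msg, sizeof msg, "access to %s failed", hostname);
    return demo_log(out, outlen, msg);        /* BUG: msg used as format */
}

/* Hardened pattern: the format is a constant and the untrusted text is
 * only ever an argument, so it is copied verbatim. */
int log_host_safe(char *out, size_t outlen, const char *hostname)
{
    char msg[256];

    snprintf(msg, sizeof msg, "access to %s failed", hostname);
    return demo_log(out, outlen, "%s", msg);
}

int main(void)
{
    const char *host = "a%%b.example.test";   /* constructed sample input */
    char buf[256];

    log_host_unsafe(buf, sizeof buf, host);
    printf("unsafe: %s\n", buf);              /* hostname was altered */
    log_host_safe(buf, sizeof buf, host);
    printf("safe:   %s\n", buf);              /* hostname logged verbatim */
    return 0;
}
```

The unsafe path logs a different string than the one received, which is the observable sign that request data reached the format argument; compiling real code with -Wformat -Wformat-security flags this pattern when the logger is declared with a printf format attribute.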

Impact

A remote, unauthenticated attacker could potentially execute arbitrary code on an affected system.

Solution

Upgrade

Upgrade to version 2.8.19-1.3.31. Alternatively, apply the appropriate patch or upgrade as specified by your vendor.

Systems Affected

Vendor    Status     Date Notified   Date Updated
Mod_ssl   Affected   -               19 Jul 2004

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A

Credit

This vulnerability was reported by Secunia.

This document was written by Damon Morda.

Other Information

  • CVE IDs: Unknown
  • Date Public: 16 Jul 2004
  • Date First Published: 19 Jul 2004
  • Date Last Updated: 19 Jul 2004
  • Severity Metric: 6.04
  • Document Revision: 6
