Vulnerability Note VU#944335
Apache web servers fail to handle chunks with a negative size
There is a remotely exploitable vulnerability in the way that Apache web servers (or other web servers based on their source code) handle data encoded in chunks. This vulnerability is present by default in configurations of Apache web server versions 1.2.2 and above, 1.3 through 1.3.24, and versions 2.0 through 2.0.36. The impact of this vulnerability is dependent upon the software version and the hardware platform the server is running on.
Apache is a popular web server that includes support for chunk-encoded data according to the HTTP 1.1 standard as described in RFC2616. There is a vulnerability in the handling of certain chunk-encoded HTTP requests that may allow remote attackers to execute arbitrary code.
The Apache Software Foundation has published an advisory describing the details of this vulnerability. This advisory is available on their web site at
For Apache versions 1.2.2 through 1.3.24 inclusive, this vulnerability may allow the execution of arbitrary code by remote attackers. Exploits are publicly available that claim to allow the execution of arbitrary code.
Upgrade to the latest version
Apply a patch from your vendor
If your vendor has provided a patch to correct this vulnerability, you may want to apply that patch rather than upgrading your version of httpd. The CERT/CC is aware of a patch from ISS that corrects some of the impacts associated with this vulnerability. System administrators are encouraged to ensure that the patch they apply is based on the code by the Apache Software Foundation that also corrects additional impacts described in this advisory.
More information about vendor-specific patches can be found in the vendor section of this document.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Alcatel||Affected||14 Jun 2002||28 Jun 2002|
|Apache||Affected||14 Jun 2002||17 Jun 2002|
|Apple Computer, Inc.||Affected||14 Jun 2002||02 Jul 2002|
|Compaq Computer Corporation||Affected||14 Jun 2002||16 Jul 2002|
|Covalent||Affected||-||19 Jun 2002|
|Debian Linux||Affected||14 Jun 2002||19 Jun 2002|
|F5 Networks, Inc.||Affected||14 Jun 2002||24 Jun 2002|
|FreeBSD, Inc.||Affected||14 Jun 2002||21 Jun 2002|
|Guardian Digital Inc.||Affected||14 Jun 2002||19 Jun 2002|
|Hewlett-Packard Company||Affected||14 Jun 2002||15 Jul 2002|
|IBM Corporation||Affected||14 Jun 2002||08 Aug 2002|
|Mandriva, Inc.||Affected||14 Jun 2002||21 Jun 2002|
|Mandriva, Inc.||Affected||17 Jun 2002||19 Jun 2002|
|Network Appliance||Affected||14 Jun 2002||02 Nov 2007|
|OpenBSD||Affected||14 Jun 2002||21 Jun 2002|
CVSS Metrics (Learn More)
The CERT/CC thanks Mark Litchfield for reporting this vulnerability to the Apache Software Foundation, and Mark Cox for reporting this vulnerability to the CERT/CC.
This document was written by Cory F. Cohen.
- CVE IDs: CVE-2002-0392
- CERT Advisory: CA-2002-17
- Date Public: 17 Jun 2002
- Date First Published: 17 Jun 2002
- Date Last Updated: 02 Nov 2007
- Severity Metric: 53.35
- Document Revision: 36
If you have feedback, comments, or additional information about this vulnerability, please send us email.