Vulnerability Note VU#944335

Apache web servers fail to handle chunks with a negative size

Original Release date: 17 Jun 2002 | Last revised: 02 Nov 2007

Overview

There is a remotely exploitable vulnerability in the way that Apache web servers (or other web servers based on their source code) handle data encoded in chunks. This vulnerability is present by default in configurations of Apache web server versions 1.2.2 and above, 1.3 through 1.3.24, and versions 2.0 through 2.0.36. The impact of this vulnerability is dependent upon the software version and the hardware platform the server is running on.

Description

Apache is a popular web server that includes support for chunk-encoded data according to the HTTP 1.1 standard as described in RFC2616. There is a vulnerability in the handling of certain chunk-encoded HTTP requests that may allow remote attackers to execute arbitrary code.
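As an added illustration (not code from Apache or from this note), the C sketch below shows the general bug class named in the title: a chunk-size parser whose signed result goes negative, next to a strict parser that refuses such input. The function names, the caller-supplied limit `max` and the sample inputs are assumptions; this note does not describe Apache's internal code.

```c
#include <ctype.h>
#include <stddef.h>

/* Value of one hex digit (caller has already checked isxdigit). */
static unsigned hexval(int c)
{
    c = tolower(c);
    return (unsigned)(isdigit(c) ? c - '0' : c - 'a' + 10);
}

/* Illustrative weak form (hypothetical, not Apache's code): no bound on the
 * digit run and a signed result, so a long run of digits comes back negative. */
long naive_chunk_size(const char *s)
{
    unsigned long acc = 0; /* unsigned so the wrap-around is well defined */
    for (; isxdigit((unsigned char)*s); s++)
        acc = (acc << 4) | hexval((unsigned char)*s);
    return (long)acc; /* high bit set => negative on two's-complement targets */
}

/* Strict form: chunk-size = 1*HEX (RFC 2616), unsigned, capped at max.
 * Returns 0 and stores the size in *out, or -1 if the line must be refused. */
int parse_chunk_size(const char *s, size_t max, size_t *out)
{
    size_t acc = 0;
    int seen = 0; /* set once at least one hex digit has been read */

    for (; isxdigit((unsigned char)*s); s++) {
        size_t d = hexval((unsigned char)*s);
        if (d > max || acc > (max - d) / 16)
            return -1; /* acc * 16 + d would exceed max */
        acc = acc * 16 + d;
        seen = 1;
    }
    if (!seen)
        return -1; /* empty, or starts with a sign such as "-1" */
    if (*s != '\0' && *s != '\r' && *s != ';')
        return -1; /* only CRLF or a chunk-extension may follow */
    *out = acc;
    return 0;
}
```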

The Apache Software Foundation has published an advisory describing the details of this vulnerability. This advisory is available on their web site at

Impact

For Apache versions 1.2.2 through 1.3.24 inclusive, this vulnerability may allow the execution of arbitrary code by remote attackers. Exploits are publicly available that claim to allow the execution of arbitrary code.

For Apache versions 2.0 through 2.0.36 inclusive, the condition causing the vulnerability is correctly detected and causes the child process to exit. Depending on a variety of factors, including the threading model supported by the vulnerable system, this may lead to a denial-of-service attack against the Apache web server.

Solution

Upgrade to the latest version

The Apache Software Foundation has released two new versions of Apache that correct this vulnerability. System administrators can prevent the vulnerability from being exploited by upgrading to Apache version 1.3.26 or 2.0.39.

Due to some unexpected problems with version 1.3.25, the CERT/CC has been informed by the Apache Software Foundation that the corrected version of the software is now 1.3.26. Both 1.3.26 and 2.0.39 are available on their web site at


Apply a patch from your vendor

If your vendor has provided a patch to correct this vulnerability, you may want to apply that patch rather than upgrading your version of httpd. The CERT/CC is aware of a patch from ISS that corrects some of the impacts associated with this vulnerability. System administrators are encouraged to ensure that the patch they apply is based on the code by the Apache Software Foundation that also corrects additional impacts described in this advisory.

More information about vendor-specific patches can be found in the vendor section of this document.

Systems Affected

Vendor                         Status     Date Notified   Date Updated
Alcatel                        Affected   14 Jun 2002     28 Jun 2002
Apache                         Affected   14 Jun 2002     17 Jun 2002
Apple Computer, Inc.           Affected   14 Jun 2002     02 Jul 2002
Compaq Computer Corporation    Affected   14 Jun 2002     16 Jul 2002
Covalent                       Affected   -               19 Jun 2002
Debian Linux                   Affected   14 Jun 2002     19 Jun 2002
F5 Networks, Inc.              Affected   14 Jun 2002     24 Jun 2002
FreeBSD, Inc.                  Affected   14 Jun 2002     21 Jun 2002
Guardian Digital Inc.          Affected   14 Jun 2002     19 Jun 2002
Hewlett-Packard Company        Affected   14 Jun 2002     15 Jul 2002
IBM Corporation                Affected   14 Jun 2002     08 Aug 2002
Mandriva, Inc.                 Affected   14 Jun 2002     21 Jun 2002
Mandriva, Inc.                 Affected   17 Jun 2002     19 Jun 2002
Network Appliance              Affected   14 Jun 2002     02 Nov 2007
OpenBSD                        Affected   14 Jun 2002     21 Jun 2002

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

Credit

The CERT/CC thanks Mark Litchfield for reporting this vulnerability to the Apache Software Foundation, and Mark Cox for reporting this vulnerability to the CERT/CC.

This document was written by Cory F. Cohen.

Other Information

  • CVE IDs: CVE-2002-0392
  • CERT Advisory: CA-2002-17
  • Date Public: 17 Jun 2002
  • Date First Published: 17 Jun 2002
  • Date Last Updated: 02 Nov 2007
  • Severity Metric: 53.35
  • Document Revision: 36
