|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
|
Vulnerability Note VU#944335
Apache web servers fail to handle chunks with a negative size
OverviewThere is a remotely exploitable vulnerability in the way that Apache web servers (or other web servers based on their source code) handle data encoded in chunks. This vulnerability is present by default in configurations of Apache web server versions 1.2.2 and above, 1.3 through 1.3.24, and versions 2.0 through 2.0.36. The impact of this vulnerability is dependent upon the software version and the hardware platform the server is running on.
I. DescriptionApache is a popular web server that includes support for chunk-encoded data according to the HTTP 1.1 standard as described in RFC2616. There is a vulnerability in the handling of certain chunk-encoded HTTP requests that may allow remote attackers to execute arbitrary code.
The Apache Software Foundation has published an advisory describing the details of this vulnerability. This advisory is available on their web site at
II. ImpactFor Apache versions 1.2.2 through 1.3.24 inclusive, this vulnerability may allow the execution of arbitrary code by remote attackers. Exploits are publicly available that claim to allow the execution of arbitrary code.
For Apache versions 2.0 through 2.0.36 inclusive, the condition causing the vulnerability is correctly detected and causes the child process to exit. Depending on a variety of factors, including the threading model supported by the vulnerable system, this may lead to a denial-of-service attack against the Apache web server.
III. SolutionUpgrade to the latest version
The Apache Software Foundation has released two new versions of Apache that correct this vulnerability. System administrators can prevent the vulnerability from being exploited by upgrading to Apache version 1.3.26 or 2.0.39.
Due to some unexpected problems with version 1.3.25, the CERT/CC has been informed by the Apache Software Foundation that the corrected version of the software is now 1.3.26. Both 1.3.26 and 2.0.39 are available on their web site at
Apply a patch from your vendor
If your vendor has provided a patch to correct this vulnerability, you may want to apply that patch rather than upgrading your version of httpd. The CERT/CC is aware of a patch from ISS that corrects some of the impacts associated with this vulnerability. System administrators are encouraged to ensure that the patch they apply is based on the code by the Apache Software Foundation that also corrects additional impacts described in this advisory.
More information about vendor-specific patches can be found in the vendor section of this document.
Systems Affected
| Vendor | Status | Date Updated |
|---|
| 3Com | Unknown | 17-Jun-2002 |
| Alcatel | Vulnerable | 28-Jun-2002 |
| Apache | Vulnerable | 17-Jun-2002 |
| Apple Computer, Inc. | Vulnerable | 2-Jul-2002 |
| AT&T | Unknown | 17-Jun-2002 |
| Berkeley Software Design, Inc. | Unknown | 17-Jun-2002 |
| Cisco Systems, Inc. | Unknown | 8-Jul-2002 |
| Compaq Computer Corporation | Vulnerable | 16-Jul-2002 |
| Computer Associates | Unknown | 17-Jun-2002 |
| Covalent | Vulnerable | 19-Jun-2002 |
| Cray Inc. | Not Vulnerable | 18-Jun-2002 |
| Data General | Unknown | 17-Jun-2002 |
| Debian Linux | Vulnerable | 19-Jun-2002 |
| F5 Networks, Inc. | Vulnerable | 24-Jun-2002 |
| FreeBSD, Inc. | Vulnerable | 21-Jun-2002 |
| Fujitsu | Not Vulnerable | 18-Jun-2002 |
| Guardian Digital Inc. | Vulnerable | 19-Jun-2002 |
| Hewlett-Packard Company | Vulnerable | 15-Jul-2002 |
| IBM Corporation | Vulnerable | 8-Aug-2002 |
| Intel | Unknown | 17-Jun-2002 |
| Juniper Networks, Inc. | Unknown | 17-Jun-2002 |
| Lotus Software | Not Vulnerable | 18-Jun-2002 |
| Lucent Technologies | Unknown | 17-Jun-2002 |
| Mandriva, Inc. | Vulnerable | 21-Jun-2002 |
| Mandriva, Inc. | Vulnerable | 19-Jun-2002 |
| Microsoft Corporation | Not Vulnerable | 17-Jun-2002 |
| NCSA | Unknown | 17-Jun-2002 |
| NEC Corporation | Unknown | 17-Jun-2002 |
| NETBSD | Unknown | 17-Jun-2002 |
| Network Appliance | Vulnerable | 2-Nov-2007 |
| Nortel Networks, Inc. | Unknown | 27-Jun-2002 |
| OpenBSD | Vulnerable | 21-Jun-2002 |
| Oracle Corporation | Vulnerable | 21-Jun-2002 |
| Red Hat, Inc. | Vulnerable | 18-Jun-2002 |
| Sequent Computer Systems, Inc. | Unknown | 17-Jun-2002 |
| SGI | Unknown | 15-Jul-2002 |
| Slackware | Vulnerable | 21-Jun-2002 |
| Sony Corporation | Unknown | 17-Jun-2002 |
| Sun Microsystems, Inc. | Vulnerable | 24-Jun-2002 |
| SUSE Linux | Vulnerable | 19-Jun-2002 |
| The SCO Group (SCO Linux) | Vulnerable | 18-Sep-2002 |
| The SCO Group (SCO Unix) | Vulnerable | 18-Sep-2002 |
| Trustix Secure Linux | Vulnerable | 21-Jun-2002 |
| Unisphere Networks | Vulnerable | 27-Jun-2002 |
| Wind River Systems, Inc. | Unknown | 17-Jun-2002 |
| Xerox Corporation | Vulnerable | 27-Mar-2003 |
References
http://httpd.apache.org/info/security_bulletin_20020617.txt
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20502
http://www.ietf.org/rfc/rfc2068.txt
http://www.ietf.org/rfc/rfc2616.txt
http://www.linuxsecurity.com/articles/server_security_article-5150.html
http://www.ciac.org/ciac/bulletins/m-093.shtml
http://www.securityfocus.com/bid/5033
http://secunia.com/advisories/21917/
Credit
The CERT/CC thanks Mark Litchfield for reporting this vulnerability to the Apache Software Foundation, and Mark Cox for reporting this vulnerability to the CERT/CC.
This document was written by Cory F. Cohen.
Other Information
| Date Public | 06/17/2002 |
| Date First Published | 06/17/2002 09:38:30 PM |
| Date Last Updated | 11/02/2007 |
| CERT Advisory | CA-2002-17 |
| CVE Name | CVE-2002-0392 |
| US-CERT Technical Alerts | |
| Metric | 53.35 |
| Document Revision | 36 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
|
Get Adobe Reader