search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Apache web servers fail to handle chunks with a negative size

Vulnerability Note VU#944335

Original Release Date: 2002-06-18 | Last Revised: 2007-11-02

Overview

There is a remotely exploitable vulnerability in the way that Apache web servers (or other web servers based on their source code) handle data encoded in chunks. This vulnerability is present by default in configurations of Apache web server versions 1.2.2 and above, 1.3 through 1.3.24, and versions 2.0 through 2.0.36. The impact of this vulnerability is dependent upon the software version and the hardware platform the server is running on.

Description

Apache is a popular web server that includes support for chunk-encoded data according to the HTTP 1.1 standard as described in RFC2616. There is a vulnerability in the handling of certain chunk-encoded HTTP requests that may allow remote attackers to execute arbitrary code.

The Apache Software Foundation has published an advisory describing the details of this vulnerability. This advisory is available on their web site at

http://httpd.apache.org/info/security_bulletin_20020617.txt

Impact

For Apache versions 1.2.2 through 1.3.24 inclusive, this vulnerability may allow the execution of arbitrary code by remote attackers. Exploits are publicly available that claim to allow the execution of arbitrary code.


For Apache versions 2.0 through 2.0.36 inclusive, the condition causing the vulnerability is correctly detected and causes the child process to exit. Depending on a variety of factors, including the threading model supported by the vulnerable system, this may lead to a denial-of-service attack against the Apache web server.

Solution

Upgrade to the latest version

The Apache Software Foundation has released two new versions of Apache that correct this vulnerability. System administrators can prevent the vulnerability from being exploited by upgrading to Apache version 1.3.26 or 2.0.39.

Due to some unexpected problems with version 1.3.25, the CERT/CC has been informed by the Apache Software Foundation that the corrected version of the software is now 1.3.26. Both 1.3.26 and 2.0.39 are available on their web site at

http://www.apache.org/dist/httpd/

Apply a patch from your vendor

If your vendor has provided a patch to correct this vulnerability, you may want to apply that patch rather than upgrading your version of httpd. The CERT/CC is aware of a patch from ISS that corrects some of the impacts associated with this vulnerability. System administrators are encouraged to ensure that the patch they apply is based on the code by the Apache Software Foundation that also corrects additional impacts described in this advisory.

More information about vendor-specific patches can be found in the vendor section of this document.

Vendor Information

944335
Expand all

Alcatel

Notified:  June 14, 2002 Updated:  June 28, 2002

Status

  Vulnerable

Vendor Statement

In relation to this CERT advisory on security vulnerability in Apache, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. A first analysis has shown that various Alcatel products can be affected: namely the A5000 and A5020 SoftSwitches, the A5735 SMC, the A1300 NMC2, the management platforms for the A1000 UMTS/GPRS/MSC solutions, the 1353 SH and 1355 VPN. Customers using these products should upgrade to Apache WebServer 1.3.26 (or higher) or may contact their Alcatel support representative for more details. The security of our customers' networks is of highest priority for Alcatel. Therefore we continue to test our product portfolio against potential security vulnerabilities in our products using the Apache Webserver and will provide updates if necessary.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apache

Notified:  June 14, 2002 Updated:  June 17, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

New versions of the Apache software are available from:

Apple Computer, Inc.

Notified:  June 14, 2002 Updated:  July 02, 2002

Status

  Vulnerable

Vendor Statement

This vulnerability is fixed with the release of the "Security Update - July 2002" software update.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

More information about this vulnerability is available at:

Compaq Computer Corporation

Notified:  June 14, 2002 Updated:  July 16, 2002

Status

  Vulnerable

Vendor Statement

Compaq has released Security Bulletin SSRT2253 (document number SRB0021W).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Covalent

Updated:  June 19, 2002

Status

  Vulnerable

Vendor Statement

Covalent Technologies distributes products based on Apache 1.3 and Apache 2.0 that may be subject to this vulnerability. Covalent is currently creating patches to affected products. Covalent customers will be informed by email, and by postings at www.covalent.net/support when the patches are available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian Linux

Notified:  June 14, 2002 Updated:  June 19, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Debian security advisory DSA-131-1 describing this issue is available from:

F5 Networks, Inc.

Notified:  June 14, 2002 Updated:  June 24, 2002

Status

  Vulnerable

Vendor Statement

The following F5 Networks, Inc. products contain a vulnerable version ofthe Apache-based web server. Instructions for obtaining and installing apatch are available in the following locations.

BIG-IP® platform

3-DNS® platform

EDGE-FX® platform

GLOBAL-SITE® platform

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD, Inc.

Notified:  June 14, 2002 Updated:  June 21, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

FreeBSD has published a Security Notice about this vulnerability:

Guardian Digital Inc.

Notified:  June 14, 2002 Updated:  June 19, 2002

Status

  Vulnerable

Vendor Statement

Guardian Digital ships Apache in all version of EnGarde Secure Linux. EnGarde Secure Profssional users may update using the GDSN. This issue was addressed in ESA-20020619-014 which may be found at:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  June 14, 2002 Updated:  July 15, 2002

Status

  Vulnerable

Vendor Statement

HP makes the Apache Server available for customers as a bundled software package called "HP Apache." New updates are available temporarily via ftp from a site located at hprc.external.hp.com.

When the new updates are available at www.software.hp.com, the Hewlett-Packard Company Security Bulletin HPSBUX0207-197 will be updated.

To retrieve the updates from the temporary ftp site, use a browser to connect to:

ftp://apache:apache@192.170.19.51/
or:
ftp://apache:apache@hprc.external.hp.com/

There are two subdirectories containing depots of swinstallable binaries with a ".t" extension, one for Apache 2.0.39 (11.00 and 11.11) and one for Apache 1.3.26 (11.00 and 11.11).

HP Virtualvault (HP-UX 11.04) patches are available from itrc.hp.com with ID's of PHSS_27361 and PHSS_27371.

For full details, see Hewlett-Packard Company Security Bulletin HPSBUX0207-197, available on itrc.hp.com. Search for "Apache chunk"

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Hewlett Packard has published security advisory HPSBUX0207-197 on this issue.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Corporation

Notified:  June 14, 2002 Updated:  August 08, 2002

Status

  Vulnerable

Vendor Statement

IBM makes the Apache Server availble for AIX customers as a software package under the AIX-Linux Affinity initiative. This package is included on the AIX Toolbox for Linux Applications CD, and can be downloaded via the IBM Linux Affinity website. The currently available version of Apache Server is susceptible to the vulnerability described here. We will update our Apache Server offering shortly to version 1.3.23, including the patch for this vulnerability; this update will be made available for downloading by accessing this URL:


and following the instructions presented there.

Please note that Apache Server, and all Linux Affinity software, is offered on an "as-is" basis. IBM does not own the source code for this software, nor has it developed and fully tested this code. IBM does not support these software packages.

The IBM HTTP Server product, which is also bundeled with the Websphere product,is based on the Apache server. As such, it is vulnerable to the current "Chunk Handling" issue and we are woring on a patch for this problem with all due haste. This statement will be updated as more information becomes available.

Information for the Websphere patches is available from the web. Go to this URL:

Click on the "Websphere Flashes" link and look for the item for "IBM HTTP Server". This will contain information on the exposure and links to the patches.

The IBM HMC product is also affected by the Apache vulnerability described above. The HMC is the hardware monitor and control console used with IBM's Regatta systems. This is a seperate hardware unit that uses a Linux-based operating system and Open Source software.

Customers are advised to obtain the latest security paches for the HMC. These patches will be available early next week from the following URL:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mandriva, Inc.

Notified:  June 14, 2002 Updated:  June 21, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Mandrake published a security advisory describing this vulnerability:

Mandriva, Inc.

Notified:  June 17, 2002 Updated:  June 19, 2002

Status

  Vulnerable

Vendor Statement

The Apache webserver shipped with Conectiva Linux is vulnerable to this problem. New packages fixing this problem will be announced to our mailing list after an official fix becomes available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

A Conectiva security announcement is avilable at:

Network Appliance

Notified:  June 14, 2002 Updated:  November 02, 2007

Status

  Vulnerable

Vendor Statement

Network Appliance

Data ONTAP(R) and NetCache(R) products are not affected.

ReplicatorX versions 4.0 through 4.0.21 are affected
(This was originally released by Topio Inc, now a wholly owned subsidiary of
NetApp, as Topio Data Protection Suite (TDPS) releases 1.0 through 3.0.65).

Contact the NetApp Technical Support Center +1-888-4NETAPP for remediation
information and instructions.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  June 14, 2002 Updated:  June 21, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Information about the chunked encoding problem is availabe from:


A patch correcting the problem is availabel at:

Oracle Corporation

Notified:  June 14, 2002 Updated:  June 21, 2002

Status

  Vulnerable

Vendor Statement

Oracle has issued Oracle Security Alert #36 in response to the chunked encoding Apache HTTP Server security vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Oracle Security Alert #36 is expected to be available at:

Red Hat, Inc.

Notified:  June 14, 2002 Updated:  June 18, 2002

Status

  Vulnerable

Vendor Statement

Red Hat distributes Apache 1.3 versions in all Red Hat Linux distributions, and as part of Stronghold. However we do not distribute Apache for Windows. We are currently investigating the issue and will work on producing errata packages when an official fix for the problem is made available. When these updates are complete they will be available from the URL below. At the same time users of the Red Hat Network will be able to update their systems using the 'up2date' tool.

http://rhn.redhat.com/errata/RHSA-2002-103.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SUSE Linux

Notified:  June 14, 2002 Updated:  June 19, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SuSE has published security announcement SuSE-SA:2002:022 describing this issue.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Slackware

Updated:  June 21, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Slackware Linux posted a message to their security list indicating that updated packages were available from:

Sun Microsystems, Inc.

Notified:  June 14, 2002 Updated:  June 24, 2002

Status

  Vulnerable

Vendor Statement

Sun bundles the Apache Web Server freeware product with Solaris 8 (Apache/1.3.12) and 9 (Apache/1.3.22). Both versions are affected by this vulnerability. Sun are presently producing patches for this issue for Solaris 8 and 9. Once the patches are available, we will be publishing a Sun Alert available from:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO Linux)

Notified:  June 14, 2002 Updated:  September 18, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Caldera has published several advisories describing this vulnerability:

The SCO Group (SCO Unix)

Notified:  June 14, 2002 Updated:  September 18, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Caldera has published several advisories describing this vulnerability:

Trustix Secure Linux

Updated:  June 21, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Trustix Secure Linux has published an advisory on this topic:

Unisphere Networks

Notified:  June 14, 2002 Updated:  June 27, 2002

Status

  Vulnerable

Vendor Statement

CUSTOMER SERVICE TECHNICAL BULLETIN

SUBJECT: CERT Advisory CA-2002-17: Apache Web Server Chunk Handling Vulnerability
BULLETIN NUMBER: SSC_PSN-001
BULLETIN TYPE: Product Support Notification
AFFECTED PRODUCTS: SSC
ISSUE DATE: 06/26/2002
REVISION: 1.0

PROBLEM DESCRIPTION:
The CERT Coordination Center released an advisory on June 17, 2002 entitled, "CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability". The URL for the full text of the advisory can be found at:


AFFECTED PRODUCT(S):
SSC

SOLUTION:
The following releases of software have been found to suffer no negative effects from vulnerability outlined in CERT Advisory CA-2002-17:
    2-0-2p2
    2-0-3p2

All future releases of SSC will include the updated version of Apache web server that corrects this vulnerability.

Earlier releases of software may allow the execution of arbitrary code by remote attackers. Information needed to exploit this vulnerability is publicly known.

Affected releases include:
    2-0-0 -- 2-0-2p1
    2-0-3 -- 2-0-3p1

This Product Support Notification is publicly viewable on the Web at:

If you have any questions concerning this notice, or to obtain the latest patch release, please contact Unisphere Networks Customer Service.

Inside the U.S. call: (800) 424-2344
Outside the U.S. call: (978) 589-9000
Via the Web @

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Xerox Corporation

Notified:  June 14, 2002 Updated:  March 27, 2003

Status

  Vulnerable

Vendor Statement

A response to this advisory is available from our web site:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc.

Notified:  June 14, 2002 Updated:  June 18, 2002

Status

  Not Vulnerable

Vendor Statement

Cray, Inc. does not distribute Apache with any of its operating systems.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  June 14, 2002 Updated:  June 18, 2002

Status

  Not Vulnerable

Vendor Statement

Fujitsu's UXP/V operating system does not support Apache and is therefore not affected by the vulnerability reported in VU#944335.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lotus Software

Notified:  June 14, 2002 Updated:  June 18, 2002

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has been contacted by this vendor and told they have verified that the Lotus Domino web server is not vulnerable to this type of problem. Also, we have been told they do not ship Apache code with any of their products.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  June 14, 2002 Updated:  June 17, 2002

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has been contacted by this vendor and been told they do not ship the Apache web server in any of their products.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

3Com

Notified:  June 14, 2002 Updated:  June 17, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

AT&T

Notified:  June 14, 2002 Updated:  June 17, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Berkeley Software Design, Inc.

Notified:  June 14, 2002 Updated:  June 17, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems, Inc.

Notified:  June 14, 2002 Updated:  July 08, 2002

Status

  Unknown

Vendor Statement

Cisco Systems is evaluating the vulnerabilities identified by VU#944335. Should an issue be found, Cisco will release a Security Advisory. The most up-to-date information on all Cisco product security issues may be found at

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Computer Associates

Notified:  June 14, 2002 Updated:  June 17, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General

Notified:  June 14, 2002 Updated:  June 17, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Intel

Notified:  June 14, 2002 Updated:  June 17, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks, Inc.

Notified:  June 14, 2002 Updated:  June 17, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lucent Technologies

Notified:  June 14, 2002 Updated:  June 17, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NCSA

Notified:  June 14, 2002 Updated:  June 17, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation

Notified:  June 14, 2002 Updated:  June 17, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NETBSD

Notified:  June 14, 2002 Updated:  June 17, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nortel Networks, Inc.

Notified:  June 14, 2002 Updated:  June 27, 2002

Status

  Unknown

Vendor Statement

Nortel Networks is reviewing its portfolio to determine if any products are affected by the vulnerability noted in CERT Advisory CA-2002-17. A definitive statement will be issued shortly.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  June 14, 2002 Updated:  July 15, 2002

Status

  Unknown

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
                          SGI Security Advisory

         Title:  Apache Web Server Chunk Handling vulnerability
       Number:  20020605-01-I
         Date:  July 12, 2002
    Reference:  SGI Security Advisory 20020605-01-A
    Reference:  CERT CA-2002-17
    Reference:  Apache Security Bulletin 20020617
    Reference:  CAN-2002-0392
______________________________________________________________________________


- -----------------------
- --- Issue Specifics ---
- -----------------------

This bulletin is an update to SGI Security Advisory 20020605-01-A.

It has been reported that versions of the Apache web server up to and
including 1.3.24 and 2.0 up to and including 2.0.36 contain a bug in the
routines which deal with invalid requests which are encoded using chunked
encoding.  This bug can be triggered remotely by sending a carefully crafted
invalid request. This functionality is enabled by default.

See http://httpd.apache.org/info/security_bulletin_20020617.txt for
additional details.

SGI has investigated the issues and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected in IRIX 6.5.17, where we are now supplying
a fixed version of Apache.  We are also making the fixed version of Apache
available on our security FTP site for prior releases of IRIX.


- --------------
- --- Impact ---
- --------------

The Apache webserver is supplied with IRIX versions since 6.5.12m/f as a
replacement for the older SGI FastTrack server.  It is installed by default,
and is enabled through "chkconfig" by default.

In order to determine if the Apache webserver is installed, execute the
following command:

  # versions -b | grep apache

If the following line is returned you are OK:

I  sgi_apache           07/10/2002  SGI Web Server based on Apache, 1.3.26

But if either of these are returned you are vulnerable:

I  sgi_apache           03/20/2001  SGI Apache Server, 1.3.17
I  sgi_apache           06/10/2001  SGI Apache Server, 1.3.20
I  sgi_apache           12/06/2001  SGI Web Server based on Apache, 1.3.22

These vulnerabilities might lead to a root compromise in some
configurations, and no local account is required.

These vulnerabilities have been publicly discussed in Usenet newsgroups
and mailing lists.

This vulnerability was assigned the following CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392


- ----------------------------
- --- Temporary Workaround ---
- ----------------------------

SGI acknowledges that it may not always be possible to immediately install
patches or upgrade the operating system.  In those cases, we recommend
removing the Apache webserver and associated products by using the following
commands:

  # versions remove sgi_apache\*
 # versions remove websetup\*
 # versions remove gateway\*

It is not necessary to reboot the system after doing this.  You should
upgrade the operating system as soon as it is possible to do so.


- ----------------
- --- Solution ---
- ----------------

SGI has not provided a patch for these issues, but instead has rolled the
fixed Apache distribution into IRIX 6.5.17 and later releases of the
operating system.

   OS Version     Vulnerable?     Patch #      Other Actions
  ----------     -----------     -------      -------------
  IRIX 3.x          no                        Note 1
  IRIX 4.x          no                        Note 1
  IRIX 5.x          no                        Note 1
  IRIX 6.0.x        no                        Note 1
  IRIX 6.1          no                        Note 1
  IRIX 6.2          no                        Note 1
  IRIX 6.3          no                        Note 1
  IRIX 6.4          no                        Note 1
  IRIX 6.5          no                        Note 2
  IRIX 6.5.1        no                        Note 2
  IRIX 6.5.2        no                        Note 2
  IRIX 6.5.3        no                        Note 2
  IRIX 6.5.4        no                        Note 2
  IRIX 6.5.5        no                        Note 2
  IRIX 6.5.6        no                        Note 2
  IRIX 6.5.7        no                        Note 2
  IRIX 6.5.8        no                        Note 2
  IRIX 6.5.9        no                        Note 2
  IRIX 6.5.10       no                        Note 2
  IRIX 6.5.11       no                        Note 2
  IRIX 6.5.12       yes                       Note 2
  IRIX 6.5.13       yes   sgi_apache 1.3.26   Note 2 & 3
  IRIX 6.5.14       yes   sgi_apache 1.3.26   Note 2 & 3
  IRIX 6.5.15       yes   sgi_apache 1.3.26   Note 2 & 3
  IRIX 6.5.16       yes   sgi_apache 1.3.26   Note 2 & 3
  IRIX 6.5.17       no


   NOTES

     1) This version of the IRIX operating has been retired. Upgrade to an
       actively supported IRIX operating system.  See
       
http://support.sgi.com/irix/news/index.html#policy for more
       information.

     2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
       SGI Support Provider or URL:
http://support.sgi.com/irix/swupdates/

     3) Install sgi_apache 1.3.26 which is supplied with the IRIX 6.5.17
       Applications CD or available as sgi_apache-1.3.26.tar from:
       ftp://patches.sgi.com/support/free/security/patches/{6.5.13-6.5.16}


                ##### Patch File Checksums ####

The actual patch will be a tar file containing the following files:

Filename:                 sgi_apache
Algorithm #1 (sum -r):    24080 5 sgi_apache
Algorithm #2 (sum):       37968 5 sgi_apache
MD5 checksum:             1EE81B8F7A8DF9ED4D9AF507EA1D2755

Filename:                 sgi_apache.books
Algorithm #1 (sum -r):    65292 3274 sgi_apache.books
Algorithm #2 (sum):       32822 3274 sgi_apache.books
MD5 checksum:             CD6296A58A1B6F1FF2D6B212058D1C4D

Filename:                 sgi_apache.idb
Algorithm #1 (sum -r):    13477 281 sgi_apache.idb
Algorithm #2 (sum):       4276 281 sgi_apache.idb
MD5 checksum:             3144B64008FF66BF858434208C6BCB5B

Filename:                 sgi_apache.man
Algorithm #1 (sum -r):    29483 97 sgi_apache.man
Algorithm #2 (sum):       35420 97 sgi_apache.man
MD5 checksum:             A7864555852DB7ACC913F049BFC46121

Filename:                 sgi_apache.src
Algorithm #1 (sum -r):    43010 6244 sgi_apache.src
Algorithm #2 (sum):       58317 6244 sgi_apache.src
MD5 checksum:             7D2A6A9A226327D8D9990F80635AED80

Filename:                 sgi_apache.sw
Algorithm #1 (sum -r):    20406 1852 sgi_apache.sw
Algorithm #2 (sum):       32509 1852 sgi_apache.sw
MD5 checksum:             371625EE5B321A76137AD1A18B23B4C0


- -------------------
- --- Information ---
- -------------------

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/

SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/

SGI freeware updates for IRIX can be found at:
http://freeware.sgi.com/

SGI fixes for SGI open sourced code can be found on:
http://oss.sgi.com/projects/

SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/linux/ or
http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/

SGI patches for Windows NT or 2000 can be found at:
http://support.sgi.com/nt/

IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/support/patchset/

IRIX 6.5 Maintenance Release Streams can be found at:
http://support.sgi.com/colls/patches/tools/relstream/index.html

IRIX 6.5 Software Update CDs can be obtained from:
http://support.sgi.com/irix/swupdates/

The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211).  Security advisories and patches are
located under the URL
ftp://patches.sgi.com/support/free/security/

For security and patch management reasons, ftp.sgi.com (mirrors
patches.sgi.com security FTP repository) lags behind and does not do a
real-time update.


- ------------------------
- --- Acknowledgments ----
- ------------------------

SGI wishes to thank Mark Litchfield, CERT, ISS and the users of the Internet
Community at large for their assistance in this matter.


- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

If there are questions about this document, email can be sent to
security-info@sgi.com.

                      ------oOo------

SGI provides security information and patches for use by the entire SGI
community.  This information is freely available to any person needing the
information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211).  Security advisories and patches are
located under the URL
ftp://patches.sgi.com/support/free/security/

The SGI Security Headquarters Web page is accessible at the URL:
http://www.sgi.com/support/security/

For issues with the patches on the FTP sites, email can be sent to
security-info@sgi.com.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

                      ------oOo------

SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web
(
http://www.sgi.com/support/security/wiretap.html) or by sending email to
SGI as outlined below.

% mail wiretap-request@sgi.com
subscribe wiretap <YourEmailAddress>
end
^d

In the example above, <YourEmailAddress> is the email address that you wish
the mailing list information sent to.  The word end must be on a separate
line to indicate the end of the body of the message. The control-d (^d) is
used to indicate to the mail program that you are finished composing the
mail message.


                      ------oOo------

SGI provides a comprehensive customer World Wide Web site. This site is
located at
http://www.sgi.com/support/security/ .

                      ------oOo------

If there are general security questions on SGI systems, email can be sent to
security-info@sgi.com.

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider.  A support
contract is not required for submitting a security report.

______________________________________________________________________________
     This information is provided freely to all interested parties
     and may be redistributed provided that it is not altered in any
     way, SGI is appropriately credited and the document retains and
     includes its valid PGP signature.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPS+/UrQ4cFApAP75AQHVJgQApjJG7ZUFT3S/wE7p1khZUiSxBpo1r0qc
inVeNOm1LskJAcr12rVpoKxAvl5UQA1AxeBuDJj1Om5DDN4jHI7mHbTGey4ZdFpJ
6TaewGXadi5xIW75Xh5dFnGYtmRCRSpekSt6VJzVmeYYocmkZyZ/VUjjDo2187Cv
o2LTSqrYsow=
=1pxh
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

An SGI Advisory describing this issue is available at:

Sequent Computer Systems, Inc.

Notified:  June 14, 2002 Updated:  June 17, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation

Notified:  June 14, 2002 Updated:  June 17, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wind River Systems, Inc.

Notified:  June 14, 2002 Updated:  June 17, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

The CERT/CC thanks Mark Litchfield for reporting this vulnerability to the Apache Software Foundation, and Mark Cox for reporting this vulnerability to the CERT/CC.

This document was written by Cory F. Cohen.

Other Information

CVE IDs: CVE-2002-0392
CERT Advisory: CA-2002-17
Severity Metric: 53.35
Date Public: 2002-06-17
Date First Published: 2002-06-18
Date Last Updated: 2007-11-02 16:02 UTC
Document Revision: 36

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.