Probably of interest to most on this list...

Adrian

----- Original Message -----
From: "CERT Advisory"
To:
Sent: Monday, June 17, 2002 7:02 PM
Subject: CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability

>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability
>
> Original release date: June 17, 2002
> Last revised: --
> Source: CERT/CC
>
> A complete revision history can be found at the end of this file.
>
> Systems Affected
>
> * Web servers based on Apache code versions 1.3 through 1.3.24
> * Web servers based on Apache code versions 2.0 through 2.0.36
>
> Overview
>
> There is a remotely exploitable vulnerability in the handling of large
> chunks of data in web servers that are based on Apache source code.
> This vulnerability is present by default in configurations of Apache
> web servers versions 1.3 through 1.3.24 and versions 2.0 through
> 2.0.36. The impact of this vulnerability is dependent upon the
> software version and the hardware platform the server is running on.
>
> I. Description
>
> Apache is a popular web server that includes support for chunk-encoded
> data according to the HTTP 1.1 standard as described in RFC2616. There
> is a vulnerability in the handling of certain chunk-encoded HTTP
> requests that may allow remote attackers to execute arbitrary code.
>
> The Apache Software Foundation has published an advisory describing
> the details of this vulnerability. This advisory is available on their
> web site at
>
> http://httpd.apache.org/info/security_bulletin_20020617.txt
>
> II. Impact
>
> For Apache versions 1.3 through 1.3.24 inclusive, this vulnerability
> may allow the execution of arbitrary code by remote attackers. Several
> sources have reported that this vulnerability can be used by intruders
> to execute arbitrary code on Windows platforms.
> Additionally, the
> Apache Software Foundation has reported that a similar attack may
> allow the execution of arbitrary code on 64-bit UNIX systems.
>
> For Apache versions 2.0 through 2.0.36 inclusive, the condition
> causing the vulnerability is correctly detected and causes the child
> process to exit. Depending on a variety of factors, including the
> threading model supported by the vulnerable system, this may lead to a
> denial-of-service attack against the Apache web server.
>
> III. Solution
>
> Apply a patch from your vendor
>
> Apply a patch from your vendor to correct this vulnerability. The
> CERT/CC has been informed by the Apache Software Foundation that the
> patch provided in the ISS advisory on this topic does not completely
> correct this vulnerability. More information about vendor-specific
> patches can be found in the vendor section of this document. Because
> the publication of this advisory was unexpectedly accelerated,
> statements from all of the affected vendors were not available at
> publication time. As additional information from vendors becomes
> available, this document will be updated.
>
> Upgrade to the latest version
>
> The Apache Software Foundation has released two new versions of Apache
> that correct this vulnerability. System administrators can prevent the
> vulnerability from being exploited by upgrading to Apache version
> 1.3.25 or 2.0.39. The new versions of Apache will be available from
> their web site at
>
> http://httpd.apache.org/
>
> Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for this
> advisory. As vendors report new information to the CERT/CC, we will
> update this section and note the changes in our revision history. If a
> particular vendor is not listed below, we have not received their
> comments.
>
> Apache Software Foundation
>
> New versions of the Apache software are available from:
>
> http://httpd.apache.org/
>
> Conectiva Linux
>
> The Apache webserver shipped with Conectiva Linux is vulnerable to
> this problem. New packages fixing this problem will be announced to
> our mailing list after an official fix becomes available.
>
> Cray, Inc.
>
> Cray, Inc. does not distribute Apache with any of its operating
> systems.
>
> IBM Corporation
>
> IBM makes the Apache Server available for AIX customers as a software
> package under the AIX-Linux Affinity initiative. This package is
> included on the AIX Toolbox for Linux Applications CD, and can be
> downloaded via the IBM Linux Affinity website. The currently available
> version of Apache Server is susceptible to the vulnerability described
> here. We will update our Apache Server offering shortly to version
> 1.3.23, including the patch for this vulnerability; this update will
> be made available for downloading by accessing this URL:
>
> http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
>
> and following the instructions presented there.
>
> Please note that Apache Server, and all Linux Affinity software, is
> offered on an "as-is" basis. IBM does not own the source code for this
> software, nor has it developed and fully tested this code. IBM does
> not support these software packages.
>
> Lotus
>
> We have verified that the Lotus Domino web server is not vulnerable to
> this type of problem. Also, we do not ship Apache code with any Lotus
> products.
>
> Microsoft Corporation
>
> Microsoft does not ship the Apache web server.
>
> Network Appliance
>
> NetApp systems are not vulnerable to this problem.
>
> RedHat Inc.
>
> Red Hat distributes Apache 1.3 versions in all Red Hat Linux
> distributions, and as part of Stronghold. However we do not distribute
> Apache for Windows.
> We are currently investigating the issue and will
> work on producing errata packages when an official fix for the problem
> is made available. When these updates are complete they will be
> available from the URL below. At the same time users of the Red Hat
> Network will be able to update their systems using the 'up2date' tool.
>
> http://rhn.redhat.com/errata/RHSA-2002-103.html
>
> Unisphere Networks
>
> The Unisphere Networks SDX-300 Service Deployment System (aka. SSC)
> uses Apache 1.3.24. We are releasing Version 3.0 using Apache 1.3.25
> soon, and will be issuing a patch release for SSC Version 2.0.3 in the
> very near future.
> _________________________________________________________________
>
> The CERT/CC thanks Mark Litchfield for reporting this vulnerability to
> the Apache Software Foundation, and Mark Cox for reporting this
> vulnerability to the CERT/CC.
> _________________________________________________________________
>
> Author: Cory F. Cohen
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2002-17.html
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: cert@cert.org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> EDT(GMT-4) Monday through Friday; they are on call for emergencies
> during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to majordomo@cert.org. Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2002 Carnegie Mellon University.
>
> Revision History
> June 17, 2002: Initial release
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> -----END PGP SIGNATURE-----
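The advisory above concerns how a server handles large chunk sizes in HTTP/1.1 chunked transfer-coding. As an added illustration of the defensive side, and not code from CERT, Apache or the ISS advisory, here is a small chunk decoder in C: the chunk size is parsed into an unsigned size_t, bounded before every shift by an assumed policy cap MAX_CHUNK_SIZE, and checked against the remaining input and output space before any copy. The function names, the cap and the sample bodies are all constructed for this example.

```c
#include <stddef.h>
#include <string.h>
#define MAX_CHUNK_SIZE ((size_t)1 << 20)  /* hypothetical policy cap, not Apache's */

/* Parse one chunk-size line ("1a;ext=1\r\n"): returns bytes consumed, or 0 on
 * malformed input or a size over the cap. The size accumulates in an unsigned
 * size_t bounded before every shift, so "-5" or "FFFFFFFFFFFFFFFF" is rejected. */
size_t parse_chunk_size(const char *buf, size_t len, size_t *out)
{
    size_t i = 0, val = 0;
    for (; i < len; i++) {
        char c = buf[i];
        int d = (c >= '0' && c <= '9') ? c - '0'
              : (c >= 'a' && c <= 'f') ? c - 'a' + 10
              : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
        if (d < 0) break;
        if (val > (MAX_CHUNK_SIZE >> 4)) return 0;  /* next shift would pass the cap */
        val = (val << 4) | (size_t)d;
    }
    if (i == 0 || val > MAX_CHUNK_SIZE) return 0;   /* no hex digits, or too large */
    while (i < len && buf[i] != '\r') i++;          /* skip chunk extensions */
    if (i + 1 >= len || buf[i + 1] != '\n') return 0;
    *out = val;
    return i + 2;
}

/* Decode a chunked body into dst. Returns decoded length, or -1 on a malformed
 * chunk, a size exceeding the remaining input or output, or truncated input. */
long decode_chunked(const char *src, size_t srclen, char *dst, size_t dstlen)
{
    size_t pos = 0, outpos = 0, csize, n;
    for (;;) {
        n = parse_chunk_size(src + pos, srclen - pos, &csize);
        if (n == 0) return -1;
        pos += n;
        if (csize == 0) return (long)outpos;                  /* last-chunk; trailers ignored */
        if (csize > srclen - pos || csize > dstlen - outpos) return -1;
        memcpy(dst + outpos, src + pos, csize);               /* copy is now in bounds */
        outpos += csize; pos += csize;
        if (pos + 2 > srclen || src[pos] != '\r' || src[pos + 1] != '\n') return -1;
        pos += 2;
    }
}

/* Decode a NUL-terminated constructed sample into a local buffer. */
long decode_demo(const char *sample)
{
    char out[256];
    return decode_chunked(sample, strlen(sample), out, sizeof out);
}
```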