Fw: CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability

Adrian Mink plug-discuss@lists.plug.phoenix.az.us
Mon, 17 Jun 2002 21:21:31 -0700


Probably of interest to most on this list...

Adrian

----- Original Message -----
From: "CERT Advisory" <cert-advisory@cert.org>
To: <cert-advisory@cert.org>
Sent: Monday, June 17, 2002 7:02 PM
Subject: CERT Advisory CA-2002-17 Apache Web Server Chunk Handling
Vulnerability


>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability
>
>    Original release date: June 17, 2002
>    Last revised: --
>    Source: CERT/CC
>
>    A complete revision history can be found at the end of this file.
>
> Systems Affected
>
>      * Web servers based on Apache code versions 1.3 through 1.3.24
>      * Web servers based on Apache code versions 2.0 through 2.0.36
>
> Overview
>
>    There is a remotely exploitable vulnerability in the handling of large
>    chunks  of  data  in web servers that are based on Apache source code.
>    This  vulnerability  is present by default in configurations of Apache
>    web  servers  versions  1.3  through  1.3.24  and versions 2.0 through
>    2.0.36.  The  impact  of  this  vulnerability  is  dependent  upon the
>    software version and the hardware platform the server is running on.
>
> I. Description
>
>    Apache is a popular web server that includes support for chunk-encoded
>    data according to the HTTP 1.1 standard as described in RFC2616. There
>    is  a  vulnerability  in  the  handling  of certain chunk-encoded HTTP
>    requests that may allow remote attackers to execute arbitrary code.
>
>    The  Apache  Software  Foundation has published an advisory describing
>    the details of this vulnerability. This advisory is available on their
>    web site at
>
>           http://httpd.apache.org/info/security_bulletin_20020617.txt
>
> II. Impact
>
>    For  Apache  versions 1.3 through 1.3.24 inclusive, this vulnerability
>    may allow the execution of arbitrary code by remote attackers. Several
>    sources have reported that this vulnerability can be used by intruders
>    to  execute  arbitrary  code  on  Windows platforms. Additionally, the
>    Apache  Software  Foundation  has  reported  that a similar attack may
>    allow the execution of arbitrary code on 64-bit UNIX systems.
>
>    For  Apache  versions  2.0  through  2.0.36  inclusive,  the condition
>    causing  the  vulnerability is correctly detected and causes the child
>    process  to  exit.  Depending  on  a variety of factors, including the
>    threading model supported by the vulnerable system, this may lead to a
>    denial-of-service attack against the Apache web server.
>
> III. Solution
>
> Apply a patch from your vendor
>
>    Apply  a  patch  from  your  vendor to correct this vulnerability. The
>    CERT/CC  has  been informed by the Apache Software Foundation that the
>    patch  provided  in the ISS advisory on this topic does not completely
>    correct  this  vulnerability.  More  information about vendor-specific
>    patches  can  be found in the vendor section of this document. Because
>    the   publication  of  this  advisory  was  unexpectedly  accelerated,
>    statements  from  all  of  the  affected vendors were not available at
>    publication  time.  As  additional  information  from  vendors becomes
>    available, this document will be updated.
>
> Upgrade to the latest version
>
>    The Apache Software Foundation has released two new versions of Apache
>    that correct this vulnerability. System administrators can prevent the
>    vulnerability  from  being  exploited  by  upgrading to Apache version
>    1.3.25  or  2.0.39.  The new versions of Apache will be available from
>    their web site at
>
>           http://httpd.apache.org/
>
> Appendix A. - Vendor Information
>
>    This  appendix  contains  information  provided  by  vendors  for this
>    advisory.  As  vendors  report new information to the CERT/CC, we will
>    update this section and note the changes in our revision history. If a
>    particular  vendor  is  not  listed  below, we have not received their
>    comments.
>
> Apache Software Foundation
>
>    New versions of the Apache software are available from:
>
>           http://httpd.apache.org/
>
> Conectiva Linux
>
>    The  Apache  webserver  shipped  with Conectiva Linux is vulnerable to
>    this  problem.  New  packages fixing this problem will be announced to
>    our mailing list after an official fix becomes available.
>
> Cray, Inc.
>
>    Cray,  Inc.  does  not  distribute  Apache  with  any of its operating
>    systems.
>
> IBM Corporation
>
>    IBM  makes  the Apache Server available for AIX customers as a software
>    package  under  the  AIX-Linux  Affinity  initiative.  This package is
>    included  on  the  AIX  Toolbox  for Linux Applications CD, and can be
>    downloaded via the IBM Linux Affinity website. The currently available
>    version of Apache Server is susceptible to the vulnerability described
>    here.  We  will  update  our Apache Server offering shortly to version
>    1.3.23,  including  the patch for this vulnerability; this update will
>    be made available for downloading by accessing this URL:
>
>           http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
>
>    and following the instructions presented there.
>
>    Please  note  that  Apache Server, and all Linux Affinity software, is
>    offered on an "as-is" basis. IBM does not own the source code for this
>    software,  nor  has  it developed and fully tested this code. IBM does
>    not support these software packages.
>
> Lotus
>
>    We have verified that the Lotus Domino web server is not vulnerable to
>    this  type of problem. Also, we do not ship Apache code with any Lotus
>    products.
>
> Microsoft Corporation
>
>    Microsoft does not ship the Apache web server.
>
> Network Appliance
>
>    NetApp systems are not vulnerable to this problem.
>
> RedHat Inc.
>
>    Red  Hat  distributes  Apache  1.3  versions  in  all  Red  Hat  Linux
>    distributions, and as part of Stronghold. However we do not distribute
>    Apache  for Windows. We are currently investigating the issue and will
>    work on producing errata packages when an official fix for the problem
>    is  made  available.  When  these  updates  are  complete they will be
>    available  from  the  URL below. At the same time users of the Red Hat
>    Network will be able to update their systems using the 'up2date' tool.
>
>           http://rhn.redhat.com/errata/RHSA-2002-103.html
>
> Unisphere Networks
>
>    The  Unisphere  Networks  SDX-300 Service Deployment System (aka. SSC)
>    uses  Apache  1.3.24. We are releasing Version 3.0 using Apache 1.3.25
>    soon, and will be issuing a patch release for SSC Version 2.0.3 in the
>    very near future.
>      _________________________________________________________________
>
>    The CERT/CC thanks Mark Litchfield for reporting this vulnerability to
>    the  Apache  Software  Foundation,  and  Mark  Cox  for reporting this
>    vulnerability to the CERT/CC.
>      _________________________________________________________________
>
>    Author: Cory F. Cohen
>    ______________________________________________________________________
>
>    This document is available from:
>    http://www.cert.org/advisories/CA-2002-17.html
>    ______________________________________________________________________
>
> CERT/CC Contact Information
>
>    Email: cert@cert.org
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
>
>    CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
>    EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
>    during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
>    We  strongly  urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
>    http://www.cert.org/CERT_PGP.key
>
>    If  you  prefer  to  use  DES,  please  call the CERT hotline for more
>    information.
>
> Getting security information
>
>    CERT  publications  and  other security information are available from
>    our web site
>    http://www.cert.org/
>
>    To  subscribe  to  the CERT mailing list for advisories and bulletins,
>    send  email  to majordomo@cert.org. Please include in the body of your
>    message
>
>    subscribe cert-advisory
>
>    *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
>    Patent and Trademark Office.
>    ______________________________________________________________________
>
>    NO WARRANTY
>    Any  material furnished by Carnegie Mellon University and the Software
>    Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied  as  to  any matter including, but not limited to, warranty of
>    fitness  for  a  particular purpose or merchantability, exclusivity or
>    results  obtained from use of the material. Carnegie Mellon University
>    does  not  make  any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>      _________________________________________________________________
>
>    Conditions for use, disclaimers, and sponsorship information
>
>    Copyright 2002 Carnegie Mellon University.
>
>    Revision History
> June 17, 2002:  Initial release
>
>
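As an added illustration (not code from the advisory, from CERT or from Apache), here is a bounds-checked decoder for the RFC 2616 chunked transfer-coding the advisory's "handling of large chunks" concerns: the chunk-size line is limited to eight hex digits and compared against an explicit ceiling before any length derived from it is trusted, so an oversized or malformed chunk-size is rejected rather than turned into an unchecked length. The limits MAX_CHUNK and MAX_BODY and the sample bodies are assumed values constructed for the example.

```python
import re

MAX_CHUNK = 1 << 20   # assumed per-chunk ceiling for this example (1 MiB)
MAX_BODY = 8 << 20    # assumed total-body ceiling for this example (8 MiB)

class ChunkError(ValueError):
    """Raised for any chunk-size line or chunk-data the decoder will not trust."""

def decode_chunked(data: bytes, max_chunk: int = MAX_CHUNK, max_body: int = MAX_BODY) -> bytes:
    """Decode an RFC 2616 chunked body, rejecting sizes outside an explicit policy."""
    out = bytearray()
    pos = 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            raise ChunkError("missing chunk-size line")
        size_line = data[pos:nl]
        # chunk-size = 1*HEX, optionally followed by ";" chunk-extensions.
        # At most 8 hex digits: anything longer cannot fit a 32-bit length and is refused.
        m = re.fullmatch(rb"([0-9A-Fa-f]{1,8})(;.*)?", size_line)
        if not m:
            raise ChunkError(f"malformed chunk-size line: {size_line!r}")
        size = int(m.group(1), 16)  # always non-negative; never a signed conversion
        if size > max_chunk:
            raise ChunkError(f"chunk size {size} exceeds limit {max_chunk}")
        pos = nl + 2
        if size == 0:
            # last-chunk: consume optional trailer headers up to the blank line
            while True:
                nl = data.find(b"\r\n", pos)
                if nl < 0:
                    raise ChunkError("unterminated trailer")
                if nl == pos:
                    return bytes(out)
                pos = nl + 2
        if len(out) + size > max_body:
            raise ChunkError(f"decoded body would exceed limit {max_body}")
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ChunkError("truncated chunk-data")
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("missing CRLF after chunk-data")
        out += chunk
        pos += size + 2

def rejects(data: bytes) -> bool:
    """True if the decoder refuses the body instead of returning bytes."""
    try:
        decode_chunked(data)
    except ChunkError:
        return True
    return False

# Constructed sample: a well-formed body decodes, a huge chunk-size is refused.
GOOD_BODY = b"4\r\nWiki\r\n5;ext=1\r\npedia\r\n0\r\nX-Trailer: yes\r\n\r\n"
HUGE_SIZE = b"FFFFFFF0\r\n" + b"A" * 16 + b"\r\n0\r\n\r\n"
```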