Fw: CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability
Adrian Mink
plug-discuss@lists.plug.phoenix.az.us
Mon, 17 Jun 2002 21:21:31 -0700
Probably of interest to most on this list...
Adrian
----- Original Message -----
From: "CERT Advisory" <cert-advisory@cert.org>
To: <cert-advisory@cert.org>
Sent: Monday, June 17, 2002 7:02 PM
Subject: CERT Advisory CA-2002-17 Apache Web Server Chunk Handling
Vulnerability
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability
>
> Original release date: June 17, 2002
> Last revised: --
> Source: CERT/CC
>
> A complete revision history can be found at the end of this file.
>
> Systems Affected
>
> * Web servers based on Apache code versions 1.3 through 1.3.24
> * Web servers based on Apache code versions 2.0 through 2.0.36
>
> Overview
>
> There is a remotely exploitable vulnerability in the handling of large
> chunks of data in web servers that are based on Apache source code.
> This vulnerability is present by default in configurations of Apache
> web servers versions 1.3 through 1.3.24 and versions 2.0 through
> 2.0.36. The impact of this vulnerability is dependent upon the
> software version and the hardware platform the server is running on.
>
> I. Description
>
> Apache is a popular web server that includes support for chunk-encoded
> data according to the HTTP 1.1 standard as described in RFC2616. There
> is a vulnerability in the handling of certain chunk-encoded HTTP
> requests that may allow remote attackers to execute arbitrary code.
>
> The Apache Software Foundation has published an advisory describing
> the details of this vulnerability. This advisory is available on their
> web site at
>
> http://httpd.apache.org/info/security_bulletin_20020617.txt
>
> II. Impact
>
> For Apache versions 1.3 through 1.3.24 inclusive, this vulnerability
> may allow the execution of arbitrary code by remote attackers. Several
> sources have reported that this vulnerability can be used by intruders
> to execute arbitrary code on Windows platforms. Additionally, the
> Apache Software Foundation has reported that a similar attack may
> allow the execution of arbitrary code on 64-bit UNIX systems.
>
> For Apache versions 2.0 through 2.0.36 inclusive, the condition
> causing the vulnerability is correctly detected and causes the child
> process to exit. Depending on a variety of factors, including the
> threading model supported by the vulnerable system, this may lead to a
> denial-of-service attack against the Apache web server.
>
> III. Solution
>
> Apply a patch from your vendor
>
> Apply a patch from your vendor to correct this vulnerability. The
> CERT/CC has been informed by the Apache Software Foundation that the
> patch provided in the ISS advisory on this topic does not completely
> correct this vulnerability. More information about vendor-specific
> patches can be found in the vendor section of this document. Because
> the publication of this advisory was unexpectedly accelerated,
> statements from all of the affected vendors were not available at
> publication time. As additional information from vendors becomes
> available, this document will be updated.
>
> Upgrade to the latest version
>
> The Apache Software Foundation has released two new versions of Apache
> that correct this vulnerability. System administrators can prevent the
> vulnerability from being exploited by upgrading to Apache version
> 1.3.25 or 2.0.39. The new versions of Apache will be available from
> their web site at
>
> http://httpd.apache.org/
>
> Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for this
> advisory. As vendors report new information to the CERT/CC, we will
> update this section and note the changes in our revision history. If a
> particular vendor is not listed below, we have not received their
> comments.
>
> Apache Software Foundation
>
> New versions of the Apache software are available from:
>
> http://httpd.apache.org/
>
> Conectiva Linux
>
> The Apache webserver shipped with Conectiva Linux is vulnerable to
> this problem. New packages fixing this problem will be announced to
> our mailing list after an official fix becomes available.
>
> Cray, Inc.
>
> Cray, Inc. does not distribute Apache with any of its operating
> systems.
>
> IBM Corporation
>
> IBM makes the Apache Server available for AIX customers as a software
> package under the AIX-Linux Affinity initiative. This package is
> included on the AIX Toolbox for Linux Applications CD, and can be
> downloaded via the IBM Linux Affinity website. The currently available
> version of Apache Server is susceptible to the vulnerability described
> here. We will update our Apache Server offering shortly to version
> 1.3.23, including the patch for this vulnerability; this update will
> be made available for downloading by accessing this URL:
>
> http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
>
> and following the instructions presented there.
>
> Please note that Apache Server, and all Linux Affinity software, is
> offered on an "as-is" basis. IBM does not own the source code for this
> software, nor has it developed and fully tested this code. IBM does
> not support these software packages.
>
> Lotus
>
> We have verified that the Lotus Domino web server is not vulnerable to
> this type of problem. Also, we do not ship Apache code with any Lotus
> products.
>
> Microsoft Corporation
>
> Microsoft does not ship the Apache web server.
>
> Network Appliance
>
> NetApp systems are not vulnerable to this problem.
>
> RedHat Inc.
>
> Red Hat distributes Apache 1.3 versions in all Red Hat Linux
> distributions, and as part of Stronghold. However we do not distribute
> Apache for Windows. We are currently investigating the issue and will
> work on producing errata packages when an official fix for the problem
> is made available. When these updates are complete they will be
> available from the URL below. At the same time users of the Red Hat
> Network will be able to update their systems using the 'up2date' tool.
>
> http://rhn.redhat.com/errata/RHSA-2002-103.html
>
> Unisphere Networks
>
> The Unisphere Networks SDX-300 Service Deployment System (aka. SSC)
> uses Apache 1.3.24. We are releasing Version 3.0 using Apache 1.3.25
> soon, and will be issuing a patch release for SSC Version 2.0.3 in the
> very near future.
> _________________________________________________________________
>
> The CERT/CC thanks Mark Litchfield for reporting this vulnerability to
> the Apache Software Foundation, and Mark Cox for reporting this
> vulnerability to the CERT/CC.
> _________________________________________________________________
>
> Author: Cory F. Cohen
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2002-17.html
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: cert@cert.org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> EDT(GMT-4) Monday through Friday; they are on call for emergencies
> during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to majordomo@cert.org. Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2002 Carnegie Mellon University.
>
> Revision History
> June 17, 2002: Initial release
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> iQCVAwUBPQ6RhKCVPMXQI2HJAQHQ7AQAs7nkN3DoS3utJlLUSOrT30PD5FDjSHmu
> F3jrO6goHJVpyL5GuliDgrdP1rqZOLr19vbExKo+YMOAGo1R9FQfn6URQMiOsGG7
> KeZGGk/fZBf3n8wrA3fu8CXAW5pTi0lu3kGcLYyBU8cqEEkunEFx/nQPsANcu+fR
> FnqtSf7LhQI=
> =mZEs
> -----END PGP SIGNATURE-----
>
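Added example, not part of the forwarded advisory and not Apache's own request-handling code: a defensive decoder in C for the chunked transfer-coding (RFC 2616 section 3.6.1) that the advisory refers to. The advisory does not spell out the mechanism; what the code guards against is the general class of bug a chunk parser must handle, namely an attacker-supplied hex chunk-size of unbounded length that, once squeezed into a signed int or used unchecked as a copy length, either turns negative or exceeds the receiving buffer. The sample bodies, the function names and the buffer sizes below are constructed for illustration.

```c
/*
 * Added example (not Apache code): defensive decoding of an HTTP/1.1
 * chunked body. Chunk sizes and sample bodies are constructed.
 *
 * The chunk-size field is attacker-controlled hex of unbounded length.
 * parse_chunk_size() refuses to wrap size_t and refuses any size larger
 * than the space left in the output buffer, before a single byte is copied.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum chunk_status {
    CHUNK_OK = 0,
    CHUNK_BAD_SYNTAX = -1,  /* not a valid chunk-size line */
    CHUNK_TOO_LARGE = -2,   /* size wraps or exceeds the output buffer */
    CHUNK_TRUNCATED = -3    /* body ends before the declared chunk data */
};

/* The unsafe pattern: attacker-controlled hex squeezed into a signed int.
 * "80000000" yields a negative value on two's-complement compilers; passed
 * on as a size_t copy length it becomes an enormous positive count. */
int naive_chunk_len(const char *line)
{
    return (int)strtoul(line, NULL, 16);
}

/*
 * Parse the chunk-size token at the start of `line` (e.g. "1a;ext=1\r\n").
 * A chunk-extension after ';' is skipped, as the RFC allows. On success
 * sets *size (guaranteed <= max) and *consumed (bytes including CRLF).
 */
enum chunk_status parse_chunk_size(const char *line, size_t line_len,
                                   size_t max, size_t *size, size_t *consumed)
{
    size_t i = 0, value = 0;

    if (line_len == 0 || !isxdigit((unsigned char)line[0]))
        return CHUNK_BAD_SYNTAX;

    for (; i < line_len && isxdigit((unsigned char)line[i]); i++) {
        int c = tolower((unsigned char)line[i]);
        size_t d = (size_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
        /* value * 16 + d must not wrap size_t ... */
        if (value > (SIZE_MAX - d) / 16)
            return CHUNK_TOO_LARGE;
        value = value * 16 + d;
        /* ... and must never exceed what the caller can hold. Checking
         * inside the loop rejects a long digit run at the second digit. */
        if (value > max)
            return CHUNK_TOO_LARGE;
    }
    if (i < line_len && line[i] == ';')            /* chunk-extension */
        while (i < line_len && line[i] != '\r' && line[i] != '\n')
            i++;
    if (i + 1 < line_len && line[i] == '\r' && line[i + 1] == '\n')
        i += 2;
    else if (i < line_len && line[i] == '\n')      /* tolerate bare LF */
        i += 1;
    else
        return CHUNK_BAD_SYNTAX;

    *size = value;
    *consumed = i;
    return CHUNK_OK;
}

/*
 * Decode a complete chunked body into `out` (capacity out_cap). Returns
 * CHUNK_OK and sets *out_len, or a negative status; never writes more than
 * out_cap bytes. Trailer headers after the last-chunk are ignored.
 */
enum chunk_status decode_chunked(const char *body, size_t body_len,
                                 char *out, size_t out_cap, size_t *out_len)
{
    size_t pos = 0, written = 0;

    for (;;) {
        size_t size, used;
        enum chunk_status st = parse_chunk_size(body + pos, body_len - pos,
                                                out_cap - written, &size, &used);
        if (st != CHUNK_OK)
            return st;
        pos += used;
        if (size == 0) {                 /* last-chunk */
            *out_len = written;
            return CHUNK_OK;
        }
        if (body_len - pos < size + 2)   /* chunk-data plus its CRLF */
            return CHUNK_TRUNCATED;
        memcpy(out + written, body + pos, size);   /* size <= out_cap - written */
        written += size;
        pos += size;
        if (body[pos] != '\r' || body[pos + 1] != '\n')
            return CHUNK_BAD_SYNTAX;
        pos += 2;
    }
}

int main(void)
{
    /* Constructed samples: a benign body and a hostile chunk-size line. */
    static const char good[] = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
    static const char huge[] = "ffffffffffffffffff\r\nAAAA\r\n0\r\n\r\n";
    char out[64];
    size_t n = 0;

    if (decode_chunked(good, sizeof good - 1, out, sizeof out, &n) == CHUNK_OK)
        printf("decoded %zu bytes: %.*s\n", n, (int)n, out);
    printf("naive signed length of 80000000: %d\n", naive_chunk_len("80000000"));
    printf("hardened decoder on oversized chunk: %d\n",
           (int)decode_chunked(huge, sizeof huge - 1, out, sizeof out, &n));
    return 0;
}
```

The check that matters is the bound against the remaining output space inside the digit loop: it is applied before the conversion can wrap and before any memcpy, so an oversized chunk-size is rejected as a parse error rather than discovered as a corrupted heap or stack.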