
Thread: Apache bug found - CERT advisory

  1. #1
    Senior Member
    Join Date
    May 2001
    Posts
    472

    Apache bug found - CERT advisory

    Got this in my email this morning...

    Subject: CERT Advisory CA-2002-17 Apache Web Server Chunk Handling
    Vulnerability
    Date: Mon, 17 Jun 2002 22:05:33 -0400 (EDT)
    From: CERT Advisory <cert-advisory@cert.org>
    To: cert-advisory@cert.org

    -----BEGIN PGP SIGNED MESSAGE-----

    CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability

    Original release date: June 17, 2002
    Last revised: --
    Source: CERT/CC

    A complete revision history can be found at the end of this file.

    Systems Affected

    * Web servers based on Apache code versions 1.3 through 1.3.24
    * Web servers based on Apache code versions 2.0 through 2.0.36

    Overview

    There is a remotely exploitable vulnerability in the handling of large
    chunks of data in web servers that are based on Apache source code.
    This vulnerability is present by default in configurations of Apache
    web servers versions 1.3 through 1.3.24 and versions 2.0 through
    2.0.36. The impact of this vulnerability is dependent upon the
    software version and the hardware platform the server is running on.

  2. #2

    Re:Apache bug found - CERT advisory

    I saw a story about that. It seems there is a bit of controversy as to how the vulnerability was revealed.

  3. #3

    Re:Apache bug found - CERT advisory

    [quote author=pam link=board=5;threadid=3833;start=0#38553 date=1024427917]
    I saw a story about that. It seems there is a bit of controversy as to how the vulnerability was revealed.
    [/quote]

    I saw the same story at SecurityFocus. Got to love this ----->

    On Monday, Internet Security Systems (ISS) posted their discovery to the BugTraq mailing list, without knowing the full extent of the flaw, and without giving Apache.org time to investigate and develop a patch or even propose a workaround. To sugar the pill ISS had developed its own patch, which Apache later said doesn't address all the issues. Another point in the ISS advisory which Apache disputes is a claim that only installations on Windows are vulnerable
    ....
    There was a posting at Slashdot suggesting that ISS was using the premature advisory as a publicity stunt; and while there's undoubtedly a lot to that, we have to wonder if there isn't something even creepier behind it. Here we see ISS publishing a vulnerability and a lame patch without so much as consulting the developer of an open-source product, but we've never seen them try to pull a stunt like that with Microsoft, say.

  4. #4

    Re:Apache bug found - CERT advisory

    New versions of Apache were just released. ;D ;D ;D

  5. #5
    Mentor coltrane's Avatar
    Join Date
    May 2001
    Location
    North Carolina
    Posts
    1,390

    Re:Apache bug found - CERT advisory

    If it smells like a fish....

  6. #6

    Re:Apache bug found - CERT advisory

    [quote author=tolstoy link=board=5;threadid=3833;start=0#38575 date=1024444471]
    New versions of Apache were just released. ;D ;D ;D
    [/quote]



    no way!! tooo freaking fast ;D

  7. #7

    Re:Apache bug found - CERT advisory

    Quoted from Symantec's website

    Apache HTTP Server chunk encoding stack overflow
    Risk
    High

    Date Discovered
    06-17-2002

    Description
    Apache HTTP Server contains a vulnerability in the handling of certain chunk-encoded HTTP requests that may allow remote attackers to execute arbitrary code and cause a denial of service (DoS).

    Chunked encoding permits the transfer of fragments of dynamically produced content of varying sizes by including a size indicator as well as information for the recipient to verify receipt of the complete message.

    For Apache versions 1.2.2 through 1.3.24, this vulnerability may allow remote attackers to execute arbitrary code on Windows platforms. In addition, Apache has reported that a similar attack may allow the execution of arbitrary code on both 32-bit and 64-bit UNIX-based systems.

    For Apache versions 2.0 through 2.0.36, the buffer overflow condition is correctly detected; however, an attempted exploit may cause the child process to exit depending on a variety of factors, including the threading model supported by the vulnerable system. If multi-threading is used, it may lead to a denial of service attack against the Apache Web server because all concurrent requests currently served by the affected child process will be lost.

    Multi-threading is a technique that allows an independent program to perform more than one task at seemingly the same time. For example, a program that loads a data file while also reading user input is said to have two computational units and is therefore multi-threaded.

    This vulnerability affects Apache Web server versions that run on many of the various Windows, BSD, Linux, and UNIX releases. Users are encouraged to contact their vendor to determine whether they are affected and acquire appropriate fixes.

    Symantec Enterprise Solutions
    NetRecon, Symantec's vulnerability assessment tool, has a check for vulnerable Apache HTTP Server versions included in Security Update 10, which will be available through LiveUpdate.

    NetProwler, Symantec's network-based intrusion detection tool, includes detection for attempts to exploit this issue in Security Update 18, which is available for download through the NetProwler update capabilities.

    Platforms Affected
    Multiple

    Components Affected
    Apache HTTP Server 1.3.24 and previous
    Apache HTTP Server 2.0.36 and previous
    Apple Macintosh OS 10.0, 10.0.1
    BSDI BSD/OS 4.0
    IBM AIX 4.3, 5.1L
    Mandrake Soft Linux 7.1, 7.2
    Microsoft Windows 2000 Advanced Server
    Microsoft Windows 2000 Professional
    Microsoft Windows NT Server 4.0
    Microsoft Windows NT, Terminal Server Edition 4.0
    OpenBSD BSD 2.8
    Oracle Corporation 9i Enterprise Edition 9.0.1
    Stronghold Secure Web Server 3.0
    Red Hat Software, Inc. Stronghold Secure Web Server 4.0
    S.U.S.E. GmbH Linux 7.0
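
Added example, not part of the thread and not Apache's code or patch: the size indicator that the quoted description mentions is sender-supplied input that ends up as a copy length, so a decoder has to validate it first. The sketch below parses it as unsigned hex, caps it at the space left in the output buffer, and checks the input length before copying; the function names, the 16-byte buffer and the sample body are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Parse a hex chunk-size line ending in CRLF (chunk extensions rejected). */
static int parse_chunk_size(const char **p, const char *end, size_t limit, size_t *out)
{
    const char *s = *p;
    size_t n = 0, d;
    for (; s < end; s++) {
        if (*s >= '0' && *s <= '9') d = (size_t)(*s - '0');
        else if (*s >= 'a' && *s <= 'f') d = (size_t)(*s - 'a') + 10;
        else if (*s >= 'A' && *s <= 'F') d = (size_t)(*s - 'A') + 10;
        else break;
        if (d > limit || n > (limit - d) / 16) return -1; /* n*16+d > limit */
        n = n * 16 + d;
    }
    if (s == *p || end - s < 2 || s[0] != '\r' || s[1] != '\n') return -1;
    *p = s + 2;
    *out = n;
    return 0;
}

/* Decode a full chunked body (no trailers); 0 on success, -1 if rejected. */
int decode_chunked(const char *in, size_t in_len, char *out, size_t cap, size_t *out_len)
{
    const char *p = in, *end = in + in_len;
    size_t used = 0, sz;
    for (;;) {
        /* The limit is the space left in out, so sz is a safe copy length. */
        if (parse_chunk_size(&p, end, cap - used, &sz) != 0) return -1;
        if (sz == 0) break;
        if ((size_t)(end - p) < 2 || (size_t)(end - p) - 2 < sz) return -1;
        if (p[sz] != '\r' || p[sz + 1] != '\n') return -1;
        memcpy(out + used, p, sz);
        used += sz;
        p += sz + 2;
    }
    if (end - p < 2 || p[0] != '\r' || p[1] != '\n') return -1;
    *out_len = used;
    return 0;
}

int main(void)
{
    const char wire[] = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"; /* constructed sample */
    char buf[16]; size_t n = 0;
    if (decode_chunked(wire, sizeof wire - 1, buf, sizeof buf, &n) != 0) return 1;
    printf("%.*s\n", (int)n, buf);
    return 0;
}
```

A size line that is not plain hex, that would overflow, or that exceeds the remaining buffer space is rejected before any copy takes place.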


