Apache HTTP Server chunk encoding stack overflow

Risk: High
Date Discovered: 06-17-2002

Description

Apache HTTP Server contains a vulnerability in the handling of certain chunk-encoded HTTP requests that may allow remote attackers to execute arbitrary code or cause a denial of service (DoS).
Chunked encoding permits the transfer of fragments of dynamically produced content of varying sizes by including a size indicator as well as information for the recipient to verify receipt of the complete message.
For Apache versions 1.2.2 through 1.3.24, this vulnerability may allow remote attackers to execute arbitrary code on Windows platforms. In addition, Apache has reported that a similar attack may allow the execution of arbitrary code on both 32-bit and 64-bit UNIX-based systems.
For Apache versions 2.0 through 2.0.36, the buffer overflow condition is correctly detected; however, an attempted exploit may cause the child process to exit, depending on a variety of factors, including the threading model supported by the vulnerable system. If multi-threading is used, this can result in a denial of service against the Apache Web server, because all concurrent requests being served by the affected child process are lost.
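As an added illustration (this is not Apache's code or part of the Symantec alert), a minimal chunked-body decoder in C showing the checks a receiver must apply to the attacker-controlled chunk-size field before any data is copied: reject empty, signed or non-hex sizes, sizes that overflow the integer type, sizes larger than the receive buffer, and chunks that the input cannot actually supply. MAX_CHUNK and the sample bodies are constructed values for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHUNK 8192  /* constructed receive-buffer limit, not Apache's */

/* Parse one hex chunk-size line ("1a" or "1a;ext=val"). Returns the size,
 * or -1 if the field is empty, signed, non-hex, overflows, or exceeds
 * MAX_CHUNK. Rejecting '-' matters: strtoul("-1") silently wraps around. */
long parse_chunk_size(const char *line) {
    const char *p = line;
    char *end;
    while (*p == ' ' || *p == '\t') p++;
    if (!isxdigit((unsigned char)*p)) return -1;
    errno = 0;
    unsigned long n = strtoul(p, &end, 16);
    if (errno == ERANGE || n > MAX_CHUNK) return -1;
    if (*end != '\0' && *end != ';' && *end != '\r' && *end != '\n') return -1;
    return (long)n;
}

/* Decode a complete chunked body held in memory into out[outcap].
 * Returns the decoded length, or -1 if any chunk is malformed, truncated,
 * or would not fit: each length is checked against BOTH the remaining
 * input and the remaining output space before memcpy runs. */
long decode_chunked(const char *in, size_t inlen, char *out, size_t outcap) {
    size_t pos = 0, outlen = 0;
    char sizeline[32];
    for (;;) {
        size_t eol = pos;
        while (eol + 1 < inlen && !(in[eol] == '\r' && in[eol + 1] == '\n')) eol++;
        if (eol + 1 >= inlen) return -1;               /* no CRLF after size */
        size_t llen = eol - pos;
        if (llen >= sizeof sizeline) return -1;        /* size line too long */
        memcpy(sizeline, in + pos, llen);
        sizeline[llen] = '\0';
        long n = parse_chunk_size(sizeline);
        if (n < 0) return -1;
        pos = eol + 2;
        if (n == 0) return (long)outlen;               /* last-chunk reached */
        if ((size_t)n > inlen - pos || (size_t)n > outcap - outlen) return -1;
        memcpy(out + outlen, in + pos, (size_t)n);
        outlen += (size_t)n;
        pos += (size_t)n;
        if (pos + 2 > inlen || in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;                                      /* CRLF ending the data */
    }
}
```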
Multi-threading is a technique that allows an independent program to perform more than one task at seemingly the same time. For example, a program that loads a data file while also reading user input is said to have two computational units and is therefore multi-threaded.
This vulnerability affects Apache Web server versions that run on many of the various Windows, BSD, Linux, and UNIX releases. Users are encouraged to contact their vendor to determine whether they are affected and acquire appropriate fixes.
Symantec Enterprise Solutions
NetRecon, Symantec's vulnerability assessment tool, has a check for vulnerable Apache HTTP Server versions included in Security Update 10, which will be available through LiveUpdate.
NetProwler, Symantec's network-based intrusion detection tool, includes detection for attempts to exploit this issue in Security Update 18, which is available for download through the NetProwler update capabilities.

Platforms Affected
Multiple

Components Affected
Apache HTTP Server 1.3.24 and previous
Apache HTTP Server 2.0.36 and previous
Apple Macintosh OS 10.0, 10.0.1
BSDI BSD/OS 4.0
IBM AIX 4.3, 5.1L
Mandrake Soft Linux 7.1, 7.2
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional
Microsoft Windows NT Server 4.0
Microsoft Windows NT, Terminal Server Edition 4.0
OpenBSD BSD 2.8
Oracle Corporation 9i Enterprise Edition 9.0.1
Stronghold Secure Web Server 3.0
Red Hat Software, Inc. Stronghold Secure Web Server 4.0
S.U.S.E. GmbH Linux 7.0
Recommendations

Apache HTTP Server 1.3.24 and previous Upgrade : Upgrade to Apache HTTP Server 1.3.26
Upgrade to the latest version of Apache HTTP Server to eliminate vulnerabilities found in earlier versions.
Refer to the announcement.txt file on the upgrade for installation instructions.
The Advisory from Apache Software Foundation advises that the patch provided in the ISS advisory on this topic does not completely correct this vulnerability.
Apache HTTP Server 2.0.36 and previous Upgrade : Upgrade to Apache HTTP Server 2.0.39
Upgrade to the latest version of Apache HTTP Server to eliminate vulnerabilities found in earlier versions.
Refer to the announcement.txt file on the upgrade for installation instructions.
The Advisory from Apache Software Foundation advises that the patch provided in the ISS advisory on this topic does not completely correct this vulnerability.
Apple Macintosh OS 10.0, 10.0.1 Upgrade : Upgrade to Apache HTTP Server 1.3.26
Upgrade to the latest version of Apache HTTP Server to eliminate vulnerabilities found in earlier versions.
Refer to the announcement.txt file on the upgrade for installation instructions.
The Advisory from Apache Software Foundation advises that the patch provided in the ISS advisory on this topic does not completely correct this vulnerability.
BSDI BSD/OS 4.0 Upgrade : Apache HTTP Server 1.3.26
Upgrade to the latest version of Apache HTTP Server to eliminate vulnerabilities found in earlier versions.
Refer to the announcement.txt file on the upgrade for installation instructions.
The Advisory from Apache Software Foundation advises that the patch provided in the ISS advisory on this topic does not completely correct this vulnerability.
BSDI BSD/OS 4.0 Patch : OpenBSD chunk-encoding httpd.patch
OpenBSD has released patches addressing the chunk-encoding vulnerability in Apache HTTP servers. Ensure you download the correct version of this patch for your operating system.
IBM AIX 4.3 Patch : IBM AIX Server heap overflow Apache HTTP server Patch
This patch addresses the heap overflow chunk encoding vulnerability on Apache HTTP servers used on IBM AIX servers.
IBM AIX 4.3 and 5.1L: install on AIX systems running Apache HTTP Server.
IBM AIX 5.1L Patch : IBM AIX Server heap overflow Apache HTTP server Patch
This patch addresses the heap overflow chunk encoding vulnerability on Apache HTTP servers used on IBM AIX servers.
IBM AIX 4.3 and 5.1L: install on AIX systems running Apache HTTP Server.
Mandrake Soft Linux 7.1, 7.2 Upgrade : Upgrade to Apache HTTP Server 2.0.39
Upgrade to the latest version of Apache HTTP Server to eliminate vulnerabilities found in earlier versions.
Refer to the announcement.txt file on the upgrade for installation instructions.
The Advisory from Apache Software Foundation advises that the patch provided in the ISS advisory on this topic does not completely correct this vulnerability.
Mandrake Soft Linux 7.1, 7.2 Patch : Mandrake Apache HTTP Server Overflow patch
Mandrake has released a patch fixing the potential code execution vulnerability for its operating systems when using Apache Software Foundation HTTP Server.
Mandrake Soft Linux 7.1, 7.2 Patch : Mandrake Apache HTTP Server DoS patch
Mandrake has released a patch to repair the Denial of Service vulnerability associated with Apache Software Foundation's HTTP Server.
Microsoft Windows 2000 Professional, Server, Advanced Server, Datacenter Server Upgrade : Upgrade to Apache HTTP Server 1.3.26
Upgrade to the latest version of Apache HTTP Server to eliminate vulnerabilities found in earlier versions.
Refer to the announcement.txt file on the upgrade for installation instructions.
The Advisory from Apache Software Foundation advises that the patch provided in the ISS advisory on this topic does not completely correct this vulnerability.
Microsoft Windows NT Server, Terminal Server Edition 4.0 Upgrade : Upgrade to Apache HTTP Server 1.3.26
Upgrade to the latest version of Apache HTTP Server to eliminate vulnerabilities found in earlier versions.
Refer to the announcement.txt file on the upgrade for installation instructions.
The Advisory from Apache Software Foundation advises that the patch provided in the ISS advisory on this topic does not completely correct this vulnerability.
OpenBSD BSD 2.8 Patch : OpenBSD chunk-encoding httpd.patch
OpenBSD has released patches addressing the chunk-encoding vulnerability in Apache HTTP servers. Ensure you download the correct version of this patch for your operating system.
OpenBSD BSD 2.8 Upgrade : Upgrade to Apache HTTP Server 2.0.39
Upgrade to the latest version of Apache HTTP Server to eliminate vulnerabilities found in earlier versions.
Refer to the announcement.txt file on the upgrade for installation instructions.
The Advisory from Apache Software Foundation advises that the patch provided in the ISS advisory on this topic does not completely correct this vulnerability.
Oracle Corporation 9i Enterprise Edition 9.0.1 Patch : Oracle Patch 2424256
Oracle has released a patch which fixes the chunk-encoding vulnerability in the Apache HTTP Servers.
Red Hat Software, Inc. Linux 6.2, 7.0, 7.1, 7.2, 7.3 Patch : Red Hat Patch for Linux Chunk Encoding
This patch addresses the Heap Overflow vulnerability caused by improper chunk encoding in the Apache HTTP Web Server running on Red Hat Linux.
Red Hat Linux 6.2:
  SRPMS:
    ftp://updates.redhat.com/6.2/en/os/SRPMS/apache-1.3.22-5.6.src.rpm
  alpha:
    ftp://updates.redhat.com/6.2/en/os/alpha/apache-1.3.22-5.6.alpha.rpm
    ftp://updates.redhat.com/6.2/en/os/alpha/apache-devel-1.3.22-5.6.alpha.rpm
    ftp://updates.redhat.com/6.2/en/os/alpha/apache-manual-1.3.22-5.6.alpha.rpm
  i386:
    ftp://updates.redhat.com/6.2/en/os/i386/apache-1.3.22-5.6.i386.rpm
    ftp://updates.redhat.com/6.2/en/os/i386/apache-devel-1.3.22-5.6.i386.rpm
    ftp://updates.redhat.com/6.2/en/os/i386/apache-manual-1.3.22-5.6.i386.rpm
  sparc:
    ftp://updates.redhat.com/6.2/en/os/sparc/apache-1.3.22-5.6.sparc.rpm
    ftp://updates.redhat.com/6.2/en/os/sparc/apache-devel-1.3.22-5.6.sparc.rpm
    ftp://updates.redhat.com/6.2/en/os/sparc/apache-manual-1.3.22-5.6.sparc.rpm

Red Hat Linux 7.0:
  SRPMS:
    ftp://updates.redhat.com/7.0/en/os/SRPMS/apache-1.3.22-5.7.1.src.rpm
  alpha:
    ftp://updates.redhat.com/7.0/en/os/alpha/apache-1.3.22-5.7.1.alpha.rpm
    ftp://updates.redhat.com/7.0/en/os/alpha/apache-devel-1.3.22-5.7.1.alpha.rpm
    ftp://updates.redhat.com/7.0/en/os/alpha/apache-manual-1.3.22-5.7.1.alpha.rpm
  i386:
    ftp://updates.redhat.com/7.0/en/os/i386/apache-1.3.22-5.7.1.i386.rpm
    ftp://updates.redhat.com/7.0/en/os/i386/apache-devel-1.3.22-5.7.1.i386.rpm
    ftp://updates.redhat.com/7.0/en/os/i386/apache-manual-1.3.22-5.7.1.i386.rpm

Red Hat Linux 7.1:
  SRPMS:
    ftp://updates.redhat.com/7.1/en/os/SRPMS/apache-1.3.22-5.7.1.src.rpm
  alpha:
    ftp://updates.redhat.com/7.1/en/os/alpha/apache-1.3.22-5.7.1.alpha.rpm
    ftp://updates.redhat.com/7.1/en/os/alpha/apache-devel-1.3.22-5.7.1.alpha.rpm
    ftp://updates.redhat.com/7.1/en/os/alpha/apache-manual-1.3.22-5.7.1.alpha.rpm
  i386:
    ftp://updates.redhat.com/7.1/en/os/i386/apache-1.3.22-5.7.1.i386.rpm
    ftp://updates.redhat.com/7.1/en/os/i386/apache-devel-1.3.22-5.7.1.i386.rpm
    ftp://updates.redhat.com/7.1/en/os/i386/apache-manual-1.3.22-5.7.1.i386.rpm
  ia64:
    ftp://updates.redhat.com/7.1/en/os/ia64/apache-1.3.22-5.7.1.ia64.rpm
    ftp://updates.redhat.com/7.1/en/os/ia64/apache-devel-1.3.22-5.7.1.ia64.rpm
    ftp://updates.redhat.com/7.1/en/os/ia64/apache-manual-1.3.22-5.7.1.ia64.rpm

Red Hat Linux 7.2:
  SRPMS:
    ftp://updates.redhat.com/7.2/en/os/SRPMS/apache-1.3.22-6.src.rpm
  i386:
    ftp://updates.redhat.com/7.2/en/os/i386/apache-1.3.22-6.i386.rpm
    ftp://updates.redhat.com/7.2/en/os/i386/apache-devel-1.3.22-6.i386.rpm
    ftp://updates.redhat.com/7.2/en/os/i386/apache-manual-1.3.22-6.i386.rpm
  ia64:
    ftp://updates.redhat.com/7.2/en/os/ia64/apache-1.3.22-6.ia64.rpm
    ftp://updates.redhat.com/7.2/en/os/ia64/apache-devel-1.3.22-6.ia64.rpm
    ftp://updates.redhat.com/7.2/en/os/ia64/apache-manual-1.3.22-6.ia64.rpm

Red Hat Linux 7.3:
  SRPMS:
    ftp://updates.redhat.com/7.3/en/os/SRPMS/apache-1.3.23-14.src.rpm
  i386:
    ftp://updates.redhat.com/7.3/en/os/i386/apache-1.3.23-14.i386.rpm
    ftp://updates.redhat.com/7.3/en/os/i386/apache-devel-1.3.23-14.i386.rpm
    ftp://updates.redhat.com/7.3/en/os/i386/apache-manual-1.3.23-14.i386.rpm
Red Hat Software, Inc. Stronghold Secure Web Server 3.0 Patch : Red Hat Patch for Stronghold 3.0 Chunk Encoding
This patch addresses the Heap Overflow vulnerability caused by improper chunk encoding in the Red Hat Stronghold 3.0 build 3016 secure web server.
Patch and installation instructions are available for download from URL: http://stronghold.redhat.com/sh3/errata-2002-118
Red Hat Software, Inc. Stronghold Secure Web Server 4.0 Patch : Red Hat Patch for Stronghold Enterprise 4.0 Chunk Encoding
This patch addresses the Heap Overflow vulnerability caused by improper chunk encoding in the Red Hat Stronghold Enterprise 4.0 secure web server.
Patch and installation instructions are available for download from URL: http://stronghold.redhat.com/sh4/errata-2002-118
S.U.S.E. GmbH Linux 7.0 Patch : SuSE RPM apache-patch
S.u.S.E. has released patches for the chunk encoding stack overflow and DoS vulnerability affecting its operating systems when using Apache Software Foundation HTTP Server. Ensure you download and install the correct patch for your specific operating system.
S.U.S.E. GmbH Linux 7.0 Upgrade : Upgrade to Apache HTTP Server 2.0.39
Upgrade to the latest version of Apache HTTP Server to eliminate vulnerabilities found in earlier versions.
Refer to the announcement.txt file on the upgrade for installation instructions.
The Advisory from Apache Software Foundation advises that the patch provided in the ISS advisory on this topic does not completely correct this vulnerability.

References

Source: CERT CA-2002-17 URL: http://www.cert.org//advisories/CA-2002-17.html
Source: Apache 20020617 URL: http://httpd.apache.org/info/security_bulletin_20020617.txt
Source: CVE CAN-2002-0392 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392
Source: Security Focus.com BID 5033 URL: http://online.securityfocus.com/bid/5033
Source: Red Hat RHSA-2002-103-13 URL: http://rhn.redhat.com/errata/RHSA-2002-103.html
Copyright (c) 2008 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.