
Re: [cobalt-developers] Fwd: CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability



Anyone subscribed to this list should also be subscribed to the
CERT mailing list.

http://www.cert.org/contact_cert/certmaillist.html

I also recommend stopping by the SANS web site and subscribing to their
NewsBites.
http://www.sans.org/newlook/digests/newsbites.htm

On Tue, 2002-06-18 at 18:42, jale@xxxxxxxxxx wrote:
> Since the previous message mentioned this, I thought I would pass it on for 
> those who need to know these things. It's sometimes nice to have a brother 
> who is a criminal defense attorney who tracks these things for me :)
> 
> Regards,
> Jale
> 
> >From: CERT Advisory <cert-advisory@xxxxxxxx>
> >To: cert-advisory@xxxxxxxx
> >Organization: CERT(R) Coordination Center - +1 412-268-7090
> >List-Help: <http://www.cert.org/>, <mailto:Majordomo@xxxxxxxx?body=help>
> >List-Subscribe: <mailto:Majordomo@xxxxxxxx?body=subscribe%20cert-advisory>
> >List-Unsubscribe: <mailto:Majordomo@xxxxxxxx?body=unsubscribe%20cert-advisory>
> >List-Post: NO (posting not allowed on this list)
> >List-Owner: <mailto:cert-advisory-owner@xxxxxxxx>
> >List-Archive: <http://www.cert.org/>
> >Subject: CERT Advisory CA-2002-17 Apache Web Server Chunk Handling 
> >Vulnerability
> >
> >
> >
> >-----BEGIN PGP SIGNED MESSAGE-----
> >
> >CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability
> >
> >    Original release date: June 17, 2002
> >    Last revised: --
> >    Source: CERT/CC
> >
> >    A complete revision history can be found at the end of this file.
> >
> >Systems Affected
> >
> >      * Web servers based on Apache code versions 1.3 through 1.3.24
> >      * Web servers based on Apache code versions 2.0 through 2.0.36
> >
> >Overview
> >
> >    There is a remotely exploitable vulnerability in the handling of large
> >    chunks  of  data  in web servers that are based on Apache source code.
> >    This  vulnerability  is present by default in configurations of Apache
> >    web  servers  versions  1.3  through  1.3.24  and versions 2.0 through
> >    2.0.36.  The  impact  of  this  vulnerability  is  dependent  upon the
> >    software version and the hardware platform the server is running on.
> >
> >I. Description
> >
> >    Apache is a popular web server that includes support for chunk-encoded
> >    data according to the HTTP 1.1 standard as described in RFC2616. There
> >    is  a  vulnerability  in  the  handling  of certain chunk-encoded HTTP
> >    requests that may allow remote attackers to execute arbitrary code.
> >
> >    The  Apache  Software  Foundation has published an advisory describing
> >    the details of this vulnerability. This advisory is available on their
> >    web site at
> >
> >           http://httpd.apache.org/info/security_bulletin_20020617.txt
> >
> >II. Impact
> >
> >    For  Apache  versions 1.3 through 1.3.24 inclusive, this vulnerability
> >    may allow the execution of arbitrary code by remote attackers. Several
> >    sources have reported that this vulnerability can be used by intruders
> >    to  execute  arbitrary  code  on  Windows platforms. Additionally, the
> >    Apache  Software  Foundation  has  reported  that a similar attack may
> >    allow the execution of arbitrary code on 64-bit UNIX systems.
> >
> >    For  Apache  versions  2.0  through  2.0.36  inclusive,  the condition
> >    causing  the  vulnerability is correctly detected and causes the child
> >    process  to  exit.  Depending  on  a variety of factors, including the
> >    threading model supported by the vulnerable system, this may lead to a
> >    denial-of-service attack against the Apache web server.
> >
> >III. Solution
> >
> >Apply a patch from your vendor
> >
> >    Apply  a  patch  from  your  vendor to correct this vulnerability. The
> >    CERT/CC  has  been informed by the Apache Software Foundation that the
> >    patch  provided  in the ISS advisory on this topic does not completely
> >    correct  this  vulnerability.  More  information about vendor-specific
> >    patches  can  be found in the vendor section of this document. Because
> >    the   publication  of  this  advisory  was  unexpectedly  accelerated,
> >    statements  from  all  of  the  affected vendors were not available at
> >    publication  time.  As  additional  information  from  vendors becomes
> >    available, this document will be updated.
> >
> >Upgrade to the latest version
> >
> >    The Apache Software Foundation has released two new versions of Apache
> >    that correct this vulnerability. System administrators can prevent the
> >    vulnerability  from  being  exploited  by  upgrading to Apache version
> >    1.3.25  or  2.0.39.  The new versions of Apache will be available from
> >    their web site at
> >
> >           http://httpd.apache.org/
> >
> >Appendix A. - Vendor Information
> >
> >    This  appendix  contains  information  provided  by  vendors  for this
> >    advisory.  As  vendors  report new information to the CERT/CC, we will
> >    update this section and note the changes in our revision history. If a
> >    particular  vendor  is  not  listed  below, we have not received their
> >    comments.
> >
> >Apache Software Foundation
> >
> >    New versions of the Apache software are available from:
> >
> >           http://httpd.apache.org/
> >
> >Conectiva Linux
> >
> >    The  Apache  webserver  shipped  with Conectiva Linux is vulnerable to
> >    this  problem.  New  packages fixing this problem will be announced to
> >    our mailing list after an official fix becomes available.
> >
> >Cray, Inc.
> >
> >    Cray,  Inc.  does  not  distribute  Apache  with  any of its operating
> >    systems.
> >
> >IBM Corporation
> >
> >    IBM  makes  the Apache Server available for AIX customers as a software
> >    package  under  the  AIX-Linux  Affinity  initiative.  This package is
> >    included  on  the  AIX  Toolbox  for Linux Applications CD, and can be
> >    downloaded via the IBM Linux Affinity website. The currently available
> >    version of Apache Server is susceptible to the vulnerability described
> >    here.  We  will  update  our Apache Server offering shortly to version
> >    1.3.23,  including  the patch for this vulnerability; this update will
> >    be made available for downloading by accessing this URL:
> >
> >           http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
> >
> >    and following the instructions presented there.
> >
> >    Please  note  that  Apache Server, and all Linux Affinity software, is
> >    offered on an "as-is" basis. IBM does not own the source code for this
> >    software,  nor  has  it developed and fully tested this code. IBM does
> >    not support these software packages.
> >
> >Lotus
> >
> >    We have verified that the Lotus Domino web server is not vulnerable to
> >    this  type of problem. Also, we do not ship Apache code with any Lotus
> >    products.
> >
> >Microsoft Corporation
> >
> >    Microsoft does not ship the Apache web server.
> >
> >Network Appliance
> >
> >    NetApp systems are not vulnerable to this problem.
> >
> >RedHat Inc.
> >
> >    Red  Hat  distributes  Apache  1.3  versions  in  all  Red  Hat  Linux
> >    distributions, and as part of Stronghold. However we do not distribute
> >    Apache  for Windows. We are currently investigating the issue and will
> >    work on producing errata packages when an official fix for the problem
> >    is  made  available.  When  these  updates  are  complete they will be
> >    available  from  the  URL below. At the same time users of the Red Hat
> >    Network will be able to update their systems using the 'up2date' tool.
> >
> >           http://rhn.redhat.com/errata/RHSA-2002-103.html
> >
> >Unisphere Networks
> >
> >    The  Unisphere  Networks  SDX-300 Service Deployment System (aka. SSC)
> >    uses  Apache  1.3.24. We are releasing Version 3.0 using Apache 1.3.25
> >    soon, and will be issuing a patch release for SSC Version 2.0.3 in the
> >    very near future.
> >      _________________________________________________________________
> >
> >    The CERT/CC thanks Mark Litchfield for reporting this vulnerability to
> >    the  Apache  Software  Foundation,  and  Mark  Cox  for reporting this
> >    vulnerability to the CERT/CC.
> >      _________________________________________________________________
> >
> >    Author: Cory F. Cohen
> >    ______________________________________________________________________
> >
> >    This document is available from:
> >    http://www.cert.org/advisories/CA-2002-17.html
> >    ______________________________________________________________________
> >
> >CERT/CC Contact Information
> >
> >    Email: cert@xxxxxxxx
> >           Phone: +1 412-268-7090 (24-hour hotline)
> >           Fax: +1 412-268-6989
> >           Postal address:
> >           CERT Coordination Center
> >           Software Engineering Institute
> >           Carnegie Mellon University
> >           Pittsburgh PA 15213-3890
> >           U.S.A.
> >
> >    CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
> >    EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
> >    during other hours, on U.S. holidays, and on weekends.
> >
> >Using encryption
> >
> >    We  strongly  urge you to encrypt sensitive information sent by email.
> >    Our public PGP key is available from
> >    http://www.cert.org/CERT_PGP.key
> >
> >    If  you  prefer  to  use  DES,  please  call the CERT hotline for more
> >    information.
> >
> >Getting security information
> >
> >    CERT  publications  and  other security information are available from
> >    our web site
> >    http://www.cert.org/
> >
> >    To  subscribe  to  the CERT mailing list for advisories and bulletins,
> >    send  email  to majordomo@xxxxxxxxx Please include in the body of your
> >    message
> >
> >    subscribe cert-advisory
> >
> >    *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
> >    Patent and Trademark Office.
> >    ______________________________________________________________________
> >
> >    NO WARRANTY
> >    Any  material furnished by Carnegie Mellon University and the Software
> >    Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
> >    Mellon University makes no warranties of any kind, either expressed or
> >    implied  as  to  any matter including, but not limited to, warranty of
> >    fitness  for  a  particular purpose or merchantability, exclusivity or
> >    results  obtained from use of the material. Carnegie Mellon University
> >    does  not  make  any warranty of any kind with respect to freedom from
> >    patent, trademark, or copyright infringement.
> >      _________________________________________________________________
> >
> >    Conditions for use, disclaimers, and sponsorship information
> >
> >    Copyright 2002 Carnegie Mellon University.
> >
> >    Revision History
> >June 17, 2002:  Initial release
> >
> >-----BEGIN PGP SIGNATURE-----
> >Version: PGP 6.5.8
> >
> >iQCVAwUBPQ6RhKCVPMXQI2HJAQHQ7AQAs7nkN3DoS3utJlLUSOrT30PD5FDjSHmu
> >F3jrO6goHJVpyL5GuliDgrdP1rqZOLr19vbExKo+YMOAGo1R9FQfn6URQMiOsGG7
> >KeZGGk/fZBf3n8wrA3fu8CXAW5pTi0lu3kGcLYyBU8cqEEkunEFx/nQPsANcu+fR
> >FnqtSf7LhQI=
> >=mZEs
> >-----END PGP SIGNATURE-----
> 
> 
> _______________________________________________
> cobalt-developers mailing list
> cobalt-developers@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-developers
> 
-- 
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone  707.766.9509
Fax    707.766.8989
http://www.obsidian-studios.com
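The forwarded advisory gives two facts an administrator acts on: the affected ranges (Apache 1.3 through 1.3.24 and 2.0 through 2.0.36) and the first fixed releases (1.3.25 and 2.0.39). The following script is an added example, not part of this thread or of CERT's or Apache's material: it parses the version out of an HTTP `Server:` header value and classifies it against those ranges so a list of hosts can be triaged. The host names and header strings in `SAMPLE` are constructed. Versions that fall between the last affected and first fixed release on a branch, or on any other branch, are reported as `unknown` rather than guessed. Because `ServerTokens` can hide the version (and the header can be altered), treat the result as a hint to confirm against the installed package version, not as proof either way.

```python
import re

# Affected ranges from CA-2002-17, inclusive, as (major, minor, patch) tuples.
AFFECTED = {
    (1, 3): ((1, 3, 0), (1, 3, 24)),
    (2, 0): ((2, 0, 0), (2, 0, 36)),
}
# First release on each branch that the advisory names as fixed.
FIXED = {(1, 3): (1, 3, 25), (2, 0): (2, 0, 39)}

_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)(?:\.(\d+))?")


def parse_apache_version(server_header):
    """Extract (major, minor, patch) from a Server header value such as
    'Apache/1.3.24 (Unix)'. Returns None when no Apache version is present,
    e.g. the server is not Apache or ServerTokens hides the version."""
    m = _VERSION_RE.search(server_header or "")
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def classify(version):
    """Return 'affected', 'fixed', or 'unknown' for a version tuple.
    'unknown' covers missing versions, other branches, and the gap between
    the last affected and first fixed release on a branch."""
    if version is None:
        return "unknown"
    branch = version[:2]
    if branch in AFFECTED:
        lo, hi = AFFECTED[branch]
        if lo <= version <= hi:
            return "affected"
        if version >= FIXED[branch]:
            return "fixed"
    return "unknown"


def triage(server_headers):
    """Classify (host, Server header) pairs; returns a dict host -> status."""
    return {host: classify(parse_apache_version(hdr)) for host, hdr in server_headers}


# Constructed sample inventory: hypothetical hosts and header values.
SAMPLE = [
    ("www1.example.test", "Apache/1.3.24 (Unix) mod_ssl/2.8.8"),
    ("www2.example.test", "Apache/2.0.36 (Win32)"),
    ("www3.example.test", "Apache/1.3.25 (Unix)"),
    ("www4.example.test", "Apache/2.0.39"),
    ("www5.example.test", "Apache"),            # version hidden by ServerTokens
    ("www6.example.test", "Microsoft-IIS/5.0"),  # not Apache at all
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:20s} {status}")
```

Hosts reported `unknown` still need a look: a hidden version is the common case on hardened servers, and the package manager (for example the Red Hat errata packages the advisory points to) is the authoritative source for what is actually installed.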