CVSS2
Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:L/AC:L/Au:N/C:P/I:P/A:P |

CVSS3
Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

EPSS
Metric | Value |
---|---|
Percentile | 26.9% |
A buffer overflow exists in mod_ssl.
mod_ssl is an Apache module that allows secure connections over X.509 authenticated channels. A buffer overflow exists in the ssl_compat_directive() function. For more detailed information, please see the original vulnerability report.
A local attacker can execute arbitrary code with the privileges of the web server. Additionally, an attacker may be able to add bogus entries to multiple web server log files. An attacker may also be able to slow down or even stop the web server.
Apply a patch from your vendor.
Do not allow per-directory config files. To accomplish this, set the AllowOverride directive to “none” in the httpd.conf file. As a reminder, you must restart the web server for the changes to take effect.
Updated: April 30, 2003
Affected
This is fixed in Security Update 2002-08-02. Further information is available from:
<http://docs.info.apple.com/article.html?artnum=61798>
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).
Updated: July 08, 2002
Affected
Please see <http://lwn.net/Articles/3951/>.
Updated: April 30, 2003
Affected
This vulnerability was fixed in DSA-135 (02 Jul 2002):
<http://www.debian.org/security/2002/dsa-135>
Updated: April 17, 2003
Affected
<http://mail-archives.engardelinux.org/engarde-users/2002/Jul/0009.html>
Updated: April 17, 2003
Affected
We have not received a statement from the vendor.
Please see <http://www.securityfocus.com/advisories/4298>.
Updated: June 17, 2003
Affected
The AIX operating system does not ship with mod_ssl. However, mod_ssl is available for installation on AIX from the Linux Affinity Toolbox.
Users using mod_ssl 2.8.10 or later are not vulnerable to the issues discussed in CERT Vulnerability Note VU#104555 and any advisories which follow.
This vulnerability is present in mod_ssl 2.8.9 and earlier; users are urged to upgrade as soon as possible.
The Linux Affinity Toolbox is available at:
<http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html>
This software is offered on an “as-is” basis and is unwarranted.
Updated: April 30, 2003
Affected
A number of Red Hat products included mod_ssl packages vulnerable to this issue. Updated packages are available along with our advisories at the URLs below. Users of the Red Hat Network can update their systems using the ‘up2date’ tool.
Red Hat Linux:
<http://rhn.redhat.com/errata/RHSA-2002-134.html>
Red Hat Enterprise Linux:
<http://rhn.redhat.com/errata/RHSA-2002-136.html>
Stronghold 3:
<http://rhn.redhat.com/errata/RHSA-2002-164.html>
Stronghold 4 (cross-platform):
<http://rhn.redhat.com/errata/RHSA-2002-146.html>
Updated: April 17, 2003
Affected
<ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.31/CSSA-2002-SCO.31.txt>
Updated: July 08, 2002
Affected
Please see <http://www.mail-archive.com/[email protected]/msg14451.html>.
Updated: May 01, 2003
Not Affected
Extreme Networks software suite is not vulnerable to the attack explained in VU#10455, as it does not include the Webserver implementation from Apache. Investigation and testing by Extreme Network engineering reveals the current Webserver implementation in Extreme Networks software suite is not vulnerable to the attack explained in VU#104555.
Updated: May 07, 2003
Not Affected
Foundry Networks has tested for this vulnerability and is not affected by the buffer overflow in mod_ssl as described in VU#104555.
Updated: May 08, 2003
Not Affected
Hitachi Web Server is NOT Vulnerable to this issue.
Updated: May 02, 2003
Not Affected
Ingrian Networks products are not vulnerable to VU#104555.
Updated: April 30, 2003
Not Affected
The mod_ssl that SGI just started shipping as a supported offering, in IRIX 6.5.20, is not vulnerable.
Updated: May 30, 2003
Not Affected
A response to this vulnerability is available from our web site: <http://www.xerox.com/security>.
Notified: April 29, 2003 Updated: April 29, 2003
Unknown
We have not received a statement from the vendor.
Notified: April 29, 2003 Updated: April 29, 2003
Unknown
We have not received a statement from the vendor.
Updated: May 08, 2003
Unknown
We have not received a statement from the vendor.
This vulnerability was discovered by Frank Denis.
This document was written by Ian A Finlay.
CVE IDs: | CVE-2002-0653 |
---|---|
Severity Metric: | 23.63 |
Date Public: | |