Buffer Overflow in mod_ssl

Overview

A buffer overflow exists in mod_ssl.

Description

mod_ssl is an Apache module that allows secure connections over X.509 authenticated channels. A buffer overflow exists in the ssl_compat_directive() function. For more detailed information, please see the original vulnerability report.

---

Impact

A local attacker can execute arbitrary code with the privileges of the web server. Additionally, an attacker may be able to add bogus entries to multiple web server log files. An attacker may also be able to slow down or even stop the web server.

---

Solution

Apply a patch from your vendor.

---

Do not allow per-directory config files. To accomplish this, set the AllowOverride directive to “none” in the httpd.conf file. As a reminder, you must restart the web server for the changes to take effect.

---

Vendor Information

104555

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple Computer Inc. __ Affected

Updated: April 30, 2003

Status

Affected

Vendor Statement

This is fixed in Security Update 2002-08-02. Further information is available from:

<http://docs.info.apple.com/article.html?artnum=61798&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

Conectiva __ Affected

Updated: July 08, 2002

Status

Affected

Vendor Statement

Please see <http://lwn.net/Articles/3951/&gt;.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

Debian __ Affected

Updated: April 30, 2003

Status

Affected

Vendor Statement

This vulnerability was fixed in DSA-135 (02 Jul 2002):

<http://www.debian.org/security/2002/dsa-135&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

Engarde __ Affected

Updated: April 17, 2003

Status

Affected

Vendor Statement

<http://mail-archives.engardelinux.org/engarde-users/2002/Jul/0009.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

Hewlett-Packard Company __ Affected

Updated: April 17, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see <http://www.securityfocus.com/advisories/4298&gt;.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

IBM __ Affected

Updated: June 17, 2003

Status

Affected

Vendor Statement

The AIX operating system does not ship with mod_ssl. However, mod_ssl is available for installation on AIX from the Linux Affinity Toolbox.

Users using mod_ssl 2.8.10 are later are not vulnerable to the issues discussed in CERT Vulnerability Note VU#104555 and any advisories which follow.

This vulnerability is present in mod_ssl 2.8.9 and earlier; users are urged to upgrade as soon as possible.

The Linux Affinity Toolbox is available at:

<http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html&gt;

This software is offered on an “as-is” and is unwarranted.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

Red Hat Inc. __ Affected

Updated: April 30, 2003

Status

Affected

Vendor Statement

A number of Red Hat products included mod_ssl packages vulnerable to this issue. Updated packages are available along with our advisories at the URLs below. Users of the Red Hat Network can update their systems using the ‘up2date’ tool.

Red Hat Linux:
<http://rhn.redhat.com/errata/RHSA-2002-134.html&gt;
Red Hat Enterprise Linux:
<http://rhn.redhat.com/errata/RHSA-2002-136.html&gt;
Stronghold 3:
<http://rhn.redhat.com/errata/RHSA-2002-164.html&gt;
Stronghold 4 (cross-platform):
<http://rhn.redhat.com/errata/RHSA-2002-146.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

SCO __ Affected

Updated: April 17, 2003

Status

Affected

Vendor Statement

<ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.31/CSSA-2002-SCO.31.txt&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

The mod_ssl project __ Affected

Updated: July 08, 2002

Status

Affected

Vendor Statement

Please see <http://www.mail-archive.com/[email protected]/msg14451.html&gt;.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

Extreme Networks __ Not Affected

Updated: May 01, 2003

Status

Not Affected

Vendor Statement

Extreme Networks software suite is not vulnerable to the attack explained in VU#10455, as it does not include the Webserver implementation from Apache. Investigation and testing by Extreme Network engineering reveals the current Webserver implementation in Extreme Networks software suite is not vulnerable to the attack explained in VU#104555.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

Foundry Networks Inc. __ Not Affected

Updated: May 07, 2003

Status

Not Affected

Vendor Statement

Foundry Networks has tested for this vulnerability and is not affected by the buffer overflow in mod_ssl as described in VU#104555.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

Hitachi __ Not Affected

Updated: May 08, 2003

Status

Not Affected

Vendor Statement

Hitachi Web Server is NOT Vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

Ingrian Networks __ Not Affected

Updated: May 02, 2003

Status

Not Affected

Vendor Statement

Ingrian Networks products are not vulnerable to VU#104555.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

SGI __ Not Affected

Updated: April 30, 2003

Status

Not Affected

Vendor Statement

The mod_ssl that SGI just started shipping as a supported offering, in IRIX 6.5.20, is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

Xerox Corporation __ Not Affected

Updated: May 30, 2003

Status

Not Affected

Vendor Statement

A response to this vulnerability is available from our web site: <http://www.xerox.com/security&gt;.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

Data General Unknown

Notified: April 29, 2003 Updated: April 29, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

NeXT Unknown

Notified: April 29, 2003 Updated: April 29, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

Sun Microsystems Inc. Unknown

Updated: May 08, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104555 Feedback>).

View all 18 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.modssl.org/&gt;
• <http://www.securityfocus.com/bid/5084&gt;
• <http://online.securityfocus.com/archive/1/279074&gt;
• http://marc.theaimsgroup.com/?l=apache-modssl&m=102491918531562

Acknowledgements

This vulnerability was discovered by Frank Denis.

This document was written by Ian A Finlay.

Other Information

CVE IDs:	CVE-2002-0653
Severity Metric:	23.63 Date Public: