CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
98.2%
There is a remotely exploitable vulnerability in the way that Apache web servers (or other web servers based on their source code) handle data encoded in chunks. This vulnerability is present by default in configurations of Apache web server versions 1.2.2 and above, 1.3 through 1.3.24, and versions 2.0 through 2.0.36. The impact of this vulnerability is dependent upon the software version and the hardware platform the server is running on.
Apache is a popular web server that includes support for chunk-encoded data according to the HTTP 1.1 standard as described in RFC2616. There is a vulnerability in the handling of certain chunk-encoded HTTP requests that may allow remote attackers to execute arbitrary code.
The Apache Software Foundation has published an advisory describing the details of this vulnerability. This advisory is available on their web site at
<http://httpd.apache.org/info/security_bulletin_20020617.txt>
For Apache versions 1.2.2 through 1.3.24 inclusive, this vulnerability may allow the execution of arbitrary code by remote attackers. Exploits are publicly available that claim to allow the execution of arbitrary code.
For Apache versions 2.0 through 2.0.36 inclusive, the condition causing the vulnerability is correctly detected and causes the child process to exit. Depending on a variety of factors, including the threading model supported by the vulnerable system, this may lead to a denial-of-service attack against the Apache web server.
Upgrade to the latest version
The Apache Software Foundation has released two new versions of Apache that correct this vulnerability. System administrators can prevent the vulnerability from being exploited by upgrading to Apache version 1.3.26 or 2.0.39.
Due to some unexpected problems with version 1.3.25, the CERT/CC has been informed by the Apache Software Foundation that the corrected version of the software is now 1.3.26. Both 1.3.26 and 2.0.39 are available on their web site at
<http://www.apache.org/dist/httpd/>
Apply a patch from your vendor
If your vendor has provided a patch to correct this vulnerability, you may want to apply that patch rather than upgrading your version of httpd. The CERT/CC is aware of a patch from ISS that corrects some of the impacts associated with this vulnerability. System administrators are encouraged to ensure that the patch they apply is based on the code by the Apache Software Foundation that also corrects additional impacts described in this advisory.
More information about vendor-specific patches can be found in the vendor section of this document.
944335
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: June 14, 2002 Updated: June 28, 2002
Affected
In relation to this CERT advisory on security vulnerability in Apache, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. A first analysis has shown that various Alcatel products can be affected: namely the A5000 and A5020 SoftSwitches, the A5735 SMC, the A1300 NMC2, the management platforms for the A1000 UMTS/GPRS/MSC solutions, the 1353 SH and 1355 VPN. Customers using these products should upgrade to Apache WebServer 1.3.26 (or higher) or may contact their Alcatel support representative for more details. The security of our customers’ networks is of highest priority for Alcatel. Therefore we continue to test our product portfolio against potential security vulnerabilities in our products using the Apache Webserver and will provide updates if necessary.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 17, 2002
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
New versions of the Apache software are available from:
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: July 02, 2002
Affected
This vulnerability is fixed with the release of the “Security Update - July 2002” software update.
The vendor has not provided us with any further information regarding this vulnerability.
More information about this vulnerability is available at:
<http://www.apple.com/support/security/security_updates.html>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: July 16, 2002
Affected
Compaq has released Security Bulletin SSRT2253 (document number SRB0021W).
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Updated: June 19, 2002
Affected
Covalent Technologies distributes products based on Apache 1.3 and Apache 2.0 that may be subject to this vulnerability. Covalent is currently creating patches to affected products. Covalent customers will be informed by email, and by postings at www.covalent.net/support when the patches are available.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 19, 2002
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Debian security advisory DSA-131-1 describing this issue is available from:
<http://www.debian.org/security/2002/dsa-131>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 24, 2002
Affected
The following F5 Networks, Inc. products contain a vulnerable version ofthe Apache-based web server. Instructions for obtaining and installing apatch are available in the following locations.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 21, 2002
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
FreeBSD has published a Security Notice about this vulnerability:
<ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:04.asc>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 19, 2002
Affected
Guardian Digital ships Apache in all version of EnGarde Secure Linux. EnGarde Secure Profssional users may update using the GDSN. This issue was addressed in ESA-20020619-014 which may be found at:
<http://www.linuxsecurity.com/advisories/other_advisory-2137.html>
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: July 15, 2002
Affected
HP makes the Apache Server available for customers as a bundled software package called “HP Apache.” New updates are available temporarily via ftp from a site located at hprc.external.hp.com.
When the new updates are available at www.software.hp.com, the Hewlett-Packard Company Security Bulletin HPSBUX0207-197 will be updated.
To retrieve the updates from the temporary ftp site, use a browser to connect to:
<ftp://apache:[email protected]/>
or:
<ftp://apache:[email protected]/>
There are two subdirectories containing depots of swinstallable binaries with a “.t” extension, one for Apache 2.0.39 (11.00 and 11.11) and one for Apache 1.3.26 (11.00 and 11.11).
HP Virtualvault (HP-UX 11.04) patches are available from itrc.hp.com with ID’s of PHSS_27361 and PHSS_27371.
For full details, see Hewlett-Packard Company Security Bulletin HPSBUX0207-197, available on itrc.hp.com. Search for “Apache chunk”
The vendor has not provided us with any further information regarding this vulnerability.
Hewlett Packard has published security advisory HPSBUX0207-197 on this issue.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: August 08, 2002
Affected
IBM makes the Apache Server availble for AIX customers as a software package under the AIX-Linux Affinity initiative. This package is included on the AIX Toolbox for Linux Applications CD, and can be downloaded via the IBM Linux Affinity website. The currently available version of Apache Server is susceptible to the vulnerability described here. We will update our Apache Server offering shortly to version 1.3.23, including the patch for this vulnerability; this update will be made available for downloading by accessing this URL:
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
and following the instructions presented there.
Please note that Apache Server, and all Linux Affinity software, is offered on an “as-is” basis. IBM does not own the source code for this software, nor has it developed and fully tested this code. IBM does not support these software packages.
The IBM HTTP Server product, which is also bundeled with the Websphere product,is based on the Apache server. As such, it is vulnerable to the current “Chunk Handling” issue and we are woring on a patch for this problem with all due haste. This statement will be updated as more information becomes available.
Information for the Websphere patches is available from the web. Go to this URL:
http://www.ibm.com/software/webservers/appserv/support.html
Click on the “Websphere Flashes” link and look for the item for “IBM HTTP Server”. This will contain information on the exposure and links to the patches.
The IBM HMC product is also affected by the Apache vulnerability described above. The HMC is the hardware monitor and control console used with IBM’s Regatta systems. This is a seperate hardware unit that uses a Linux-based operating system and Open Source software.
Customers are advised to obtain the latest security paches for the HMC. These patches will be available early next week from the following URL:
http://techsupport.services.ibm.com/server/hmc?fetch=corrsrv.html
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 21, 2002
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Mandrake published a security advisory describing this vulnerability:
<http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-039.php>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 17, 2002 Updated: June 19, 2002
Affected
The Apache webserver shipped with Conectiva Linux is vulnerable to this problem. New packages fixing this problem will be announced to our mailing list after an official fix becomes available.
The vendor has not provided us with any further information regarding this vulnerability.
A Conectiva security announcement is avilable at:
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000498
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: November 02, 2007
Affected
`Network Appliance
Data ONTAP® and NetCache® products are not affected.
ReplicatorX versions 4.0 through 4.0.21 are affected
(This was originally released by Topio Inc, now a wholly owned subsidiary of
NetApp, as Topio Data Protection Suite (TDPS) releases 1.0 through 3.0.65).
Contact the NetApp Technical Support Center +1-888-4NETAPP for remediation
information and instructions.`
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 21, 2002
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Information about the chunked encoding problem is availabe from:
<http://www.openbsd.org/errata.html#httpd>
A patch correcting the problem is availabel at:
<ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/005_httpd.patch>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 21, 2002
Affected
Oracle has issued Oracle Security Alert #36 in response to the chunked encoding Apache HTTP Server security vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Oracle Security Alert #36 is expected to be available at:
<http://otn.oracle.com/deploy/security/alerts.htm>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 18, 2002
Affected
Red Hat distributes Apache 1.3 versions in all Red Hat Linux distributions, and as part of Stronghold. However we do not distribute Apache for Windows. We are currently investigating the issue and will work on producing errata packages when an official fix for the problem is made available. When these updates are complete they will be available from the URL below. At the same time users of the Red Hat Network will be able to update their systems using the ‘up2date’ tool.
<http://rhn.redhat.com/errata/RHSA-2002-103.html>
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 19, 2002
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
SuSE has published security announcement SuSE-SA:2002:022 describing this issue.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Updated: June 21, 2002
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Slackware Linux posted a message to their security list indicating that updated packages were available from:
<ftp://ftp.slackware.com/pub/slackware/slackware-8.0/>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 24, 2002
Affected
Sun bundles the Apache Web Server freeware product with Solaris 8 (Apache/1.3.12) and 9 (Apache/1.3.22). Both versions are affected by this vulnerability. Sun are presently producing patches for this issue for Solaris 8 and 9. Once the patches are available, we will be publishing a Sun Alert available from:
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: September 18, 2002
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Caldera has published several advisories describing this vulnerability:
<ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-029.0.txt>
ftp://ftp.caldera.com/pub/security/OpenUNIX/CSSA-2002-SCO.31.txt
ftp://ftp.caldera.com/pub/security/UnixWare/CSSA-2002-SCO.31.txt
ftp://ftp.caldera.com/pub/security/OpenServer/CSSA-2002-SCO.32.txt
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: September 18, 2002
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Caldera has published several advisories describing this vulnerability:
<ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-029.0.txt>
ftp://ftp.caldera.com/pub/security/OpenUNIX/CSSA-2002-SCO.31.txt
ftp://ftp.caldera.com/pub/security/UnixWare/CSSA-2002-SCO.31.txt
ftp://ftp.caldera.com/pub/security/OpenServer/CSSA-2002-SCO.32.txt
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Updated: June 21, 2002
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Trustix Secure Linux has published an advisory on this topic:
<http://www.trustix.net/errata/misc/2002/TSL-2002-0056-apache.asc.txt>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 27, 2002
Affected
CUSTOMER SERVICE TECHNICAL BULLETIN
SUBJECT: CERT Advisory CA-2002-17: Apache Web Server Chunk Handling Vulnerability
BULLETIN NUMBER: SSC_PSN-001
BULLETIN TYPE: Product Support Notification
AFFECTED PRODUCTS: SSC
ISSUE DATE: 06/26/2002
REVISION: 1.0
PROBLEM DESCRIPTION:
The CERT Coordination Center released an advisory on June 17, 2002 entitled, “CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability”. The URL for the full text of the advisory can be found at:
<http://www.cert.org/advisories/CA-2002-17.html>
AFFECTED PRODUCT(S):
SSC
SOLUTION:
The following releases of software have been found to suffer no negative effects from vulnerability outlined in CERT Advisory CA-2002-17:
2-0-2p2
2-0-3p2
All future releases of SSC will include the updated version of Apache web server that corrects this vulnerability.
Earlier releases of software may allow the execution of arbitrary code by remote attackers. Information needed to exploit this vulnerability is publicly known.
Affected releases include:
2-0-0 – 2-0-2p1
2-0-3 – 2-0-3p1
This Product Support Notification is publicly viewable on the Web at:
<http://support.unispherenetworks.com/websupport/CERT/ssc_psn-001.pdf>
If you have any questions concerning this notice, or to obtain the latest patch release, please contact Unisphere Networks Customer Service.
Inside the U.S. call: (800) 424-2344
Outside the U.S. call: (978) 589-9000
Via the Web @
Via email @ [email protected]
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: March 27, 2003
Affected
A response to this advisory is available from our web site:
<http://www.xerox.com/security>
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 18, 2002
Not Affected
Cray, Inc. does not distribute Apache with any of its operating systems.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 18, 2002
Not Affected
Fujitsu’s UXP/V operating system does not support Apache and is therefore not affected by the vulnerability reported in VU#944335.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 18, 2002
Not Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has been contacted by this vendor and told they have verified that the Lotus Domino web server is not vulnerable to this type of problem. Also, we have been told they do not ship Apache code with any of their products.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 17, 2002
Not Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has been contacted by this vendor and been told they do not ship the Apache web server in any of their products.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 17, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 17, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 17, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: July 08, 2002
Unknown
Cisco Systems is evaluating the vulnerabilities identified by VU#944335. Should an issue be found, Cisco will release a Security Advisory. The most up-to-date information on all Cisco product security issues may be found at
<http://www.cisco.com/go/psirt/>
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 17, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 17, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 17, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 17, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 17, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 17, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 17, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 17, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 27, 2002
Unknown
Nortel Networks is reviewing its portfolio to determine if any products are affected by the vulnerability noted in CERT Advisory CA-2002-17. A definitive statement will be issued shortly.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: July 15, 2002
Unknown
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________ SGI Security Advisory
` Title: Apache Web Server Chunk Handling vulnerability
Number: 20020605-01-I
Date: July 12, 2002
Reference: SGI Security Advisory 20020605-01-A
Reference: CERT CA-2002-17
Reference: Apache Security Bulletin 20020617
Reference: CAN-2002-0392
`
`- -----------------------
This bulletin is an update to SGI Security Advisory 20020605-01-A.
It has been reported that versions of the Apache web server up to and
including 1.3.24 and 2.0 up to and including 2.0.36 contain a bug in the
routines which deal with invalid requests which are encoded using chunked
encoding. This bug can be triggered remotely by sending a carefully crafted
invalid request. This functionality is enabled by default.
See <http://httpd.apache.org/info/security_bulletin_20020617.txt>
for
additional details.
SGI has investigated the issues and recommends the following steps for
neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.
These issues have been corrected in IRIX 6.5.17, where we are now supplying
a fixed version of Apache. We are also making the fixed version of Apache
available on our security FTP site for prior releases of IRIX.
`
`- --------------
The Apache webserver is supplied with IRIX versions since 6.5.12m/f as a
replacement for the older SGI FastTrack server. It is installed by default,
and is enabled through “chkconfig” by default.
In order to determine if the Apache webserver is installed, execute the
following command:
# versions -b | grep apache
If the following line is returned you are OK:
I sgi_apache 07/10/2002 SGI Web Server based on Apache, 1.3.26
But if either of these are returned you are vulnerable:
I sgi_apache 03/20/2001 SGI Apache Server, 1.3.17
I sgi_apache 06/10/2001 SGI Apache Server, 1.3.20
I sgi_apache 12/06/2001 SGI Web Server based on Apache, 1.3.22
These vulnerabilities might lead to a root compromise in some
configurations, and no local account is required.
These vulnerabilities have been publicly discussed in Usenet newsgroups
and mailing lists.
This vulnerability was assigned the following CVE:
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392>
`
`- ----------------------------
SGI acknowledges that it may not always be possible to immediately install
patches or upgrade the operating system. In those cases, we recommend
removing the Apache webserver and associated products by using the following
commands:
# versions remove sgi_apache*
It is not necessary to reboot the system after doing this. You should
upgrade the operating system as soon as it is possible to do so.
`
`- ----------------
SGI has not provided a patch for these issues, but instead has rolled the
fixed Apache distribution into IRIX 6.5.17 and later releases of the
operating system.
OS Version Vulnerable? Patch # Other Actions
IRIX 3.x no Note 1
IRIX 4.x no Note 1
IRIX 5.x no Note 1
IRIX 6.0.x no Note 1
IRIX 6.1 no Note 1
IRIX 6.2 no Note 1
IRIX 6.3 no Note 1
IRIX 6.4 no Note 1
IRIX 6.5 no Note 2
IRIX 6.5.1 no Note 2
IRIX 6.5.2 no Note 2
IRIX 6.5.3 no Note 2
IRIX 6.5.4 no Note 2
IRIX 6.5.5 no Note 2
IRIX 6.5.6 no Note 2
IRIX 6.5.7 no Note 2
IRIX 6.5.8 no Note 2
IRIX 6.5.9 no Note 2
IRIX 6.5.10 no Note 2
IRIX 6.5.11 no Note 2
IRIX 6.5.12 yes Note 2
IRIX 6.5.13 yes sgi_apache 1.3.26 Note 2 & 3
IRIX 6.5.14 yes sgi_apache 1.3.26 Note 2 & 3
IRIX 6.5.15 yes sgi_apache 1.3.26 Note 2 & 3
IRIX 6.5.16 yes sgi_apache 1.3.26 Note 2 & 3
IRIX 6.5.17 no
`
NOTES
1) This version of the IRIX operating has been retired. Upgrade to an actively supported IRIX operating system. See ``<http://support.sgi.com/irix/news/index.html#policy>`` for more information.
2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your SGI Support Provider or URL: ``<http://support.sgi.com/irix/swupdates/>``
3) Install sgi_apache 1.3.26 which is supplied with the IRIX 6.5.17 Applications CD or available as sgi_apache-1.3.26.tar from: <ftp://patches.sgi.com/support/free/security/patches/>{6.5.13-6.5.16}
##### Patch File Checksums ####
The actual patch will be a tar file containing the following files:
Filename: sgi_apache Algorithm #1 (sum -r): 24080 5 sgi_apache Algorithm #2 (sum): 37968 5 sgi_apache MD5 checksum: 1EE81B8F7A8DF9ED4D9AF507EA1D2755
Filename: sgi_apache.books Algorithm #1 (sum -r): 65292 3274 sgi_apache.books Algorithm #2 (sum): 32822 3274 sgi_apache.books MD5 checksum: CD6296A58A1B6F1FF2D6B212058D1C4D
Filename: sgi_apache.idb Algorithm #1 (sum -r): 13477 281 sgi_apache.idb Algorithm #2 (sum): 4276 281 sgi_apache.idb MD5 checksum: 3144B64008FF66BF858434208C6BCB5B
Filename: sgi_apache.man Algorithm #1 (sum -r): 29483 97 sgi_apache.man Algorithm #2 (sum): 35420 97 sgi_apache.man MD5 checksum: A7864555852DB7ACC913F049BFC46121
Filename: sgi_apache.src Algorithm #1 (sum -r): 43010 6244 sgi_apache.src Algorithm #2 (sum): 58317 6244 sgi_apache.src MD5 checksum: 7D2A6A9A226327D8D9990F80635AED80
Filename: sgi_apache.sw Algorithm #1 (sum -r): 20406 1852 sgi_apache.sw Algorithm #2 (sum): 32509 1852 sgi_apache.sw MD5 checksum: 371625EE5B321A76137AD1A18B23B4C0
`- -------------------
SGI Security Advisories can be found at:
<http://www.sgi.com/support/security/>
and
<ftp://patches.sgi.com/support/free/security/advisories/>
SGI Security Patches can be found at:
<http://www.sgi.com/support/security/>
and
<ftp://patches.sgi.com/support/free/security/patches/>
SGI patches for IRIX can be found at the following patch servers:
<http://support.sgi.com/irix/>
and <ftp://patches.sgi.com/>
SGI freeware updates for IRIX can be found at:
<http://freeware.sgi.com/>
SGI fixes for SGI open sourced code can be found on:
<http://oss.sgi.com/projects/>
SGI patches and RPMs for Linux can be found at:
<http://support.sgi.com/linux/>
or
<http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/>
SGI patches for Windows NT or 2000 can be found at:
<http://support.sgi.com/nt/>
IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
<http://support.sgi.com/irix/>
and <ftp://patches.sgi.com/support/patchset/>
IRIX 6.5 Maintenance Release Streams can be found at:
<http://support.sgi.com/colls/patches/tools/relstream/index.html>
IRIX 6.5 Software Update CDs can be obtained from:
<http://support.sgi.com/irix/swupdates/>
The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL <ftp://patches.sgi.com/support/free/security/>
For security and patch management reasons, ftp.sgi.com (mirrors
patches.sgi.com security FTP repository) lags behind and does not do a
real-time update.
`
`- ------------------------
SGI wishes to thank Mark Litchfield, CERT, ISS and the users of the Internet
Community at large for their assistance in this matter.
`
`- -----------------------------------------
If there are questions about this document, email can be sent to
[email protected].
------oOo------
SGI provides security information and patches for use by the entire SGI
community. This information is freely available to any person needing the
information and is available via anonymous FTP and the Web.
The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL <ftp://patches.sgi.com/support/free/security/>
The SGI Security Headquarters Web page is accessible at the URL:
<http://www.sgi.com/support/security/>
For issues with the patches on the FTP sites, email can be sent to
[email protected].
For assistance obtaining or working with security patches, please
contact your SGI support provider.
------oOo------
SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web
(<http://www.sgi.com/support/security/wiretap.html>
) or by sending email to
SGI as outlined below.
% mail [email protected]
subscribe wiretap <YourEmailAddress>
end
^d
In the example above, <YourEmailAddress> is the email address that you wish
the mailing list information sent to. The word end must be on a separate
line to indicate the end of the body of the message. The control-d (^d) is
used to indicate to the mail program that you are finished composing the
mail message.
`
------oOo------
SGI provides a comprehensive customer World Wide Web site. This site is located at ``<http://www.sgi.com/support/security/>`` .
------oOo------
If there are general security questions on SGI systems, email can be sent to [email protected].
For reporting *NEW* SGI security issues, email can be sent to [email protected] or contact your SGI support provider. A support contract is not required for submitting a security report.
______________________________________________________________________________ This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, SGI is appropriately credited and the document retains and includes its valid PGP signature.
-----BEGIN PGP SIGNATURE----- Version: 2.6.2
iQCVAwUBPS+/UrQ4cFApAP75AQHVJgQApjJG7ZUFT3S/wE7p1khZUiSxBpo1r0qc inVeNOm1LskJAcr12rVpoKxAvl5UQA1AxeBuDJj1Om5DDN4jHI7mHbTGey4ZdFpJ 6TaewGXadi5xIW75Xh5dFnGYtmRCRSpekSt6VJzVmeYYocmkZyZ/VUjjDo2187Cv o2LTSqrYsow= =1pxh -----END PGP SIGNATURE-----
The vendor has not provided us with any further information regarding this vulnerability.
An SGI Advisory describing this issue is available at:
<ftp://patches.sgi.com/support/free/security/advisories/20020605-01-A>
<ftp://patches.sgi.com/support/free/security/advisories/20020605-01-I>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 17, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 17, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
Notified: June 14, 2002 Updated: June 17, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).
View all 46 vendors __View less vendors __
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
The CERT/CC thanks Mark Litchfield for reporting this vulnerability to the Apache Software Foundation, and Mark Cox for reporting this vulnerability to the CERT/CC.
This document was written by Cory F. Cohen.
CVE IDs: | CVE-2002-0392 |
---|---|
CERT Advisory: | CA-2002-17 Severity Metric: |
bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20502
httpd.apache.org/info/security_bulletin_20020617.txt
secunia.com/advisories/21917/
www.ciac.org/ciac/bulletins/m-093.shtml
www.ietf.org/rfc/rfc2068.txt
www.ietf.org/rfc/rfc2616.txt
www.linuxsecurity.com/articles/server_security_article-5150.html
www.securityfocus.com/bid/5033