Overview

There is a remotely exploitable vulnerability in the way that Apache web servers (or other web servers based on their source code) handle data encoded in chunks. This vulnerability is present by default in configurations of Apache web server versions 1.2.2 and above, 1.3 through 1.3.24, and versions 2.0 through 2.0.36. The impact of this vulnerability is dependent upon the software version and the hardware platform the server is running on.

Description

Apache is a popular web server that includes support for chunk-encoded data according to the HTTP 1.1 standard as described in RFC2616. There is a vulnerability in the handling of certain chunk-encoded HTTP requests that may allow remote attackers to execute arbitrary code.

The Apache Software Foundation has published an advisory describing the details of this vulnerability. This advisory is available on their web site at

<http://httpd.apache.org/info/security_bulletin_20020617.txt&gt;

---

Impact

For Apache versions 1.2.2 through 1.3.24 inclusive, this vulnerability may allow the execution of arbitrary code by remote attackers. Exploits are publicly available that claim to allow the execution of arbitrary code.

For Apache versions 2.0 through 2.0.36 inclusive, the condition causing the vulnerability is correctly detected and causes the child process to exit. Depending on a variety of factors, including the threading model supported by the vulnerable system, this may lead to a denial-of-service attack against the Apache web server.

---

Solution

Upgrade to the latest version

The Apache Software Foundation has released two new versions of Apache that correct this vulnerability. System administrators can prevent the vulnerability from being exploited by upgrading to Apache version 1.3.26 or 2.0.39.

Due to some unexpected problems with version 1.3.25, the CERT/CC has been informed by the Apache Software Foundation that the corrected version of the software is now 1.3.26. Both 1.3.26 and 2.0.39 are available on their web site at

<http://www.apache.org/dist/httpd/&gt;

Apply a patch from your vendor

If your vendor has provided a patch to correct this vulnerability, you may want to apply that patch rather than upgrading your version of httpd. The CERT/CC is aware of a patch from ISS that corrects some of the impacts associated with this vulnerability. System administrators are encouraged to ensure that the patch they apply is based on the code by the Apache Software Foundation that also corrects additional impacts described in this advisory.

More information about vendor-specific patches can be found in the vendor section of this document.

---

Vendor Information

944335

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Alcatel __ Affected

Notified: June 14, 2002 Updated: June 28, 2002

Status

Affected

Vendor Statement

In relation to this CERT advisory on security vulnerability in Apache, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. A first analysis has shown that various Alcatel products can be affected: namely the A5000 and A5020 SoftSwitches, the A5735 SMC, the A1300 NMC2, the management platforms for the A1000 UMTS/GPRS/MSC solutions, the 1353 SH and 1355 VPN. Customers using these products should upgrade to Apache WebServer 1.3.26 (or higher) or may contact their Alcatel support representative for more details. The security of our customers’ networks is of highest priority for Alcatel. Therefore we continue to test our product portfolio against potential security vulnerabilities in our products using the Apache Webserver and will provide updates if necessary.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Apache __ Affected

Notified: June 14, 2002 Updated: June 17, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

New versions of the Apache software are available from:

<http://httpd.apache.org/&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Apple Computer, Inc. __ Affected

Notified: June 14, 2002 Updated: July 02, 2002

Status

Affected

Vendor Statement

This vulnerability is fixed with the release of the “Security Update - July 2002” software update.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

More information about this vulnerability is available at:

<http://www.apple.com/support/security/security_updates.html&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Compaq Computer Corporation __ Affected

Notified: June 14, 2002 Updated: July 16, 2002

Status

Affected

Vendor Statement

Compaq has released Security Bulletin SSRT2253 (document number SRB0021W).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Covalent __ Affected

Updated: June 19, 2002

Status

Affected

Vendor Statement

Covalent Technologies distributes products based on Apache 1.3 and Apache 2.0 that may be subject to this vulnerability. Covalent is currently creating patches to affected products. Covalent customers will be informed by email, and by postings at www.covalent.net/support when the patches are available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Debian Linux __ Affected

Notified: June 14, 2002 Updated: June 19, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Debian security advisory DSA-131-1 describing this issue is available from:

<http://www.debian.org/security/2002/dsa-131&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

F5 Networks, Inc. __ Affected

Notified: June 14, 2002 Updated: June 24, 2002

Status

Affected

Vendor Statement

The following F5 Networks, Inc. products contain a vulnerable version ofthe Apache-based web server. Instructions for obtaining and installing apatch are available in the following locations.

BIG-IP® platform

3-DNS® platform

EDGE-FX® platform

GLOBAL-SITE® platform

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

FreeBSD, Inc. __ Affected

Notified: June 14, 2002 Updated: June 21, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

FreeBSD has published a Security Notice about this vulnerability:

<ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:04.asc&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Guardian Digital Inc. __ Affected

Notified: June 14, 2002 Updated: June 19, 2002

Status

Affected

Vendor Statement

Guardian Digital ships Apache in all version of EnGarde Secure Linux. EnGarde Secure Profssional users may update using the GDSN. This issue was addressed in ESA-20020619-014 which may be found at:

<http://www.linuxsecurity.com/advisories/other_advisory-2137.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Hewlett-Packard Company __ Affected

Notified: June 14, 2002 Updated: July 15, 2002

Status

Affected

Vendor Statement

HP makes the Apache Server available for customers as a bundled software package called “HP Apache.” New updates are available temporarily via ftp from a site located at hprc.external.hp.com.

When the new updates are available at www.software.hp.com, the Hewlett-Packard Company Security Bulletin HPSBUX0207-197 will be updated.

To retrieve the updates from the temporary ftp site, use a browser to connect to:

<ftp://apache:[email protected]/&gt;
or:
<ftp://apache:[email protected]/&gt;

There are two subdirectories containing depots of swinstallable binaries with a “.t” extension, one for Apache 2.0.39 (11.00 and 11.11) and one for Apache 1.3.26 (11.00 and 11.11).

HP Virtualvault (HP-UX 11.04) patches are available from itrc.hp.com with ID’s of PHSS_27361 and PHSS_27371.

For full details, see Hewlett-Packard Company Security Bulletin HPSBUX0207-197, available on itrc.hp.com. Search for “Apache chunk”

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Hewlett Packard has published security advisory HPSBUX0207-197 on this issue.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

IBM Corporation __ Affected

Notified: June 14, 2002 Updated: August 08, 2002

Status

Affected

Vendor Statement

IBM makes the Apache Server availble for AIX customers as a software package under the AIX-Linux Affinity initiative. This package is included on the AIX Toolbox for Linux Applications CD, and can be downloaded via the IBM Linux Affinity website. The currently available version of Apache Server is susceptible to the vulnerability described here. We will update our Apache Server offering shortly to version 1.3.23, including the patch for this vulnerability; this update will be made available for downloading by accessing this URL:

http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
and following the instructions presented there.

Please note that Apache Server, and all Linux Affinity software, is offered on an “as-is” basis. IBM does not own the source code for this software, nor has it developed and fully tested this code. IBM does not support these software packages.

The IBM HTTP Server product, which is also bundeled with the Websphere product,is based on the Apache server. As such, it is vulnerable to the current “Chunk Handling” issue and we are woring on a patch for this problem with all due haste. This statement will be updated as more information becomes available.

Information for the Websphere patches is available from the web. Go to this URL:

http://www.ibm.com/software/webservers/appserv/support.html
Click on the “Websphere Flashes” link and look for the item for “IBM HTTP Server”. This will contain information on the exposure and links to the patches.

The IBM HMC product is also affected by the Apache vulnerability described above. The HMC is the hardware monitor and control console used with IBM’s Regatta systems. This is a seperate hardware unit that uses a Linux-based operating system and Open Source software.

Customers are advised to obtain the latest security paches for the HMC. These patches will be available early next week from the following URL:

http://techsupport.services.ibm.com/server/hmc?fetch=corrsrv.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Mandriva, Inc. __ Affected

Notified: June 14, 2002 Updated: June 21, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Mandrake published a security advisory describing this vulnerability:

<http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-039.php&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Mandriva, Inc. __ Affected

Notified: June 17, 2002 Updated: June 19, 2002

Status

Affected

Vendor Statement

The Apache webserver shipped with Conectiva Linux is vulnerable to this problem. New packages fixing this problem will be announced to our mailing list after an official fix becomes available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

A Conectiva security announcement is avilable at:

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000498

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Network Appliance __ Affected

Notified: June 14, 2002 Updated: November 02, 2007

Status

Affected

Vendor Statement

`Network Appliance

Data ONTAP® and NetCache® products are not affected.

ReplicatorX versions 4.0 through 4.0.21 are affected
(This was originally released by Topio Inc, now a wholly owned subsidiary of
NetApp, as Topio Data Protection Suite (TDPS) releases 1.0 through 3.0.65).

Contact the NetApp Technical Support Center +1-888-4NETAPP for remediation
information and instructions.`

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

OpenBSD __ Affected

Notified: June 14, 2002 Updated: June 21, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Information about the chunked encoding problem is availabe from:

<http://www.openbsd.org/errata.html#httpd&gt;
A patch correcting the problem is availabel at:

<ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/005_httpd.patch&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Oracle Corporation __ Affected

Notified: June 14, 2002 Updated: June 21, 2002

Status

Affected

Vendor Statement

Oracle has issued Oracle Security Alert #36 in response to the chunked encoding Apache HTTP Server security vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Oracle Security Alert #36 is expected to be available at:

<http://otn.oracle.com/deploy/security/alerts.htm&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Red Hat, Inc. __ Affected

Notified: June 14, 2002 Updated: June 18, 2002

Status

Affected

Vendor Statement

Red Hat distributes Apache 1.3 versions in all Red Hat Linux distributions, and as part of Stronghold. However we do not distribute Apache for Windows. We are currently investigating the issue and will work on producing errata packages when an official fix for the problem is made available. When these updates are complete they will be available from the URL below. At the same time users of the Red Hat Network will be able to update their systems using the ‘up2date’ tool.

<http://rhn.redhat.com/errata/RHSA-2002-103.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

SUSE Linux __ Affected

Notified: June 14, 2002 Updated: June 19, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SuSE has published security announcement SuSE-SA:2002:022 describing this issue.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Slackware __ Affected

Updated: June 21, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Slackware Linux posted a message to their security list indicating that updated packages were available from:

<ftp://ftp.slackware.com/pub/slackware/slackware-8.0/&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Sun Microsystems, Inc. __ Affected

Notified: June 14, 2002 Updated: June 24, 2002

Status

Affected

Vendor Statement

Sun bundles the Apache Web Server freeware product with Solaris 8 (Apache/1.3.12) and 9 (Apache/1.3.22). Both versions are affected by this vulnerability. Sun are presently producing patches for this issue for Solaris 8 and 9. Once the patches are available, we will be publishing a Sun Alert available from:

<http://sunsolve.sun.com/&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

The SCO Group (SCO Linux) __ Affected

Notified: June 14, 2002 Updated: September 18, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Caldera has published several advisories describing this vulnerability:

<ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-029.0.txt&gt;

ftp://ftp.caldera.com/pub/security/OpenUNIX/CSSA-2002-SCO.31.txt

ftp://ftp.caldera.com/pub/security/UnixWare/CSSA-2002-SCO.31.txt

ftp://ftp.caldera.com/pub/security/OpenServer/CSSA-2002-SCO.32.txt

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

The SCO Group (SCO Unix) __ Affected

Notified: June 14, 2002 Updated: September 18, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Caldera has published several advisories describing this vulnerability:

<ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-029.0.txt&gt;

ftp://ftp.caldera.com/pub/security/OpenUNIX/CSSA-2002-SCO.31.txt

ftp://ftp.caldera.com/pub/security/UnixWare/CSSA-2002-SCO.31.txt

ftp://ftp.caldera.com/pub/security/OpenServer/CSSA-2002-SCO.32.txt

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Trustix Secure Linux __ Affected

Updated: June 21, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Trustix Secure Linux has published an advisory on this topic:

<http://www.trustix.net/errata/misc/2002/TSL-2002-0056-apache.asc.txt&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Unisphere Networks __ Affected

Notified: June 14, 2002 Updated: June 27, 2002

Status

Affected

Vendor Statement

CUSTOMER SERVICE TECHNICAL BULLETIN

SUBJECT: CERT Advisory CA-2002-17: Apache Web Server Chunk Handling Vulnerability
BULLETIN NUMBER: SSC_PSN-001
BULLETIN TYPE: Product Support Notification
AFFECTED PRODUCTS: SSC
ISSUE DATE: 06/26/2002
REVISION: 1.0

PROBLEM DESCRIPTION:
The CERT Coordination Center released an advisory on June 17, 2002 entitled, “CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability”. The URL for the full text of the advisory can be found at:

<http://www.cert.org/advisories/CA-2002-17.html&gt;
AFFECTED PRODUCT(S):
SSC

SOLUTION:
The following releases of software have been found to suffer no negative effects from vulnerability outlined in CERT Advisory CA-2002-17:

2-0-2p2
2-0-3p2
All future releases of SSC will include the updated version of Apache web server that corrects this vulnerability.

Earlier releases of software may allow the execution of arbitrary code by remote attackers. Information needed to exploit this vulnerability is publicly known.

Affected releases include:

2-0-0 – 2-0-2p1
2-0-3 – 2-0-3p1
This Product Support Notification is publicly viewable on the Web at:

<http://support.unispherenetworks.com/websupport/CERT/ssc_psn-001.pdf&gt;
If you have any questions concerning this notice, or to obtain the latest patch release, please contact Unisphere Networks Customer Service.

Inside the U.S. call: (800) 424-2344
Outside the U.S. call: (978) 589-9000
Via the Web @
Via email @ [email protected]

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Xerox Corporation __ Affected

Notified: June 14, 2002 Updated: March 27, 2003

Status

Affected

Vendor Statement

A response to this advisory is available from our web site:

<http://www.xerox.com/security&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Cray Inc. __ Not Affected

Notified: June 14, 2002 Updated: June 18, 2002

Status

Not Affected

Vendor Statement

Cray, Inc. does not distribute Apache with any of its operating systems.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Fujitsu __ Not Affected

Notified: June 14, 2002 Updated: June 18, 2002

Status

Not Affected

Vendor Statement

Fujitsu’s UXP/V operating system does not support Apache and is therefore not affected by the vulnerability reported in VU#944335.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Lotus Software __ Not Affected

Notified: June 14, 2002 Updated: June 18, 2002

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has been contacted by this vendor and told they have verified that the Lotus Domino web server is not vulnerable to this type of problem. Also, we have been told they do not ship Apache code with any of their products.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Microsoft Corporation __ Not Affected

Notified: June 14, 2002 Updated: June 17, 2002

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has been contacted by this vendor and been told they do not ship the Apache web server in any of their products.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

3Com Unknown

Notified: June 14, 2002 Updated: June 17, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

AT&T Unknown

Notified: June 14, 2002 Updated: June 17, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Berkeley Software Design, Inc. Unknown

Notified: June 14, 2002 Updated: June 17, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Cisco Systems, Inc. __ Unknown

Notified: June 14, 2002 Updated: July 08, 2002

Status

Unknown

Vendor Statement

Cisco Systems is evaluating the vulnerabilities identified by VU#944335. Should an issue be found, Cisco will release a Security Advisory. The most up-to-date information on all Cisco product security issues may be found at

<http://www.cisco.com/go/psirt/&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Computer Associates Unknown

Notified: June 14, 2002 Updated: June 17, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Data General Unknown

Notified: June 14, 2002 Updated: June 17, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Intel Unknown

Notified: June 14, 2002 Updated: June 17, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Juniper Networks, Inc. Unknown

Notified: June 14, 2002 Updated: June 17, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Lucent Technologies Unknown

Notified: June 14, 2002 Updated: June 17, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

NCSA Unknown

Notified: June 14, 2002 Updated: June 17, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

NEC Corporation Unknown

Notified: June 14, 2002 Updated: June 17, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

NETBSD Unknown

Notified: June 14, 2002 Updated: June 17, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Nortel Networks, Inc. __ Unknown

Notified: June 14, 2002 Updated: June 27, 2002

Status

Unknown

Vendor Statement

Nortel Networks is reviewing its portfolio to determine if any products are affected by the vulnerability noted in CERT Advisory CA-2002-17. A definitive statement will be issued shortly.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

SGI __ Unknown

Notified: June 14, 2002 Updated: July 15, 2002

Status

Unknown

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________ SGI Security Advisory
` Title: Apache Web Server Chunk Handling vulnerability
Number: 20020605-01-I
Date: July 12, 2002
Reference: SGI Security Advisory 20020605-01-A
Reference: CERT CA-2002-17
Reference: Apache Security Bulletin 20020617
Reference: CAN-2002-0392

---

`

`- -----------------------

• — Issue Specifics —

---

This bulletin is an update to SGI Security Advisory 20020605-01-A.
It has been reported that versions of the Apache web server up to and
including 1.3.24 and 2.0 up to and including 2.0.36 contain a bug in the
routines which deal with invalid requests which are encoded using chunked
encoding. This bug can be triggered remotely by sending a carefully crafted
invalid request. This functionality is enabled by default.
See <http://httpd.apache.org/info/security_bulletin_20020617.txt> for
additional details.
SGI has investigated the issues and recommends the following steps for
neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.
These issues have been corrected in IRIX 6.5.17, where we are now supplying
a fixed version of Apache. We are also making the fixed version of Apache
available on our security FTP site for prior releases of IRIX.
`

`- --------------

• — Impact —

---

The Apache webserver is supplied with IRIX versions since 6.5.12m/f as a
replacement for the older SGI FastTrack server. It is installed by default,
and is enabled through “chkconfig” by default.
In order to determine if the Apache webserver is installed, execute the
following command:
# versions -b | grep apache
If the following line is returned you are OK:
I sgi_apache 07/10/2002 SGI Web Server based on Apache, 1.3.26
But if either of these are returned you are vulnerable:
I sgi_apache 03/20/2001 SGI Apache Server, 1.3.17
I sgi_apache 06/10/2001 SGI Apache Server, 1.3.20
I sgi_apache 12/06/2001 SGI Web Server based on Apache, 1.3.22
These vulnerabilities might lead to a root compromise in some
configurations, and no local account is required.
These vulnerabilities have been publicly discussed in Usenet newsgroups
and mailing lists.
This vulnerability was assigned the following CVE:
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392>
`

`- ----------------------------

• — Temporary Workaround —

---

SGI acknowledges that it may not always be possible to immediately install
patches or upgrade the operating system. In those cases, we recommend
removing the Apache webserver and associated products by using the following
commands:
# versions remove sgi_apache*

versions remove websetup*

versions remove gateway*

It is not necessary to reboot the system after doing this. You should
upgrade the operating system as soon as it is possible to do so.
`

`- ----------------

• — Solution —

---

SGI has not provided a patch for these issues, but instead has rolled the
fixed Apache distribution into IRIX 6.5.17 and later releases of the
operating system.
OS Version Vulnerable? Patch # Other Actions

---

IRIX 3.x no Note 1
IRIX 4.x no Note 1
IRIX 5.x no Note 1
IRIX 6.0.x no Note 1
IRIX 6.1 no Note 1
IRIX 6.2 no Note 1
IRIX 6.3 no Note 1
IRIX 6.4 no Note 1
IRIX 6.5 no Note 2
IRIX 6.5.1 no Note 2
IRIX 6.5.2 no Note 2
IRIX 6.5.3 no Note 2
IRIX 6.5.4 no Note 2
IRIX 6.5.5 no Note 2
IRIX 6.5.6 no Note 2
IRIX 6.5.7 no Note 2
IRIX 6.5.8 no Note 2
IRIX 6.5.9 no Note 2
IRIX 6.5.10 no Note 2
IRIX 6.5.11 no Note 2
IRIX 6.5.12 yes Note 2
IRIX 6.5.13 yes sgi_apache 1.3.26 Note 2 & 3
IRIX 6.5.14 yes sgi_apache 1.3.26 Note 2 & 3
IRIX 6.5.15 yes sgi_apache 1.3.26 Note 2 & 3
IRIX 6.5.16 yes sgi_apache 1.3.26 Note 2 & 3
IRIX 6.5.17 no
`

NOTES
1) This version of the IRIX operating has been retired. Upgrade to an actively supported IRIX operating system. See ``<http://support.sgi.com/irix/news/index.html#policy>`` for more information.
2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your SGI Support Provider or URL: ``<http://support.sgi.com/irix/swupdates/>``
3) Install sgi_apache 1.3.26 which is supplied with the IRIX 6.5.17 Applications CD or available as sgi_apache-1.3.26.tar from: <ftp://patches.sgi.com/support/free/security/patches/>{6.5.13-6.5.16}

##### Patch File Checksums ####
The actual patch will be a tar file containing the following files:
Filename: sgi_apache Algorithm #1 (sum -r): 24080 5 sgi_apache Algorithm #2 (sum): 37968 5 sgi_apache MD5 checksum: 1EE81B8F7A8DF9ED4D9AF507EA1D2755
Filename: sgi_apache.books Algorithm #1 (sum -r): 65292 3274 sgi_apache.books Algorithm #2 (sum): 32822 3274 sgi_apache.books MD5 checksum: CD6296A58A1B6F1FF2D6B212058D1C4D
Filename: sgi_apache.idb Algorithm #1 (sum -r): 13477 281 sgi_apache.idb Algorithm #2 (sum): 4276 281 sgi_apache.idb MD5 checksum: 3144B64008FF66BF858434208C6BCB5B
Filename: sgi_apache.man Algorithm #1 (sum -r): 29483 97 sgi_apache.man Algorithm #2 (sum): 35420 97 sgi_apache.man MD5 checksum: A7864555852DB7ACC913F049BFC46121
Filename: sgi_apache.src Algorithm #1 (sum -r): 43010 6244 sgi_apache.src Algorithm #2 (sum): 58317 6244 sgi_apache.src MD5 checksum: 7D2A6A9A226327D8D9990F80635AED80
Filename: sgi_apache.sw Algorithm #1 (sum -r): 20406 1852 sgi_apache.sw Algorithm #2 (sum): 32509 1852 sgi_apache.sw MD5 checksum: 371625EE5B321A76137AD1A18B23B4C0

`- -------------------

• — Information —

---

SGI Security Advisories can be found at:
<http://www.sgi.com/support/security/> and
<ftp://patches.sgi.com/support/free/security/advisories/>
SGI Security Patches can be found at:
<http://www.sgi.com/support/security/> and
<ftp://patches.sgi.com/support/free/security/patches/>
SGI patches for IRIX can be found at the following patch servers:
<http://support.sgi.com/irix/> and <ftp://patches.sgi.com/>
SGI freeware updates for IRIX can be found at:
<http://freeware.sgi.com/>
SGI fixes for SGI open sourced code can be found on:
<http://oss.sgi.com/projects/>
SGI patches and RPMs for Linux can be found at:
<http://support.sgi.com/linux/> or
<http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/>
SGI patches for Windows NT or 2000 can be found at:
<http://support.sgi.com/nt/>
IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
<http://support.sgi.com/irix/> and <ftp://patches.sgi.com/support/patchset/>
IRIX 6.5 Maintenance Release Streams can be found at:
<http://support.sgi.com/colls/patches/tools/relstream/index.html>
IRIX 6.5 Software Update CDs can be obtained from:
<http://support.sgi.com/irix/swupdates/>
The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL <ftp://patches.sgi.com/support/free/security/>
For security and patch management reasons, ftp.sgi.com (mirrors
patches.sgi.com security FTP repository) lags behind and does not do a
real-time update.
`

`- ------------------------

• — Acknowledgments ----

---

SGI wishes to thank Mark Litchfield, CERT, ISS and the users of the Internet
Community at large for their assistance in this matter.
`

`- -----------------------------------------

• — SGI Security Information/Contacts —

---

If there are questions about this document, email can be sent to
[email protected].
------oOo------
SGI provides security information and patches for use by the entire SGI
community. This information is freely available to any person needing the
information and is available via anonymous FTP and the Web.
The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL <ftp://patches.sgi.com/support/free/security/>
The SGI Security Headquarters Web page is accessible at the URL:
<http://www.sgi.com/support/security/>
For issues with the patches on the FTP sites, email can be sent to
[email protected].
For assistance obtaining or working with security patches, please
contact your SGI support provider.
------oOo------
SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web
(<http://www.sgi.com/support/security/wiretap.html>) or by sending email to
SGI as outlined below.
% mail [email protected]
subscribe wiretap <YourEmailAddress>
end
^d
In the example above, <YourEmailAddress> is the email address that you wish
the mailing list information sent to. The word end must be on a separate
line to indicate the end of the body of the message. The control-d (^d) is
used to indicate to the mail program that you are finished composing the
mail message.
`

------oOo------
SGI provides a comprehensive customer World Wide Web site. This site is located at ``<http://www.sgi.com/support/security/>`` .
------oOo------
If there are general security questions on SGI systems, email can be sent to [email protected].
For reporting *NEW* SGI security issues, email can be sent to [email protected] or contact your SGI support provider. A support contract is not required for submitting a security report.
______________________________________________________________________________ This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, SGI is appropriately credited and the document retains and includes its valid PGP signature.
-----BEGIN PGP SIGNATURE----- Version: 2.6.2
iQCVAwUBPS+/UrQ4cFApAP75AQHVJgQApjJG7ZUFT3S/wE7p1khZUiSxBpo1r0qc inVeNOm1LskJAcr12rVpoKxAvl5UQA1AxeBuDJj1Om5DDN4jHI7mHbTGey4ZdFpJ 6TaewGXadi5xIW75Xh5dFnGYtmRCRSpekSt6VJzVmeYYocmkZyZ/VUjjDo2187Cv o2LTSqrYsow= =1pxh -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

An SGI Advisory describing this issue is available at:

<ftp://patches.sgi.com/support/free/security/advisories/20020605-01-A&gt;

<ftp://patches.sgi.com/support/free/security/advisories/20020605-01-I&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Sequent Computer Systems, Inc. Unknown

Notified: June 14, 2002 Updated: June 17, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Sony Corporation Unknown

Notified: June 14, 2002 Updated: June 17, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

Wind River Systems, Inc. Unknown

Notified: June 14, 2002 Updated: June 17, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23944335 Feedback>).

View all 46 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://httpd.apache.org/info/security_bulletin_20020617.txt&gt;
• <http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20502&gt;
• <http://www.ietf.org/rfc/rfc2068.txt&gt;
• <http://www.ietf.org/rfc/rfc2616.txt&gt;
• <http://www.linuxsecurity.com/articles/server_security_article-5150.html&gt;
• <http://www.ciac.org/ciac/bulletins/m-093.shtml&gt;
• <http://www.securityfocus.com/bid/5033&gt;
• <http://secunia.com/advisories/21917/&gt;

Acknowledgements

The CERT/CC thanks Mark Litchfield for reporting this vulnerability to the Apache Software Foundation, and Mark Cox for reporting this vulnerability to the CERT/CC.

This document was written by Cory F. Cohen.

Other Information

CVE IDs:	CVE-2002-0392
CERT Advisory:	CA-2002-17 Severity Metric: