Overview
There is a remotely exploitable vulnerability in the way that Apache web servers (or other web servers based on their source code) handle data encoded in chunks. This vulnerability is present by default in configurations of Apache web server versions 1.2.2 and above, 1.3 through 1.3.24, and versions 2.0 through 2.0.36. The impact of this vulnerability is dependent upon the software version and the hardware platform the server is running on.
Description
Apache is a popular web server that includes support for chunk-encoded data according to the HTTP 1.1 standard as described in RFC2616. There is a vulnerability in the handling of certain chunk-encoded HTTP requests that may allow remote attackers to execute arbitrary code. The Apache Software Foundation has published an advisory describing the details of this vulnerability. This advisory is available on their web site at |
Impact
For Apache versions 1.2.2 through 1.3.24 inclusive, this vulnerability may allow the execution of arbitrary code by remote attackers. Exploits are publicly available that claim to allow the execution of arbitrary code.
|
Solution
Upgrade to the latest version |
Vendor Information
Alcatel Affected
Notified: June 14, 2002 Updated: June 28, 2002
Status
Affected
Vendor Statement
In relation to this CERT advisory on security vulnerability in Apache, Alcatel has conducted an immediate assessment to determine any impact this may have on our portfolio. A first analysis has shown that various Alcatel products can be affected: namely the A5000 and A5020 SoftSwitches, the A5735 SMC, the A1300 NMC2, the management platforms for the A1000 UMTS/GPRS/MSC solutions, the 1353 SH and 1355 VPN. Customers using these products should upgrade to Apache WebServer 1.3.26 (or higher) or may contact their Alcatel support representative for more details. The security of our customers' networks is of highest priority for Alcatel. Therefore we continue to test our product portfolio against potential security vulnerabilities in our products using the Apache Webserver and will provide updates if necessary.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Apache Affected
Notified: June 14, 2002 Updated: June 17, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
New versions of the Apache software are available from:
http://httpd.apache.org/
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Apple Computer, Inc. Affected
Notified: June 14, 2002 Updated: July 02, 2002
Status
Affected
Vendor Statement
This vulnerability is fixed with the release of the "Security Update - July 2002" software update.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
More information about this vulnerability is available at:
http://www.apple.com/support/security/security_updates.html
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Compaq Computer Corporation Affected
Notified: June 14, 2002 Updated: July 16, 2002
Status
Affected
Vendor Statement
Compaq has released Security Bulletin SSRT2253 (document number SRB0021W).
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Covalent Affected
Updated: June 19, 2002
Status
Affected
Vendor Statement
Covalent Technologies distributes products based on Apache 1.3 and Apache 2.0 that may be subject to this vulnerability. Covalent is currently creating patches to affected products. Covalent customers will be informed by email, and by postings at www.covalent.net/support when the patches are available.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Debian Linux Affected
Notified: June 14, 2002 Updated: June 19, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Debian security advisory DSA-131-1 describing this issue is available from:
http://www.debian.org/security/2002/dsa-131
If you have feedback, comments, or additional information about this vulnerability, please send us email.
F5 Networks, Inc. Affected
Notified: June 14, 2002 Updated: June 24, 2002
Status
Affected
Vendor Statement
The following F5 Networks, Inc. products contain a vulnerable version ofthe Apache-based web server. Instructions for obtaining and installing apatch are available in the following locations.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
FreeBSD, Inc. Affected
Notified: June 14, 2002 Updated: June 21, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
FreeBSD has published a Security Notice about this vulnerability:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:04.asc
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Guardian Digital Inc. Affected
Notified: June 14, 2002 Updated: June 19, 2002
Status
Affected
Vendor Statement
Guardian Digital ships Apache in all version of EnGarde Secure Linux. EnGarde Secure Profssional users may update using the GDSN. This issue was addressed in ESA-20020619-014 which may be found at:
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hewlett-Packard Company Affected
Notified: June 14, 2002 Updated: July 15, 2002
Status
Affected
Vendor Statement
HP makes the Apache Server available for customers as a bundled software package called "HP Apache." New updates are available temporarily via ftp from a site located at hprc.external.hp.com.
When the new updates are available at www.software.hp.com, the Hewlett-Packard Company Security Bulletin HPSBUX0207-197 will be updated.
To retrieve the updates from the temporary ftp site, use a browser to connect to:
ftp://apache:apache@192.170.19.51/
or:
ftp://apache:apache@hprc.external.hp.com/
There are two subdirectories containing depots of swinstallable binaries with a ".t" extension, one for Apache 2.0.39 (11.00 and 11.11) and one for Apache 1.3.26 (11.00 and 11.11).
HP Virtualvault (HP-UX 11.04) patches are available from itrc.hp.com with ID's of PHSS_27361 and PHSS_27371.
For full details, see Hewlett-Packard Company Security Bulletin HPSBUX0207-197, available on itrc.hp.com. Search for "Apache chunk"
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Hewlett Packard has published security advisory HPSBUX0207-197 on this issue.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IBM Corporation Affected
Notified: June 14, 2002 Updated: August 08, 2002
Status
Affected
Vendor Statement
IBM makes the Apache Server availble for AIX customers as a software package under the AIX-Linux Affinity initiative. This package is included on the AIX Toolbox for Linux Applications CD, and can be downloaded via the IBM Linux Affinity website. The currently available version of Apache Server is susceptible to the vulnerability described here. We will update our Apache Server offering shortly to version 1.3.23, including the patch for this vulnerability; this update will be made available for downloading by accessing this URL:
and following the instructions presented there.
Please note that Apache Server, and all Linux Affinity software, is offered on an "as-is" basis. IBM does not own the source code for this software, nor has it developed and fully tested this code. IBM does not support these software packages.
The IBM HTTP Server product, which is also bundeled with the Websphere product,is based on the Apache server. As such, it is vulnerable to the current "Chunk Handling" issue and we are woring on a patch for this problem with all due haste. This statement will be updated as more information becomes available.
Information for the Websphere patches is available from the web. Go to this URL:
Click on the "Websphere Flashes" link and look for the item for "IBM HTTP Server". This will contain information on the exposure and links to the patches.
The IBM HMC product is also affected by the Apache vulnerability described above. The HMC is the hardware monitor and control console used with IBM's Regatta systems. This is a seperate hardware unit that uses a Linux-based operating system and Open Source software.
Customers are advised to obtain the latest security paches for the HMC. These patches will be available early next week from the following URL:
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Mandriva, Inc. Affected
Notified: June 14, 2002 Updated: June 21, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Mandrake published a security advisory describing this vulnerability:
http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-039.php
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Mandriva, Inc. Affected
Notified: June 17, 2002 Updated: June 19, 2002
Status
Affected
Vendor Statement
The Apache webserver shipped with Conectiva Linux is vulnerable to this problem. New packages fixing this problem will be announced to our mailing list after an official fix becomes available.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
A Conectiva security announcement is avilable at:
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000498
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Network Appliance Affected
Notified: June 14, 2002 Updated: November 02, 2007
Status
Affected
Vendor Statement
Network Appliance
Data ONTAP(R) and NetCache(R) products are not affected.
ReplicatorX versions 4.0 through 4.0.21 are affected
(This was originally released by Topio Inc, now a wholly owned subsidiary of
NetApp, as Topio Data Protection Suite (TDPS) releases 1.0 through 3.0.65).
Contact the NetApp Technical Support Center +1-888-4NETAPP for remediation
information and instructions.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenBSD Affected
Notified: June 14, 2002 Updated: June 21, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Information about the chunked encoding problem is availabe from:
A patch correcting the problem is availabel at:
- ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/005_httpd.patch
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Oracle Corporation Affected
Notified: June 14, 2002 Updated: June 21, 2002
Status
Affected
Vendor Statement
Oracle has issued Oracle Security Alert #36 in response to the chunked encoding Apache HTTP Server security vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Oracle Security Alert #36 is expected to be available at:
http://otn.oracle.com/deploy/security/alerts.htm
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Red Hat, Inc. Affected
Notified: June 14, 2002 Updated: June 18, 2002
Status
Affected
Vendor Statement
Red Hat distributes Apache 1.3 versions in all Red Hat Linux distributions, and as part of Stronghold. However we do not distribute Apache for Windows. We are currently investigating the issue and will work on producing errata packages when an official fix for the problem is made available. When these updates are complete they will be available from the URL below. At the same time users of the Red Hat Network will be able to update their systems using the 'up2date' tool.
http://rhn.redhat.com/errata/RHSA-2002-103.html
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SUSE Linux Affected
Notified: June 14, 2002 Updated: June 19, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
SuSE has published security announcement SuSE-SA:2002:022 describing this issue.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Slackware Affected
Updated: June 21, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Slackware Linux posted a message to their security list indicating that updated packages were available from:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sun Microsystems, Inc. Affected
Notified: June 14, 2002 Updated: June 24, 2002
Status
Affected
Vendor Statement
Sun bundles the Apache Web Server freeware product with Solaris 8 (Apache/1.3.12) and 9 (Apache/1.3.22). Both versions are affected by this vulnerability. Sun are presently producing patches for this issue for Solaris 8 and 9. Once the patches are available, we will be publishing a Sun Alert available from:
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
The SCO Group (SCO Linux) Affected
Notified: June 14, 2002 Updated: September 18, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Caldera has published several advisories describing this vulnerability:
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-029.0.txt
ftp://ftp.caldera.com/pub/security/OpenUNIX/CSSA-2002-SCO.31.txt
ftp://ftp.caldera.com/pub/security/UnixWare/CSSA-2002-SCO.31.txt
ftp://ftp.caldera.com/pub/security/OpenServer/CSSA-2002-SCO.32.txt
If you have feedback, comments, or additional information about this vulnerability, please send us email.
The SCO Group (SCO Unix) Affected
Notified: June 14, 2002 Updated: September 18, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Caldera has published several advisories describing this vulnerability:
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-029.0.txt
ftp://ftp.caldera.com/pub/security/OpenUNIX/CSSA-2002-SCO.31.txt
ftp://ftp.caldera.com/pub/security/UnixWare/CSSA-2002-SCO.31.txt
ftp://ftp.caldera.com/pub/security/OpenServer/CSSA-2002-SCO.32.txt
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Trustix Secure Linux Affected
Updated: June 21, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Trustix Secure Linux has published an advisory on this topic:
http://www.trustix.net/errata/misc/2002/TSL-2002-0056-apache.asc.txt
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Unisphere Networks Affected
Notified: June 14, 2002 Updated: June 27, 2002
Status
Affected
Vendor Statement
CUSTOMER SERVICE TECHNICAL BULLETIN
SUBJECT: CERT Advisory CA-2002-17: Apache Web Server Chunk Handling Vulnerability
BULLETIN NUMBER: SSC_PSN-001
BULLETIN TYPE: Product Support Notification
AFFECTED PRODUCTS: SSC
ISSUE DATE: 06/26/2002
REVISION: 1.0
PROBLEM DESCRIPTION:
The CERT Coordination Center released an advisory on June 17, 2002 entitled, "CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability". The URL for the full text of the advisory can be found at:
AFFECTED PRODUCT(S):
SSC
SOLUTION:
The following releases of software have been found to suffer no negative effects from vulnerability outlined in CERT Advisory CA-2002-17:
- 2-0-2p2
2-0-3p2
All future releases of SSC will include the updated version of Apache web server that corrects this vulnerability.
Earlier releases of software may allow the execution of arbitrary code by remote attackers. Information needed to exploit this vulnerability is publicly known.
Affected releases include:
- 2-0-0 -- 2-0-2p1
2-0-3 -- 2-0-3p1
This Product Support Notification is publicly viewable on the Web at:
If you have any questions concerning this notice, or to obtain the latest patch release, please contact Unisphere Networks Customer Service.
Inside the U.S. call: (800) 424-2344
Outside the U.S. call: (978) 589-9000
Via the Web @
Via email @ support@unispherenetworks.com
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Xerox Corporation Affected
Notified: June 14, 2002 Updated: March 27, 2003
Status
Affected
Vendor Statement
A response to this advisory is available from our web site:
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Cray Inc. Not Affected
Notified: June 14, 2002 Updated: June 18, 2002
Status
Not Affected
Vendor Statement
Cray, Inc. does not distribute Apache with any of its operating systems.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Fujitsu Not Affected
Notified: June 14, 2002 Updated: June 18, 2002
Status
Not Affected
Vendor Statement
Fujitsu's UXP/V operating system does not support Apache and is therefore not affected by the vulnerability reported in VU#944335.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Lotus Software Not Affected
Notified: June 14, 2002 Updated: June 18, 2002
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has been contacted by this vendor and told they have verified that the Lotus Domino web server is not vulnerable to this type of problem. Also, we have been told they do not ship Apache code with any of their products.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Microsoft Corporation Not Affected
Notified: June 14, 2002 Updated: June 17, 2002
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has been contacted by this vendor and been told they do not ship the Apache web server in any of their products.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
3Com Unknown
Notified: June 14, 2002 Updated: June 17, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
AT&T Unknown
Notified: June 14, 2002 Updated: June 17, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Berkeley Software Design, Inc. Unknown
Notified: June 14, 2002 Updated: June 17, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Cisco Systems, Inc. Unknown
Notified: June 14, 2002 Updated: July 08, 2002
Status
Unknown
Vendor Statement
Cisco Systems is evaluating the vulnerabilities identified by VU#944335. Should an issue be found, Cisco will release a Security Advisory. The most up-to-date information on all Cisco product security issues may be found at
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Computer Associates Unknown
Notified: June 14, 2002 Updated: June 17, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Data General Unknown
Notified: June 14, 2002 Updated: June 17, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Intel Unknown
Notified: June 14, 2002 Updated: June 17, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Juniper Networks, Inc. Unknown
Notified: June 14, 2002 Updated: June 17, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Lucent Technologies Unknown
Notified: June 14, 2002 Updated: June 17, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NCSA Unknown
Notified: June 14, 2002 Updated: June 17, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NEC Corporation Unknown
Notified: June 14, 2002 Updated: June 17, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NETBSD Unknown
Notified: June 14, 2002 Updated: June 17, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Nortel Networks, Inc. Unknown
Notified: June 14, 2002 Updated: June 27, 2002
Status
Unknown
Vendor Statement
Nortel Networks is reviewing its portfolio to determine if any products are affected by the vulnerability noted in CERT Advisory CA-2002-17. A definitive statement will be issued shortly.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SGI Unknown
Notified: June 14, 2002 Updated: July 15, 2002
Status
Unknown
Vendor Statement
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SGI Security Advisory
Title: Apache Web Server Chunk Handling vulnerability
Number: 20020605-01-I
Date: July 12, 2002
Reference: SGI Security Advisory 20020605-01-A
Reference: CERT CA-2002-17
Reference: Apache Security Bulletin 20020617
Reference: CAN-2002-0392
______________________________________________________________________________
- -----------------------
- --- Issue Specifics ---
- -----------------------
This bulletin is an update to SGI Security Advisory 20020605-01-A.
It has been reported that versions of the Apache web server up to and
including 1.3.24 and 2.0 up to and including 2.0.36 contain a bug in the
routines which deal with invalid requests which are encoded using chunked
encoding. This bug can be triggered remotely by sending a carefully crafted
invalid request. This functionality is enabled by default.
See http://httpd.apache.org/info/security_bulletin_20020617.txt for
additional details.
SGI has investigated the issues and recommends the following steps for
neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.
These issues have been corrected in IRIX 6.5.17, where we are now supplying
a fixed version of Apache. We are also making the fixed version of Apache
available on our security FTP site for prior releases of IRIX.
- --------------
- --- Impact ---
- --------------
The Apache webserver is supplied with IRIX versions since 6.5.12m/f as a
replacement for the older SGI FastTrack server. It is installed by default,
and is enabled through "chkconfig" by default.
In order to determine if the Apache webserver is installed, execute the
following command:
# versions -b | grep apache
If the following line is returned you are OK:
I sgi_apache 07/10/2002 SGI Web Server based on Apache, 1.3.26
But if either of these are returned you are vulnerable:
I sgi_apache 03/20/2001 SGI Apache Server, 1.3.17
I sgi_apache 06/10/2001 SGI Apache Server, 1.3.20
I sgi_apache 12/06/2001 SGI Web Server based on Apache, 1.3.22
These vulnerabilities might lead to a root compromise in some
configurations, and no local account is required.
These vulnerabilities have been publicly discussed in Usenet newsgroups
and mailing lists.
This vulnerability was assigned the following CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392
- ----------------------------
- --- Temporary Workaround ---
- ----------------------------
SGI acknowledges that it may not always be possible to immediately install
patches or upgrade the operating system. In those cases, we recommend
removing the Apache webserver and associated products by using the following
commands:
# versions remove sgi_apache\*
# versions remove websetup\*
# versions remove gateway\*
It is not necessary to reboot the system after doing this. You should
upgrade the operating system as soon as it is possible to do so.
- ----------------
- --- Solution ---
- ----------------
SGI has not provided a patch for these issues, but instead has rolled the
fixed Apache distribution into IRIX 6.5.17 and later releases of the
operating system.
OS Version Vulnerable? Patch # Other Actions
---------- ----------- ------- -------------
IRIX 3.x no Note 1
IRIX 4.x no Note 1
IRIX 5.x no Note 1
IRIX 6.0.x no Note 1
IRIX 6.1 no Note 1
IRIX 6.2 no Note 1
IRIX 6.3 no Note 1
IRIX 6.4 no Note 1
IRIX 6.5 no Note 2
IRIX 6.5.1 no Note 2
IRIX 6.5.2 no Note 2
IRIX 6.5.3 no Note 2
IRIX 6.5.4 no Note 2
IRIX 6.5.5 no Note 2
IRIX 6.5.6 no Note 2
IRIX 6.5.7 no Note 2
IRIX 6.5.8 no Note 2
IRIX 6.5.9 no Note 2
IRIX 6.5.10 no Note 2
IRIX 6.5.11 no Note 2
IRIX 6.5.12 yes Note 2
IRIX 6.5.13 yes sgi_apache 1.3.26 Note 2 & 3
IRIX 6.5.14 yes sgi_apache 1.3.26 Note 2 & 3
IRIX 6.5.15 yes sgi_apache 1.3.26 Note 2 & 3
IRIX 6.5.16 yes sgi_apache 1.3.26 Note 2 & 3
IRIX 6.5.17 no
NOTES
1) This version of the IRIX operating has been retired. Upgrade to an
actively supported IRIX operating system. See
http://support.sgi.com/irix/news/index.html#policy for more
information.
2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/
3) Install sgi_apache 1.3.26 which is supplied with the IRIX 6.5.17
Applications CD or available as sgi_apache-1.3.26.tar from:
ftp://patches.sgi.com/support/free/security/patches/{6.5.13-6.5.16}
##### Patch File Checksums ####
The actual patch will be a tar file containing the following files:
Filename: sgi_apache
Algorithm #1 (sum -r): 24080 5 sgi_apache
Algorithm #2 (sum): 37968 5 sgi_apache
MD5 checksum: 1EE81B8F7A8DF9ED4D9AF507EA1D2755
Filename: sgi_apache.books
Algorithm #1 (sum -r): 65292 3274 sgi_apache.books
Algorithm #2 (sum): 32822 3274 sgi_apache.books
MD5 checksum: CD6296A58A1B6F1FF2D6B212058D1C4D
Filename: sgi_apache.idb
Algorithm #1 (sum -r): 13477 281 sgi_apache.idb
Algorithm #2 (sum): 4276 281 sgi_apache.idb
MD5 checksum: 3144B64008FF66BF858434208C6BCB5B
Filename: sgi_apache.man
Algorithm #1 (sum -r): 29483 97 sgi_apache.man
Algorithm #2 (sum): 35420 97 sgi_apache.man
MD5 checksum: A7864555852DB7ACC913F049BFC46121
Filename: sgi_apache.src
Algorithm #1 (sum -r): 43010 6244 sgi_apache.src
Algorithm #2 (sum): 58317 6244 sgi_apache.src
MD5 checksum: 7D2A6A9A226327D8D9990F80635AED80
Filename: sgi_apache.sw
Algorithm #1 (sum -r): 20406 1852 sgi_apache.sw
Algorithm #2 (sum): 32509 1852 sgi_apache.sw
MD5 checksum: 371625EE5B321A76137AD1A18B23B4C0
- -------------------
- --- Information ---
- -------------------
SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/
SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/
SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/
SGI freeware updates for IRIX can be found at:
http://freeware.sgi.com/
SGI fixes for SGI open sourced code can be found on:
http://oss.sgi.com/projects/
SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/linux/ or
http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/
SGI patches for Windows NT or 2000 can be found at:
http://support.sgi.com/nt/
IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/support/patchset/
IRIX 6.5 Maintenance Release Streams can be found at:
http://support.sgi.com/colls/patches/tools/relstream/index.html
IRIX 6.5 Software Update CDs can be obtained from:
http://support.sgi.com/irix/swupdates/
The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/
For security and patch management reasons, ftp.sgi.com (mirrors
patches.sgi.com security FTP repository) lags behind and does not do a
real-time update.
- ------------------------
- --- Acknowledgments ----
- ------------------------
SGI wishes to thank Mark Litchfield, CERT, ISS and the users of the Internet
Community at large for their assistance in this matter.
- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------
If there are questions about this document, email can be sent to
security-info@sgi.com.
------oOo------
SGI provides security information and patches for use by the entire SGI
community. This information is freely available to any person needing the
information and is available via anonymous FTP and the Web.
The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/
The SGI Security Headquarters Web page is accessible at the URL:
http://www.sgi.com/support/security/
For issues with the patches on the FTP sites, email can be sent to
security-info@sgi.com.
For assistance obtaining or working with security patches, please
contact your SGI support provider.
------oOo------
SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web
(http://www.sgi.com/support/security/wiretap.html) or by sending email to
SGI as outlined below.
% mail wiretap-request@sgi.com
subscribe wiretap <YourEmailAddress>
end
^d
In the example above, <YourEmailAddress> is the email address that you wish
the mailing list information sent to. The word end must be on a separate
line to indicate the end of the body of the message. The control-d (^d) is
used to indicate to the mail program that you are finished composing the
mail message.
------oOo------
SGI provides a comprehensive customer World Wide Web site. This site is
located at http://www.sgi.com/support/security/ .
------oOo------
If there are general security questions on SGI systems, email can be sent to
security-info@sgi.com.
For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider. A support
contract is not required for submitting a security report.
______________________________________________________________________________
This information is provided freely to all interested parties
and may be redistributed provided that it is not altered in any
way, SGI is appropriately credited and the document retains and
includes its valid PGP signature.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBPS+/UrQ4cFApAP75AQHVJgQApjJG7ZUFT3S/wE7p1khZUiSxBpo1r0qc
inVeNOm1LskJAcr12rVpoKxAvl5UQA1AxeBuDJj1Om5DDN4jHI7mHbTGey4ZdFpJ
6TaewGXadi5xIW75Xh5dFnGYtmRCRSpekSt6VJzVmeYYocmkZyZ/VUjjDo2187Cv
o2LTSqrYsow=
=1pxh
-----END PGP SIGNATURE-----
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
An SGI Advisory describing this issue is available at:
- ftp://patches.sgi.com/support/free/security/advisories/20020605-01-A
ftp://patches.sgi.com/support/free/security/advisories/20020605-01-I
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sequent Computer Systems, Inc. Unknown
Notified: June 14, 2002 Updated: June 17, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sony Corporation Unknown
Notified: June 14, 2002 Updated: June 17, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Wind River Systems, Inc. Unknown
Notified: June 14, 2002 Updated: June 17, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- http://httpd.apache.org/info/security_bulletin_20020617.txt
- http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20502
- http://www.ietf.org/rfc/rfc2068.txt
- http://www.ietf.org/rfc/rfc2616.txt
- http://www.linuxsecurity.com/articles/server_security_article-5150.html
- http://www.ciac.org/ciac/bulletins/m-093.shtml
- http://www.securityfocus.com/bid/5033
- http://secunia.com/advisories/21917/
Acknowledgements
The CERT/CC thanks Mark Litchfield for reporting this vulnerability to the Apache Software Foundation, and Mark Cox for reporting this vulnerability to the CERT/CC.
This document was written by Cory F. Cohen.
Other Information
| CVE IDs: | CVE-2002-0392 |
| CERT Advisory: | CA-2002-17 |
| Severity Metric: | 53.35 |
| Date Public: | 2002-06-17 |
| Date First Published: | 2002-06-18 |
| Date Last Updated: | 2007-11-02 16:02 UTC |
| Document Revision: | 36 |