search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Buffer Overflow in mod_ssl

Vulnerability Note VU#104555

Original Release Date: 2003-04-17 | Last Revised: 2003-06-17

Overview

A buffer overflow exists in mod_ssl.

Description

mod_ssl is an Apache module that allows secure connections over X.509 authenticated channels. A buffer overflow exists in the ssl_compat_directive() function. For more detailed information, please see the original vulnerability report.

Impact

A local attacker can execute arbitrary code with the privileges of the web server. Additionally, an attacker may be able to add bogus entries to multiple web server log files. An attacker may also be able to slow down or even stop the web server.

Solution

Apply a patch from your vendor.

Do not allow per-directory config files. To accomplish this, set the AllowOverride directive to "none" in the httpd.conf file. As a reminder, you must restart the web server for the changes to take effect.

Vendor Information

104555
 
Expand all

Apple Computer Inc. Affected

Updated:  April 30, 2003

Status

Affected

Vendor Statement

This is fixed in Security Update 2002-08-02. Further information is available from:

http://docs.info.apple.com/article.html?artnum=61798

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva Affected

Updated:  July 08, 2002

Status

Affected

Vendor Statement

Please see http://lwn.net/Articles/3951/.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian Affected

Updated:  April 30, 2003

Status

Affected

Vendor Statement

This vulnerability was fixed in DSA-135 (02 Jul 2002):

http://www.debian.org/security/2002/dsa-135

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Engarde Affected

Updated:  April 17, 2003

Status

Affected

Vendor Statement

http://mail-archives.engardelinux.org/engarde-users/2002/Jul/0009.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company Affected

Updated:  April 17, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://www.securityfocus.com/advisories/4298.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Affected

Updated:  June 17, 2003

Status

Affected

Vendor Statement

The AIX operating system does not ship with mod_ssl. However, mod_ssl is available for installation on AIX from the Linux Affinity Toolbox.

Users using mod_ssl 2.8.10 are later are not vulnerable to the issues discussed in CERT Vulnerability Note VU#104555 and any advisories which follow.

This vulnerability is present in mod_ssl 2.8.9 and earlier; users are urged to upgrade as soon as possible.

The Linux Affinity Toolbox is available at:

http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

This software is offered on an "as-is" and is unwarranted.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc. Affected

Updated:  April 30, 2003

Status

Affected

Vendor Statement

A number of Red Hat products included mod_ssl packages vulnerable to this issue. Updated packages are available along with our advisories at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.

Red Hat Linux:
http://rhn.redhat.com/errata/RHSA-2002-134.html
Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2002-136.html
Stronghold 3:
http://rhn.redhat.com/errata/RHSA-2002-164.html
Stronghold 4 (cross-platform):
http://rhn.redhat.com/errata/RHSA-2002-146.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO Affected

Updated:  April 17, 2003

Status

Affected

Vendor Statement

ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.31/CSSA-2002-SCO.31.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The mod_ssl project Affected

Updated:  July 08, 2002

Status

Affected

Vendor Statement

Please see http://www.mail-archive.com/modssl-users@modssl.org/msg14451.html.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Extreme Networks Not Affected

Updated:  May 01, 2003

Status

Not Affected

Vendor Statement

Extreme Networks software suite is not vulnerable to the attack explained in VU#10455, as it does not include the Webserver implementation from Apache. Investigation and testing by Extreme Network engineering reveals the current Webserver implementation in Extreme Networks software suite is not vulnerable to the attack explained in VU#104555.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Foundry Networks Inc. Not Affected

Updated:  May 07, 2003

Status

Not Affected

Vendor Statement

Foundry Networks has tested for this vulnerability and is not affected by the buffer overflow in mod_ssl as described in VU#104555.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hitachi Not Affected

Updated:  May 08, 2003

Status

Not Affected

Vendor Statement

Hitachi Web Server is NOT Vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ingrian Networks Not Affected

Updated:  May 02, 2003

Status

Not Affected

Vendor Statement

Ingrian Networks products are not vulnerable to VU#104555.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI Not Affected

Updated:  April 30, 2003

Status

Not Affected

Vendor Statement

The mod_ssl that SGI just started shipping as a supported offering, in IRIX 6.5.20, is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Xerox Corporation Not Affected

Updated:  May 30, 2003

Status

Not Affected

Vendor Statement

A response to this vulnerability is available from our web site: http://www.xerox.com/security.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General Unknown

Notified:  April 29, 2003 Updated: April 29, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NeXT Unknown

Notified:  April 29, 2003 Updated: April 29, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc. Unknown

Updated:  May 08, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 18 vendors View less vendors


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was discovered by Frank Denis.

This document was written by Ian A Finlay.

Other Information

CVE IDs: CVE-2002-0653
Severity Metric: 23.63
Date Public: 2002-06-24
Date First Published: 2003-04-17
Date Last Updated: 2003-06-17 16:38 UTC
Document Revision: 35

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis