{"vuid":"VU#944335","idnumber":"944335","name":"Apache web servers fail to handle chunks with a negative size","keywords":["Apache","chunked encoding","negative size","http","httpd"],"overview":"There is a remotely exploitable vulnerability in the way that Apache web servers (or other web servers based on their source code) handle data encoded in chunks. This vulnerability is present by default in configurations of Apache web server versions 1.2.2 and above, 1.3 through 1.3.24, and versions 2.0 through 2.0.36. The impact of this vulnerability is dependent upon the software version and the hardware platform the server is running on.","clean_desc":"Apache is a popular web server that includes support for chunk-encoded data according to the HTTP 1.1 standard as described in RFC2616. There is a vulnerability in the handling of certain chunk-encoded HTTP requests that may allow remote attackers to execute arbitrary code. The Apache Software Foundation has published an advisory describing the details of this vulnerability. This advisory is available on their web site at http://httpd.apache.org/info/security_bulletin_20020617.txt","impact":"For Apache versions 1.2.2 through 1.3.24 inclusive, this vulnerability may allow the execution of arbitrary code by remote attackers. Exploits are publicly available that claim to allow the execution of arbitrary code. For Apache versions 2.0 through 2.0.36 inclusive, the condition causing the vulnerability is correctly detected and causes the child process to exit. Depending on a variety of factors, including the threading model supported by the vulnerable system, this may lead to a denial-of-service attack against the Apache web server.","resolution":"Upgrade to the latest version: The Apache Software Foundation has released two new versions of Apache that correct this vulnerability. System administrators can prevent the vulnerability from being exploited by upgrading to Apache version 1.3.26 or 2.0.39. Due to some unexpected problems with version 1.3.25, the CERT/CC has been informed by the Apache Software Foundation that the corrected version of the software is now 1.3.26. Both 1.3.26 and 2.0.39 are available on their web site at http://www.apache.org/dist/httpd/ Apply a patch from your vendor: If your vendor has provided a patch to correct this vulnerability, you may want to apply that patch rather than upgrading your version of httpd. The CERT/CC is aware of a patch from ISS that corrects some of the impacts associated with this vulnerability. System administrators are encouraged to ensure that the patch they apply is based on the code by the Apache Software Foundation that also corrects additional impacts described in this advisory. More information about vendor-specific patches can be found in the vendor section of this document.","workarounds":"","sysaffected":"","thanks":"The CERT/CC thanks Mark Litchfield for reporting this vulnerability to the Apache Software Foundation, and Mark Cox for reporting this vulnerability to the CERT/CC.","author":"This document was written by Cory F. Cohen.","public":["http://httpd.apache.org/info/security_bulletin_20020617.txt","http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20502","http://www.ietf.org/rfc/rfc2068.txt","http://www.ietf.org/rfc/rfc2616.txt","http://www.linuxsecurity.com/articles/server_security_article-5150.html","http://www.ciac.org/ciac/bulletins/m-093.shtml","http://www.securityfocus.com/bid/5033","http://secunia.com/advisories/21917/"],"cveids":["CVE-2002-0392"],"certadvisory":"CA-2002-17","uscerttechnicalalert":null,"datecreated":"2002-06-17T20:16:54Z","publicdate":"2002-06-17T00:00:00Z","datefirstpublished":"2002-06-18T01:38:31Z","dateupdated":"2007-11-02T16:02:53Z","revision":36,"vrda_d1_directreport":"0","vrda_d1_population":"4","vrda_d1_impact":"3","cam_widelyknown":"16","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"16","cam_impact":"19","cam_easeofexploitation":"18","cam_attackeraccessrequired":"20","cam_scorecurrent":"53.352","cam_scorecurrentwidelyknown":"61.56","cam_scorecurrentwidelyknownexploited":"102.6","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":53.352,"vulnote":null}