Apache HTTP Server ab.c ApacheBench long response buffer overflow

apache-apachebench-response-bo (10281)

High Risk

Description:

Apache HTTP Server is vulnerable to several buffer overflows in the ApacheBench (ab.c) support program. By sending an overly long response to ab.c, a remote attacker in control of a malicious Web server could overflow a buffer and cause the server to crash or execute arbitrary code on the system.

Note: This vulnerability also affects Oracle HTTP Server (OHS) in Oracle Database Server and Oracle9i Application Server. Refer to Oracle Security Alert #45 for more information. See References.

Platforms Affected:

• Apache, HTTP Server 1.3
• Apache, HTTP Server 1.3.1
• Apache, HTTP Server 1.3.11
• Apache, HTTP Server 1.3.12
• Apache, HTTP Server 1.3.14
• Apache, HTTP Server 1.3.17
• Apache, HTTP Server 1.3.18
• Apache, HTTP Server 1.3.19
• Apache, HTTP Server 1.3.20
• Apache, HTTP Server 1.3.22
• Apache, HTTP Server 1.3.23
• Apache, HTTP Server 1.3.24
• Apache, HTTP Server 1.3.25
• Apache, HTTP Server 1.3.26
• Apache, HTTP Server 1.3.3
• Apache, HTTP Server 1.3.4
• Apache, HTTP Server 1.3.6
• Apache, HTTP Server 1.3.9
• Oracle, Application Server 1.0.2
• Oracle, Application Server 1.0.2.1s
• Oracle, Application Server 1.0.2.2
• Oracle, Application Server 9.0.2 R2
• Oracle, Application Server 9.0.2
• Oracle, Database Server 8.1.7
• Oracle, Database Server 8.1.7.0.0 Enterprise
• Oracle, Database Server 8.1.7.1
• Oracle, Database Server 8.1.7.1.0 Enterprise
• Oracle, Database Server 9.2.2 R2
• Oracle, Reports 9.0.2
• Oracle, Reports 9.0.2.1
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Linux Advanced Workstation 2.1 Itanium
• RedHat, Stronghold

Remedy:

Upgrade to the latest version of Apache HTTP Server (1.3.27 or later), available from the Apache Web site. See References.

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

Gain Access

References:

• Apache HTTP Server Project Web site, Apache 1.3.27 Released at http://www.apache.org/dist/httpd/Announcement.txt.
• Apache Web site, Welcome! - The Apache HTTP Server Project at http://httpd.apache.org/.
• ApacheWeek, Issue 311, 4th October 2002, Security Reports at http://www.apacheweek.com/issues/02-10-04.
• BugTraq Mailing List, Wed Oct 16 2002 - 17:32:26 CDT , Apache 1.3.26 at http://archives.neohapsis.com/archives/bugtraq/2002-10/0229.html.
• CIAC Information Bulletin N-005, Apache 1.3.27 HTTP Server Release at http://www.ciac.org/ciac/bulletins/n-005.shtml.
• CIAC Information Bulletin N-005, Apache 1.3.27 HTTP Server Release [REVISED 7 July 2004] at http://www.ciac.org/ciac/bulletins/n-005.shtml.
• Conectiva Linux Announcement CLSA-2002:530, DoS and other vulnerabilities at http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000530.
• Oracle Security Alert #45, Security Release of Apache 1.3.27 at http://otn.oracle.com/deploy/security/pdf/2002alert45rev1.pdf.
• SCO Security Advisory CSSA-2002-056.0, Linux: apache vulnerabilities in shared memory, DNS, and ApacheBench at http://www.linuxsecurity.com/content/view/104390/98/.
• SCO Security Advisory CSSA-2003-SCO.10.1, OpenServer 5.0.5 OpenServer 5.0.6 : Various security fixes for Apache. at http://www.linuxsecurity.com/content/view/105346/98/. (From LinuxSecurity archive)
• BID-5887: Apache AB.C Web Benchmarking Buffer Overflow Vulnerabilities
• BID-5955: Linux-HA Heartbeat Remote Buffer Overflow Vulnerability
• BID-5995: Apache AB.C Web Benchmarking Read_Connection() Buffer Overflow Vulnerability
• BID-5996: Apache AB.C Web Benchmarking Buffer Overflow Vulnerability
• CVE-2002-0843: Buffer overflows in the ApacheBench benchmark support program (ab.c) in Apache before 1.3.27, and Apache 2.x before 2.0.43, allow a malicious web server to cause a denial of service and possibly execute arbitrary code via a long response.
• DSA-187: apache -- several vulnerabilities
• DSA-188: apache-ssl -- several vulnerabilities
• DSA-195: apache-perl -- several vulnerabilities
• MDKSA-2002:068: Updated apache packages fix multiple vulnerabilities
• MDKSA-2002:068-1: Updated apache packages fix multiple vulnerabilities
• MDKSA-2003:024: Updated packages fix multiple vulnerabilities
• OpenPKG-SA-2002.009: Apache
• RHSA-2002-222: Updated apache
• RHSA-2002-248: apache
• RHSA-2002-251: apache security update
• RHSA-2003-106: Updated apache and mod_ssl packages available
• SA21425: IBM HMC Apache Buffer Overflow Vulnerability
• VUPEN/ADV-2006-3263: IBM Hardware Management Console (HMC) Remote Buffer Overflow Vulnerability

Reported:

Oct 03, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page