Apache HTTP Server mod_proxy Content-Length buffer overflow

apache-modproxy-contentlength-bo (16387) Risk level: High

Description:

Apache HTTP Server is vulnerable to a buffer overflow in the mod_proxy module. By supplying a specially-crafted negative Content-Length value, a remote attacker could overflow a buffer and cause a denial of service or possibly execute arbitrary code on the system.
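The input check that prevents this class of bug, as an added example that is not the Apache patch or Apache code: a Content-Length parser that treats the header as an unsigned decimal and rejects negative or malformed values before the number is ever used as a buffer size. The naive helper beside it shows why a signed conversion is dangerous: a negative value cast to size_t becomes an enormous length. Function names and sample values are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive path: signed conversion, then use as an unsigned size. "-1" becomes
 * SIZE_MAX after the cast, larger than any buffer the proxy could own. */
size_t naive_content_length(const char *hdr)
{
    int len = atoi(hdr);   /* "-1" -> -1, no error reporting */
    return (size_t)len;    /* -1 -> SIZE_MAX */
}

/* Hardened path: accept only ASCII digits (no sign, no whitespace, no trailing
 * junk) and fail on overflow. Returns 0 and fills *out on success, -1 otherwise.
 * Assumes the caller has already stripped the header's surrounding whitespace. */
int parse_content_length(const char *hdr, size_t *out)
{
    size_t value = 0;
    const char *p;

    if (hdr == NULL || *hdr == '\0')
        return -1;                               /* missing or empty value */
    for (p = hdr; *p != '\0'; p++) {
        if (*p < '0' || *p > '9')
            return -1;                           /* rejects "-1", "+5", "12a" */
        size_t digit = (size_t)(*p - '0');
        if (value > (SIZE_MAX - digit) / 10)
            return -1;                           /* would wrap past SIZE_MAX */
        value = value * 10 + digit;
    }
    *out = value;
    return 0;
}

int main(void)
{
    /* Constructed header values; the second is the advisory's negative case. */
    const char *samples[] = { "1024", "-1", "12a" };
    for (size_t i = 0; i < 3; i++) {
        size_t n;
        if (parse_content_length(samples[i], &n) == 0)
            printf("%-5s accepted, length %zu\n", samples[i], n);
        else
            printf("%-5s rejected (naive cast would yield %zu)\n",
                   samples[i], naive_content_length(samples[i]));
    }
    return 0;
}
```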


Consequences:

Gain Access

Remedy:

Apply the patch for this vulnerability, as listed in apache-httpd-dev Mailing List posting dated 2004-06-10 13:08:51. See References.

For Red Hat Linux:
Upgrade to the latest apache package, as listed below. Refer to RHSA-2004:245-14 for more information. See References.

Red Hat Enterprise Linux AS (v. 2.1), ES (v. 2.1), WS (v. 2.1), and Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor: 1.3.27-8.ent or later.

For OpenPKG:
Upgrade to the latest apache package, as listed in OpenPKG Security Advisory OpenPKG-SA-2004.029-apache. See References.

For OpenPKG CURRENT: 1.3.31-20040611 or later
For OpenPKG 2.0: 1.3.29-2.0.3 or later
For OpenPKG 1.3: 1.3.28-1.3.5 or later

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest apache package (1.3.26-0woody5 or later), as listed in DSA-525-1. See References.

For Gentoo Linux Security:
Upgrade to the latest version of apache (1.3.31-r2 or later), as listed in GLSA 200406-16. See References.

For Mandrake Linux:
Upgrade to the latest apache package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2004:065 : apache for more information. See References.

Mandrake Linux 9.1: 1.3.27-8.3.91mdk or later
Mandrake Linux 9.2: 1.3.28-3.3.92mdk or later
Mandrake Linux Corporate Server 2.1: 1.3.26-7.2.C21mdk or later
Mandrake Linux 10.0: 1.3.29-1.2.100mdk or later

For HP-UX 11.04:
Upgrade to the appropriate version of apache, as listed in Hewlett-Packard Company Security Bulletin HPSBUX01057. See References.

For Sun Solaris:
Apply the appropriate patch for your system, as listed below. Refer to Sun Alert ID: 57628 for more information. See References.

SPARC Platform
Solaris 8 with patch 116973-01 or later
Solaris 9 with patch 113146-05 or later

x86 Platform
Solaris 8 with patch 116974-01 or later
Solaris 9 with patch 114145-04 or later

For Slackware Linux:
Upgrade to the latest apache, mod_ssl or php package, as listed in the slackware-security Mailing List posting of Mon, 25 Oct 2004 17:40:01 -0700 (PDT). See References.

For Trustix Secure Linux:
Upgrade to the latest apache package, as listed in Trustix Secure Linux Security Advisory #2004-0056. See References.

For Turbolinux:
Upgrade to the latest apache package, as listed below. Refer to Turbolinux Security Advisory TLSA-2004-31 for more information. See References.

Turbolinux Appliance Server 1.0 Hosting Edition, Turbolinux Appliance Server 1.0 Workgroup Edition, Turbolinux 8 Server, Turbolinux 8 Workstation, Turbolinux 7 Server, Turbolinux 7 Workstation: 1.3.27-26 or later.

For HP-UX 11.00, 11.11, 11.22, and 11.20:
Apply the appropriate patch for your system, as listed in Hewlett-Packard Company Security Bulletin HPSBUX01098. See References.

For Mac OS:
Apply Security Update 2004-12-02, as listed in AppleCare Knowledge Base Document 61798. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

Platforms Affected:

  • Apache HTTP Server 1.3.26
  • Apache HTTP Server 1.3.27
  • Apache HTTP Server 1.3.28
  • Apache HTTP Server 1.3.29
  • Apache HTTP Server 1.3.31
  • Apple Mac OS X 10.2.8
  • Apple Mac OS X 10.3.6
  • Apple Mac OS X Server 10.2.8
  • Apple Mac OS X Server 10.3.6
  • Debian Debian Linux 3.0
  • Gentoo Linux
  • HP HP-UX 11.00
  • HP HP-UX 11.04
  • HP HP-UX 11.11
  • HP HP-UX 11.20
  • HP HP-UX 11.22
  • IBM HTTP Server 1.3.26
  • IBM HTTP Server 1.3.28
  • MandrakeSoft Mandrake Linux 10.0 AMD64
  • MandrakeSoft Mandrake Linux 10.0
  • MandrakeSoft Mandrake Linux 9.1
  • MandrakeSoft Mandrake Linux 9.1 PPC
  • MandrakeSoft Mandrake Linux 9.2 AMD64
  • MandrakeSoft Mandrake Linux 9.2
  • MandrakeSoft Mandrake Linux Corporate Server 2.1
  • MandrakeSoft Mandrake Linux Corporate Server 2.1 X86_64
  • Novell Linux Desktop 9
  • OpenPKG OpenPKG 1.3
  • OpenPKG OpenPKG 2.0
  • OpenPKG OpenPKG CURRENT
  • RedHat Enterprise Linux 2.1 AW
  • RedHat Enterprise Linux 2.1 WS
  • RedHat Enterprise Linux 2.1 ES
  • RedHat Enterprise Linux 2.1 AS
  • RedHat Linux Advanced Workstation 2.1 Itanium
  • Slackware Slackware Linux 10.0
  • Slackware Slackware Linux 8.1
  • Slackware Slackware Linux 9.0
  • Slackware Slackware Linux 9.1
  • Slackware Slackware Linux current
  • Sun Solaris 8
  • Sun Solaris 9
  • SuSE Linux Enterprise Server 8
  • SuSE Linux Enterprise Server 9
  • SUSE SuSE Linux 8.1
  • SUSE SuSE Linux 8.2
  • SUSE SuSE Linux 9.0
  • SUSE SuSE Linux 9.1
  • SUSE SuSE Linux 9.2
  • SuSE SuSE Linux Desktop 1.0
  • Trustix Secure Linux 1.5
  • Turbolinux Turbolinux 7 Server
  • Turbolinux Turbolinux 7 Workstation
  • Turbolinux Turbolinux 8 Server
  • Turbolinux Turbolinux 8 Workstation
  • Turbolinux Turbolinux Appliance Server 1.0
  • Turbolinux Turbolinux Appliance Server 1.0 Hosting Ed
  • Turbolinux Turbolinux Appliance Server 1.0 Workgroup Ed

Reported:

Jun 10, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net