Apache-SSL for Apache Web Server Has Buffer Overflow That Can Be Triggered By Remote Users
SecurityTracker Alert ID: 1003723|
SecurityTracker URL: http://securitytracker.com/id/1003723
(Links to External Site)
Date: Mar 3 2002
Execution of arbitrary code via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): prior to 1.3.22+1.46|
A vulnerability was reported in the Apache-SSL package for the Apache web server. A remote user may be able to overflow a buffer to potentially execute arbitrary code on the web server. [This vulnerability also affects mod_ssl, as was reported in a previous alert.]|
It is reported that a remote user may be able to trigger a buffer overflow in the DBM and SHMHT session cache by using very large certificate chains. This is reportedly due to the unbounded nature of ASN.1 representations that could overflow a large but statically allocated buffer.
This vulnerability reportedly only affects configurations that use client-side certificates.
It is not yet clear if remote code execution is feasible.
A remote user may be able to trigger a buffer overflow in Apache-SSL. It is not yet clear if remote code execution is feasible.|
The vendor has released a fix (1.3.22+1.46), available at locations listed on:|
Vendor URL: www.apache-ssl.org/advisory-20020301.txt (Links to External Site)
Linux (Any), UNIX (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Date: Fri, 01 Mar 2002 11:47:36 +0000|
Subject: Apache-SSL buffer overflow (fix available)
Apache-SSL buffer overflow condition (all versions prior to 1.3.22+1.46)
A buffer overflow was recently found in mod_ssl, see:
for details. The offending code in mod_ssl was, in fact, derived from
Apache-SSL, and Apache-SSL is also vulnerable.
As in mod_ssl, this flaw can only be exploited if client certificates
are being used, and the certificate in question must be issued by a
Download Apache-SSL 1.3.22+1.46 from the usual places (see
Thanks to Ed Moyle for finding the flaw.
No thanks to anyone at all for alerting me before going
public. Cheers, guys.
This advisory can be found at:
A mirror which definitely has the new version:
Ben Laurie, March 1, 2002.
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff