They warn of a serious hole in Apache and of how to fix it at http://www.cert.org/advisories/CA-2002-17.html

CERT® Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability
Original release date: June 17, 2002
Last revised: June 20, 2002
Source: CERT/CC
A complete revision history can be found at the end of this file.

Systems Affected

· Web servers based on Apache code versions 1.2.2 and above
· Web servers based on Apache code versions 1.3 through 1.3.24
· Web servers based on Apache code versions 2.0 through 2.0.36


There is a remotely exploitable vulnerability in the way that Apache web servers (or other web servers based on their source code) handle data encoded in chunks. This vulnerability is present by default in configurations of Apache web server versions 1.2.2 and above, 1.3 through 1.3.24, and versions 2.0 through 2.0.36. The impact of this vulnerability is dependent upon the software version and the hardware platform the server is running on.

I. Description

Apache is a popular web server that includes support for chunk-encoded data according to the HTTP 1.1 standard as described in RFC2616. There is a vulnerability in the handling of certain chunk-encoded HTTP requests that may allow remote attackers to execute arbitrary code.
The Apache Software Foundation has published an advisory describing the details of this vulnerability. This advisory is available on their web site at

Vulnerability Note VU#944335 includes a list of vendors that have been contacted about this vulnerability.

II. Impact

For Apache versions 1.2.2 through 1.3.24 inclusive, this vulnerability may allow the execution of arbitrary code by remote attackers. Exploits are publicly available that claim to allow the execution of arbitrary code.
For Apache versions 2.0 through 2.0.36 inclusive, the condition causing the vulnerability is correctly detected and causes the child process to exit. Depending on a variety of factors, including the threading model supported by the vulnerable system, this may lead to a denial-of-service attack against the Apache web server.

III. Solution

Upgrade to the latest version
The Apache Software Foundation has released two new versions of Apache that correct this vulnerability. System administrators can prevent the vulnerability from being exploited by upgrading to Apache httpd version 1.3.26 or 2.0.39.

Due to some unexpected problems with version 1.3.25, the CERT/CC has been informed by the Apache Software Foundation that the corrected version of the software is now 1.3.26. Both 1.3.26 and 2.0.39 are available on their web site at

Apply a patch from your vendor

If your vendor has provided a patch to correct this vulnerability, you may want to apply that patch rather than upgrading your version of httpd. The CERT/CC is aware of a patch from ISS that corrects some of the impacts associated with this vulnerability. System administrators are encouraged to ensure that the patch they apply is based on the code by the Apache Software Foundation that also corrects additional impacts described in this advisory.

Specific patches can be found in the vendor section of this document. Because the publication of this advisory was unexpectedly accelerated, statements from all of the affected vendors were not available at publication time. As additional information from vendors becomes available, this document will be updated.
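
For checking an inventory against the versions named above, the following added example (not part of the CERT advisory or of Apache's code) classifies `Server` banner strings using the ranges given in Sections II and III. The category names, the `classify` and `triage` helpers, and the sample hosts are assumptions made for illustration.

```python
import re

# Inclusive ranges and corrected releases exactly as stated in CA-2002-17.
CODE_EXEC = ((1, 2, 2), (1, 3, 24))   # Section II: arbitrary code execution
DENIAL = ((2, 0, 0), (2, 0, 36))      # Section II: child exits, possible DoS
CORRECTED = {(1, 3): (1, 3, 26), (2, 0): (2, 0, 39)}  # Section III

# Only a full major.minor.patch banner can be placed in a range.
BANNER = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)\b")


def classify(banner):
    """Map a Server header value to a category derived from the advisory."""
    m = BANNER.search(banner)
    if not m:
        return "unknown"  # hidden, truncated or rebranded banner
    v = tuple(int(x) for x in m.groups())
    if CODE_EXEC[0] <= v <= CODE_EXEC[1]:
        return "affected-code-execution"
    if DENIAL[0] <= v <= DENIAL[1]:
        return "affected-denial-of-service"
    fixed = CORRECTED.get(v[:2])
    if fixed is None:
        return "outside-advisory-scope"
    # e.g. 1.3.25, which the advisory says was superseded by 1.3.26
    return "corrected-release" if v >= fixed else "below-corrected-release"


def triage(inventory):
    """Group hosts by category; inventory is an iterable of (host, banner)."""
    groups = {}
    for host, banner in inventory:
        groups.setdefault(classify(banner), []).append(host)
    return groups


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE = [
    ("web1.example", "Apache/1.3.24 (Unix) mod_ssl/2.8.8"),
    ("web2.example", "Apache/2.0.36 (Unix)"),
    ("web3.example", "Apache/1.3.25"),
    ("web4.example", "Apache/1.3.26 (Unix)"),
    ("web5.example", "Apache"),
]

if __name__ == "__main__":
    for category, hosts in sorted(triage(SAMPLE).items()):
        print(f"{category}: {', '.join(hosts)}")
```

A banner only reports a version string: a build carrying a vendor patch may still report an affected version, so hosts in the affected categories should be checked against the vendor's patch status before being counted as vulnerable.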