Boletines de Vulnerabilidades

int(896)

Boletines de Vulnerabilidades

Denegación de servicio en Apache 2.0
Clasificación de la vulnerabilidad
Propiedad	Valor
Nivel de Confianza	Oficial
Impacto	Denegación de Servicio
Dificultad	Principiante
Requerimientos del atacante	Acceso remoto sin cuenta a un servicio estandar
Información sobre el sistema
Propiedad	Valor
Fabricant afectat	GNU/Linux
Software afectado	Apache 2.0 <=2.0.49 HP-UX B.11.00 & hpuxwsAPACHE HP-UX HP-UX B.11.11 & hpuxwsAPACHE HP-UX HP-UX B.11.22 & hpuxwsAPACHE HP-UX HP-UX B.11.23 & hpuxwsAPACHE HP-UX
Descripción
Se ha descubierto una vulnerabilidad en la versión 2.0.49 y anteriores de la rama 2.0 de Apache. La vulnerabilidad reside en el manejo de cabeceras muy largas que empiecen con un tabulador o un espacio ya que Apache reservará más memoria de la disponible para tratarlas. Además en sistemas de 64 bits y más de 4GB de memoria virtual el problema puede llevar a un desbordamiento de búfer (en la zona de heap) que podría ser explotable remotamente para ejecutar código arbitrario. La explotación de esta vulnerabilidad podría permitir a un atacante remoto crear una situación de denegación de servicio de Apache mediante el envío de peticiones que incluyan cabeceras especialmente diseñadas.
Solución
Si lo desea, aplique los mecanismos de actualización propios de su distribución, o bien baje las fuentes del software y compílelo usted mismo. Actualización de software Apache Apache httpd 2.0.50 http://httpd.apache.org/download.cgi Mandrake Linux Mandrakelinux 9.1 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-common-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-devel-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-manual-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-mod_dav-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-mod_ldap-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-mod_ssl-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-modules-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-source-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/libapr0-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/SRPMS/apache2-2.0.47-1.9.91mdk.src.rpm PPC ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-common-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-devel-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-manual-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-mod_dav-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-mod_ldap-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-mod_ssl-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-modules-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-source-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/libapr0-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/SRPMS/apache2-2.0.47-1.9.91mdk.src.rpm Mandrakelinux 9.2 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-common-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-devel-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-manual-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_cache-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_dav-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_deflate-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_disk_cache-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_file_cache-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_ldap-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_mem_cache-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_proxy-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_ssl-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-modules-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-source-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/libapr0-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/SRPMS/apache2-2.0.47-6.6.92mdk.src.rpm AMD64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-common-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-devel-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-manual-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_cache-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_dav-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_deflate-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_disk_cache-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_file_cache-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_ldap-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_mem_cache-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_proxy-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_ssl-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-modules-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-source-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/lib64apr0-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/SRPMS/apache2-2.0.47-6.6.92mdk.src.rpm Mandrakelinux 10.0 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-common-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-devel-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-manual-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_cache-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_dav-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_deflate-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_disk_cache-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_file_cache-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_ldap-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_mem_cache-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_proxy-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_ssl-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-modules-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-source-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/libapr0-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/SRPMS/apache2-2.0.48-6.3.100mdk.src.rpm AMD64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-common-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-devel-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-manual-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_cache-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_dav-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_deflate-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_disk_cache-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_file_cache-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_ldap-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_mem_cache-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_proxy-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_ssl-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-modules-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-source-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/lib64apr0-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/SRPMS/apache2-2.0.48-6.3.100mdk.src.rpm Red Hat Linux Red Hat Desktop (v. 3) AMD64 httpd-2.0.46-32.ent.3.x86_64.rpm httpd-devel-2.0.46-32.ent.3.x86_64.rpm mod_ssl-2.0.46-32.ent.3.x86_64.rpm SRPMS httpd-2.0.46-32.ent.3.src.rpm i386 httpd-2.0.46-32.ent.3.i386.rpm httpd-devel-2.0.46-32.ent.3.i386.rpm mod_ssl-2.0.46-32.ent.3.i386.rpm https://rhn.redhat.com/ Red Hat Enterprise Linux AS (v. 3) AMD64 httpd-2.0.46-32.ent.3.x86_64.rpm httpd-devel-2.0.46-32.ent.3.x86_64.rpm mod_ssl-2.0.46-32.ent.3.x86_64.rpm SRPMS httpd-2.0.46-32.ent.3.src.rpm i386 httpd-2.0.46-32.ent.3.i386.rpm httpd-devel-2.0.46-32.ent.3.i386.rpm mod_ssl-2.0.46-32.ent.3.i386.rpm ia64 httpd-2.0.46-32.ent.3.ia64.rpm httpd-devel-2.0.46-32.ent.3.ia64.rpm mod_ssl-2.0.46-32.ent.3.ia64.rpm ppc httpd-2.0.46-32.ent.3.ppc.rpm httpd-devel-2.0.46-32.ent.3.ppc.rpm mod_ssl-2.0.46-32.ent.3.ppc.rpm s390 httpd-2.0.46-32.ent.3.s390.rpm httpd-devel-2.0.46-32.ent.3.s390.rpm mod_ssl-2.0.46-32.ent.3.s390.rpm s390x httpd-2.0.46-32.ent.3.s390x.rpm httpd-devel-2.0.46-32.ent.3.s390x.rpm mod_ssl-2.0.46-32.ent.3.s390x.rpm https://rhn.redhat.com/ Red Hat Enterprise Linux ES (v. 3) AMD64 httpd-2.0.46-32.ent.3.x86_64.rpm httpd-devel-2.0.46-32.ent.3.x86_64.rpm mod_ssl-2.0.46-32.ent.3.x86_64.rpm SRPMS httpd-2.0.46-32.ent.3.src.rpm i386 httpd-2.0.46-32.ent.3.i386.rpm httpd-devel-2.0.46-32.ent.3.i386.rpm mod_ssl-2.0.46-32.ent.3.i386.rpm ia64 httpd-2.0.46-32.ent.3.ia64.rpm httpd-devel-2.0.46-32.ent.3.ia64.rpm mod_ssl-2.0.46-32.ent.3.ia64.rpm https://rhn.redhat.com/ Red Hat Enterprise Linux WS (v. 3) AMD64 httpd-2.0.46-32.ent.3.x86_64.rpm httpd-devel-2.0.46-32.ent.3.x86_64.rpm mod_ssl-2.0.46-32.ent.3.x86_64.rpm SRPMS httpd-2.0.46-32.ent.3.src.rpm i386 httpd-2.0.46-32.ent.3.i386.rpm httpd-devel-2.0.46-32.ent.3.i386.rpm mod_ssl-2.0.46-32.ent.3.i386.rpm ia64 httpd-2.0.46-32.ent.3.ia64.rpm httpd-devel-2.0.46-32.ent.3.ia64.rpm mod_ssl-2.0.46-32.ent.3.ia64.rpm https://rhn.redhat.com/ HP-UX Descargue una versión actualizada del software http://software.hp.com Apple Mac OS X Server 10.2.8 http://www.apple.com/support/downloads//securityupdate_2004-09-07_(10_2_8_Server).html Mac OS X Server 10.3.4 http://www.apple.com/support/downloads//securityupdate_2004-09-07_(10_3_4_Server).html Mac OS X Server 10.3.5 http://www.apple.com/support/downloads//securityupdate_2004-09-07_(10_3_5_Server).html
Identificadores estándar
Propiedad	Valor
CVE	CAN-2004-0493
BID
Recursos adicionales
Overview of security vulnerabilities in Apache httpd 2.0 http://www.apacheweek.com/features/security-20 Georgi Guninski security advisory #70, 2004 http://www.guninski.com/httpd1.html Mandrakesoft Security Advisory MDKSA-2004:064 http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:064 Red Hat Security Advisory RHSA-2004:342-10 https://rhn.redhat.com/errata/RHSA-2004-342.html HP security advisory HPSBUX01064 http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01064 Apple Security Update 2004-09-07 http://docs.info.apple.com/article.html?artnum=61798

Histórico de versiones
Versión	Comentario	Data
1.0	Aviso emitido	2004-06-29
1.1	Aviso emitido por Mandrake (MDKSA-2004:064)	2004-06-30
1.2	Publicado Apache 2.0.50	2004-07-02
1.3	Aviso emitido por Red Hat (RHSA-2004:342-10)	2004-07-06
2.0	Exploit público disponible	2004-07-22
2.1	Aviso emitido por HP (HPSBUX01064)	2004-08-09
2.2	Aviso emitido por Apple (2004-09-07)	2004-09-08

Boletines de Vulnerabilidades

Denegación de servicio en Apache 2.0

Clasificación de la vulnerabilidad

Información sobre el sistema

Descripción

Solución

Identificadores estándar

Recursos adicionales

Histórico de versiones