Boletines de Vulnerabilidades |
Denegación de servicio en Apache 2.0 |
|
Clasificación de la vulnerabilidad |
|
Propiedad | Valor |
Nivel de Confianza | Oficial |
Impacto | Denegación de Servicio |
Dificultad | Principiante |
Requerimientos del atacante | Acceso remoto sin cuenta a un servicio estandar |
Información sobre el sistema |
|
Propiedad | Valor |
Fabricant afectat | GNU/Linux |
Software afectado |
Apache 2.0 <=2.0.49 HP-UX B.11.00 & hpuxwsAPACHE HP-UX HP-UX B.11.11 & hpuxwsAPACHE HP-UX HP-UX B.11.22 & hpuxwsAPACHE HP-UX HP-UX B.11.23 & hpuxwsAPACHE HP-UX |
Descripción |
|
Se ha descubierto una vulnerabilidad en la versión 2.0.49 y anteriores de la rama 2.0 de Apache. La vulnerabilidad reside en el manejo de cabeceras muy largas que empiecen con un tabulador o un espacio ya que Apache reservará más memoria de la disponible para tratarlas. Además en sistemas de 64 bits y más de 4GB de memoria virtual el problema puede llevar a un desbordamiento de búfer (en la zona de heap) que podría ser explotable remotamente para ejecutar código arbitrario. La explotación de esta vulnerabilidad podría permitir a un atacante remoto crear una situación de denegación de servicio de Apache mediante el envío de peticiones que incluyan cabeceras especialmente diseñadas. |
|
Solución |
|
Si lo desea, aplique los mecanismos de actualización propios de su distribución, o bien baje las fuentes del software y compílelo usted mismo. Actualización de software Apache Apache httpd 2.0.50 http://httpd.apache.org/download.cgi Mandrake Linux Mandrakelinux 9.1 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-common-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-devel-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-manual-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-mod_dav-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-mod_ldap-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-mod_ssl-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-modules-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache2-source-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/libapr0-2.0.47-1.9.91mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/SRPMS/apache2-2.0.47-1.9.91mdk.src.rpm PPC ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-common-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-devel-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-manual-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-mod_dav-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-mod_ldap-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-mod_ssl-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-modules-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache2-source-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/libapr0-2.0.47-1.9.91mdk.ppc.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/SRPMS/apache2-2.0.47-1.9.91mdk.src.rpm Mandrakelinux 9.2 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-common-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-devel-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-manual-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_cache-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_dav-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_deflate-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_disk_cache-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_file_cache-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_ldap-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_mem_cache-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_proxy-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-mod_ssl-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-modules-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache2-source-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/libapr0-2.0.47-6.6.92mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/SRPMS/apache2-2.0.47-6.6.92mdk.src.rpm AMD64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-common-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-devel-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-manual-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_cache-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_dav-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_deflate-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_disk_cache-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_file_cache-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_ldap-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_mem_cache-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_proxy-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-mod_ssl-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-modules-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache2-source-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/lib64apr0-2.0.47-6.6.92mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/SRPMS/apache2-2.0.47-6.6.92mdk.src.rpm Mandrakelinux 10.0 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-common-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-devel-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-manual-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_cache-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_dav-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_deflate-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_disk_cache-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_file_cache-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_ldap-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_mem_cache-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_proxy-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-mod_ssl-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-modules-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache2-source-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/libapr0-2.0.48-6.3.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/SRPMS/apache2-2.0.48-6.3.100mdk.src.rpm AMD64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-common-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-devel-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-manual-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_cache-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_dav-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_deflate-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_disk_cache-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_file_cache-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_ldap-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_mem_cache-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_proxy-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-mod_ssl-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-modules-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache2-source-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/lib64apr0-2.0.48-6.3.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/SRPMS/apache2-2.0.48-6.3.100mdk.src.rpm Red Hat Linux Red Hat Desktop (v. 3) AMD64 httpd-2.0.46-32.ent.3.x86_64.rpm httpd-devel-2.0.46-32.ent.3.x86_64.rpm mod_ssl-2.0.46-32.ent.3.x86_64.rpm SRPMS httpd-2.0.46-32.ent.3.src.rpm i386 httpd-2.0.46-32.ent.3.i386.rpm httpd-devel-2.0.46-32.ent.3.i386.rpm mod_ssl-2.0.46-32.ent.3.i386.rpm https://rhn.redhat.com/ Red Hat Enterprise Linux AS (v. 3) AMD64 httpd-2.0.46-32.ent.3.x86_64.rpm httpd-devel-2.0.46-32.ent.3.x86_64.rpm mod_ssl-2.0.46-32.ent.3.x86_64.rpm SRPMS httpd-2.0.46-32.ent.3.src.rpm i386 httpd-2.0.46-32.ent.3.i386.rpm httpd-devel-2.0.46-32.ent.3.i386.rpm mod_ssl-2.0.46-32.ent.3.i386.rpm ia64 httpd-2.0.46-32.ent.3.ia64.rpm httpd-devel-2.0.46-32.ent.3.ia64.rpm mod_ssl-2.0.46-32.ent.3.ia64.rpm ppc httpd-2.0.46-32.ent.3.ppc.rpm httpd-devel-2.0.46-32.ent.3.ppc.rpm mod_ssl-2.0.46-32.ent.3.ppc.rpm s390 httpd-2.0.46-32.ent.3.s390.rpm httpd-devel-2.0.46-32.ent.3.s390.rpm mod_ssl-2.0.46-32.ent.3.s390.rpm s390x httpd-2.0.46-32.ent.3.s390x.rpm httpd-devel-2.0.46-32.ent.3.s390x.rpm mod_ssl-2.0.46-32.ent.3.s390x.rpm https://rhn.redhat.com/ Red Hat Enterprise Linux ES (v. 3) AMD64 httpd-2.0.46-32.ent.3.x86_64.rpm httpd-devel-2.0.46-32.ent.3.x86_64.rpm mod_ssl-2.0.46-32.ent.3.x86_64.rpm SRPMS httpd-2.0.46-32.ent.3.src.rpm i386 httpd-2.0.46-32.ent.3.i386.rpm httpd-devel-2.0.46-32.ent.3.i386.rpm mod_ssl-2.0.46-32.ent.3.i386.rpm ia64 httpd-2.0.46-32.ent.3.ia64.rpm httpd-devel-2.0.46-32.ent.3.ia64.rpm mod_ssl-2.0.46-32.ent.3.ia64.rpm https://rhn.redhat.com/ Red Hat Enterprise Linux WS (v. 3) AMD64 httpd-2.0.46-32.ent.3.x86_64.rpm httpd-devel-2.0.46-32.ent.3.x86_64.rpm mod_ssl-2.0.46-32.ent.3.x86_64.rpm SRPMS httpd-2.0.46-32.ent.3.src.rpm i386 httpd-2.0.46-32.ent.3.i386.rpm httpd-devel-2.0.46-32.ent.3.i386.rpm mod_ssl-2.0.46-32.ent.3.i386.rpm ia64 httpd-2.0.46-32.ent.3.ia64.rpm httpd-devel-2.0.46-32.ent.3.ia64.rpm mod_ssl-2.0.46-32.ent.3.ia64.rpm https://rhn.redhat.com/ HP-UX Descargue una versión actualizada del software http://software.hp.com Apple Mac OS X Server 10.2.8 http://www.apple.com/support/downloads//securityupdate_2004-09-07_(10_2_8_Server).html Mac OS X Server 10.3.4 http://www.apple.com/support/downloads//securityupdate_2004-09-07_(10_3_4_Server).html Mac OS X Server 10.3.5 http://www.apple.com/support/downloads//securityupdate_2004-09-07_(10_3_5_Server).html |
|
Identificadores estándar |
|
Propiedad | Valor |
CVE | CAN-2004-0493 |
BID | |
Recursos adicionales |
|
Overview of security vulnerabilities in Apache httpd 2.0 http://www.apacheweek.com/features/security-20 Georgi Guninski security advisory #70, 2004 http://www.guninski.com/httpd1.html Mandrakesoft Security Advisory MDKSA-2004:064 http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:064 Red Hat Security Advisory RHSA-2004:342-10 https://rhn.redhat.com/errata/RHSA-2004-342.html HP security advisory HPSBUX01064 http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01064 Apple Security Update 2004-09-07 http://docs.info.apple.com/article.html?artnum=61798 |
Histórico de versiones |
||
Versión | Comentario | Data |
1.0 | Aviso emitido | 2004-06-29 |
1.1 | Aviso emitido por Mandrake (MDKSA-2004:064) | 2004-06-30 |
1.2 | Publicado Apache 2.0.50 | 2004-07-02 |
1.3 | Aviso emitido por Red Hat (RHSA-2004:342-10) | 2004-07-06 |
2.0 | Exploit público disponible | 2004-07-22 |
2.1 | Aviso emitido por HP (HPSBUX01064) | 2004-08-09 |
2.2 | Aviso emitido por Apple (2004-09-07) | 2004-09-08 |