| VID | 22265 |
| Severity | 30 |
| Port | 443 |
| Protocol | TCP |
| Class | WWW |
| Detailed Description |
The remote web server is running a version of the Apache mod_ssl module older than 2.8.18. The mod_ssl authentication module for Apache HTTP Server contains a stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c. If triggered, this issue would most likely result in a denial of service, but could theoretically allow execution of arbitrary code.
* Note: This check relies solely on the banner of the remote web server to assess this vulnerability. Several Linux distributions backported the fix into older mod_ssl versions without changing the version number, so this may be a false positive. Contact your vendor to determine whether your web server is really vulnerable to this flaw. If the server has already been patched, or the vendor reports that it is not vulnerable, ignore this alert.
* References: http://archives.neohapsis.com/archives/fulldisclosure/2004-05/0856.html
* Platforms Affected: Apache HTTP Server (any version); Mandrake Linux (any version); Gentoo Linux (any version); Slackware Linux 8.1, 9.0, 9.1, current; Linux (any version); Unix (any version) |
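The banner-based check described in the note above, written out as an added example (not the scanner's own plugin code): it extracts the mod_ssl version token from a Server header, compares it numerically against the 2.8.18 fix level named here, and returns a tri-state result so that a missing version token is reported as "cannot assess" rather than as clean or vulnerable. The sample banners are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Minimum fixed version named in the advisory (mod_ssl for Apache 1.3.x).
FIXED_MOD_SSL = (2, 8, 18)

# Matches the "mod_ssl/X.Y.Z" token that mod_ssl adds to the Apache Server header.
MOD_SSL_RE = re.compile(r"\bmod_ssl/(\d+)\.(\d+)\.(\d+)")


def mod_ssl_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Return the advertised mod_ssl version as an int tuple, or None if absent."""
    m = MOD_SSL_RE.search(server_header)
    if not m:
        return None
    # Tuples compare numerically, so 2.8.9 < 2.8.18 holds; a plain string
    # comparison would wrongly rank "2.8.9" above "2.8.18".
    return tuple(int(x) for x in m.groups())


def banner_flags_vulnerable(server_header: str) -> Optional[bool]:
    """True if banner advertises mod_ssl < 2.8.18, False if >= 2.8.18,
    None if the banner carries no mod_ssl version at all."""
    v = mod_ssl_version(server_header)
    if v is None:
        return None
    return v < FIXED_MOD_SSL


def assess(server_header: str) -> str:
    """Human-readable verdict that carries the false-positive caveat with it."""
    verdict = banner_flags_vulnerable(server_header)
    if verdict is None:
        return "no mod_ssl version in banner; cannot assess from banner alone"
    if not verdict:
        return "mod_ssl >= 2.8.18 advertised; not flagged"
    return ("mod_ssl < 2.8.18 advertised; possible CVE-2004-0488 "
            "(banner only: confirm against vendor backport status before treating as real)")


# Constructed sample banners, not captured from any real host.
SAMPLE_BANNERS = [
    "Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c",
    "Apache/1.3.31 (Unix) mod_ssl/2.8.18 OpenSSL/0.9.7d",
    "Apache/2.0.49 (Unix)",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r}: {assess(banner)}")
```

A distribution that backported the fix keeps the old version string, so a True result from this check is a lead to verify against the vendor advisories listed under Recommendation, not a confirmed finding.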
| Recommendation |
If the server identified as vulnerable to this flaw has already been patched, or the vendor reports that it is not vulnerable, ignore this recommendation.
* For Apache 1.3.x: Upgrade to the latest version of Apache and mod_ssl (mod_ssl 2.8.18 for Apache 1.3.31 or later), available from the Apache mod_ssl web site at http://www.modssl.org/
* For Apache 2.0.x: A patch to address this issue in the 2.0 branch of Apache is available at http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.105&r2=1.106
* For Mandrake Linux (mod_ssl for Apache 2): Upgrade to the latest apache package as described in MandrakeSoft Security Advisory MDKSA-2004:055:apache2 at http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:055
* For Mandrake Linux (mod_ssl for Apache 1.3.x): Upgrade to the latest apache package as described in MandrakeSoft Security Advisory MDKSA-2004:054:mod_ssl at http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:054
* For Slackware Linux: Upgrade to the latest mod_ssl package, as listed in the slackware-security mailing list post of Wed, 2 Jun 2004 12:24:39 -0700 (PDT) at http://slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.583808
* For Gentoo Linux: Upgrade to the latest version of mod_ssl (2.8.18 or later), as listed in Gentoo Linux Security Advisory GLSA 200406-05 at http://www.linuxsecurity.com/advisories/gentoo_advisory-4458.html
* For Trustix Secure Linux: Upgrade to the latest apache package, as listed in Trustix Secure Linux Security Advisory #2004-0031 at http://www.linuxsecurity.com/advisories/trustix_advisory-4412.html
* For OpenPKG: Upgrade to the latest apache package, as listed in OpenPKG Security Advisory OpenPKG-SA-2004.026 at http://www.openpkg.org/security/OpenPKG-SA-2004.026-apache.html
* For other distributions: Contact your vendor for upgrade or patch information. |
| Related URL | CVE-2004-0488 (CVE) |
| Related URL | 10355 (SecurityFocus) |
| Related URL | 16214 (ISS) |