Rapid7 Vulnerability & Exploit Database

CESA-2002:126: apache security update


Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 07/03/2002
Created: 07/25/2018
Added: 03/12/2010
Modified: 07/04/2017

Description

The Apache Web server contains a security vulnerability which can be used to launch a denial of service (DoS) attack or, in some cases, allow remote code execution.

Versions of the Apache Web server up to and including 1.3.24 contain a bug in the routines that handle requests using "chunked" transfer encoding. A carefully crafted invalid request can cause an Apache child process to call the memcpy() function in a way that writes past the end of its buffer, corrupting the stack. On some platforms this can be exploited remotely, allowing arbitrary code to be run on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0392 to this issue. All users of Apache should update to these errata packages to correct this security issue.
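The defect described above is a length taken from the request (the chunk size) reaching memcpy() without being checked against the buffer it is copied into. The following is an added example, not Apache's code and not part of this advisory: a minimal chunked-body decoder in C that parses the hex chunk-size line, caps the number of hex digits so the value cannot wrap, and refuses to copy unless the declared size fits both the remaining input and the output buffer. The sample request bodies in the helper functions are constructed for illustration; the decoder ignores trailer fields after the last chunk.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status codes returned by the decoder (negative so they cannot be confused
   with a decoded length). */
enum chunk_status {
    CHUNK_OK         =  0,
    CHUNK_MALFORMED  = -1,
    CHUNK_TOO_LARGE  = -2,
    CHUNK_INCOMPLETE = -3
};

/* At most 8 hex digits: the parsed size then fits in 32 bits and cannot
   wrap around in size_t arithmetic. */
#define MAX_CHUNK_SIZE_DIGITS 8

/* Parse one chunk-size line "<hex>[;extension]\r\n" from buf[0..len).
   On success stores the size in *out_size and returns bytes consumed;
   otherwise returns a negative chunk_status. */
static long parse_chunk_size(const char *buf, size_t len, size_t *out_size)
{
    size_t i = 0, digits = 0, value = 0;

    while (i < len && isxdigit((unsigned char)buf[i])) {
        if (++digits > MAX_CHUNK_SIZE_DIGITS)
            return CHUNK_TOO_LARGE;          /* reject absurd sizes early */
        unsigned char c = (unsigned char)buf[i];
        unsigned d = isdigit(c) ? (unsigned)(c - '0')
                                : (unsigned)(tolower(c) - 'a' + 10);
        value = (value << 4) | d;
        i++;
    }
    if (digits == 0)
        return CHUNK_MALFORMED;               /* no hex digits at all */

    /* Optional chunk extension: skip up to the CR. */
    if (i < len && buf[i] == ';')
        while (i < len && buf[i] != '\r')
            i++;

    if (len - i < 2)
        return CHUNK_INCOMPLETE;
    if (buf[i] != '\r' || buf[i + 1] != '\n')
        return CHUNK_MALFORMED;

    *out_size = value;
    return (long)(i + 2);
}

/* Decode a complete chunked body from in[0..in_len) into out (capacity
   out_cap). Returns the decoded length, or a negative chunk_status.
   Every memcpy() is preceded by checks against both the input that is
   actually present and the space left in the output buffer. */
long decode_chunked(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t ip = 0, op = 0;

    for (;;) {
        size_t chunk_size;
        long n = parse_chunk_size(in + ip, in_len - ip, &chunk_size);
        if (n < 0)
            return n;
        ip += (size_t)n;

        if (chunk_size == 0)
            return (long)op;                  /* last-chunk: body complete */

        if (chunk_size > out_cap - op)
            return CHUNK_TOO_LARGE;           /* would overrun the output */
        if (chunk_size > in_len - ip)
            return CHUNK_INCOMPLETE;          /* declared more than was sent */

        memcpy(out + op, in + ip, chunk_size);
        op += chunk_size;
        ip += chunk_size;

        /* Each chunk's data is terminated by CRLF. */
        if (in_len - ip < 2)
            return CHUNK_INCOMPLETE;
        if (in[ip] != '\r' || in[ip + 1] != '\n')
            return CHUNK_MALFORMED;
        ip += 2;
    }
}

/* Constructed sample: two well-formed chunks followed by the last-chunk. */
long demo_valid_body(void)
{
    static const char body[] = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
    char out[32];
    long n = decode_chunked(body, sizeof body - 1, out, sizeof out);
    return (n == 9 && memcmp(out, "Wikipedia", 9) == 0) ? n : -100;
}

/* Constructed sample: a declared size far larger than the data or buffer. */
long demo_oversized_chunk(void)
{
    static const char body[] = "FFFFFFFF\r\nabc\r\n0\r\n\r\n";
    char out[32];
    return decode_chunked(body, sizeof body - 1, out, sizeof out);
}

/* Constructed sample: a size line with no hex digits. */
long demo_malformed_size(void)
{
    static const char body[] = "zz\r\n";
    char out[32];
    return decode_chunked(body, sizeof body - 1, out, sizeof out);
}

int main(void)
{
    printf("valid body      -> %ld\n", demo_valid_body());
    printf("oversized chunk -> %ld\n", demo_oversized_chunk());
    printf("malformed size  -> %ld\n", demo_malformed_size());
    return 0;
}
```

The two checks immediately before memcpy() are the point of the example: the copy length is never trusted just because it parsed as a number, and the decoder fails closed with a status code instead of writing past the end of `out`.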

Solution(s)

  • centos-upgrade-apache
  • centos-upgrade-apache-devel
  • centos-upgrade-apache-manual
