ApacheのChunkエンコードのバグによる重大な脆弱性(続報)
先日よりお伝えしているApacheのChunkエンコードのバグによる重大な脆弱性だが、さらに各ベンダーやセキュリティサイトの情報が多数公開されている。
製品・サービス・業界動向
業界動向
Windows版に確認されていたリモートから任意のコードが実行される問題だが、あらたに1.2.2〜1.3.24、64bit版UNIX用にも同様の問題が発生する可能性があるということだ。さらに、Apacheをベースとしているその他のWebサーバープログラムにも、今回の問題が含まれている可能性があるため、引き続き注意した方がよいだろう。
また、mod_sslなどのモジュールは、Apacheのバージョンに依存している物があるので、今回のアップデートに併せて対応の物を用意する必要があるだろう。
□ 関連情報:
Apache HTTPD Project - The Apache HTTP Server Project
http://httpd.apache.org/
SECURITY ADVISORY
http://httpd.apache.org/info/security_bulletin_20020617.txt
Apache 1.3.26
http://httpd.apache.org/
Apache 2.0.39
http://httpd.apache.org/
CERT Coordination Center (CERT/CC)
CA-2002-17 Apache Web Server Chunk Handling Vulnerability
http://www.cert.org/advisories/CA-2002-17.html
CERT/CC Vulnerability Note 2002/06/20 更新
VU#944335 Apache web servers fail to handle chunks with a negative
size
http://www.kb.cert.org/vuls/id/944335
Common Vulnerabilities and Exposures (CVE)
CAN-2002-0392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392
Internet Security Systems Security Advisory
Remote Compromise Vulnerability in Apache HTTP Server
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20502
Internet Security Systems Security Advisory
Apache Server におけるリモートからのセキュリティ侵害の脆弱性
http://www.isskk.co.jp/support/techinfo/general/Vul_ApacheServer_xforce.html
IPA
Apache Web Server に脆弱性(CA-2002-17)
http://www.ipa.go.jp/security/news/news.html
Securiteam.com
Remote Compromise Vulnerability in Apache HTTP Server (Chunked
Encoding)
http://www.securiteam.com/unixfocus/5HP0G207FY.html
SecurityFocus
Apache httpd: vulnerability with chunked encoding
http://online.securityfocus.com/archive/1/277268/2002-06-14/2002-06-20/0
SecurityFocus
ISS Advisory: Remote Compromise Vulnerability in Apache HTTP
Server
http://online.securityfocus.com/archive/1/277249/2002-06-14/2002-06-20/0
SecurityFocus
Silicon Graphics : Apache Web Server Chunk Handling vulnerability
http://online.securityfocus.com/advisories/4212
SecurityFocus
Silicon Graphics : Apache Web Server Chunk Handling vulnerability
http://online.securityfocus.com/advisories/4213
Incidents.org - Handlers Diary 2002/06/20 追加
Remote Compromise Vulnerability in Apache HTTP Server
http://www.incidents.org/diary/index.html?id=161
Debian GNU/Linux ─ Security Information 2002/06/20 追加
DSA-131-1 apache
http://www.debian.org/security/2002/dsa-131
Debian GNU/Linux ─ Security Information 2002/06/20 追加
DebianLinux:Apache chunk handling vulnerability
http://lists.debian.org/debian-security-announce/debian-security-announce-2002/msg00041.html
Debian GNU/Linux ─ Security Information 2002/06/20 追加
DSA-131-2 apache
http://lists.debian.org/debian-security-announce/debian-security-announce-2002/msg00042.html
Debian GNU/Linux ─ Security Information 2002/06/20 追加
DSA-132-1 apache-ssl
http://lists.debian.org/debian-security-announce/debian-security-announce-2002/msg00043.html
SGI Security Advisory 2002/06/20 追加
20020605-01-A Apache Web Server Chunk Handling vulnerability
ftp://patches.sgi.com/support/free/security/advisories/20020605-01-A
Linuxsecurity 2002/06/20 追加
Apache: Remote Denial of Service
http://www.linuxsecurity.com/advisories/other_advisory-2135.html
SecurityFocus 2002/06/20 追加
KPMG-2002024: Apache Tomcat Path Disclosure
http://online.securityfocus.com/archive/1/277674/2002-06-16/2002-06-22/0
FreeBSD 2002/06/20 追加
ANNOUNCE: FreeBSD Security Notice FreeBSD-SN-02:04
http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1000
VineLinux 2002/06/20 追加
Apache にセキュリティホール:
http://vinelinux.org/errata/25x/20020619.html
Linuxsecurity 2002/06/20 追加
SuSE: buffer overflow in httpd
http://www.linuxsecurity.com/advisories/suse_advisory-2139.html
Linuxsecurity 2002/06/20 追加
EnGarde: 'apache' chunk handling overflow vulnerability
http://www.linuxsecurity.com/advisories/other_advisory-2137.html
Linuxsecurity 2002/06/20 追加
Debian: DoS attack in the Apache web-server
http://www.linuxsecurity.com/advisories/debian_advisory-2138.html
Linuxsecurity 2002/06/20 追加
OpenPKG: 'apache' Buffer overflow vulnerability
http://www.linuxsecurity.com/advisories/other_advisory-2141.html
Apache Week 2002/06/21 追加
Security issue forces release of 1.3.26, 2.0.39
http://www.apacheweek.com/issues/02-06-21
SuSE Security Announcement 2002/06/21 追加
SuSE-SA:2002:022 apache
http://www.suse.de/de/support/security/2002_22_apache.html
Red Hat Linux Security Advisory 2002/06/21 追加
RHSA-2002:103-13 Updated Apache packages fix chunked encoding
issue
http://lists2.suse.com/archive/suse-security-announce/2002-Jun/0003.html
OpenBSD Security Advisory 2002/06/21 追加
005: SECURITY FIX: June 19, 2002
http://www.jp.openbsd.org/errata.html
IPAセキュリティセンター(IPA/ISEC) 2002/06/21 追加
Apache Web サーバにおける chunkデータ処理の脆弱性
http://www.ipa.go.jp/security/ciadr/20020619apache.html
Internet Security Systems Security Alert 2002/06/21 追加
Apache HTTP Server Exploit in Circulation
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20524
CIAC (Computer Incident Advisory Capability) 2002/06/21 追加
M-093 : Apache HTTP Server Chunk Encoding Vulnerability
http://www.ciac.org/ciac/bulletins/m-093.shtml
JPCAERT/CC 2002/06/21 追加
Apache Web サーバプログラムの脆弱性に関する注意喚起
http://www.jpcert.or.jp/at/2002/at020003.txt
SecurityFocus 2002/06/21 追加
TSLSA-2002-0056 - apache
http://online.securityfocus.com/archive/1/277933/2002-06-17/2002-06-23/0
SecurityFocus 2002/06/21 追加
Implications of Apache vuln for Oracle
http://online.securityfocus.com/archive/1/277846/2002-06-17/2002-06-23/0
SecurityFocus 2002/06/21 追加
[ESA-20020619-014] 'apache' chunk handling overflow vulnerability
http://online.securityfocus.com/archive/1/277715/2002-06-17/2002-06-23/0
Debian Security Advisory 2002/06/21 追加
DSA-131-1 apache ─ remote DoS / exploit
http://www.debian.org/security/2002/dsa-131
Debian Security Advisory 2002/06/21 追加
DSA-132-1 apache-ssl ─ remote DoS / exploit
http://www.debian.org/security/2002/dsa-132
Debian Security Advisory 2002/06/21 追加
apache セキュリティホール
http://www.miraclelinux.com/support/update/data/apache.html
Internet Security Systems Security Advisory 2002/06/21 追加
Apache HTTP Server の悪用の流通
http://www.isskk.co.jp/support/techinfo/general/Apache_HTTPserver_Exploit_xforce.html
MandrakeSoft Security Advisory 2002/06/24 追加
MDKSA-2002:039 apache
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-039.php?dis=SNF7.2
Vine Linux errata 2002/06/24 追加
Apache にセキュリティホール
http://www.vinelinux.org/errata/2x/20020621.html
Red Hat Stronghold 4 Errata 2002/06/24 追加
Chunk Size Vulnerability Patch
http://stronghold.redhat.com/sh4/errata-2002-118
Red Hat Stronghold 3 Errata 2002/06/24 追加
Chunk Size Vulnerability Patch
http://stronghold.redhat.com/sh3/errata-2002-118
Debian GNU/Linux ─ Security Information 2002/06/24 追加
DSA-131-1 apache-perl
http://lists.debian.org/debian-security-announce/debian-security-announce-2002/msg00044.html
UPDATED ADVISORY 2002/06/24 追加
http://httpd.apache.org/info/security_bulletin_20020620.txt
FreeBSD Security Notice 2002/06/24 追加
FreeBSD-SN-02:04 security issues in ports
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:04.asc
MandrakeSoft Security Advisory 2002/06/24 追加
MDKSA-2002:039-1 apache
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-039-1.php?dis=8.2
MandrakeSoft Security Advisory 2002/06/24 追加
MDKSA-2002:039-2 apache
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-039-2.php?dis=8.2
Turbolinux Japan Security Center 2002/06/24 追加
apache httpdサーバーのサービス停止
http://www.turbolinux.co.jp/security/apache-1.3.26-1.html
Securiteam.com 2002/06/24 追加
Multiple Exploit Codes for Apache Chunked Buffer Vulnerability
http://www.securiteam.com/exploits/5VP0L0U7FM.html
《ScanNetSecurity》