先日よりお伝えしているApacheのChunkエンコードのバグによる重大な脆弱性だが、さらに各ベンダーやセキュリティサイトの情報が多数公開されている。 Windows版に確認されていたリモートから任意のコードが実行される問題だが、あらたに1.2.2〜1.3.24、64bit版UNIX用にも同様の問題が発生する可能性があるということだ。さらに、Apacheをベースとしているその他のWebサーバープログラムにも、今回の問題が含まれている可能性があるため、引き続き注意した方がよいだろう。 また、mod_sslなどのモジュールは、Apacheのバージョンに依存している物があるので、今回のアップデートに併せて対応の物を用意する必要があるだろう。 □ 関連情報: Apache HTTPD Project - The Apache HTTP Server Project http://httpd.apache.org/ SECURITY ADVISORY http://httpd.apache.org/info/security_bulletin_20020617.txt Apache 1.3.26 http://httpd.apache.org/ Apache 2.0.39 http://httpd.apache.org/ CERT Coordination Center (CERT/CC) CA-2002-17 Apache Web Server Chunk Handling Vulnerability http://www.cert.org/advisories/CA-2002-17.html CERT/CC Vulnerability Note 2002/06/20 更新 VU#944335 Apache web servers fail to handle chunks with a negative size http://www.kb.cert.org/vuls/id/944335 Common Vulnerabilities and Exposures (CVE) CAN-2002-0392 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392 Internet Security Systems Security Advisory Remote Compromise Vulnerability in Apache HTTP Server http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20502 Internet Security Systems Security Advisory Apache Server におけるリモートからのセキュリティ侵害の脆弱性 http://www.isskk.co.jp/support/techinfo/general/Vul_ApacheServer_xforce.html IPA Apache Web Server に脆弱性(CA-2002-17) http://www.ipa.go.jp/security/news/news.html Securiteam.com Remote Compromise Vulnerability in Apache HTTP Server (Chunked Encoding) http://www.securiteam.com/unixfocus/5HP0G207FY.html SecurityFocus Apache httpd: vulnerability with chunked encoding http://online.securityfocus.com/archive/1/277268/2002-06-14/2002-06-20/0 SecurityFocus ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server http://online.securityfocus.com/archive/1/277249/2002-06-14/2002-06-20/0 SecurityFocus Silicon Graphics : Apache Web Server Chunk Handling vulnerability http://online.securityfocus.com/advisories/4212 SecurityFocus Silicon Graphics : Apache Web Server Chunk Handling vulnerability http://online.securityfocus.com/advisories/4213 Incidents.org - Handlers Diary 2002/06/20 追加 Remote Compromise Vulnerability in Apache HTTP Server http://www.incidents.org/diary/index.html?id=161 Debian GNU/Linux ─ Security Information 2002/06/20 追加 DSA-131-1 apache http://www.debian.org/security/2002/dsa-131 Debian GNU/Linux ─ Security Information 2002/06/20 追加 DebianLinux:Apache chunk handling vulnerability http://lists.debian.org/debian-security-announce/debian-security-announce-2002/msg00041.html Debian GNU/Linux ─ Security Information 2002/06/20 追加 DSA-131-2 apache http://lists.debian.org/debian-security-announce/debian-security-announce-2002/msg00042.html Debian GNU/Linux ─ Security Information 2002/06/20 追加 DSA-132-1 apache-ssl http://lists.debian.org/debian-security-announce/debian-security-announce-2002/msg00043.html SGI Security Advisory 2002/06/20 追加 20020605-01-A Apache Web Server Chunk Handling vulnerability ftp://patches.sgi.com/support/free/security/advisories/20020605-01-A Linuxsecurity 2002/06/20 追加 Apache: Remote Denial of Service http://www.linuxsecurity.com/advisories/other_advisory-2135.html SecurityFocus 2002/06/20 追加 KPMG-2002024: Apache Tomcat Path Disclosure http://online.securityfocus.com/archive/1/277674/2002-06-16/2002-06-22/0 FreeBSD 2002/06/20 追加 ANNOUNCE: FreeBSD Security Notice FreeBSD-SN-02:04 http://home.jp.freebsd.org/cgi-bin/showmail/announce-jp/1000 VineLinux 2002/06/20 追加 Apache にセキュリティホール: http://vinelinux.org/errata/25x/20020619.html Linuxsecurity 2002/06/20 追加 SuSE: buffer overflow in httpd http://www.linuxsecurity.com/advisories/suse_advisory-2139.html Linuxsecurity 2002/06/20 追加 EnGarde: 'apache' chunk handling overflow vulnerability http://www.linuxsecurity.com/advisories/other_advisory-2137.html Linuxsecurity 2002/06/20 追加 Debian: DoS attack in the Apache web-server http://www.linuxsecurity.com/advisories/debian_advisory-2138.html Linuxsecurity 2002/06/20 追加 OpenPKG: 'apache' Buffer overflow vulnerability http://www.linuxsecurity.com/advisories/other_advisory-2141.html Apache Week 2002/06/21 追加 Security issue forces release of 1.3.26, 2.0.39 http://www.apacheweek.com/issues/02-06-21 SuSE Security Announcement 2002/06/21 追加 SuSE-SA:2002:022 apache http://www.suse.de/de/support/security/2002_22_apache.html Red Hat Linux Security Advisory 2002/06/21 追加 RHSA-2002:103-13 Updated Apache packages fix chunked encoding issue http://lists2.suse.com/archive/suse-security-announce/2002-Jun/0003.html OpenBSD Security Advisory 2002/06/21 追加 005: SECURITY FIX: June 19, 2002 http://www.jp.openbsd.org/errata.html IPAセキュリティセンター(IPA/ISEC) 2002/06/21 追加 Apache Web サーバにおける chunkデータ処理の脆弱性 http://www.ipa.go.jp/security/ciadr/20020619apache.html Internet Security Systems Security Alert 2002/06/21 追加 Apache HTTP Server Exploit in Circulation http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20524 CIAC (Computer Incident Advisory Capability) 2002/06/21 追加 M-093 : Apache HTTP Server Chunk Encoding Vulnerability http://www.ciac.org/ciac/bulletins/m-093.shtml JPCAERT/CC 2002/06/21 追加 Apache Web サーバプログラムの脆弱性に関する注意喚起 http://www.jpcert.or.jp/at/2002/at020003.txt SecurityFocus 2002/06/21 追加 TSLSA-2002-0056 - apache http://online.securityfocus.com/archive/1/277933/2002-06-17/2002-06-23/0 SecurityFocus 2002/06/21 追加 Implications of Apache vuln for Oracle http://online.securityfocus.com/archive/1/277846/2002-06-17/2002-06-23/0 SecurityFocus 2002/06/21 追加 [ESA-20020619-014] 'apache' chunk handling overflow vulnerability http://online.securityfocus.com/archive/1/277715/2002-06-17/2002-06-23/0 Debian Security Advisory 2002/06/21 追加 DSA-131-1 apache ─ remote DoS / exploit http://www.debian.org/security/2002/dsa-131 Debian Security Advisory 2002/06/21 追加 DSA-132-1 apache-ssl ─ remote DoS / exploit http://www.debian.org/security/2002/dsa-132 Debian Security Advisory 2002/06/21 追加 apache セキュリティホール http://www.miraclelinux.com/support/update/data/apache.html Internet Security Systems Security Advisory 2002/06/21 追加 Apache HTTP Server の悪用の流通 http://www.isskk.co.jp/support/techinfo/general/Apache_HTTPserver_Exploit_xforce.html MandrakeSoft Security Advisory 2002/06/24 追加 MDKSA-2002:039 apache http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-039.php?dis=SNF7.2 Vine Linux errata 2002/06/24 追加 Apache にセキュリティホール http://www.vinelinux.org/errata/2x/20020621.html Red Hat Stronghold 4 Errata 2002/06/24 追加 Chunk Size Vulnerability Patch http://stronghold.redhat.com/sh4/errata-2002-118 Red Hat Stronghold 3 Errata 2002/06/24 追加 Chunk Size Vulnerability Patch http://stronghold.redhat.com/sh3/errata-2002-118 Debian GNU/Linux ─ Security Information 2002/06/24 追加 DSA-131-1 apache-perl http://lists.debian.org/debian-security-announce/debian-security-announce-2002/msg00044.html UPDATED ADVISORY 2002/06/24 追加 http://httpd.apache.org/info/security_bulletin_20020620.txt FreeBSD Security Notice 2002/06/24 追加 FreeBSD-SN-02:04 security issues in ports ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:04.asc MandrakeSoft Security Advisory 2002/06/24 追加 MDKSA-2002:039-1 apache http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-039-1.php?dis=8.2 MandrakeSoft Security Advisory 2002/06/24 追加 MDKSA-2002:039-2 apache http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-039-2.php?dis=8.2 Turbolinux Japan Security Center 2002/06/24 追加 apache httpdサーバーのサービス停止 http://www.turbolinux.co.jp/security/apache-1.3.26-1.html Securiteam.com 2002/06/24 追加 Multiple Exploit Codes for Apache Chunked Buffer Vulnerability http://www.securiteam.com/exploits/5VP0L0U7FM.html
