Two security alerts point to Apache Web Server flaws

Two security alerts about new vulnerabilities affecting the popular open-source Apache Web Server have been posted by two groups Monday.

The nonprofit Apache HTTP Server Project group has issued a bulletin about a vulnerability that can allow distributed denial-of-service attacks in Apache Versions 1.3, including 1.3.24, and Apache 2, including all versions up to 2.0.36.

The Apache Project said in the announcement that an Internet Security Systems Inc. (ISS) patch posted earlier in the day for an Apache vulnerability does not fix the denial-of-service problem. A patch for that problem is expected to be ready by tonight on the group's Web site.

In a separate posting, Atlanta-based security vendor ISS reported the discovery of an Apache vulnerability that contains a flawed mechanism meant to calculate the size of "chunked" encoding for Windows 32-bit users. Chunked encoding is part of the HTTP Protocol Specification used for accepting data from Web users, according to ISS.

When data is sent from the user, the Web server needs to allocate a memory buffer of a certain size to hold the submitted data. When the size of the data being submitted is unknown, the client or Web browser will communicate with the server by creating "chunks" of data of a negotiated size.

But the flaw, affecting Apache Versions 1.x, misinterprets the size of incoming data chunks, which could lead to a signal race, heap overflow, and to exploitation of malicious code, according to ISS.

ISS said it had posted a fix for the problem on its Web site.

Chris Rouland, director of ISS's X-Force research and development group, said the two vulnerabilities are different. The ISS patch will protect Windows servers running Apache from remote compromise attacks, he said, while the denial-of-service problem reported by the Apache Project appears to be a separate issue.

"This is open-source in action," he said. referring to the wide discourse on the exact vulnerabilities being addressed by both groups. "The value is you get a lot of different minds thinking about something and the challenge is that you have to decide what to do."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about ApacheInternet Security SystemsISS GroupSecurity SystemsX-Force

Show Comments