Stonesoft Corp. Security Advisory

Date: June 26th, 2002
Title: Apache Chunked-Encoding Memory Corruption Vulnerability
Cross-ref: CERT Advisory CA-2002-17
CVE Entry: CAN-2002-0392

The information contained in this advisory is provided on an as is basis. Stonesoft does not make any warranties of any kind with respect to the information contained in this advisory. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL STONESOFT, CORP. BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS ADVISORY.

If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction.


1. Overview

A remotely exploitable vulnerability has been found in Apache Web servers. This vulnerability is present in the default configuration of Apache Web server versions 1.2.2 and above, 1.3 through 1.3.24, and 2.0 through 2.0.36. For more information about the vulnerability, see the CERT advisory at:

None of Stonesoft's products require the use of an Apache web server. However, it is installed with the default installation in some of them. This advisory provides information on how this vulnerability affects Stonesoft products and what actions system administrators should take.
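To check whether a given host runs an Apache version within the ranges listed above, the following Python snippet is an added example and not part of the Stonesoft advisory. It reads the "Server version:" line that `httpd -v` prints, converts the version into a comparable tuple, and tests it against the advisory's ranges. The sample `httpd -v` output is constructed for illustration, and reading "1.2.2 and above" as the remainder of the 1.2 branch is an assumption made here.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Open-ended upper bound for the "1.2.2 and above" range (assumption: the
# advisory means the rest of the 1.2 branch, so the patch level is unbounded).
_NO_UPPER = 10**9

# Affected ranges exactly as stated in the advisory, as inclusive bounds:
#   1.2.2 and above, 1.3 through 1.3.24, 2.0 through 2.0.36
AFFECTED_RANGES = [
    ((1, 2, 2), (1, 2, _NO_UPPER)),
    ((1, 3, 0), (1, 3, 24)),
    ((2, 0, 0), (2, 0, 36)),
]

# Matches the first line of `httpd -v`, e.g. "Server version: Apache/1.3.24 (Unix)"
_SERVER_VERSION = re.compile(r"^Server version:\s*Apache/(\d+(?:\.\d+){1,2})", re.M)

# Constructed sample of `httpd -v` output (not taken from a real host).
SAMPLE_HTTPD_V = """Server version: Apache/1.3.24 (Unix)
Server built:   Jun 26 2002 12:00:00
"""


def parse_version(text: str) -> Version:
    """Turn '1.3.24' or '1.3' into a (major, minor, patch) tuple; '1.3' -> (1, 3, 0)."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Apache version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def version_from_httpd_v(output: str) -> Optional[str]:
    """Extract the Apache version string from `httpd -v` output, or None if absent."""
    match = _SERVER_VERSION.search(output)
    return match.group(1) if match else None


def check_host(httpd_v_output: str) -> str:
    """Summarise the result for one host as a short status line."""
    version = version_from_httpd_v(httpd_v_output)
    if version is None:
        return "unknown: no 'Server version: Apache/...' line found"
    status = "AFFECTED" if is_affected(version) else "not in affected ranges"
    return f"Apache/{version}: {status}"


if __name__ == "__main__":
    print(check_host(SAMPLE_HTTPD_V))
```

Run `httpd -v` on the node and pass its output to `check_host`. A version outside the ranges only means it is not one of the versions the advisory lists; it is not evidence that the build has been patched, so on StoneBeat nodes the instructed configuration should still be verified.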

2. StoneGate

StoneGate does not include an Apache Web server, and is therefore not vulnerable to this condition.

3. StoneBeat

All StoneBeat cluster products (FullCluster, SecurityCluster, WebCluster, CacheCluster), version 2.0 and above contain Apache Web server version 1.3.12 or 1.3.14 as an optional component that is installed by default for all installations. The Apache Web server is used by the browser-based configuration tool to deliver configuration information to the cluster nodes. StoneBeat cluster products are not vulnerable if configured as instructed.

4. ServerCluster

ServerCluster does not include an Apache Web server, and is therefore not vulnerable to this condition.

5. Appendices

Stonesoft Security Analysis Group's PGP key is available at:

To report or inquire about a security problem with Stonesoft software, contact one or more of the following:


Copyright 2002 Stonesoft, Corp. All rights reserved.

Stonesoft, StoneGate and StoneBeat are trademarks or registered trademarks of Stonesoft, Corp. in Finland and other countries. All other company and product names contained herein are property of their respective holders. This advisory may be reproduced and distributed only in its unaltered form and only for non-commercial purposes.