Vulnerability Note VU#757612

SARA Note: Reports from Apache indicate that Apache 2.0.46 is also vulnerable to attack. We will update this note when CERT publishes an appropriate Advisory.

Apache Portable Runtime contains heap buffer overflow in apr_psprintf()

Overview

The Apache HTTP server contains a heap buffer overflow vulnerability that allows remote attackers to conduct denial-of-service attacks against an affected server.

I. Description

The Apache HTTP server contains a heap buffer overflow vulnerability in the apr_psprintf() function. The Apache Software Foundation has provided the following description of this vulnerability:
For further information, please read the announcement located at

II. Impact

This vulnerability allows remote attackers to conduct denial-of-service attacks against an affected server.

III. Solution

The Apache Software Foundation recommends that users upgrade to version 2.0.46 to address this vulnerability. The latest version of Apache is available at:


Systems Affected

Vendor                      Status      Date Updated
Apache Software Foundation  Vulnerable  2-Jun-2003
Apple Computer Inc.         Vulnerable  24-Jun-2003
Conectiva                   Vulnerable  23-Jun-2003
Hewlett-Packard Company     Vulnerable  18-Sep-2003
MandrakeSoft                Vulnerable  24-Jun-2003
Red Hat Inc.                Vulnerable  2-Jun-2003

References
http://www.apache.org/dist/httpd/Announcement2.html
http://www.idefense.com/advisory/05.30.03.txt
http://www.secunia.com/advisories/8881/
http://www.webdav.org/mod_dav/
http://www.iss.net/security_center/static/12090.php

Credit

The CERT/CC thanks David Endler for discovering this vulnerability.

This document was written by Jeffrey P. Lanza.

Other Information

Date Public:          05/28/2003
Date First Published: 06/24/2003 01:40:09 PM
Date Last Updated:    09/18/2003
CERT Advisory:
CVE Name:             CAN-2003-0245
Metric:               18.00
Document Revision:    15

CERT Copyright Material