A potentially dangerous vulnerability has been found in the Apache Web server, but some question whether the advisory was released too quickly.
The flaw could allow attackers to launch denial-of-service against systems running certain versions of the open source Web server. Additionally, attackers could enact a stack buffer overflow allowing them to gain control of the servers themselves.
Yesterday, Internet Security Systems released an advisory and patch for the vulnerability. However, the Apache Software Foundation, which administers Apache, shot back with an advisory before creating a patch because ISS had released an alert.
"Please note that the patch provided by ISS does not correct this vulnerability," the Apache Found said in its advisory. The flaw can be corrected by upgrading to Apache version 1.3.25 or 2.0.39.
The vulnerability, which affects requests encoded using “hunked encoding,”is found in Apache versions up to 1.3.24 and 2.0.36. It can be exploited by sending an invalid request, Apache's advisory said. The functionality is enabled by default.
At the least, the invalid request will allow attackers to perpetrate a denial-of-service attack.
For systems running Apache 1.3, the flaw could allow a stack overflow on 32-bit Unix systems. On 64-bit Unix systems, the overflow could allow an attacker to run arbitrary code on the system. ISS has found the vulnerability could allow an attack to gain control of the systems running on Windows as well.
Attackers wouldn't be able to execute arbitrary code on servers running Apache 2.0.
Apache is one of the most popular Web servers and has a reputation for security. The software is actually included in commercial products from companies like Hewlett-Packard, IBM and Oracle. In fact, that is how Mark Litchfield, co-founder of Next Generation Security Software, discovered the flaw.
As part of his work, Litchfield routinely tests common software for security vulnerabilities. He originally found the denial-of-service flaw in the Oracle9i application server. "I downloaded Win32 Apache and found the vulnerability was there too," Litchfield said.
Litchfield notified the Apache Software Foundation. It was then that Mark Cox, a founding member of the Apache Software Foundation, found the vulnerability could allow an attacker to gain remote control of servers.
Coincidentally, ISS was also testing Apache and found the same vulnerability. ISS did notify the Apache Software Foundation but decided to release its own patch because of the seriousness of the vulnerability, said Dan Ingevaldson, team leader of Internet Security Systems' X-Force research and development. In the past, the company has had some trouble when dealing with flaws in open source products because a consortium or foundation is responsible for it, not a single vendor.
The debate over who can take bragging rights for the finding the vulnerability shouldn’ obscure the seriousness of the vulnerability. Both Ingevaldson and Litchfield say the flaw is one of most serious vulnerabilities they have seen in Apache for a while.