Response to CERT CA-2002-17
Document version 3.0
Last revised: 05/13/2003


Xerox Product Response to CERT Advisory CA-2002-17: Apache Web Server Chunk Handling Vulnerability
Audience and Purpose
The primary audience for this document is Xerox analysts and customers who want information regarding how Xerox
products respond to CERT Advisory CA-2002-17 and CERT Vulnerability Note VU#944335, issued by CERT on June
17, 2002. The following sections provide excerpts from the CERT advisory and the corresponding Xerox response.

Background
The CERT® Coordination Center (CERT/CC) is a center of Internet security expertise at the Software Engineering
Institute, a federally funded research and development center operated by Carnegie Mellon University. CERT studies
Internet security vulnerabilities, handles computer security incidents, publishes security alerts, researches long-term
changes in networked systems, and develops information and training to help you improve security at your site.

CERT Advisory CA-2002-17 refers to the Apache web server (versions 1.2.2 and above, 1.3 through 1.3.24, and 2.0
through 2.0.36) and a remotely exploitable vulnerability in the way the server (or other web servers based on its source
code) handles request data sent with chunked transfer encoding. The Apache Software Foundation has released two new
versions of the Apache web server (1.3.26 and 2.0.39) that correct this vulnerability.
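The practical question this response answers for Xerox products is the one every analyst has to answer for their own fleet: which hosts advertise an httpd release inside the ranges the advisory names? The script below is an added example for this page, not Xerox or Apache code; it classifies observed `Server:` banners against exactly the version ranges stated above. The host names and banners in `SAMPLE_INVENTORY` are constructed, and the bucket labels are the example's own.

```python
"""Triage HTTP Server: banners against the Apache ranges in CERT CA-2002-17.

Added example for this page; it is not Xerox or Apache code. The version
ranges are the ones the advisory states; the labels and the sample
inventory are constructed for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges from CA-2002-17. The 1.2 line never received a
# fix, so every release from 1.2.2 on is treated as affected (999 is only a
# ceiling for the tuple comparison).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((1, 2, 2), (1, 2, 999)),
    ((1, 3, 0), (1, 3, 24)),
    ((2, 0, 0), (2, 0, 36)),
]
# First release of each line that carries the fix.
FIXED_IN: Dict[Tuple[int, int], Version] = {(1, 3): (1, 3, 26), (2, 0): (2, 0, 39)}

# "Apache/1.3.26 (Unix) mod_ssl/2.8.9" -> 1, 3, 26 ; "Apache/1.3" -> 1, 3, None
_BANNER_RE = re.compile(r"(?:^|\s)Apache/(\d+)\.(\d+)(?:\.(\d+))?")
# Bare "Apache" (ServerTokens Prod): it is httpd, but the version is hidden.
_BARE_RE = re.compile(r"(?:^|\s)Apache(?:\s|$)")


def parse_banner(server_header: str) -> Optional[Tuple[int, int, Optional[int]]]:
    """Return (major, minor, patch) from an httpd banner, with patch None when
    the banner hides it, or None when the banner is not Apache httpd at all
    (for example Tomcat's "Apache-Coyote/1.1")."""
    m = _BANNER_RE.search(server_header)
    if m is None:
        return None
    patch = m.group(3)
    return (int(m.group(1)), int(m.group(2)), int(patch) if patch is not None else None)


def classify(server_header: str) -> str:
    """Map a banner to: affected, fixed, outside-advisory, incomplete or not-apache."""
    parsed = parse_banner(server_header)
    if parsed is None:
        return "incomplete" if _BARE_RE.search(server_header) else "not-apache"
    major, minor, patch = parsed
    if patch is None:
        return "incomplete"  # e.g. "Apache/1.3": cannot be placed in a range
    version: Version = (major, minor, patch)
    if any(lo <= version <= hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    fixed = FIXED_IN.get((major, minor))
    if fixed is not None and version >= fixed:
        return "fixed"
    # A covered line but in neither range (2.0.37 and 2.0.38 were never
    # released), or a line the advisory does not cover (1.1.x, 1.2.0, 1.2.1).
    return "outside-advisory"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group host names by classification, preserving inventory order."""
    report: Dict[str, List[str]] = {}
    for host, banner in inventory:
        report.setdefault(classify(banner), []).append(host)
    return report


# Constructed inventory of (host, observed Server header). Not real hosts.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("print-ctl-1", "Apache/1.3.19 (Unix)"),  # the release named for DocuPrint below
    ("docushare-1", "Apache/1.3.26 (Unix) mod_ssl/2.8.9"),
    ("intranet", "Apache/2.0.36 (Win32)"),
    ("www", "Apache/2.0.39 (Unix)"),
    ("legacy", "Apache/1.2.6"),
    ("kiosk", "Apache"),  # ServerTokens Prod
    ("proxy", "Apache/1.3"),  # ServerTokens Minor
    ("iis-box", "Microsoft-IIS/5.0"),
    ("tomcat", "Apache-Coyote/1.1"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:18} {', '.join(hosts)}")
```

Banners are a starting point, not a verdict: ServerTokens Prod hides the version (the "incomplete" bucket), vendors patch without changing the banner, and an affected version number alone does not settle impact, as the DocuPrint entry in the table shows. Treat the "affected" and "incomplete" buckets as hosts whose status must be confirmed against the vendor's statement.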

Xerox Product Response
The table below lists various products and their positions with respect to CERT Advisory CA-2002-17.

Product / Response to CERT Advisory CA-2002-17

    DigiPath
        DigiPath does not use the Apache web server and is not, therefore, affected by the vulnerability reported in
        CERT Advisory CA-2002-17.

    Document Centre products (DC220/230, DC332/340, DC432/440, DC255/265, DC460/470, DC460/470/480/490)
        Document Centre products do not use the Apache web server and are not, therefore, affected by the
        vulnerability reported in CERT Advisory CA-2002-17.

    DocuPrint IPS, NPS
        Xerox classifies DocuPrint as not vulnerable. Apache is used only in the DocuPrint 8 series, not in the
        DocuPrint 7 series, and the 8 series runs Apache 1.3.19, a release inside the affected range, in 32-bit mode
        only. The classification rests on the Apache advisory's statement that "in Apache 1.3, the issue causes a
        stack overflow. Due to the nature of the overflow on 32-bit Unix platforms, this will cause a segmentation
        violation and the child will terminate." Two points for readers relying on this entry: a remotely triggered
        child-process crash is still a denial-of-service condition, and the Apache advisory was subsequently revised
        to report that the 32-bit case had been shown to be exploitable for code execution on some BSD-derived
        platforms, so the "not vulnerable" position depends on the DocuPrint platform not being one of those.

    DocuShare
        DocuShare is affected by the vulnerability reported in CERT Advisory CA-2002-17. An httpd update is
        available from http://docushare.xerox.com/View/Collection-7175.

    DocuSP-based products
        DocuSP 3.6 pre-launch versions were affected by this vulnerability. The vulnerability was corrected in the
        DocuSP 3.60.00 launch release.

    DPServer
        DPServer does not use the Apache web server and is not, therefore, affected by the vulnerability reported in
        CERT Advisory CA-2002-17.


    EX12
        EX12 is affected by the vulnerability reported in CERT Advisory CA-2002-17. Xerox is working with
        Electronics for Imaging, Inc. (EFI) to ensure that patches are available soon.

    EX2000 family
        The EX2000 family of products is affected by the vulnerability reported in CERT Advisory CA-2002-17. Xerox
        is working with Electronics for Imaging, Inc. (EFI) to ensure that patches are available soon.

    EOMS
        EOMS does not use the Apache web server and is not, therefore, affected by the vulnerability reported in
        CERT Advisory CA-2002-17.

    Flowport
        Flowport does not use the Apache web server and is not, therefore, affected by the vulnerability reported in
        CERT Advisory CA-2002-17.

    Phaser products
        Phaser products do not use the Apache web server and are not, therefore, affected by the vulnerability
        reported in CERT Advisory CA-2002-17.

    WorkCentre Pro 35, 45, 55, 65, 75, 90, 32 Color, 40 Color
        These WorkCentre Pro products do not use the Apache web server and are not, therefore, affected by the
        vulnerability reported in CERT Advisory CA-2002-17.


  Contact
  For additional information or clarification on any of the product information given here, contact Xerox support.


Disclaimer
The information provided in this Xerox Product Response is provided "as is" without warranty of any kind. Xerox Corporation disclaims all
warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Xerox
Corporation be liable for any damages whatsoever resulting from the user's use or disregard of the information provided in this Xerox Product
Response, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Xerox Corporation has been
advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential damages, so the
foregoing limitation may not apply.




© 2002, 2003 Xerox Corporation. All rights reserved.
