in Apache Web Server Software
The NIPC is issuing this advisory to highlight the significance of a vulnerability that could affect a majority of active Web sites and that is addressed in the following advisories:
Internet Security Systems Advisory
Apache Security Advisory
CERT Advisory CA-2002-17
NIPC research confirms the existence of a potential vulnerability in numerous versions of the open-source Apache Web Server Software. This vulnerability can allow remote access to the system, giving an intruder the ability to take control of the system and execute root-level commands.
The NIPC evaluated this vulnerability and found that Apache has a memory heap condition that, if carefully manipulated, can give an intruder the ability to run arbitrary commands on the victim's computer. To date, this vulnerability is known to affect multiple versions of the Apache Software.
The NIPC considers this to be a significant threat due to the large installed base of Apache Servers, the potential for remote compromise, and the level of access granted by this vulnerability. This advisory is being released in advance of any reported exploitations.
The Apache Software Foundation is currently working on a product release that resolves this issue. Users are encouraged to visit http://httpd.apache.org/ in order to obtain updated versions of this open source product, and to consider the recommendations posted by ISS and CERT/CC.