Apache mod_ssl/Apache-SSL Buffer Overflow Vulnerability

mod_ssl and Apache-SSL are implementations of SSL (Secure Sockets Layer) for the Apache web server.

A buffer overflow vulnerability exists in mod_ssl and Apache-SSL that may allow attackers to execute arbitrary code. The overflow occurs when the modules attempt to cache SSL sessions. Vulnerable versions of mod_ssl and Apache-SSL are incapable of handling large session representations.

To exploit this vulnerability, the attacker must increase the size of the data representing the session. This may be accomplished through the use of an extremely large client certificate. This is only possible if verification of client certificates is enabled and the certificate is verified by a CA trusted by the web server. Though these requirements make this vulnerability theoretical, administrators are still urged to upgrade.
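The class of defect described above, as an added example (not code from mod_ssl, Apache-SSL or this advisory): a session cache that measures the serialized session before copying it into a fixed-size record and declines to cache one that does not fit. All names, the stand-in session structure and the 1024-byte slot size are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names throughout; this is a stand-in, not module source. */
#define CACHE_SLOT_MAX 1024            /* assumed fixed size of one cache record */

/* Constructed stand-in for an SSL session: its serialized form grows with
 * the client certificate it carries. */
struct session {
    const unsigned char *client_cert;
    size_t cert_len;
    unsigned char master_key[48];
};

struct cache_slot {
    size_t len;
    unsigned char data[CACHE_SLOT_MAX];
};

/* Two-pass serializer: with out == NULL it only reports the size needed. */
static size_t session_serialize(const struct session *s, unsigned char *out)
{
    size_t need = sizeof s->master_key + s->cert_len;
    if (out != NULL) {
        memcpy(out, s->master_key, sizeof s->master_key);
        if (s->cert_len > 0)
            memcpy(out + sizeof s->master_key, s->client_cert, s->cert_len);
    }
    return need;
}

/* Unchecked pattern (the failure mode):
 *     slot->len = session_serialize(s, slot->data);
 * writes past slot->data as soon as the session outgrows the slot. */

/* Checked store: measure first, copy only if the result fits.
 * Returns 1 if cached, 0 if the session was too large and was skipped. */
int cache_store(struct cache_slot *slot, const struct session *s)
{
    size_t need = session_serialize(s, NULL);
    if (need > sizeof slot->data) {
        slot->len = 0;                 /* leave the slot empty, never truncated */
        return 0;
    }
    slot->len = session_serialize(s, slot->data);
    return 1;
}
```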


 

Copyright 2010, SecurityFocus