We have pound in front of some tomcats. Qualys (www.qualys.com) scans our servers and reports vulnerabilities to us. Here is the "Scan Vulnerabilities Report" we
Apache Chunked-Encoding Memory Corruption
Qualys ID : 86352
CVE ID : CVE-2002-0392
Port : 80
Apache is a freely available Web server for Unix and Linux variants, as well as Microsoft operating systems. Various products, such as StrongHold, Oracle 9iAS and IBM Websphere, use or bundle Apache.
The HTTP protocol specifies a method of data coding called 'Chunked Encoding', designed to facilitate fragmentation of HTTP requests in transit. A vulnerability has been discovered in the Apache implementation of 'Chunked Encoding'. When processing requests coded with the 'Chunked Encoding' mechanism, Apache fails to properly calculate required buffer sizes. This is due to improper (signed) interpretation of an unsigned integer value.
On Windows and Netware platforms, Apache uses threads within a single server process to handle concurrent connections. Causing the server process to crash on these platforms may result in a denial of service.
http://httpd.apache.org/info/security_bulletin_20020617.txt provides additional information on this vulnerability for Apache running on
This vulnerability can be exploited by an attacker to cause a Denial of Service and even execute arbitrary code on the vulnerable machine.
This vulnerability has been fixed in Apache 1.3.26 and Apache 2.0.37. Please upgrade to the latest version.
An efix (via APAR PQ62369) is available for IHS from the IBM HTTP Server Downloads webpage.
A complete list of vendor status and fixes can be found in CERT advisory
We don't have any Apache running on our server, but Qualys seems to detect an Apache vulnerability.
- Is pound secure?
- Can I make something to prevent qualys reporting a
- We believe in pound, but such reports could prevent some companies from using it. (It's a matter of trust between the company and its customers)
- To test, you can make a qualys freescan at this
For us, pound is the best reverse-proxy solution we've seen. Thank you for helping us adopt it!!!
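As an added illustration of the bug class the quoted report describes (a chunk size parsed into a signed integer), not code from this post, from Pound or from Apache: a bounded chunk-size parser of the kind a reverse proxy in front of Tomcat needs, beside the naive signed conversion that a signed bounds check lets through. The names parse_chunk_size, naive_check_passes and the 1 MiB MAX_CHUNK cap are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-chunk cap: never allocate more than this for one chunk. */
#define MAX_CHUNK ((size_t)1 << 20)

/* The pattern the report calls "(signed) interpretation of an unsigned
 * integer value": the hex size is stored in a signed int and bounds-checked
 * as signed. The cast is implementation-defined in C; on ordinary
 * two's-complement compilers "FFFFFFFF" becomes -1, which is <= MAX_CHUNK. */
int naive_check_passes(const char *line) {
    int len = (int)strtoul(line, NULL, 16);
    return len <= (int)MAX_CHUNK;   /* a negative "length" sails through */
}

/* Hardened parser: hex digits accumulate into a size_t with an overflow
 * guard and a hard cap. Stops at ';' (chunk extensions) or CR, rejects an
 * empty size or any other trailing byte. Returns 0 on success, -1 on error. */
int parse_chunk_size(const char *line, size_t *out) {
    size_t n = 0;
    int digits = 0;
    for (; *line; line++, digits++) {
        int d;
        if (*line >= '0' && *line <= '9')      d = *line - '0';
        else if (*line >= 'a' && *line <= 'f') d = *line - 'a' + 10;
        else if (*line >= 'A' && *line <= 'F') d = *line - 'A' + 10;
        else break;
        if (n > (SIZE_MAX >> 4)) return -1;    /* n * 16 would wrap */
        n = (n << 4) | (size_t)d;
        if (n > MAX_CHUNK) return -1;          /* over the cap: refuse it */
    }
    if (digits == 0) return -1;
    if (*line != '\0' && *line != ';' && *line != '\r') return -1;
    *out = n;
    return 0;
}

int main(void) {
    const char *lines[] = { "1A", "1a;ext=v", "FFFFFFFF", "" };  /* constructed */
    for (size_t i = 0; i < 4; i++) {
        size_t n;
        int ok = parse_chunk_size(lines[i], &n);
        printf("%-10s hardened: %s (%zu)  naive check passes: %d\n",
               lines[i], ok == 0 ? "ok" : "reject", ok == 0 ? n : 0,
               naive_check_passes(lines[i]));
    }
    return 0;
}
```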