Thank you for your
Our servers are Fedora Core 4
Our back-end servers are Tomcat 5.5.9
We've made two different
1/ pound in front of our
Qualys detects a
severe vulnerability "Apache Chunked-Encoding Memory Corruption
Vulnerability" (see below)
2/ tomcats alone accepting direct
Qualys reports no
vulnerabilities at all.
- It seems that tomcat 5.5.9 doesn't have the
"Apache Chunked-Encoding Memory Corruption Vulnerability".
- It seems that pound is not so transparent to
According to your reply, we know that pound doesn't
buffer the data.
I'm not understanding very well, in order to
dispatch the http request to the back-end, pound must open it to match it to a
What happens if my URL is very very very very very
long? What happens if I use Chunked Transfer
Coding? Can I cause some damage?
----- Original Message -----
Sent: Tuesday, September 20, 2005 12:35
Subject: Re: [Pound Mailing List] pound and Apache
Chunked-Encoding Memory Corruption Vulnerability
On Tue, 20 Sep 2005 11:09:29 +0200 Patrice Léonard
> We have pound in front of some tomcats. Qualys (www.qualys.com)
> scan our servers to report us
> Here is the "Scan Vulnerabilities Report" we
> Severity Analysis
Vulnerability: Apache Chunked-Encoding Memory
Qualys ID : 86352 CVE ID : CVE-2002-0392
Port : 80
Apache is a freely available Web server for Unix and
variants, as well as Microsoft operating systems.
products, such as StrongHold, Oracle 9iAS and
Websphere, use or bundle Apache.
The HTTP protocol specifies a method of data coding
'Chunked Encoding', designed to facilitate
of HTTP requests in transit. A vulnerability has
discovered in the Apache implementation of
Encoding'. When processing requests coded with
'Chunked Encoding' mechanism, Apache fails to
calculate required buffer sizes. This is due to
(signed) interpretation of an unsigned integer value.
On Windows and Netware platforms, Apache uses
within a single server process to handle
connections. Causing the server process to crash on
platforms may result in a denial of service. The link
provides additional information on this vulnerability
Apache running on
Consequences: This vulnerability can be exploited by
attacker to cause a Denial of Service and even
arbitrary code on the vulnerable machine. Solution:
This vulnerability has been fixed in Apache 1.3.26
Apache 2.0.37. Please upgrade to the latest version.
An efix (via APAR PQ62369) is available for IHS from
IBM HTTP Server Downloads webpage.
A complete list of vendor status and fixes can be found
Result: Detailed result listings are provided in the
7-day Trial
don't have any apache running on our server, but qualys seems to
an Apache Vulnerability.
> a.. Is pound secured?
we believe it to be. Pound does not buffer the data at all - it
the chunks as they arrive directly to the back-end.
Can I make something to prevent qualys reporting a such
No. Pound is transparent, so your scan really reports on
server. The scanner is not even aware that Pound sits in the
in fact it reports the server to be
> c.. We believe in pound, but such reports
> prevent some companies from using it. (It's a matter of trust between the
> company and its customers)
your back-end or, even better, educate your users about the true
these scans. Attempting to use or interpret scan results
understanding of the underlying problem is not
> d.. To test, you can make a
> freescan at this URL:
> For us, pound is the best reverse-proxy solution we've seen, thank you
> to help us adopt it!!!
Glad you like it.
Hopefully you'll help make it better.
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904
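
The scan report quoted in this thread attributes the flaw to a signed interpretation of an unsigned chunk size. The following is an added example, not part of the thread and not Apache's or Pound's code: a constructed chunk-size parser showing that flawed pattern next to a bounded unsigned one. All names (`naive_copy_len`, `parse_chunk_size`, `BUF_SIZE`) and input strings are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define BUF_SIZE 8192 /* constructed read-buffer size for this example */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Flawed pattern: the size ends up in a signed variable and is clamped with a
 * signed comparison, so a value with the top bit set goes negative and is
 * never clamped. (The cast wraps on common two's-complement compilers.) */
int32_t naive_copy_len(const char *line) {
    uint32_t acc = 0;
    for (; hexval(*line) >= 0; line++)
        acc = (acc << 4) | (uint32_t)hexval(*line);
    int32_t len = (int32_t)acc;
    return len > BUF_SIZE ? BUF_SIZE : len;
}

/* Hardened: unsigned accumulator, overflow-safe bound, strict terminator.
 * Returns 0 and stores the size in *out, or -1 to reject the request. */
int parse_chunk_size(const char *line, size_t max, size_t *out) {
    size_t acc = 0;
    int digits = 0;
    for (; hexval(*line) >= 0; line++, digits++) {
        if (acc > (max >> 4)) return -1; /* next shift would exceed max */
        acc = (acc << 4) | (size_t)hexval(*line);
    }
    if (digits == 0 || acc > max) return -1;
    if (*line != '\0' && *line != ';' && *line != '\r') return -1;
    *out = acc;
    return 0;
}

int main(void) {
    size_t n = 0;
    printf("naive(ffffffff)    = %d\n", (int)naive_copy_len("ffffffff"));
    printf("hardened(ffffffff) = %d\n", parse_chunk_size("ffffffff", 1u << 20, &n));
    int rc = parse_chunk_size("1a", 1u << 20, &n);
    printf("hardened(1a)       = %d, size %zu\n", rc, n);
    return 0;
}
```

A negative length from the first function becomes a very large `size_t` as soon as it reaches a copy routine, which is why the bounded parser rejects the request instead of clamping it.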