Apache mod_proxy Interim Response Process Bug Lets Remote Users Deny Service

SecurityTracker Alert ID: 1020267
SecurityTracker URL: http://securitytracker.com/id?1020267
CVE Reference: CVE-2008-2364
Date: Jun 12 2008
Impact: Denial of service via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 2.0.63, 2.2.8

Description: A vulnerability was reported in Apache mod_proxy. A remote user can cause denial of service conditions.
A remote server can send a large number of interim responses to cause the target proxy service to consume excessive memory.
The vulnerability resides in 'modules/proxy/mod_proxy_http.c'.
Ryujiro Shibuya reported this vulnerability.
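
The mitigation idea in outline, as an added example that is not the Apache patch or code from mod_proxy_http.c: a proxy counts interim (1xx) response heads from the origin server and abandons the backend once a cap is passed. The cap value, the function names `final_status` and `demo`, and the sample byte streams are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_INTERIM 10        /* hypothetical cap, not from the Apache source */
#define ERR_BAD_GATEWAY 502   /* what the proxy would answer its own client */

/* Return the status to relay for the response heads in `stream`. Interim
 * (1xx) heads are counted and discarded; once more than max_interim have
 * arrived the backend is abandoned instead of being read indefinitely. */
int final_status(const char *stream, int max_interim, int *interim_seen)
{
    const char *p = stream;
    int seen = 0;

    for (;;) {
        int minor, status;
        const char *end = strstr(p, "\r\n\r\n");

        if (end == NULL || sscanf(p, "HTTP/1.%d %3d", &minor, &status) != 2) {
            status = ERR_BAD_GATEWAY;          /* truncated or malformed head */
        } else if (status >= 100 && status < 200) {
            if (++seen <= max_interim) {
                p = end + 4;                   /* drop this head, read the next */
                continue;
            }
            status = ERR_BAD_GATEWAY;          /* cap exceeded */
        }
        if (interim_seen)
            *interim_seen = seen;
        return status;
    }
}

/* Constructed input: n "100 Continue" heads, then a final 200 (n <= 100). */
int demo(int n, int *seen)
{
    static char buf[4096];
    buf[0] = '\0';
    while (n-- > 0)
        strcat(buf, "HTTP/1.1 100 Continue\r\n\r\n");
    strcat(buf, "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n");
    return final_status(buf, MAX_INTERIM, seen);
}

int main(void)
{
    printf("2 interim: %d, 50 interim: %d\n", demo(2, NULL), demo(50, NULL));
    return 0;
}
```
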

Impact: A remote user can cause the target service to consume excessive memory.
Solution: The vendor has issued a source code fix, available at:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=666154&r2=666153&pathrev=666154
Vendor URL: httpd.apache.org/
Cause: Resource error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Thu, 12 Jun 2008 00:50:50 -0400
Subject: Apache mod_proxy

http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=666154&r2=666153&pathrev=666154
+ *) SECURITY: CVE-2008-2364 (cve.mitre.org)
+ mod_proxy_http: Better handling of excessive interim responses
+ from origin server to prevent potential denial of service and high
+ memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem,
+ Joe Orton, Jim Jagielski]
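
Review bot: The wording "Better handling of excessive interim responses" in this CHANGES entry does not say what the proxy does once the count is treated as excessive, or whether the threshold is fixed or tunable. Stating the resulting behaviour toward the client, and the limit if there is one, would let operators tell the fix triggering apart from an ordinary backend fault.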