Apache mod_ssl Memory Leak Lets Remote Users Crash the Daemon
|
|
SecurityTracker Alert ID: 1009337 |
|
SecurityTracker URL: http://securitytracker.com/id/1009337
|
|
CVE Reference:
CAN-2004-0113
(Links to External Site)
|
Date: Mar 8 2004
|
Impact:
Denial of service via network
|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): 2.0.35 through 2.0.48
|
Description:
A vulnerability was reported in Apache mod_ssl. A remote user may be able to deny service.
It is reported that a remote user can send plain HTTP requests to the SSL port on an SSL-enabled Apache web server to cause denial of service conditions. The vulnerability is due to a memory leak in mod_ssl, the report said.
The flaw reportedly resides in the ssl_io_filter_disable() function in the 'ssl_engine_io.c' file.
Versions 2.0.35 through 2.0.48 are reportedly affected.
Mick Wall is credited with reporting this vulnerability.
|
Impact:
A remote user can cause the web service to crash.
|
Solution:
A fixed version (2.0.49-dev) is available at:
http://httpd.apache.org/
A fix is also available via CVS at:
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.117&r2=1.118
|
Vendor URL: nagoya.apache.org/bugzilla/show_bug.cgi?id=27106 (Links to External Site)
|
Cause:
Resource error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Mon, 08 Mar 2004 08:12:55 -0500
Subject: CAN-2004-0113
|
> Fixed in Apache httpd 2.0.49-dev
> mod_ssl memory leak CAN-2004-0113
> A memory leak in mod_ssl allows a remote denial of service attack against
> an SSL-enabled server by sending plain HTTP requests to the SSL port.
Versions 2.0.35 through 2.0.48 are reportedly affected.
|
|
