Advisory Details

July 18th, 2014

Apache HTTP Server mod_proxy Denial Of Service Vulnerability

ZDI-14-239
ZDI-CAN-2241

CVE ID: CVE-2014-0117
CVSS SCORE: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
AFFECTED VENDORS: Apache
AFFECTED PRODUCTS: HTTPD Server 2.x
TREND MICRO CUSTOMER PROTECTION: Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 13795. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS

This vulnerability allows remote attackers to cause a denial of service condition on vulnerable installations of Apache HTTP Server. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the mod_proxy module. The issue lies in the processing of HTTP headers when an invalid request is made. An attacker can leverage this flaw to crash a remote instance of Apache HTTP Server.

ADDITIONAL DETAILS: Apache has issued an update to correct this vulnerability. More details can be found at:
http://httpd.apache.org/security/vulnerabilities_24.html
DISCLOSURE TIMELINE
  • 2014-04-07 - Vulnerability reported to vendor
  • 2014-07-18 - Coordinated public release of advisory
CREDIT
  • AKAT-1
  • 22733db72ab3ed94b5f8a1ffcde850251fe6f466
  • Marek Kroemeke