Advisory Details

July 18th, 2014

Apache HTTP Server mod_proxy Denial Of Service Vulnerability

ZDI-14-239
ZDI-CAN-2241

CVE ID CVE-2014-0117
CVSS SCORE 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
AFFECTED VENDORS Apache
AFFECTED PRODUCTS HTTPD Server 2.x
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 13795. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS


This vulnerability allows remote attackers to cause a denial of service condition on vulnerable installations of Apache HTTP Server. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the mod_proxy module. The issue lies in the processing of HTTP headers when an invalid request is made. An attacker can leverage this flaw to crash a remote instance of Apache HTTP Server.

ADDITIONAL DETAILS Apache has issued an update to correct this vulnerability. More details can be found at:
http://httpd.apache.org/security/vulnerabilities_24.html
DISCLOSURE TIMELINE
  • 2014-04-07 - Vulnerability reported to vendor
  • 2014-07-18 - Coordinated public release of advisory
CREDIT AKAT-1
22733db72ab3ed94b5f8a1ffcde850251fe6f466
Marek Kroemeke