ID CVE-2010-0408
Summary The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code.
References
Vulnerable Configurations
  • Apache Software Foundation Apache HTTP Server
    cpe:2.3:a:apache:http_server
  • Apache Software Foundation Apache HTTP Server 2.2
    cpe:2.3:a:apache:http_server:2.2
  • Apache Software Foundation Apache HTTP Server 2.2.0
    cpe:2.3:a:apache:http_server:2.2.0
  • Apache Software Foundation Apache HTTP Server 2.2.2
    cpe:2.3:a:apache:http_server:2.2.2
  • Apache Software Foundation Apache HTTP Server 2.2.3
    cpe:2.3:a:apache:http_server:2.2.3
  • Apache Software Foundation Apache HTTP Server 2.2.4
    cpe:2.3:a:apache:http_server:2.2.4
  • Apache Software Foundation Apache HTTP Server 2.2.6
    cpe:2.3:a:apache:http_server:2.2.6
  • Apache Software Foundation Apache HTTP Server 2.2.8
    cpe:2.3:a:apache:http_server:2.2.8
  • Apache Software Foundation Apache HTTP Server 2.2.9
    cpe:2.3:a:apache:http_server:2.2.9
  • Apache Software Foundation Apache HTTP Server 2.2.11
    cpe:2.3:a:apache:http_server:2.2.11
  • Apache Software Foundation Apache HTTP Server 2.2.12
    cpe:2.3:a:apache:http_server:2.2.12
  • Apache Software Foundation Apache HTTP Server 2.2.13
    cpe:2.3:a:apache:http_server:2.2.13
  • Apache Software Foundation Apache HTTP Server 2.2.14
    cpe:2.3:a:apache:http_server:2.2.14
CVSS
Base: 5.0 (as of 05-03-2010 - 15:03)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2010-067-01.NASL
    description New httpd packages are available for Slackware 12.0, 12.1, 12.2, 13.0, and -current to fix security issues. mod_ssl: A partial fix for the TLS renegotiation prefix injection attack by rejecting any client-initiated renegotiations. mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent when request headers indicate a request body is incoming; not a case of HTTP_INTERNAL_SERVER_ERROR. mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. [This is the most serious flaw, but does not affect Linux systems]
    last seen 2019-02-21
    modified 2016-01-27
    plugin id 45007
    published 2010-03-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45007
    title Slackware 12.0 / 12.1 / 12.2 / 13.0 / current : httpd (SSA:2010-067-01)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-5942.NASL
    description The Apache HTTP Server Project is proud to announce the release of version 2.2.15 of the Apache HTTP Server ('httpd'). This version is principally a security and bugfix release. Notably, this release was updated to reflect the OpenSSL Project's release 0.9.8m of the openssl library, and addresses CVE-2009-3555 (cve.mitre.org), the TLS renegotiation prefix injection attack. This release further addresses the issues CVE-2010-0408 and CVE-2010-0434 within mod_proxy_ajp and mod_headers respectively. See the upstream changes file for further information: http://www.apache.org/dist/httpd/CHANGES_2.2.15 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 47408
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47408
    title Fedora 13 : httpd-2.2.15-1.fc13 (2010-5942)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_6_5.NASL
    description The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.5. Mac OS X 10.6.5 contains security fixes for the following products : - AFP Server - Apache mod_perl - Apache - AppKit - ATS - CFNetwork - CoreGraphics - CoreText - CUPS - Directory Services - diskdev_cmds - Disk Images - Flash Player plug-in - gzip - Image Capture - ImageIO - Image RAW - Kernel - MySQL - neon - Networking - OpenLDAP - OpenSSL - Password Server - PHP - Printing - python - QuickLook - QuickTime - Safari RSS - Time Machine - Wiki Server - X11 - xar
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 50548
    published 2010-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50548
    title Mac OS X 10.6.x < 10.6.5 Multiple Vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-053.NASL
    description A vulnerability has been found and corrected in apache : mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent after request headers indicate a request body is incoming; this is not a case of HTTP_INTERNAL_SERVER_ERROR (CVE-2010-0408). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 44963
    published 2010-03-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44963
    title Mandriva Linux Security Advisory : apache (MDVSA-2010:053)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-6131.NASL
    description The Apache HTTP Server Project is proud to announce the release of version 2.2.15 of the Apache HTTP Server ('httpd'). This version is principally a security and bugfix release. Notably, this release was updated to reflect the OpenSSL Project's release 0.9.8m of the openssl library, and addresses CVE-2009-3555 (cve.mitre.org), the TLS renegotiation prefix injection attack. This release further addresses the issues CVE-2010-0408 and CVE-2010-0434 within mod_proxy_ajp and mod_headers respectively. See the upstream changes file for further information: http://www.apache.org/dist/httpd/CHANGES_2.2.15 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 47417
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47417
    title Fedora 11 : httpd-2.2.15-1.fc11.1 (2010-6131)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2035.NASL
    description Two issues have been found in the Apache HTTPD web server : - CVE-2010-0408 mod_proxy_ajp would return the wrong status code if it encountered an error, causing a backend server to be put into an error state until the retry timeout expired. A remote attacker could send malicious requests to trigger this issue, resulting in denial of service. - CVE-2010-0434 A flaw in the core subrequest process code was found, which could lead to a daemon crash (segfault) or disclosure of sensitive information if the headers of a subrequest were modified by modules such as mod_headers.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 45557
    published 2010-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45557
    title Debian DSA-2035-1 : apache2 - multiple issues
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-6055.NASL
    description The Apache HTTP Server Project is proud to announce the release of version 2.2.15 of the Apache HTTP Server ('httpd'). This version is principally a security and bugfix release. This release fixes two minor security issues and includes a number of bug fixes. See the upstream changes file for further information: http://www.apache.org/dist/httpd/CHANGES_2.2.15 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 47412
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47412
    title Fedora 12 : httpd-2.2.15-1.fc12.2 (2010-6055)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_APACHE2-100413.NASL
    description When using a multithreaded MPM apache could leak memory of requests handled by a different thread when processing subrequests (CVE-2010-0434). Specially crafted requests could crash mod_proxy_ajp (CVE-2010-0408).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 46006
    published 2010-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=46006
    title openSUSE Security Update : apache2 (openSUSE-SU-2010:0165-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_APACHE2-100413.NASL
    description When using a multithreaded MPM apache could leak memory of requests handled by a different thread when processing subrequests (CVE-2010-0434). Specially crafted requests could crash mod_proxy_ajp (CVE-2010-0408).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 46009
    published 2010-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=46009
    title openSUSE Security Update : apache2 (openSUSE-SU-2010:0165-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201206-25.NASL
    description The remote host is affected by the vulnerability described in GLSA-201206-25 (Apache HTTP Server: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Apache HTTP Server. Please review the CVE identifiers referenced below for details. Impact : A remote attacker might obtain sensitive information, gain privileges, send requests to unintended servers behind proxies, bypass certain security restrictions, obtain the values of HTTPOnly cookies, or cause a Denial of Service in various ways. A local attacker could gain escalated privileges. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 59678
    published 2012-06-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59678
    title GLSA-201206-25 : Apache HTTP Server: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-6987.NASL
    description The following bugs have been fixed : When using a multi-threaded MPM apache could leak memory of requests handled by a different thread when processing subrequests (CVE-2010-0434). Specially crafted requests could crash mod_proxy_ajp. (CVE-2010-0408)
    last seen 2019-02-21
    modified 2013-07-20
    plugin id 49827
    published 2010-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49827
    title SuSE 10 Security Update : Apache 2 (ZYPP Patch Number 6987)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0168.NASL
    description Updated httpd packages that fix two security issues and add an enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Apache HTTP Server is a popular web server. It was discovered that mod_proxy_ajp incorrectly returned an 'Internal Server Error' response when processing certain malformed requests, which caused the back-end server to be marked as failed in configurations where mod_proxy is used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period (60 seconds by default) by sending specially crafted requests. (CVE-2010-0408) A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434) This update also adds the following enhancement : * with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the 'SSLInsecureRenegotiation' configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#567980) Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491 All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 46279
    published 2010-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=46279
    title RHEL 5 : httpd (RHSA-2010:0168)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-6984.NASL
    description The following bugs have been fixed : When using a multi-threaded MPM apache could leak memory of requests handled by a different thread when processing subrequests (CVE-2010-0434). Specially crafted requests could crash mod_proxy_ajp. (CVE-2010-0408)
    last seen 2019-02-21
    modified 2013-07-20
    plugin id 46013
    published 2010-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=46013
    title SuSE 10 Security Update : Apache 2 (ZYPP Patch Number 6984)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2010-0168.NASL
    description Updated httpd packages that fix two security issues and add an enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Apache HTTP Server is a popular web server. It was discovered that mod_proxy_ajp incorrectly returned an 'Internal Server Error' response when processing certain malformed requests, which caused the back-end server to be marked as failed in configurations where mod_proxy is used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period (60 seconds by default) by sending specially crafted requests. (CVE-2010-0408) A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434) This update also adds the following enhancement : * with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the 'SSLInsecureRenegotiation' configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#567980) Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491 All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 45367
    published 2010-03-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45367
    title CentOS 5 : httpd (CESA-2010:0168)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-908-1.NASL
    description It was discovered that mod_proxy_ajp did not properly handle errors when a client doesn't send a request body. A remote attacker could exploit this with a crafted request and cause a denial of service. This issue affected Ubuntu 8.04 LTS, 8.10, 9.04 and 9.10. (CVE-2010-0408) It was discovered that Apache did not properly handle headers in subrequests under certain conditions. A remote attacker could exploit this with a crafted request and possibly obtain sensitive information from previous requests. (CVE-2010-0434). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 45037
    published 2010-03-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45037
    title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : apache2 vulnerabilities (USN-908-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2010-0168.NASL
    description From Red Hat Security Advisory 2010:0168 : Updated httpd packages that fix two security issues and add an enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Apache HTTP Server is a popular web server. It was discovered that mod_proxy_ajp incorrectly returned an 'Internal Server Error' response when processing certain malformed requests, which caused the back-end server to be marked as failed in configurations where mod_proxy is used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period (60 seconds by default) by sending specially crafted requests. (CVE-2010-0408) A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434) This update also adds the following enhancement : * with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the 'SSLInsecureRenegotiation' configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#567980) Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491 All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68022
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68022
    title Oracle Linux 5 : httpd (ELSA-2010-0168)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_APACHE2-100413.NASL
    description When using a multithreaded MPM apache could leak memory of requests handled by a different thread when processing subrequests (CVE-2010-0434). Specially crafted requests could crash mod_proxy_ajp (CVE-2010-0408).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 46011
    published 2010-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=46011
    title openSUSE Security Update : apache2 (openSUSE-SU-2010:0165-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20100325_HTTPD_ON_SL5_X.NASL
    description CVE-2010-0408 httpd: mod_proxy_ajp remote temporary DoS CVE-2010-0434 httpd: request header information leak It was discovered that mod_proxy_ajp incorrectly returned an 'Internal Server Error' response when processing certain malformed requests, which caused the back-end server to be marked as failed in configurations where mod_proxy is used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period (60 seconds by default) by sending specially crafted requests. (CVE-2010-0408) A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434) This update also adds the following enhancement : - with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the 'SSLInsecureRenegotiation' configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#567980) Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491 After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60754
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60754
    title Scientific Linux Security Update : httpd on SL5.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_APACHE2-100413.NASL
    description The following bugs have been fixed : - When using a multithreaded MPM Apache could leak memory of requests handled by a different thread when processing subrequests. (CVE-2010-0434) - Specially crafted requests could crash mod_proxy_ajp. (CVE-2010-0408)
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 50889
    published 2010-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50889
    title SuSE 11 Security Update : Apache 2 (SAT Patch Number 2293)
  • NASL family Web Servers
    NASL id APACHE_2_2_15.NASL
    description According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.15. It is, therefore, potentially affected by multiple vulnerabilities : - A TLS renegotiation prefix injection attack is possible. (CVE-2009-3555) - The 'mod_proxy_ajp' module returns the wrong status code if it encounters an error which causes the back-end server to be put into an error state. (CVE-2010-0408) - The 'mod_isapi' attempts to unload the 'ISAPI.dll' when it encounters various error states which could leave call-backs in an undefined state. (CVE-2010-0425) - A flaw in the core sub-request process code can lead to sensitive information from a request being handled by the wrong thread if a multi-threaded environment is used. (CVE-2010-0434) - Added 'mod_reqtimeout' module to mitigate Slowloris attacks. (CVE-2007-6750)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 45004
    published 2010-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45004
    title Apache 2.2.x < 2.2.15 Multiple Vulnerabilities
oval via4
  • accepted 2014-07-14T04:01:30.549-04:00
    class vulnerability
    contributors
    • name J. Daniel Brown
      organization DTCC
    • name Mike Lah
      organization The MITRE Corporation
    • name Shane Shaffer
      organization G2, Inc.
    • name Maria Mikhno
      organization ALTX-SOFT
    definition_extensions
    comment Apache HTTP Server 2.2.x is installed on the system
    oval oval:org.mitre.oval:def:8550
    description The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code.
    family windows
    id oval:org.mitre.oval:def:8619
    status accepted
    submitted 2010-03-08T17:30:00.000-05:00
    title Apache mod_proxy_ajp Module Incoming Request Body Denial Of Service Vulnerability
    version 11
  • accepted 2013-04-29T04:23:26.979-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code.
    family unix
    id oval:org.mitre.oval:def:9935
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code.
    version 18
redhat via4
advisories
rhsa
id RHSA-2010:0168
rpms
  • httpd-0:2.2.3-31.el5_4.4
  • httpd-devel-0:2.2.3-31.el5_4.4
  • httpd-manual-0:2.2.3-31.el5_4.4
  • mod_ssl-0:2.2.3-31.el5_4.4
refmap via4
aixapar
  • PM08939
  • PM12247
  • PM15829
apple APPLE-SA-2010-11-10-1
bid 38491
confirm
debian DSA-2035
fedora
  • FEDORA-2010-5942
  • FEDORA-2010-6131
hp
  • HPSBUX02531
  • SSRT100108
mandriva
  • MDVSA-2010:053
  • MDVSA-2013:150
secunia
  • 39100
  • 39501
  • 39628
  • 39632
  • 39656
  • 40096
suse SUSE-SR:2010:010
vupen
  • ADV-2010-0911
  • ADV-2010-0994
  • ADV-2010-1001
  • ADV-2010-1057
  • ADV-2010-1411
Last major update 22-08-2016 - 22:00
Published 05-03-2010 - 11:30
Last modified 30-10-2018 - 12:25
Back to Top