ID CVE-2010-0434
Summary The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request.
References
Vulnerable Configurations
  • Apache Software Foundation Apache HTTP Server
    cpe:2.3:a:apache:http_server
  • Apache Software Foundation Apache HTTP Server 2.2
    cpe:2.3:a:apache:http_server:2.2
  • Apache Software Foundation Apache HTTP Server 2.2.0
    cpe:2.3:a:apache:http_server:2.2.0
  • Apache Software Foundation Apache HTTP Server 2.2.1
    cpe:2.3:a:apache:http_server:2.2.1
  • Apache Software Foundation Apache HTTP Server 2.2.2
    cpe:2.3:a:apache:http_server:2.2.2
  • Apache Software Foundation Apache HTTP Server 2.2.3
    cpe:2.3:a:apache:http_server:2.2.3
  • Apache Software Foundation Apache HTTP Server 2.2.4
    cpe:2.3:a:apache:http_server:2.2.4
  • Apache Software Foundation Apache HTTP Server 2.2.6
    cpe:2.3:a:apache:http_server:2.2.6
  • Apache Software Foundation Apache HTTP Server 2.2.8
    cpe:2.3:a:apache:http_server:2.2.8
  • Apache Software Foundation Apache HTTP Server 2.2.9
    cpe:2.3:a:apache:http_server:2.2.9
  • Apache Software Foundation Apache HTTP Server 2.2.11
    cpe:2.3:a:apache:http_server:2.2.11
  • Apache Software Foundation Apache HTTP Server 2.2.12
    cpe:2.3:a:apache:http_server:2.2.12
  • Apache Software Foundation Apache HTTP Server 2.2.13
    cpe:2.3:a:apache:http_server:2.2.13
  • Apache Software Foundation Apache HTTP Server 2.2.14
    cpe:2.3:a:apache:http_server:2.2.14
CVSS
Base: 4.3 (as of 08-03-2010 - 09:34)
Impact:
Exploitability:
CWE CWE-200
CAPEC
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently), it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser, including the version of browser, to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero-day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as a part of the same delivery system used to exploit the browser is considered more efficient, as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session IDs in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
  • Reusing Session IDs (aka Session Replay)
    This attack targets the reuse of a valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the slash character. An attacker would try to exploit common filtering problems related to the use of slash characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) chose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: NONE
  Availability: NONE
metasploit via4
description This module triggers a use-after-free vulnerability in the Apache Software Foundation mod_isapi extension for versions 2.2.14 and earlier. In order to reach the vulnerable code, the target server must have an ISAPI module installed and configured. By making a request that terminates abnormally (either an aborted TCP connection or an unsatisfied chunked request), mod_isapi will unload the ISAPI extension. Later, if another request comes for that ISAPI module, previously obtained pointers will be used resulting in an access violation or potentially arbitrary code execution. Although arbitrary code execution is theoretically possible, a real-world method of invoking this consequence has not been proven. In order to do so, one would need to find a situation where a particular ISAPI module loads at an image base address that can be re-allocated by a remote attacker. Limited success was encountered using two separate ISAPI modules. In this scenario, a second ISAPI module was loaded into the same memory area as the previously unloaded module.
id MSF:AUXILIARY/DOS/HTTP/APACHE_MOD_ISAPI
last seen 2019-03-13
modified 2017-07-24
published 2010-03-08
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/apache_mod_isapi.rb
title Apache mod_isapi Dangling Pointer
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-5942.NASL
    description The Apache HTTP Server Project is proud to announce the release of version 2.2.15 of the Apache HTTP Server ('httpd'). This version is principally a security and bugfix release. Notably, this release was updated to reflect the OpenSSL Project's release 0.9.8m of the openssl library, and addresses CVE-2009-3555 (cve.mitre.org), the TLS renegotiation prefix injection attack. This release further addresses the issues CVE-2010-0408 and CVE-2010-0434 within mod_proxy_ajp and mod_headers respectively. See the upstream changes file for further information: http://www.apache.org/dist/httpd/CHANGES_2.2.15 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 47408
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47408
    title Fedora 13 : httpd-2.2.15-1.fc13 (2010-5942)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_6_5.NASL
    description The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.5. Mac OS X 10.6.5 contains security fixes for the following products:
      - AFP Server
      - Apache mod_perl
      - Apache
      - AppKit
      - ATS
      - CFNetwork
      - CoreGraphics
      - CoreText
      - CUPS
      - Directory Services
      - diskdev_cmds
      - Disk Images
      - Flash Player plug-in
      - gzip
      - Image Capture
      - ImageIO
      - Image RAW
      - Kernel
      - MySQL
      - neon
      - Networking
      - OpenLDAP
      - OpenSSL
      - Password Server
      - PHP
      - Printing
      - python
      - QuickLook
      - QuickTime
      - Safari RSS
      - Time Machine
      - Wiki Server
      - X11
      - xar
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 50548
    published 2010-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50548
    title Mac OS X 10.6.x < 10.6.5 Multiple Vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-057.NASL
    description A vulnerability has been found and corrected in apache : The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request (CVE-2010-0434). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 44997
    published 2010-03-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44997
    title Mandriva Linux Security Advisory : apache (MDVSA-2010:057)
  • NASL family Web Servers
    NASL id APACHE_2_0_64.NASL
    description According to its banner, the version of Apache 2.0.x running on the remote host is prior to 2.0.64. It is, therefore, affected by the following vulnerabilities:
      - An unspecified error exists in the handling of requests without a path segment. (CVE-2010-1452)
      - Several modules, including 'mod_deflate', are vulnerable to a denial of service attack as the server can be forced to utilize CPU time compressing a large file after client disconnect. (CVE-2009-1891)
      - An unspecified error exists in 'mod_proxy' related to filtration of authentication credentials. (CVE-2009-3095)
      - A NULL pointer dereference issue exists in 'mod_proxy_ftp' in some error handling paths. (CVE-2009-3094)
      - An error exists in 'mod_ssl' making the server vulnerable to the TLS renegotiation prefix injection attack. (CVE-2009-3555)
      - An error exists in the handling of subrequests such that the parent request headers may be corrupted. (CVE-2010-0434)
      - An error exists in 'mod_proxy_http' when handling excessive interim responses, making it vulnerable to a denial of service attack. (CVE-2008-2364)
      - An error exists in 'mod_isapi' that allows the module to be unloaded too early, which leaves orphaned callback pointers. (CVE-2010-0425)
      - An error exists in 'mod_proxy_ftp' when wildcards are in an FTP URL, which allows for cross-site scripting attacks. (CVE-2008-2939)
      Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.
    last seen 2019-02-21
    modified 2018-06-29
    plugin id 50069
    published 2010-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50069
    title Apache 2.0.x < 2.0.64 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-6131.NASL
    description The Apache HTTP Server Project is proud to announce the release of version 2.2.15 of the Apache HTTP Server ('httpd'). This version is principally a security and bugfix release. Notably, this release was updated to reflect the OpenSSL Project's release 0.9.8m of the openssl library, and addresses CVE-2009-3555 (cve.mitre.org), the TLS renegotiation prefix injection attack. This release further addresses the issues CVE-2010-0408 and CVE-2010-0434 within mod_proxy_ajp and mod_headers respectively. See the upstream changes file for further information: http://www.apache.org/dist/httpd/CHANGES_2.2.15 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 47417
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47417
    title Fedora 11 : httpd-2.2.15-1.fc11.1 (2010-6131)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20100325_HTTPD_ON_SL4_X.NASL
    description CVE-2010-0434 httpd: request header information leak A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434) This update also fixes the following bug : - a bug was found in the mod_dav module. If a PUT request for an existing file failed, that file would be unexpectedly deleted and a 'Could not get next bucket brigade' error logged. With this update, failed PUT requests no longer cause mod_dav to delete files, which resolves this issue. (BZ#572932) As well, this update adds the following enhancement : - with the updated openssl packages from RHSA-2010:0163 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the 'SSLInsecureRenegotiation' configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#575805) Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491 After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60753
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60753
    title Scientific Linux Security Update : httpd on SL4.x i386/x86_64
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2010-0175.NASL
    description Updated httpd packages that fix one security issue, a bug, and add an enhancement are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Apache HTTP Server is a popular web server. A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434) This update also fixes the following bug : * a bug was found in the mod_dav module. If a PUT request for an existing file failed, that file would be unexpectedly deleted and a 'Could not get next bucket brigade' error logged. With this update, failed PUT requests no longer cause mod_dav to delete files, which resolves this issue. (BZ#572932) As well, this update adds the following enhancement : * with the updated openssl packages from RHSA-2010:0163 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the 'SSLInsecureRenegotiation' configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#575805) Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491 All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 45368
    published 2010-03-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45368
    title CentOS 4 : httpd (CESA-2010:0175)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0175.NASL
    description Updated httpd packages that fix one security issue, a bug, and add an enhancement are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Apache HTTP Server is a popular web server. A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434) This update also fixes the following bug : * a bug was found in the mod_dav module. If a PUT request for an existing file failed, that file would be unexpectedly deleted and a 'Could not get next bucket brigade' error logged. With this update, failed PUT requests no longer cause mod_dav to delete files, which resolves this issue. (BZ#572932) As well, this update adds the following enhancement : * with the updated openssl packages from RHSA-2010:0163 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the 'SSLInsecureRenegotiation' configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#575805) Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491 All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 46281
    published 2010-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=46281
    title RHEL 4 : httpd (RHSA-2010:0175)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2010-0175.NASL
    description From Red Hat Security Advisory 2010:0175 : Updated httpd packages that fix one security issue, a bug, and add an enhancement are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Apache HTTP Server is a popular web server. A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434) This update also fixes the following bug : * a bug was found in the mod_dav module. If a PUT request for an existing file failed, that file would be unexpectedly deleted and a 'Could not get next bucket brigade' error logged. With this update, failed PUT requests no longer cause mod_dav to delete files, which resolves this issue. (BZ#572932) As well, this update adds the following enhancement : * with the updated openssl packages from RHSA-2010:0163 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the 'SSLInsecureRenegotiation' configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#575805) Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491 All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68024
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68024
    title Oracle Linux 4 : httpd (ELSA-2010-0175)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2035.NASL
    description Two issues have been found in the Apache HTTPD web server:
      - CVE-2010-0408: mod_proxy_ajp would return the wrong status code if it encountered an error, causing a backend server to be put into an error state until the retry timeout expired. A remote attacker could send malicious requests to trigger this issue, resulting in denial of service.
      - CVE-2010-0434: A flaw in the core subrequest process code was found, which could lead to a daemon crash (segfault) or disclosure of sensitive information if the headers of a subrequest were modified by modules such as mod_headers.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 45557
    published 2010-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45557
    title Debian DSA-2035-1 : apache2 - multiple issues
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-6055.NASL
    description The Apache HTTP Server Project is proud to announce the release of version 2.2.15 of the Apache HTTP Server ('httpd'). This version is principally a security and bugfix release. This release fixes two minor security issues and includes a number of bug fixes. See the upstream changes file for further information: http://www.apache.org/dist/httpd/CHANGES_2.2.15 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 47412
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47412
    title Fedora 12 : httpd-2.2.15-1.fc12.2 (2010-6055)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_APACHE2-100413.NASL
    description When using a multithreaded MPM apache could leak memory of requests handled by a different thread when processing subrequests (CVE-2010-0434). Specially crafted requests could crash mod_proxy_ajp (CVE-2010-0408).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 46006
    published 2010-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=46006
    title openSUSE Security Update : apache2 (openSUSE-SU-2010:0165-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_APACHE2-100413.NASL
    description When using a multithreaded MPM apache could leak memory of requests handled by a different thread when processing subrequests (CVE-2010-0434). Specially crafted requests could crash mod_proxy_ajp (CVE-2010-0408).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 46009
    published 2010-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=46009
    title openSUSE Security Update : apache2 (openSUSE-SU-2010:0165-1)
  • NASL family Web Servers
    NASL id ORACLE_HTTP_SERVER_CPU_JUL_2013.NASL
    description According to its banner, the version of Oracle HTTP Server installed on the remote host is potentially affected by multiple vulnerabilities. Note that Nessus did not verify if patches or workarounds have been applied.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 69301
    published 2013-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69301
    title Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201206-25.NASL
    description The remote host is affected by the vulnerability described in GLSA-201206-25 (Apache HTTP Server: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Apache HTTP Server. Please review the CVE identifiers referenced below for details. Impact : A remote attacker might obtain sensitive information, gain privileges, send requests to unintended servers behind proxies, bypass certain security restrictions, obtain the values of HTTPOnly cookies, or cause a Denial of Service in various ways. A local attacker could gain escalated privileges. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 59678
    published 2012-06-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59678
    title GLSA-201206-25 : Apache HTTP Server: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-6987.NASL
    description The following bugs have been fixed : When using a multi-threaded MPM apache could leak memory of requests handled by a different thread when processing subrequests (CVE-2010-0434). Specially crafted requests could crash mod_proxy_ajp. (CVE-2010-0408)
    last seen 2019-02-21
    modified 2013-07-20
    plugin id 49827
    published 2010-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49827
    title SuSE 10 Security Update : Apache 2 (ZYPP Patch Number 6987)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0168.NASL
    description Updated httpd packages that fix two security issues and add an enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Apache HTTP Server is a popular web server. It was discovered that mod_proxy_ajp incorrectly returned an 'Internal Server Error' response when processing certain malformed requests, which caused the back-end server to be marked as failed in configurations where mod_proxy is used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period (60 seconds by default) by sending specially crafted requests. (CVE-2010-0408) A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434) This update also adds the following enhancement : * with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the 'SSLInsecureRenegotiation' configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#567980) Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491 All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 46279
    published 2010-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=46279
    title RHEL 5 : httpd (RHSA-2010:0168)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_APACHE2-6984.NASL
    description The following bugs have been fixed : When using a multi-threaded MPM apache could leak memory of requests handled by a different thread when processing subrequests (CVE-2010-0434). Specially crafted requests could crash mod_proxy_ajp. (CVE-2010-0408)
    last seen 2019-02-21
    modified 2013-07-20
    plugin id 46013
    published 2010-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=46013
    title SuSE 10 Security Update : Apache 2 (ZYPP Patch Number 6984)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2010-0168.NASL
    description Updated httpd packages that fix two security issues and add an enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Apache HTTP Server is a popular web server. It was discovered that mod_proxy_ajp incorrectly returned an 'Internal Server Error' response when processing certain malformed requests, which caused the back-end server to be marked as failed in configurations where mod_proxy is used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period (60 seconds by default) by sending specially crafted requests. (CVE-2010-0408) A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434) This update also adds the following enhancement : * with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the 'SSLInsecureRenegotiation' configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#567980) Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491 All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 45367
    published 2010-03-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45367
    title CentOS 5 : httpd (CESA-2010:0168)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-908-1.NASL
    description It was discovered that mod_proxy_ajp did not properly handle errors when a client doesn't send a request body. A remote attacker could exploit this with a crafted request and cause a denial of service. This issue affected Ubuntu 8.04 LTS, 8.10, 9.04 and 9.10. (CVE-2010-0408) It was discovered that Apache did not properly handle headers in subrequests under certain conditions. A remote attacker could exploit this with a crafted request and possibly obtain sensitive information from previous requests. (CVE-2010-0434). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 45037
    published 2010-03-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45037
    title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : apache2 vulnerabilities (USN-908-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2010-0168.NASL
    description From Red Hat Security Advisory 2010:0168 : Updated httpd packages that fix two security issues and add an enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Apache HTTP Server is a popular web server. It was discovered that mod_proxy_ajp incorrectly returned an 'Internal Server Error' response when processing certain malformed requests, which caused the back-end server to be marked as failed in configurations where mod_proxy is used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period (60 seconds by default) by sending specially crafted requests. (CVE-2010-0408) A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434) This update also adds the following enhancement : * with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the 'SSLInsecureRenegotiation' configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#567980) Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491 All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68022
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68022
    title Oracle Linux 5 : httpd (ELSA-2010-0168)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_APACHE2-100413.NASL
    description When using a multithreaded MPM, Apache could leak memory of requests handled by a different thread when processing subrequests. (CVE-2010-0434) Specially crafted requests could crash mod_proxy_ajp. (CVE-2010-0408)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 46011
    published 2010-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=46011
    title openSUSE Security Update : apache2 (openSUSE-SU-2010:0165-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20100325_HTTPD_ON_SL5_X.NASL
    description CVE-2010-0408: httpd: mod_proxy_ajp remote temporary DoS. CVE-2010-0434: httpd: request header information leak. It was discovered that mod_proxy_ajp incorrectly returned an 'Internal Server Error' response when processing certain malformed requests, which caused the back-end server to be marked as failed in configurations where mod_proxy is used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period (60 seconds by default) by sending specially crafted requests. (CVE-2010-0408) A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434) This update also adds the following enhancement : - with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the 'SSLInsecureRenegotiation' configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#567980) Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491 After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60754
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60754
    title Scientific Linux Security Update : httpd on SL5.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_APACHE2-100413.NASL
    description The following bugs have been fixed : - When using a multithreaded MPM Apache could leak memory of requests handled by a different thread when processing subrequests. (CVE-2010-0434) - Specially crafted requests could crash mod_proxy_ajp. (CVE-2010-0408)
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 50889
    published 2010-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50889
    title SuSE 11 Security Update : Apache 2 (SAT Patch Number 2293)
  • NASL family Web Servers
    NASL id APACHE_2_2_15.NASL
    description According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.15. It is, therefore, potentially affected by multiple vulnerabilities : - A TLS renegotiation prefix injection attack is possible. (CVE-2009-3555) - The 'mod_proxy_ajp' module returns the wrong status code if it encounters an error, which causes the back-end server to be put into an error state. (CVE-2010-0408) - The 'mod_isapi' module attempts to unload 'ISAPI.dll' when it encounters various error states, which could leave call-backs in an undefined state. (CVE-2010-0425) - A flaw in the core sub-request processing code can lead to sensitive information from one request being handled by the wrong thread when a multi-threaded MPM is used. (CVE-2010-0434) - The 'mod_reqtimeout' module was added to mitigate Slowloris-style attacks. (CVE-2007-6750) Note that this check relies solely on the version reported in the Server banner, so distribution builds that keep an older version string and backport the fixes (for example the Red Hat httpd-2.2.3-31.el5_4.4 build referenced below) may be reported as vulnerable; use the package-level checks for those.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 45004
    published 2010-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45004
    title Apache 2.2.x < 2.2.15 Multiple Vulnerabilities
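The APACHE_2_2_15.NASL entry above is a banner-only check: it reads the Server header, extracts the Apache version and compares it with 2.2.15. The following added example (written for this page, not Tenable's plugin code) shows that logic together with the two cases a practitioner has to handle explicitly: a banner with no version (ServerTokens Prod) and a non-2.2.x branch, both of which are inconclusive rather than safe. The sample banners are constructed for illustration, not captured from real hosts.

```python
import re
from typing import Dict, Optional, Tuple

# Upstream release in which CVE-2010-0434 (and the other issues listed) was fixed.
FIXED_IN: Tuple[int, int, int] = (2, 2, 15)

# Accept either the raw header value or the full "Server: ..." header line.
_APACHE_RE = re.compile(r'^(?:Server:\s*)?Apache/(\d+)\.(\d+)\.(\d+)', re.IGNORECASE)


def apache_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a banner such as
    'Apache/2.2.14 (Unix) mod_ssl/2.2.14', or None when the banner carries
    no version (ServerTokens Prod) or is not Apache httpd at all."""
    m = _APACHE_RE.match(server_header.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def banner_says_vulnerable(server_header: str) -> Optional[bool]:
    """Banner-only verdict in the spirit of APACHE_2_2_15.NASL.

    True  -> an Apache 2.2.x older than 2.2.15 is advertised
    False -> 2.2.15 or later is advertised
    None  -> inconclusive: no version in the banner, or not a 2.2.x server
             (the CVE is described for 2.2.x only, so other branches are out of
             scope for this check, not known-safe)
    """
    v = apache_version(server_header)
    if v is None or v[:2] != (2, 2):
        return None
    return v < FIXED_IN


# Constructed sample banners (assumed values for this example, not real hosts).
SAMPLE_BANNERS: Dict[str, str] = {
    "stock-2.2.14":   "Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8k",
    "stock-2.2.15":   "Apache/2.2.15 (Unix)",
    "rhel5-backport": "Apache/2.2.3 (Red Hat)",  # RHEL 5 stays at 2.2.3 and backports the fix
    "prod-tokens":    "Apache",                  # ServerTokens Prod hides the version
    "2.0-branch":     "Apache/2.0.63 (Unix)",
    "not-apache":     "nginx/1.14.0",
}


def triage(banners: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Run the banner check over a name -> Server header mapping."""
    return {name: banner_says_vulnerable(b) for name, b in banners.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{name:16} -> {verdict}")
```

The "rhel5-backport" entry is the false positive the banner method cannot avoid: a Red Hat httpd-2.2.3-31.el5_4.4 build still announces 2.2.3, so for distribution packages the RPM version tests in the Red Hat OVAL definitions further down the page are the authoritative check.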
oval via4
  • accepted 2013-04-29T04:04:57.872-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request.
    family unix
    id oval:org.mitre.oval:def:10358
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request.
    version 24
  • accepted 2014-07-14T04:01:31.358-04:00
    class vulnerability
    contributors
    • name J. Daniel Brown
      organization DTCC
    • name Mike Lah
      organization The MITRE Corporation
    • name Shane Shaffer
      organization G2, Inc.
    • name Maria Mikhno
      organization ALTX-SOFT
    definition_extensions
    • comment Apache HTTP Server 2.2.x is installed on the system
      oval oval:org.mitre.oval:def:8550
    description The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request.
    family windows
    id oval:org.mitre.oval:def:8695
    status accepted
    submitted 2010-03-04T17:30:00.000-05:00
    title Apache HTTP Server request header information disclosure
    version 11
redhat via4
advisories
  • bugzilla
    id 570171
    title CVE-2010-0434 httpd: request header information leak
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment httpd is earlier than 0:2.2.3-31.el5_4.4
          oval oval:com.redhat.rhsa:tst:20100168002
        • comment httpd is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070556003
      • AND
        • comment httpd-devel is earlier than 0:2.2.3-31.el5_4.4
          oval oval:com.redhat.rhsa:tst:20100168004
        • comment httpd-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070556005
      • AND
        • comment httpd-manual is earlier than 0:2.2.3-31.el5_4.4
          oval oval:com.redhat.rhsa:tst:20100168006
        • comment httpd-manual is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070556009
      • AND
        • comment mod_ssl is earlier than 0:2.2.3-31.el5_4.4
          oval oval:com.redhat.rhsa:tst:20100168008
        • comment mod_ssl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070556007
    rhsa
    id RHSA-2010:0168
    released 2010-03-25
    severity Moderate
    title RHSA-2010:0168: httpd security and enhancement update (Moderate)
  • bugzilla
    id 575805
    title mod_ssl: Add SSLInsecureRenegotiation directive [rhel-4]
    oval
    AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    • OR
      • AND
        • comment httpd is earlier than 0:2.0.52-41.ent.7
          oval oval:com.redhat.rhsa:tst:20100175002
        • comment httpd is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060619003
      • AND
        • comment httpd-devel is earlier than 0:2.0.52-41.ent.7
          oval oval:com.redhat.rhsa:tst:20100175004
        • comment httpd-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060619005
      • AND
        • comment httpd-manual is earlier than 0:2.0.52-41.ent.7
          oval oval:com.redhat.rhsa:tst:20100175008
        • comment httpd-manual is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060619011
      • AND
        • comment httpd-suexec is earlier than 0:2.0.52-41.ent.7
          oval oval:com.redhat.rhsa:tst:20100175006
        • comment httpd-suexec is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070534011
      • AND
        • comment mod_ssl is earlier than 0:2.0.52-41.ent.7
          oval oval:com.redhat.rhsa:tst:20100175010
        • comment mod_ssl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060619009
    rhsa
    id RHSA-2010:0175
    released 2010-03-25
    severity Low
    title RHSA-2010:0175: httpd security, bug fix, and enhancement update (Low)
rpms
  • httpd-0:2.2.3-31.el5_4.4
  • httpd-devel-0:2.2.3-31.el5_4.4
  • httpd-manual-0:2.2.3-31.el5_4.4
  • mod_ssl-0:2.2.3-31.el5_4.4
  • httpd-0:2.0.52-41.ent.7
  • httpd-devel-0:2.0.52-41.ent.7
  • httpd-manual-0:2.0.52-41.ent.7
  • httpd-suexec-0:2.0.52-41.ent.7
  • mod_ssl-0:2.0.52-41.ent.7
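The Red Hat OVAL criteria above reduce to "package X is earlier than EVR Y" tests, ANDed with an OS-release test because the fixed build differs between RHEL 4 (2.0.52-41.ent.7) and RHEL 5 (2.2.3-31.el5_4.4). The added example below (written for this page, not Red Hat's or OVAL's own code) implements that comparison with a Python port of rpm's rpmvercmp() segment algorithm, parses the name-epoch:version-release strings from the rpms list, and decides whether an installed build is still affected. The installed package strings fed to it are constructed for illustration; the '^' version marker of newer rpm releases is not implemented.

```python
import re
from typing import Dict, Tuple

_DIGITS = re.compile(r'[0-9]+')
_ALPHA = re.compile(r'[A-Za-z]+')


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp() for ASCII version strings.
    Returns -1 if a < b, 0 if equal, 1 if a > b. Supports the '~' pre-release
    marker (1.0~rc1 < 1.0); the '^' marker is deliberately not handled here."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Separators (anything not alphanumeric or '~') are skipped.
        while i < la and not (a[i].isalnum() or a[i] == '~'):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] == '~'):
            j += 1
        # '~' sorts before everything, including the end of the string.
        ta = i < la and a[i] == '~'
        tb = j < lb and b[j] == '~'
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= la or j >= lb:
            break
        # Compare the next run of digits (or of letters) from both strings.
        if a[i].isdigit():
            ma, mb, isnum = _DIGITS.match(a, i), _DIGITS.match(b, j), True
        else:
            ma, mb, isnum = _ALPHA.match(a, i), _ALPHA.match(b, j), False
        seg_a = ma.group(0)
        if mb is None:
            return 1 if isnum else -1   # numeric segment is always newer than alpha
        seg_b = mb.group(0)
        i, j = ma.end(), mb.end()
        if isnum:
            seg_a, seg_b = seg_a.lstrip('0'), seg_b.lstrip('0')
            if len(seg_a) != len(seg_b):  # the longer numeric string is the larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1        # whichever string has characters left wins


def parse_nevr(nevr: str) -> Tuple[str, str, str, str]:
    """Split 'name-[epoch:]version-release' (the form used in the rpms list)
    into (name, epoch, version, release). A missing epoch means 0, as in rpm."""
    name_ev, sep1, release = nevr.rpartition('-')
    name, sep2, ev = name_ev.rpartition('-')
    if not sep1 or not sep2:
        raise ValueError(f"not a name-version-release string: {nevr!r}")
    epoch, _, version = ev.rpartition(':')
    return name, epoch or '0', version, release


def evr_cmp(x: Tuple[str, str, str], y: Tuple[str, str, str]) -> int:
    """Compare (epoch, version, release) triples field by field, as rpm does."""
    for fa, fb in zip(x, y):
        c = rpmvercmp(fa, fb)
        if c:
            return c
    return 0


def is_vulnerable(installed_nevr: str, fixed_nevr: str) -> bool:
    """True when the installed build is older than the fixed build of the same package."""
    n1, *evr1 = parse_nevr(installed_nevr)
    n2, *evr2 = parse_nevr(fixed_nevr)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    return evr_cmp(tuple(evr1), tuple(evr2)) < 0


# Fixed builds exactly as listed in the rpms section of this page.
FIXED_RPMS = [
    "httpd-0:2.2.3-31.el5_4.4", "httpd-devel-0:2.2.3-31.el5_4.4",
    "httpd-manual-0:2.2.3-31.el5_4.4", "mod_ssl-0:2.2.3-31.el5_4.4",
    "httpd-0:2.0.52-41.ent.7", "httpd-devel-0:2.0.52-41.ent.7",
    "httpd-manual-0:2.0.52-41.ent.7", "httpd-suexec-0:2.0.52-41.ent.7",
    "mod_ssl-0:2.0.52-41.ent.7",
]
# Keyed by (RHEL major, package). The '.el5' release tag marks the RHEL 5 builds;
# the '.ent.' builds are RHEL 4 (an assumption that holds for these two advisories).
FIXED: Dict[Tuple[int, str], str] = {}
for _nevr in FIXED_RPMS:
    _name, _, _, _release = parse_nevr(_nevr)
    FIXED[(5 if ".el5" in _release else 4, _name)] = _nevr


def check_redhat_httpd(rhel_major: int, installed_nevr: str) -> bool:
    """Mirror the OVAL logic: OS test AND package test. Without the OS test a RHEL 5
    2.2.3 build would wrongly compare as newer than the RHEL 4 2.0.52 fix."""
    name = parse_nevr(installed_nevr)[0]
    fixed = FIXED.get((rhel_major, name))
    if fixed is None:
        raise KeyError(f"no fixed build on this page for {name} on RHEL {rhel_major}")
    return is_vulnerable(installed_nevr, fixed)


if __name__ == "__main__":
    # Constructed installed-package strings (not from a real host).
    for major, pkg in [(5, "httpd-2.2.3-31.el5_4.3"), (5, "httpd-2.2.3-31.el5_4.4"),
                       (4, "httpd-2.0.52-41.ent.6"), (5, "mod_ssl-2.2.3-43.el5")]:
        print(f"RHEL {major} {pkg:28} vulnerable={check_redhat_httpd(major, pkg)}")
```

On a live RHEL 5 host the installed strings come from `rpm -q --qf '%{NAME}-%{EPOCH}:%{VERSION}-%{RELEASE}\n' httpd mod_ssl` (an epoch of "(none)" should be read as 0); the signature tests in the OVAL definition ("signed with Red Hat redhatrelease key") are a separate check that the package really is Red Hat's build and not a locally rebuilt one carrying the same version string.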
refmap via4
aixapar
  • PM08939
  • PM12247
  • PM15829
apple APPLE-SA-2010-11-10-1
bid 38494
confirm
debian DSA-2035
fedora
  • FEDORA-2010-5942
  • FEDORA-2010-6131
hp
  • HPSBUX02531
  • SSRT100108
mlist [security-announce] 20100923 VMSA-2010-0014 VMware Workstation, Player, and ACE address several security issues
secunia
  • 39100
  • 39115
  • 39501
  • 39628
  • 39632
  • 39656
  • 40096
suse SUSE-SR:2010:010
vupen
  • ADV-2010-0911
  • ADV-2010-0994
  • ADV-2010-1001
  • ADV-2010-1057
  • ADV-2010-1411
xf apache-http-rh-info-disclosure(56625)
statements via4
contributor Vincent Danen
lastmodified 2010-04-13
organization Red Hat
statement Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0434 This issue was fixed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0168.html This issue was fixed in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2010-0175.html The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw on Red Hat Enterprise Linux 3. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
Last major update 22-08-2016 - 22:00
Published 05-03-2010 - 14:30
Last modified 30-10-2018 - 12:25