ID CVE-2012-4557
Summary The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection of a long request-processing time, which allows remote attackers to cause a denial of service (worker consumption) via an expensive request.
References
Vulnerable Configurations
  • Apache Software Foundation Apache HTTP Server 2.2.12
    cpe:2.3:a:apache:http_server:2.2.12
  • Apache Software Foundation Apache HTTP Server 2.2.13
    cpe:2.3:a:apache:http_server:2.2.13
  • Apache Software Foundation Apache HTTP Server 2.2.14
    cpe:2.3:a:apache:http_server:2.2.14
  • Apache Software Foundation Apache HTTP Server 2.2.15
    cpe:2.3:a:apache:http_server:2.2.15
  • Apache Software Foundation Apache HTTP Server 2.2.16
    cpe:2.3:a:apache:http_server:2.2.16
  • Apache Software Foundation Apache HTTP Server 2.2.17
    cpe:2.3:a:apache:http_server:2.2.17
  • Apache Software Foundation Apache HTTP Server 2.2.18
    cpe:2.3:a:apache:http_server:2.2.18
  • Apache Software Foundation Apache HTTP Server 2.2.19
    cpe:2.3:a:apache:http_server:2.2.19
  • Apache Software Foundation Apache HTTP Server 2.2.20
    cpe:2.3:a:apache:http_server:2.2.20
  • Apache HTTP Server 2.2.21
    cpe:2.3:a:apache:http_server:2.2.21
CVSS
Base: 5.0 (as of 03-12-2012 - 10:07)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1765-1.NASL
    description Niels Heinen discovered that multiple modules incorrectly sanitized certain strings, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. (CVE-2012-3499, CVE-2012-4558) It was discovered that the mod_proxy_ajp module incorrectly handled error states. A remote attacker could use this issue to cause the server to stop responding, resulting in a denial of service. This issue only applied to Ubuntu 8.04 LTS, Ubuntu 10.04 LTS and Ubuntu 11.10. (CVE-2012-4557) It was discovered that the apache2ctl script shipped in Ubuntu packages incorrectly created the lock directory. A local attacker could possibly use this issue to gain privileges. The symlink protections in Ubuntu 11.10 and later should reduce this vulnerability to a denial of service. (CVE-2013-1048). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-01
    plugin id 65607
    published 2013-03-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65607
    title Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : apache2 vulnerabilities (USN-1765-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_APACHE2-130225.NASL
    description This update fixes the following issues : - Denial of Service via special requests in mod_proxy_ajp. (CVE-2012-4557) - improper LD_LIBRARY_PATH handling. (CVE-2012-0883) - filename escaping problem. (CVE-2012-2687) Additionally, some non-security bugs have been fixed : - ignore case when checking against SNI server names. [bnc#798733] - httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff reworked to reflect the upstream changes. This will prevent the 'Invalid URI in request OPTIONS *' messages in the error log. [bnc#722545] - new sysconfig variable APACHE_DISABLE_SSL_COMPRESSION; if set to on, OPENSSL_NO_DEFAULT_ZLIB will be inherited to the apache process; openssl will then transparently disable compression. This change affects start script and sysconfig fillup template. Default is on, SSL compression disabled. Please see mod_deflate for compressed transfer at http layer. [bnc#782956]
    last seen 2019-01-16
    modified 2015-01-13
    plugin id 65023
    published 2013-03-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65023
    title SuSE 11.2 Security Update : Apache (SAT Patch Number 7409)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-80.NASL
    description - ignore case when checking against SNI server names. [bnc#798733] httpd-2.2.x-bnc798733-SNI_ignorecase.diff - better cleanup of busy count after recovering from failure [bnc#789828] httpd-2.2.x-bnc789828-mod_balancer.diff - httpd-2.2.x-bnc788121-CVE-2012-4557-mod_proxy_ajp_timeout.diff: backend timeouts should not affect the entire worker. [bnc#788121] - httpd-2.2.x-envvars.diff obsoletes httpd-2.0.54-envvars.dif: Fix for low profile bug CVE-2012-0883 about improper LD_LIBRARY_PATH handling. [bnc#757710] - httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename_xss.diff Escape filename for the case that uploads are allowed with untrusted user's control over filenames and mod_negotiation enabled on the same directory. CVE-2012-2687 [bnc#777260] - httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff reworked to reflect the upstream changes. This will prevent the 'Invalid URI in request OPTIONS *' messages in the error log. [bnc#722545]
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 75181
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75181
    title openSUSE Security Update : apache2 (openSUSE-SU-2013:0243-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2013-0469-1.NASL
    description This Apache2 LTSS roll-up update for SUSE Linux Enterprise 10 SP3 LTSS fixes the following security issues and bugs : - CVE-2012-4557: Denial of Service via special requests in mod_proxy_ajp - CVE-2012-0883: improper LD_LIBRARY_PATH handling - CVE-2012-2687: filename escaping problem - CVE-2012-0031: Fixed a scoreboard corruption (shared mem segment) by child causes crash of privileged parent (invalid free()) during shutdown. - CVE-2012-0053: Fixed an issue in error responses that could expose 'httpOnly' cookies when no custom ErrorDocument is specified for status code 400. - The SSL configuration template has been adjusted not to suggest weak ciphers - CVE-2007-6750: The 'mod_reqtimeout' module was backported from Apache 2.2.21 to help mitigate the 'Slowloris' Denial of Service attack. You need to enable the 'mod_reqtimeout' module in your existing apache configuration to make it effective, e.g. in the APACHE_MODULES line in /etc/sysconfig/apache2. - CVE-2011-3639, CVE-2011-3368, CVE-2011-4317: This update also includes several fixes for a mod_proxy reverse exposure via RewriteRule or ProxyPassMatch directives. - CVE-2011-1473: Fixed the SSL renegotiation DoS by disabling renegotiation by default. - CVE-2011-3607: Integer overflow in ap_pregsub function resulting in a heap-based buffer overflow could potentially allow local attackers to gain privileges. Additionally, some non-security bugs have been fixed which are listed in the changelog file. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-07-31
    plugin id 83578
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83578
    title SUSE SLES10 Security Update : apache2 (SUSE-SU-2013:0469-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-0512.NASL
    description From Red Hat Security Advisory 2013:0512 : Updated httpd packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation. An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site. (CVE-2008-0455, CVE-2012-2687) It was discovered that mod_proxy_ajp, when used in configurations with mod_proxy in load balancer mode, would mark a back-end server as failed when request processing timed out, even when a previous AJP (Apache JServ Protocol) CPing request was responded to by the back-end. A remote attacker able to make a back-end use an excessive amount of time to process a request could cause mod_proxy to not send requests to back-end AJP servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2012-4557) These updated httpd packages include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes. All users of httpd are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. 
    After installing the updated packages, the httpd daemon will be restarted automatically.
    last seen 2019-01-16
    modified 2018-07-18
    plugin id 68750
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68750
    title Oracle Linux 6 : httpd (ELSA-2013-0512)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130221_HTTPD_ON_SL6_X.NASL
    description An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site. (CVE-2008-0455, CVE-2012-2687) It was discovered that mod_proxy_ajp, when used in configurations with mod_proxy in load balancer mode, would mark a back-end server as failed when request processing timed out, even when a previous AJP (Apache JServ Protocol) CPing request was responded to by the back-end. A remote attacker able to make a back-end use an excessive amount of time to process a request could cause mod_proxy to not send requests to back-end AJP servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2012-4557) After installing the updated packages, the httpd daemon will be restarted automatically.
    last seen 2019-01-16
    modified 2018-12-31
    plugin id 64952
    published 2013-03-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64952
    title Scientific Linux Security Update : httpd on SL6.x i386/x86_64
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2579.NASL
    description A vulnerability has been found in the Apache HTTPD Server : - CVE-2012-4557 A flaw was found when mod_proxy_ajp connects to a backend server that takes too long to respond. Given a specific configuration, a remote attacker could send certain requests, putting a backend server into an error state until the retry timeout expired. This could lead to a temporary denial of service. In addition, this update also adds a server side mitigation for the following issue : - CVE-2012-4929 If using SSL/TLS data compression with HTTPS in a connection to a web browser, man-in-the-middle attackers may obtain plaintext HTTP headers. This issue is known as the 'CRIME' attack. This update of apache2 disables SSL compression by default. A new SSLCompression directive has been backported that may be used to re-enable SSL data compression in environments where the 'CRIME' attack is not an issue. For more information, please refer to the SSLCompression Directive documentation.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 63114
    published 2012-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63114
    title Debian DSA-2579-1 : apache2 - Multiple issues
  • NASL family Web Servers
    NASL id APACHE_2_2_22.NASL
    description According to its banner, the version of Apache 2.2.x installed on the remote host is prior to 2.2.22. It is, therefore, potentially affected by the following vulnerabilities : - When configured as a reverse proxy, improper use of the RewriteRule and ProxyPassMatch directives could cause the web server to proxy requests to arbitrary hosts. This could allow a remote attacker to indirectly send requests to intranet servers. (CVE-2011-3368, CVE-2011-4317) - A heap-based buffer overflow exists when mod_setenvif module is enabled and both a maliciously crafted 'SetEnvIf' directive and a maliciously crafted HTTP request header are used. (CVE-2011-3607) - A format string handling error can allow the server to be crashed via maliciously crafted cookies. (CVE-2012-0021) - An error exists in 'scoreboard.c' that can allow local attackers to crash the server during shutdown. (CVE-2012-0031) - An error exists in 'protocol.c' that can allow 'HTTPOnly' cookies to be exposed to attackers through the malicious use of either long or malformed HTTP headers. (CVE-2012-0053) - An error in the mod_proxy_ajp module when used to connect to a backend server that takes an overly long time to respond could lead to a temporary denial of service. (CVE-2012-4557) Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
    last seen 2019-01-16
    modified 2018-06-29
    plugin id 57791
    published 2012-02-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57791
    title Apache 2.2.x < 2.2.22 Multiple Vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-0512.NASL
    description Updated httpd packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation. An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site. (CVE-2008-0455, CVE-2012-2687) It was discovered that mod_proxy_ajp, when used in configurations with mod_proxy in load balancer mode, would mark a back-end server as failed when request processing timed out, even when a previous AJP (Apache JServ Protocol) CPing request was responded to by the back-end. A remote attacker able to make a back-end use an excessive amount of time to process a request could cause mod_proxy to not send requests to back-end AJP servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2012-4557) These updated httpd packages include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes. All users of httpd are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. After installing the updated packages, the httpd daemon will be restarted automatically.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 65145
    published 2013-03-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65145
    title CentOS 6 : httpd (CESA-2013:0512)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0512.NASL
    description Updated httpd packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation. An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site. (CVE-2008-0455, CVE-2012-2687) It was discovered that mod_proxy_ajp, when used in configurations with mod_proxy in load balancer mode, would mark a back-end server as failed when request processing timed out, even when a previous AJP (Apache JServ Protocol) CPing request was responded to by the back-end. A remote attacker able to make a back-end use an excessive amount of time to process a request could cause mod_proxy to not send requests to back-end AJP servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2012-4557) These updated httpd packages include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes. All users of httpd are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. After installing the updated packages, the httpd daemon will be restarted automatically.
    last seen 2019-01-16
    modified 2018-11-26
    plugin id 64761
    published 2013-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64761
    title RHEL 6 : httpd (RHSA-2013:0512)
oval via4
  • accepted 2015-04-20T04:00:49.975-04:00
    class vulnerability
    contributors
    • name Ganesh Manal
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection of a long request-processing time, which allows remote attackers to cause a denial of service (worker consumption) via an expensive request.
    family unix
    id oval:org.mitre.oval:def:18938
    status accepted
    submitted 2013-11-22T11:43:28.000-05:00
    title HP-UX Running Apache, Remote Denial of Service (DoS), Execution of Arbitrary Code and other vulnerabilities
    version 45
  • accepted 2015-04-20T04:01:04.912-04:00
    class vulnerability
    contributors
    • name Ganesh Manal
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection of a long request-processing time, which allows remote attackers to cause a denial of service (worker consumption) via an expensive request.
    family unix
    id oval:org.mitre.oval:def:19284
    status accepted
    submitted 2013-11-22T11:43:28.000-05:00
    title HP-UX Apache Running Tomcat Servlet Engine, Remote Denial of Service (DoS), Cross Site Scripting (XSS)
    version 42
redhat via4
advisories
bugzilla
id 876923
title condition always true - detected by Coverity
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhsa:tst:20100842001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhsa:tst:20100842002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20100842003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20100842004
  • OR
    • AND
      • comment httpd is earlier than 0:2.2.15-26.el6
        oval oval:com.redhat.rhsa:tst:20130512005
      • comment httpd is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20111245017
    • AND
      • comment httpd-devel is earlier than 0:2.2.15-26.el6
        oval oval:com.redhat.rhsa:tst:20130512013
      • comment httpd-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20111245019
    • AND
      • comment httpd-manual is earlier than 0:2.2.15-26.el6
        oval oval:com.redhat.rhsa:tst:20130512011
      • comment httpd-manual is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20111245025
    • AND
      • comment httpd-tools is earlier than 0:2.2.15-26.el6
        oval oval:com.redhat.rhsa:tst:20130512009
      • comment httpd-tools is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20111245023
    • AND
      • comment mod_ssl is earlier than 0:2.2.15-26.el6
        oval oval:com.redhat.rhsa:tst:20130512007
      • comment mod_ssl is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20111245021
rhsa
id RHSA-2013:0512
released 2013-02-21
severity Low
title RHSA-2013:0512: httpd security, bug fix, and enhancement update (Low)
rpms
  • httpd-0:2.2.15-26.el6
  • httpd-devel-0:2.2.15-26.el6
  • httpd-manual-0:2.2.15-26.el6
  • httpd-tools-0:2.2.15-26.el6
  • mod_ssl-0:2.2.15-26.el6
refmap via4
confirm
debian DSA-2579
hp
  • HPSBUX02866
  • SSRT101139
suse
  • openSUSE-SU-2013:0243
  • openSUSE-SU-2013:0248
Last major update 22-08-2016 - 22:05
Published 30-11-2012 - 14:55
Last modified 18-09-2017 - 21:35