| ID |
CVE-2008-2364
|
| Summary |
The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses. |
| References |
|
| Vulnerable Configurations |
|
| CVSS |
| Base: | 5.0 (as of 06-06-2021 - 11:15) |
| Impact: | |
| Exploitability: | |
|
| CWE |
CWE-399 |
| CAPEC |
|
| Access |
| Vector | Complexity | Authentication |
| NETWORK |
LOW |
NONE |
|
| Impact |
| Confidentiality | Integrity | Availability |
| NONE |
NONE |
PARTIAL |
|
| cvss-vector
via4
|
AV:N/AC:L/Au:N/C:N/I:N/A:P
|
| oval
via4
|
| accepted | 2014-07-14T04:00:10.541-04:00 | | class | vulnerability | | contributors | | name | J. Daniel Brown | | organization | DTCC |
| name | Shane Shaffer | | organization | G2, Inc. |
| name | Maria Mikhno | | organization | ALTX-SOFT |
| | definition_extensions | | comment | Apache HTTP Server 2.0.x is installed on the system | | oval | oval:org.mitre.oval:def:8605 |
| comment | Apache HTTP Server 2.2.x is installed on the system | | oval | oval:org.mitre.oval:def:8550 |
| | description | The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses. | | family | windows | | id | oval:org.mitre.oval:def:11713 | | status | accepted | | submitted | 2010-07-27T17:30:00.000-05:00 | | title | Apache 'mod_proxy_http' Interim Response Denial of Service Vulnerability | | version | 11 |
| accepted | 2015-04-20T04:02:29.943-04:00 | | class | vulnerability | | contributors | | name | Michael Wood | | organization | Hewlett-Packard |
| name | Sushant Kumar Singh | | organization | Hewlett-Packard |
| name | Sushant Kumar Singh | | organization | Hewlett-Packard |
| name | Prashant Kumar | | organization | Hewlett-Packard |
| name | Mike Cokus | | organization | The MITRE Corporation |
| | description | The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses. | | family | unix | | id | oval:org.mitre.oval:def:6084 | | status | accepted | | submitted | 2008-08-28T13:04:06.000-04:00 | | title | HP-UX Running Apache, Remote Cross Site Scripting (XSS) or Denial of Service (DoS) | | version | 46 |
| accepted | 2013-04-29T04:20:24.353-04:00 | | class | vulnerability | | contributors | | name | Aharon Chernin | | organization | SCAP.com, LLC |
| name | Dragos Prisaca | | organization | G2, Inc. |
| | definition_extensions | | comment | The operating system installed on the system is Red Hat Enterprise Linux 3 | | oval | oval:org.mitre.oval:def:11782 |
| comment | CentOS Linux 3.x | | oval | oval:org.mitre.oval:def:16651 |
| comment | The operating system installed on the system is Red Hat Enterprise Linux 4 | | oval | oval:org.mitre.oval:def:11831 |
| comment | CentOS Linux 4.x | | oval | oval:org.mitre.oval:def:16636 |
| comment | Oracle Linux 4.x | | oval | oval:org.mitre.oval:def:15990 |
| comment | The operating system installed on the system is Red Hat Enterprise Linux 5 | | oval | oval:org.mitre.oval:def:11414 |
| comment | The operating system installed on the system is CentOS Linux 5.x | | oval | oval:org.mitre.oval:def:15802 |
| comment | Oracle Linux 5.x | | oval | oval:org.mitre.oval:def:15459 |
| | description | The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses. | | family | unix | | id | oval:org.mitre.oval:def:9577 | | status | accepted | | submitted | 2010-07-09T03:56:16-04:00 | | title | The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses. | | version | 30 |
|
| redhat
via4
|
| advisories | | | rpms | - httpd-0:2.2.10-1.el5s2
- httpd-debuginfo-0:2.2.10-1.el5s2
- httpd-devel-0:2.2.10-1.el5s2
- httpd-manual-0:2.2.10-1.el5s2
- mod_ssl-1:2.2.10-1.el5s2
- mysql-0:5.0.60sp1-1.el5s2
- mysql-bench-0:5.0.60sp1-1.el5s2
- mysql-cluster-0:5.0.60sp1-1.el5s2
- mysql-connector-odbc-0:3.51.26r1127-1.el5s2
- mysql-connector-odbc-debuginfo-0:3.51.26r1127-1.el5s2
- mysql-debuginfo-0:5.0.60sp1-1.el5s2
- mysql-devel-0:5.0.60sp1-1.el5s2
- mysql-libs-0:5.0.60sp1-1.el5s2
- mysql-server-0:5.0.60sp1-1.el5s2
- mysql-test-0:5.0.60sp1-1.el5s2
- perl-DBD-MySQL-0:4.008-2.el5s2
- perl-DBD-MySQL-debuginfo-0:4.008-2.el5s2
- perl-DBD-Pg-0:1.49-4.el5s2
- perl-DBD-Pg-debuginfo-0:1.49-4.el5s2
- perl-DBI-0:1.607-3.el5s2
- perl-DBI-debuginfo-0:1.607-3.el5s2
- php-pear-1:1.7.2-2.el5s2
- postgresql-0:8.2.11-1.el5s2
- postgresql-contrib-0:8.2.11-1.el5s2
- postgresql-debuginfo-0:8.2.11-1.el5s2
- postgresql-devel-0:8.2.11-1.el5s2
- postgresql-docs-0:8.2.11-1.el5s2
- postgresql-libs-0:8.2.11-1.el5s2
- postgresql-plperl-0:8.2.11-1.el5s2
- postgresql-plpython-0:8.2.11-1.el5s2
- postgresql-pltcl-0:8.2.11-1.el5s2
- postgresql-python-0:8.2.11-1.el5s2
- postgresql-server-0:8.2.11-1.el5s2
- postgresql-tcl-0:8.2.11-1.el5s2
- postgresql-test-0:8.2.11-1.el5s2
- postgresqlclient81-0:8.1.14-1.el5s2
- postgresqlclient81-debuginfo-0:8.1.14-1.el5s2
- httpd-0:2.0.46-71.ent
- httpd-0:2.0.52-41.ent.2
- httpd-0:2.2.3-11.el5_2.4
- httpd-debuginfo-0:2.0.46-71.ent
- httpd-debuginfo-0:2.0.52-41.ent.2
- httpd-debuginfo-0:2.2.3-11.el5_2.4
- httpd-devel-0:2.0.46-71.ent
- httpd-devel-0:2.0.52-41.ent.2
- httpd-devel-0:2.2.3-11.el5_2.4
- httpd-manual-0:2.0.52-41.ent.2
- httpd-manual-0:2.2.3-11.el5_2.4
- httpd-suexec-0:2.0.52-41.ent.2
- mod_ssl-1:2.0.46-71.ent
- mod_ssl-1:2.0.52-41.ent.2
- mod_ssl-1:2.2.3-11.el5_2.4
- ant-0:1.6.5-1jpp_1rh
- avalon-logkit-0:1.2-2jpp_4rh
- axis-0:1.2.1-1jpp_3rh
- classpathx-jaf-0:1.0-2jpp_6rh
- classpathx-mail-0:1.1.1-2jpp_8rh
- geronimo-ejb-2.1-api-0:1.0-0.M4.1jpp_10rh
- geronimo-j2ee-1.4-apis-0:1.0-0.M4.1jpp_10rh
- geronimo-j2ee-connector-1.5-api-0:1.0-0.M4.1jpp_10rh
- geronimo-j2ee-deployment-1.1-api-0:1.0-0.M4.1jpp_10rh
- geronimo-j2ee-management-1.0-api-0:1.0-0.M4.1jpp_10rh
- geronimo-jms-1.1-api-0:1.0-0.M4.1jpp_10rh
- geronimo-jsp-2.0-api-0:1.0-0.M4.1jpp_10rh
- geronimo-jta-1.0.1B-api-0:1.0-0.M4.1jpp_10rh
- geronimo-servlet-2.4-api-0:1.0-0.M4.1jpp_10rh
- geronimo-specs-0:1.0-0.M4.1jpp_10rh
- geronimo-specs-javadoc-0:1.0-0.M4.1jpp_10rh
- jakarta-commons-modeler-0:2.0-3jpp_2rh
- log4j-0:1.2.12-1jpp_1rh
- mx4j-1:3.0.1-1jpp_4rh
- pcsc-lite-0:1.3.3-3.el4
- pcsc-lite-debuginfo-0:1.3.3-3.el4
- pcsc-lite-doc-0:1.3.3-3.el4
- pcsc-lite-libs-0:1.3.3-3.el4
- rhpki-ca-0:7.3.0-20.el4
- rhpki-java-tools-0:7.3.0-10.el4
- rhpki-kra-0:7.3.0-14.el4
- rhpki-manage-0:7.3.0-19.el4
- rhpki-native-tools-0:7.3.0-6.el4
- rhpki-ocsp-0:7.3.0-13.el4
- rhpki-tks-0:7.3.0-13.el4
- tomcat5-0:5.5.23-0jpp_4rh.16
- tomcat5-common-lib-0:5.5.23-0jpp_4rh.16
- tomcat5-jasper-0:5.5.23-0jpp_4rh.16
- tomcat5-jsp-2.0-api-0:5.5.23-0jpp_4rh.16
- tomcat5-server-lib-0:5.5.23-0jpp_4rh.16
- tomcat5-servlet-2.4-api-0:5.5.23-0jpp_4rh.16
- xerces-j2-0:2.7.1-1jpp_1rh
- xml-commons-0:1.3.02-2jpp_1rh
- xml-commons-apis-0:1.3.02-2jpp_1rh
|
|
| refmap
via4
|
| aixapar | PK67579 | | apple | APPLE-SA-2008-10-09 | | bid | | | bugtraq | - 20080729 rPSA-2008-0236-1 httpd mod_ssl
- 20081122 rPSA-2008-0328-1 httpd mod_ssl
| | confirm | | | fedora | - FEDORA-2008-6314
- FEDORA-2008-6393
| | gentoo | GLSA-200807-06 | | hp | - HPSBUX02365
- HPSBUX02401
- HPSBUX02465
- SSRT080118
- SSRT090005
- SSRT090192
| | mandriva | - MDVSA-2008:195
- MDVSA-2008:237
| | mlist | - [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
- [httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
| | sectrack | 1020267 | | secunia | - 30621
- 31026
- 31404
- 31416
- 31651
- 31904
- 32222
- 32685
- 32838
- 33156
- 33797
- 34219
- 34259
- 34418
| | sunalert | 247666 | | suse | - SUSE-SR:2009:006
- SUSE-SR:2009:007
| | ubuntu | USN-731-1 | | vupen | - ADV-2008-1798
- ADV-2008-2780
- ADV-2009-0320
| | xf | apache-modproxy-module-dos(42987) |
|
| statements
via4
|
| contributor | Mark J Cox | | lastmodified | 2008-07-02 | | organization | Apache | | statement | Fixed in Apache HTTP Server 2.2.9. http://httpd.apache.org/security/vulnerabilities_22.html |
| contributor | Mark J Cox | | lastmodified | 2008-06-26 | | organization | Red Hat | | statement | Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-2364
The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ |
|
| Last major update |
06-06-2021 - 11:15 |
| Published |
13-06-2008 - 18:41 |
| Last modified |
06-06-2021 - 11:15 |
