ID CVE-2012-4557
Summary The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection of a long request-processing time, which allows remote attackers to cause a denial of service (worker consumption) via an expensive request.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:http_server:2.2.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.13:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.14:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.15:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.16:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.17:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.18:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.19:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.20:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.21:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 19-09-2017 - 01:35)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
oval via4
  • accepted 2015-04-20T04:00:49.975-04:00
    class vulnerability
    contributors
    • name Ganesh Manal
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection of a long request-processing time, which allows remote attackers to cause a denial of service (worker consumption) via an expensive request.
    family unix
    id oval:org.mitre.oval:def:18938
    status accepted
    submitted 2013-11-22T11:43:28.000-05:00
    title HP-UX Running Apache, Remote Denial of Service (DoS), Execution of Arbitrary Code and other vulnerabilities
    version 45
  • accepted 2015-04-20T04:01:04.912-04:00
    class vulnerability
    contributors
    • name Ganesh Manal
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection of a long request-processing time, which allows remote attackers to cause a denial of service (worker consumption) via an expensive request.
    family unix
    id oval:org.mitre.oval:def:19284
    status accepted
    submitted 2013-11-22T11:43:28.000-05:00
    title HP-UX Apache Running Tomcat Servlet Engine, Remote Denial of Service (DoS), Cross Site Scripting (XSS)
    version 42
redhat via4
advisories
bugzilla
id 876923
title condition always true - detected by Coverity
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhba:tst:20111656001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhba:tst:20111656002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20111656004
  • OR
    • AND
      • comment httpd is earlier than 0:2.2.15-26.el6
        oval oval:com.redhat.rhsa:tst:20130512005
      • comment httpd is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20111245017
    • AND
      • comment httpd-devel is earlier than 0:2.2.15-26.el6
        oval oval:com.redhat.rhsa:tst:20130512013
      • comment httpd-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20111245019
    • AND
      • comment httpd-manual is earlier than 0:2.2.15-26.el6
        oval oval:com.redhat.rhsa:tst:20130512011
      • comment httpd-manual is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20111245025
    • AND
      • comment httpd-tools is earlier than 0:2.2.15-26.el6
        oval oval:com.redhat.rhsa:tst:20130512009
      • comment httpd-tools is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20111245023
    • AND
      • comment mod_ssl is earlier than 0:2.2.15-26.el6
        oval oval:com.redhat.rhsa:tst:20130512007
      • comment mod_ssl is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20111245021
rhsa
id RHSA-2013:0512
released 2013-02-21
severity Low
title RHSA-2013:0512: httpd security, bug fix, and enhancement update (Low)
rpms
  • httpd-0:2.2.15-26.el6
  • httpd-devel-0:2.2.15-26.el6
  • httpd-manual-0:2.2.15-26.el6
  • httpd-tools-0:2.2.15-26.el6
  • mod_ssl-0:2.2.15-26.el6
refmap via4
confirm
debian DSA-2579
hp
  • HPSBUX02866
  • SSRT101139
suse
  • openSUSE-SU-2013:0243
  • openSUSE-SU-2013:0248
Last major update 19-09-2017 - 01:35
Published 30-11-2012 - 19:55