PROBLEM:
Apache mod_proxy_ajp HTTP Processing Error Lets Remote Users Deny Service
PLATFORM:
Apache version(s) prior to 2.2.21
ABSTRACT:
A remote user can cause the backend server to remain in an error state until the retry timeout expires.
REFERENCE LINKS:
SecurityTracker Alert ID: 1026054
Apache Releases
CVE-2011-3348
IMPACT ASSESSMENT:
Medium
Discussion:
A vulnerability was reported in Apache mod_proxy_ajp. A remote user can cause denial of service conditions. When mod_proxy_ajp is used together with mod_proxy_balancer, a remote user can send specially crafted HTTP requests to place the backend server in an error state until the retry timeout expires.
Impact:
A remote user can cause the backend server to remain in an error state until the retry timeout expires.
Solution:
The vendor has issued a fix (2.2.21).
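
An added example (not from the advisory or from Apache): a host check for the two conditions in the Discussion, a release prior to 2.2.21 with both mod_proxy_ajp and mod_proxy_balancer present. It assumes the usual `httpd -v` and `httpd -M` output formats, treats a loaded module as a stand-in for one that is in use, and runs on constructed sample output.

```shell
#!/bin/sh
# Added example: classify one host against this advisory's two conditions.
FIXED="2.2.21"   # fixed release named in the advisory

# Pull "X.Y.Z" out of `httpd -v` text ("Server version: Apache/2.2.19 (Unix)").
apache_version() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeed when version $1 is numerically lower than $2 (major.minor.patch).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# Succeed when `httpd -M` text ($1) lists module $2, e.g. "proxy_ajp".
has_module() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*${2}_module([[:space:]]|\$)"
}

# $1 = `httpd -v` text, $2 = `httpd -M` text. Prints one verdict word.
classify() {
    ver=$(apache_version "$1")
    [ -n "$ver" ] || { echo "unknown-version"; return; }
    if ! version_lt "$ver" "$FIXED"; then echo "not-affected-version"; return; fi
    if has_module "$2" proxy_ajp && has_module "$2" proxy_balancer; then
        echo "exposed"            # both modules loaded: review balancer config
    else
        echo "version-affected-modules-absent"
    fi
}

# Constructed sample output, not captured from a real server.
SAMPLE_V='Server version: Apache/2.2.19 (Unix)'
SAMPLE_M='Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_ajp_module (shared)
 proxy_balancer_module (shared)
Syntax OK'

# On a real host: classify "$(httpd -v)" "$(httpd -M 2>&1)"
classify "$SAMPLE_V" "$SAMPLE_M"
```

The binary may be named differently on some distributions; substitute the local name in the commented invocation.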