| Description: | Summary:
Apache HTTP Server is prone to multiple vulnerabilities.
Vulnerability Insight:
The following vulnerabilities exist:
- CVE-2013-5704: HTTP trailers could be used to replace HTTP headers late during request
processing, potentially undoing or otherwise confusing modules that examined or modified
request headers earlier. This fix adds the 'MergeTrailers' directive to restore legacy behavior.
- CVE-2014-0118: A resource consumption flaw was found in mod_deflate. If request body
decompression was configured (using the 'DEFLATE' input filter), a remote attacker could cause
the server to consume significant memory and/or CPU resources. The use of request body
decompression is not a common configuration.
- CVE-2014-0226: A race condition was found in mod_status. An attacker able to access a public
server status page on a server using a threaded MPM could send a carefully crafted request which
could lead to a heap buffer overflow. Note that it is not a default or recommended configuration
to have a public accessible server status page.
- CVE-2014-0231: A flaw was found in mod_cgid. If a server using mod_cgid hosted CGI scripts
which did not consume standard input, a remote attacker could cause child processes to hang
indefinitely, leading to denial of service.
Affected Software/OS:
Apache HTTP Server version 2.2.0 through 2.2.27 and 2.4.1
through 2.4.10.
Solution:
Update to version 2.2.29, 2.4.12 or later.
CVSS Score:
6.8
CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
