Test ID:	1.3.6.1.4.1.25623.1.0.800827
Category:	Denial of Service
Title:	Apache HTTP Server 'mod_proxy_http.c' Denial Of Service Vulnerability
Summary:	Apache HTTP Server is prone to a Denial of Service vulnerability.
Description:	Summary: Apache HTTP Server is prone to a Denial of Service vulnerability. Vulnerability Insight: The flaw is due to error in 'stream_reqbody_cl' function in 'mod_proxy_http.c' in the mod_proxy module. When a reverse proxy is configured, it does not properly handle an amount of streamed data that exceeds the Content-Length value via crafted requests. Vulnerability Impact: Successful exploitation will allow remote attackers to cause Denial of Service to the legitimate user by CPU consumption. Affected Software/OS: Apache HTTP Server version prior to 2.3.3. Solution: Update to version 2.3.3 or later. CVSS Score: 7.1 CVSS Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2009-1890 1022509 http://www.securitytracker.com/id?1022509 20091112 rPSA-2009-0142-1 httpd mod_ssl http://www.securityfocus.com/archive/1/507852/100/0/threaded 20091113 rPSA-2009-0142-2 httpd mod_ssl http://www.securityfocus.com/archive/1/507857/100/0/threaded 35565 http://www.securityfocus.com/bid/35565 35691 http://secunia.com/advisories/35691 35721 http://secunia.com/advisories/35721 35793 http://secunia.com/advisories/35793 35865 http://secunia.com/advisories/35865 37152 http://secunia.com/advisories/37152 37221 http://secunia.com/advisories/37221 55553 http://osvdb.org/55553 ADV-2009-3184 http://www.vupen.com/english/advisories/2009/3184 APPLE-SA-2009-11-09-1 http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html DSA-1834 http://www.debian.org/security/2009/dsa-1834 FEDORA-2009-8812 https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01363.html GLSA-200907-04 http://security.gentoo.org/glsa/glsa-200907-04.xml HPSBUX02612 http://marc.info/?l=bugtraq&m=129190899612998&w=2 MDVSA-2009:149 http://www.mandriva.com/security/advisories?name=MDVSA-2009:149 MDVSA-2013:150 http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 PK91259 http://www-01.ibm.com/support/docview.wss?uid=swg1PK91259 PK99480 http://www-01.ibm.com/support/docview.wss?uid=swg1PK99480 RHSA-2009:1148 https://rhn.redhat.com/errata/RHSA-2009-1148.html RHSA-2009:1156 http://www.redhat.com/support/errata/RHSA-2009-1156.html SSRT100345 SUSE-SA:2009:050 http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html USN-802-1 http://www.ubuntu.com/usn/USN-802-1 [httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E [httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E [httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E [httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/ https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E [httpd-cvs] 20210330 svn commit: r1073139 [5/13] - in /websites/staging/httpd/trunk/content: ./ security/json/ https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3Ccvs.httpd.apache.org%3E [httpd-cvs] 20210330 svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E [httpd-cvs] 20210330 svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E [httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E [httpd-cvs] 20210330 svn commit: r1073149 [6/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E [httpd-cvs] 20210330 svn commit: r1888194 [5/13] - /httpd/site/trunk/content/security/json/ https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3Ccvs.httpd.apache.org%3E [httpd-cvs] 20210603 svn commit: r1075360 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E [httpd-cvs] 20210606 svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E [mina-users] 20210714 CWE-189 CWE-189 Numeric Errors: CVE-2009-1890 in Apache Mina SSHD SFTP 2.7.0 library https://lists.apache.org/thread.html/rb33be0aa9bd8cac9536293e3821dcd4cf8180ad95a8036eedd46365e%40%3Cusers.mina.apache.org%3E http://support.apple.com/kb/HT3937 http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=790587&r2=790586&pathrev=790587 http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?revision=790587 http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=790587&r2=790586&pathrev=790587 http://svn.apache.org/viewvc?view=rev&revision=790587 http://wiki.rpath.com/Advisories:rPSA-2009-0142 http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html oval:org.mitre.oval:def:12330 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12330 oval:org.mitre.oval:def:8616 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8616 oval:org.mitre.oval:def:9403 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9403
Copyright	Copyright (C) 2009 Greenbone Networks GmbH

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.