Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALAS-2014-388

Related Vulnerabilities: CVE-2014-0118   CVE-2014-0226   CVE-2014-0231  

A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. (CVE-2014-0226) A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the "DEFLATE" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system. (CVE-2014-0118) A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231)

Source

ALAS-2014-388

Amazon Linux AMI Security Advisory: ALAS-2014-388
Advisory Release Date: 2014-07-31 13:54 Pacific
Advisory Updated Date: 2014-09-19 11:39 Pacific
Severity: Important
Issue Overview:

A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. (CVE-2014-0226)

A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the "DEFLATE" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system. (CVE-2014-0118)

A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231)


Affected Packages:

httpd


Issue Correction:
Run yum update httpd to update your system.

New Packages:
i686:
    httpd-tools-2.2.27-1.3.amzn1.i686
    httpd-devel-2.2.27-1.3.amzn1.i686
    httpd-2.2.27-1.3.amzn1.i686
    mod_ssl-2.2.27-1.3.amzn1.i686
    httpd-debuginfo-2.2.27-1.3.amzn1.i686

noarch:
    httpd-manual-2.2.27-1.3.amzn1.noarch

src:
    httpd-2.2.27-1.3.amzn1.src

x86_64:
    httpd-tools-2.2.27-1.3.amzn1.x86_64
    httpd-devel-2.2.27-1.3.amzn1.x86_64
    mod_ssl-2.2.27-1.3.amzn1.x86_64
    httpd-2.2.27-1.3.amzn1.x86_64
    httpd-debuginfo-2.2.27-1.3.amzn1.x86_64

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started