Actu
Vigil@nce - Apache HTTPD: NULL pointer dereference via mod_nw_ssl.c and protocol.c
June 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can force a NULL pointer to be dereferenced in Apache
HTTPD, in order to trigger a denial of service.
Impacted products: Apache httpd
Severity: 2/4
Creation date: 14/04/2015
Revision date: 15/04/2015
DESCRIPTION OF THE VULNERABILITY
The Apache HTTPD server can use TLS encrypted connections.
On Netware platforms, a special version of the SSL module is used.
However, it may happens that this module attempt ro access the
data structure that describes the current HTTP request when it
does not exist yet; which leads to dereference a NULL pointer and
the termination of the server process for the current connection.
The same error occurs in the source file protocol.c, which handles
HTTP for all platforms.
An attacker can therefore force a NULL pointer to be dereferenced
in Apache HTTPD, in order to trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
