Vigil@nce: Apache httpd, denial of service of mod_proxy
June 2008 by Emmanuelle Lamandé
A malicious web server can return several interim responses in
order to consume the memory of the mod_proxy module.
– Gravity: 2/4
– Consequences: denial of service of the service
– Provenance: internet server
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 11/06/2008
– Identifier: VIGILANCE-VUL-7889
IMPACTED PRODUCTS
Apache httpd [confidential versions]
DESCRIPTION
The mod_proxy module allows Apache httpd to be used as a proxy server.
The ap_proxy_http_process_response() function handles responses
returned by web servers. However, if a server returns several
interim responses (code 100), the proxy stores them with no
limit, which progressively saturates its memory.
A malicious web server can therefore return several interim
responses in order to progressively consume the memory of the
mod_proxy module.
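The flaw described above is a missing bound, so the defensive pattern is to count code 100 responses and abandon the backend past a cap. The following is an added illustration, not Apache httpd's code and not part of the advisory; the function names and the cap of 10 are assumptions, and the sample reply is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_INTERIM_RESPONSES 10  /* assumed cap, not a value from the advisory */

/* Return the status code of an "HTTP/x.y NNN ..." line, or -1 if malformed. */
static int parse_status(const char *line)
{
    int major, minor, status;
    if (sscanf(line, "HTTP/%d.%d %d", &major, &minor, &status) != 3)
        return -1;
    return status;
}

/* Walk a backend reply made of header blocks ending in a blank line. Code 100
 * blocks are counted and skipped, never stored. Returns the final status,
 * -1 if malformed or truncated, -2 once MAX_INTERIM_RESPONSES is exceeded. */
int read_final_status(const char *reply)
{
    int interim = 0;
    const char *p = reply;
    while (p && *p) {
        int status = parse_status(p);
        if (status != 100)
            return status;               /* final response, or -1 if malformed */
        if (++interim > MAX_INTERIM_RESPONSES)
            return -2;                   /* stop reading; fail the request */
        p = strstr(p, "\r\n\r\n");       /* end of this interim header block */
        p = p ? p + 4 : NULL;
    }
    return -1;                           /* stream ended before a final response */
}

/* Constructed sample input: n interim responses followed by a 200. */
int check_constructed_reply(int n_interim)
{
    static char buf[65536];
    size_t off = 0;
    for (int i = 0; i < n_interim && off < sizeof buf - 128; i++)
        off += (size_t)sprintf(buf + off, "HTTP/1.1 100 Continue\r\n\r\n");
    sprintf(buf + off, "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n");
    return read_final_status(buf);
}

int main(void)
{
    printf("%d %d\n", check_constructed_reply(3), check_constructed_reply(5000));
    return 0;
}
```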
CHARACTERISTICS
– Identifiers: CVE-2008-2364, VIGILANCE-VUL-7889
– Url: https://vigilance.aql.fr/tree/1/7889