Signature Detail
This site is deprecated. Please CLICK HERE for latest updates
Short Name |
HTTP:APACHE:SERVER-MOD-STATS-BO |
|---|---|
Severity |
Minor |
Recommended |
No |
Recommended Action |
Drop |
Category |
HTTP |
Keywords |
Apache Server Mod Status Race Condition Buffer Overflow |
Release Date |
2014/09/18 |
Update Number |
2420 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
HTTP: Apache Server Mod Status Race Condition Buffer Overflow
A race condition flaw, leading to heap-based buffer overflows, was found in the aache server. A remote attacker could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the apache user.
Extended Description
Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.
Affected Products
- Apache http_server 2.4.1
- Apache http_server 2.4.2
- Apache http_server 2.4.3
- Apache http_server 2.4.4
- Apache http_server 2.4.6
- Apache http_server 2.4.7
- Apache http_server 2.4.8
- Apache http_server 2.4.9
References
- BugTraq: 68678
- CVE: CVE-2014-0226
- URL: http://httpd.apache.org/security/vulnerabilities_24.html