Orange Business Services
Vigil@nce Vigil@nce Vigil@nce
we track for your security since 1999
 home presentation vulnerabilities documentation contact  
subscriber area subscriber area
free access free access
Vigil@nce team describes computer vulnerabilities impacting your systems, and offers solutions to correct them.
recent vulnerabilities recent vulnerabilities
tracked products tracked products
RSS feed RSS feed
vulnerability

vulnerability alert CVE-2009-1891

Apache httpd: denial of service of mod_deflate

Synthesis of the vulnerability

An attacker can force the mod_deflate module of Apache httpd to consume CPU resources.
Severity: 3/4.
Creation date: 09/07/2009.

Description of the vulnerability

The mod_deflate module of Apache httpd is used to compress data with a gzip algorithm. It is for example used to compress some MIME types (extract of the configuration file):
  AddOutputFilterByType DEFLATE text/html text/plain text/xml

When a client requests a text file, the module of the web server compresses it, then sends the result to the client, who uncompresses it.

However, if the client interrupts his TCP session during the compression, the module continues to compress the file. The server thus continues to consume resources, for nothing.

An attacker can therefore request several files to compress, in order to force the mod_deflate module to consume CPU resources.

Complete Vigil@nce bulletin

Access to the complete Vigil@nce bulletin

Characteristics

Title: Apache httpd: denial of service of mod_deflate.
Keywords: AddOutputFilterByType Apache CPU DEFLATE MIME TCP denial httpd mod_deflate service.
Identifiers: 8812, BID-35623, CVE-2009-1891, DSA 1834-1, DSA 1834-2, MDVSA-2009:149, MDVSA-2009:168, MDVSA-2009:323, PK87176, PK88341, PK88342, PK91361, PK99477, PK99478, PK99480, RHSA-2009:1148-01, RHSA-2009:1155-01, RHSA-2009:1156-01, RHSA-2009:1160-01, RHSA-2009:1205-01, RHSA-2009:1580-02, SSA:2009-214-01, SUSE-SA:2009:050, TLSA-2009-21, TLSA-2009-30, VIGILANCE-VUL-8851.

Information sources

Publications and announces

Solutions for this vulnerability

Patch or workaround

Supplements

Attack

Exploit 0day or proof of concept

Computer vulnerabilities tracking service

The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.
The Vigil@nce vulnerability database contains several thousand vulnerabilities.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.
Computer vulnerability database



















France Télécom Copyright 1999-2010 Vigil@nce. Vigil@nce is a service from Orange Business Services. Site map. Legal notice. Version française