The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache HttpComponents HttpClient: denial of service via Timeout

Synthesis of the vulnerability

An attacker who controls a malicious server can stop responding in order to block clients that use Apache HttpComponents HttpClient, triggering a denial of service.
Impacted systems: Apache HttpClient, Fedora, QRadar SIEM, Mule ESB, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS BI Server, SAS Enterprise Guide, SAS Grid Computing, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/INSIGHT, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, Ubuntu.
Severity of this alert: 2/4.
Creation date: 02/10/2015.
References of this alert: 1259892, 2015815, CST-7122, CST-7123, CST-7124, CST-7125, CST-7126, CST-7127, CST-7128, CST-7129, CST-7130, CST-7131, CVE-2015-5262, FEDORA-2015-15588, FEDORA-2015-15589, USN-2769-1, VIGILANCE-VUL-18023.

Description of the vulnerability

The Apache HttpComponents HttpClient product implements a web client.

However, no timeout is applied while the client is in the connection state with a server.

An attacker who controls a malicious server can therefore stop responding in order to block clients that use Apache HttpComponents HttpClient, triggering a denial of service.
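As an added illustration of the defensive side of this bulletin (example code, not from Vigil@nce or the Apache project), the following HttpClient 4.x caller puts an explicit bound on the connection, socket and pool waits through RequestConfig, next to the default client that leaves them unset; the timeout values, the class name and the placeholder URL are assumptions. The bulletin's fix is the upgrade to 4.3.6; carrying explicit bounds alongside it is the configuration a client should have so that a server that stops responding cannot hold a thread for an unbounded time.

```java
import java.io.IOException;
import java.net.SocketTimeoutException;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ConnectTimeoutException;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class BoundedHttpClient {

    // Assumed limits (not from the bulletin): 5 s to establish the connection,
    // 10 s of silence between bytes, 2 s to lease a connection from the pool.
    private static final int CONNECT_TIMEOUT_MS = 5_000;
    private static final int SOCKET_TIMEOUT_MS = 10_000;
    private static final int POOL_TIMEOUT_MS = 2_000;

    // Weak setting: no explicit bounds, so a server that accepts the TCP
    // connection and then goes silent can hold the calling thread indefinitely.
    static CloseableHttpClient unboundedClient() {
        return HttpClients.createDefault();
    }

    // Corrected setting: every phase of the exchange has an explicit upper bound.
    static CloseableHttpClient boundedClient() {
        RequestConfig cfg = RequestConfig.custom()
                .setConnectTimeout(CONNECT_TIMEOUT_MS)
                .setSocketTimeout(SOCKET_TIMEOUT_MS)
                .setConnectionRequestTimeout(POOL_TIMEOUT_MS)
                .build();
        return HttpClients.custom().setDefaultRequestConfig(cfg).build();
    }

    // Fetches a URL; a timeout surfaces as an IOException instead of a hung thread.
    static String fetch(CloseableHttpClient client, String url) throws IOException {
        try (CloseableHttpResponse resp = client.execute(new HttpGet(url))) {
            return EntityUtils.toString(resp.getEntity());
        } catch (ConnectTimeoutException | SocketTimeoutException e) {
            throw new IOException("server did not respond in time: " + url, e);
        }
    }

    public static void main(String[] args) throws IOException {
        String url = args.length > 0 ? args[0] : "https://example.invalid/"; // placeholder
        try (CloseableHttpClient client = boundedClient()) {
            System.out.println(fetch(client, url));
        }
    }
}
```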

This computer threat bulletin impacts software or systems such as Apache HttpClient, Fedora, QRadar SIEM, Mule ESB, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS BI Server, SAS Enterprise Guide, SAS Grid Computing, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/INSIGHT, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, Ubuntu.

Our Vigil@nce team determined that the severity of this security threat is medium.

Trust level: confirmed by the vendor; attack origin: internet server.

A proof of concept or an attack tool is available, so your teams must process this alert. An attacker with technician-level skill can exploit this vulnerability.

Solutions for this threat

Apache HttpComponents HttpClient: version 4.3.6.
The version 4.3.6 is fixed:
  https://hc.apache.org/downloads.cgi
  http://archive.apache.org/dist/httpcomponents/httpclient/source/

Apache HttpComponents HttpClient: patch for Timeout.
A patch is indicated in information sources.

Fedora: new jakarta-commons-httpclient packages.
New packages are available:
  Fedora 21: jakarta-commons-httpclient 3.1-20.fc21
  Fedora 22: jakarta-commons-httpclient 3.1-23.fc22

IBM QRadar SIEM: fixed versions for Apache HttpComponents HttpClient.
Fixed versions are indicated in information sources.

Liferay Portal: version 7.1.3 CE GA 4.
The version 7.1.3 CE GA 4 is fixed.

Mule Runtime: version 3.8.7.
The version 3.8.7 is fixed:
  https://www.mulesoft.com/

Mule Runtime: version 3.9.1.
The version 3.9.1 is fixed:
  https://www.mulesoft.com/

Mule Runtime: version 4.1.2.
The version 4.1.2 is fixed:
  https://www.mulesoft.com/

SAS: Security Update 2020-08.
A patch is available:
  https://tshf.sas.com/techsup/download/hotfix/HF2/SAS_Security_Updates.html

Ubuntu: new libcommons-httpclient-java packages.
New packages are available:
  Ubuntu 15.04: libcommons-httpclient-java 3.1-10.2ubuntu0.15.04.1
  Ubuntu 14.04 LTS: libcommons-httpclient-java 3.1-10.2ubuntu0.14.04.1
  Ubuntu 12.04 LTS: libcommons-httpclient-java 3.1-10ubuntu0.1

Computer vulnerabilities tracking service

Vigil@nce provides a systems vulnerability announcement service. The Vigil@nce computer vulnerability tracking service alerts your teams to vulnerabilities or threats impacting your information system.