The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache httpd: denial of service via mod_log_config

Synthesis of the vulnerability 

When mod_log_config logs cookies, an attacker can send a special cookie, in order to stop Apache httpd in threaded MPM.
Vulnerable products: Apache httpd, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, OpenView NNM, HP-UX, Mandriva Linux, Solaris, RHEL, Slackware.
Severity of this weakness: 2/4.
Creation date: 27/01/2012.
References of this bulletin: 52256, BID-51705, c03231301, c03278391, CERTA-2012-AVI-225, CVE-2012-0021, DSA-2019-131, DSA-2019-197, FEDORA-2012-1598, FEDORA-2012-1642, HPSBMU02748, HPSBUX02761, MDVSA-2012:012, RHSA-2012:0542-01, RHSA-2012:0543-01, SOL15889, SSA:2012-041-01, SSRT100772, SSRT100823, VIGILANCE-VUL-11322.

Description of the vulnerability 

The mod_log_config module of Apache httpd is used to define the format of logged data. For example:
 - %a : the remote IP address
 - %D : the processing duration
 - %{var}C : the cookie named "var"
 - etc.

Clients send cookies as an HTTP header, such as:
  Cookie: var=hello

The mod_log_config module calls the apr_collapse_spaces() function to delete unneeded spaces. However, if a cookie has no name, a NULL pointer is dereferenced.

When mod_log_config logs cookies, an attacker can therefore send a special cookie, in order to stop Apache httpd in threaded MPM (a fatal error in a thread also stops other threads).
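The following is an added example, not code from Apache httpd or from this bulletin. It shows the kind of defensive cookie lookup that a log formatter needs: the Cookie header is split on ";" and "=", but a name token is only examined after checking that it exists and is non-empty, so a cookie with no name (the case described above) is simply skipped instead of being handed to a space-collapsing routine as a NULL pointer. The function names cookie_lookup and cookie_value_is, the helpers trim and ci_equal, and the sample headers are all constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Trim leading and trailing whitespace in place; returns the trimmed start.
 * Safe on an empty string; never called with NULL by the code below. */
static char *trim(char *s)
{
    char *end;
    while (*s && isspace((unsigned char)*s))
        s++;
    end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        *--end = '\0';
    return s;
}

/* Case-insensitive string equality (strcasecmp is POSIX, not ISO C). */
static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Look up the cookie named `wanted` (case-insensitive) in a Cookie header
 * value such as "a=1; var=hello". Returns 1 and copies the value into `out`
 * (truncated to outlen-1 bytes) when found, 0 otherwise.
 *
 * Malformed pairs are skipped rather than processed: a pair without '=',
 * a pair whose name is empty after trimming (e.g. "=hello" or " = "), and
 * an oversized pair. Nothing is dereferenced before it has been checked. */
int cookie_lookup(const char *header, const char *wanted, char *out, size_t outlen)
{
    const char *p;
    if (!header || !wanted || !out || outlen == 0)
        return 0;
    out[0] = '\0';
    for (p = header; *p; ) {
        const char *sep = strchr(p, ';');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        char pair[256];

        if (len < sizeof pair) {
            char *eq;
            memcpy(pair, p, len);
            pair[len] = '\0';
            eq = strchr(pair, '=');
            if (eq) {
                char *name, *value;
                *eq = '\0';
                name = trim(pair);
                value = trim(eq + 1);
                /* The check a naive tokeniser lacks: an empty name is not a
                 * cookie and must not be passed on to any string routine. */
                if (*name != '\0' && ci_equal(name, wanted)) {
                    strncpy(out, value, outlen - 1);
                    out[outlen - 1] = '\0';
                    return 1;
                }
            }
        }
        p = sep ? sep + 1 : p + len;
    }
    return 0;
}

/* Convenience for checks: 1 if `wanted` is present with exactly `expected`. */
int cookie_value_is(const char *header, const char *wanted, const char *expected)
{
    char v[64];
    return cookie_lookup(header, wanted, v, sizeof v) && strcmp(v, expected) == 0;
}

int main(void)
{
    /* Constructed sample headers, including malformed ones a logger must survive. */
    const char *samples[] = { "var=hello", "a=1; VAR = world ; b=2", "=hello", "; = ;;=", NULL };
    int i;
    for (i = 0; samples[i]; i++) {
        char v[64];
        int found = cookie_lookup(samples[i], "var", v, sizeof v);
        printf("\"%s\" -> %s%s\n", samples[i], found ? "var=" : "var not found", found ? v : "");
    }
    return 0;
}
```

The point of the example is the order of operations: existence and non-emptiness of the name are established before any comparison or normalisation is applied to it, which is exactly the ordering that the crash described above depends on being wrong.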

This computer weakness impacts software or systems such as Apache httpd, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, OpenView NNM, HP-UX, Mandriva Linux, Solaris, RHEL, Slackware.

Our Vigil@nce team determined that the severity of this vulnerability note is medium.

The trust level is "confirmed by the editor", and the attack origin is "internet client".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this vulnerability.

Solutions for this threat 

Apache httpd: version 2.2.22.
The version 2.2.22 is corrected:
  http://httpd.apache.org/download.cgi

Apache httpd: patch for mod_log_config.
A patch is available in information sources.

Dell EMC VNXe3200: version 3.1.10.9946299.
The version 3.1.10.9946299 is fixed:
  https://www.dell.com/

Dell EMC VNXe: version MR4 Service Pack 5.
The version MR4 Service Pack 5 is fixed:
  https://www.dell.com/support/

F5 BIG-IP: solution for Apache.
The solution is indicated in information sources.

Fedora: new httpd packages.
New packages are available:
  httpd-2.2.22-1.fc15
  httpd-2.2.22-1.fc16

HP OV NNM: hotfix SSRT100772.
Hotfix SSRT100772 is available.

HP-UX: Apache Web Server versions 2.35 and 3.23.
Versions 2.35 and 3.23 are corrected:
  HP-UX B.11.11:
    https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=HPUXWSATW235
    revision B.2.0.64.03
  HP-UX B.11.23, B.11.31:
    https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW323
    revision B.2.2.15.12

Mandriva: new apache packages.
New packages are available:
  apache-2.2.22-0.1mdv2010.2
  apache-2.2.22-0.1-mdv2011.0
  apache-2.2.22-0.1mdvmes5.2

RHEL: new JBoss Enterprise Web Server packages.
New packages are available:
  httpd-2.2.17-15.4.ep5.el5
  httpd-2.2.17-15.4.ep5.el6
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.2

Slackware: new httpd packages.
New packages are available:
  httpd-2.2.22-i486-1_slack12.0
  httpd-2.2.22-i486-1_slack12.1
  httpd-2.2.22-i486-1_slack13.0
  httpd-2.2.22-i486-1_slack13.1
  httpd-2.2.22-i486-1_slack13.37

Solaris 11: patch 11/11 SRU 6.6.
A patch is available:
  11/11 SRU 6.6:
  https://support.oracle.com/CSP/main/article?type=NOT&id=1448432.1

Computer vulnerabilities tracking service 

Vigil@nce publishes application vulnerability announcements. The technology watch team tracks security threats targeting information systems.