The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Apache httpd: denial of service via mod_proxy_ajp

Synthesis of the vulnerability

When mod_proxy_ajp is used with mod_proxy_balancer, an attacker can use an unknown HTTP method, in order to create a denial of service.
Severity of this alert: 2/4.
Creation date: 14/09/2011.
References of this alert: BID-49616, c03011498, c03025215, CERTA-2011-AVI-516, CVE-2011-3348, HPSBMU02704, HPSBUX02707, MDVSA-2011:168, PSN-2013-02-846, RHSA-2011:1391-01, RHSA-2012:0542-01, RHSA-2012:0543-01, SSA:2011-284-01, SSRT100619, SSRT100626, VIGILANCE-VUL-10991.

Description of the vulnerability

The mod_proxy module provides a generic proxy service for Apache httpd. The mod_proxy_ajp module adds support for AJP13 (Apache JServ Protocol version 1.3), which is used to talk to Tomcat. The mod_proxy_balancer module balances load across several backend servers.

The HTTP protocol defines a list of methods (GET, POST, etc.) which are used in requests.

The ap_proxy_ajp_request() function in the modules/proxy/mod_proxy_ajp.c file does not reject unknown HTTP methods. Instead, when mod_proxy_balancer is also in use, the associated backend worker is put into an error state. By sending several such requests, an attacker can thus take all balanced backends out of service.

When mod_proxy_ajp is used with mod_proxy_balancer, an attacker can therefore use an unknown HTTP method in order to create a denial of service.
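To spot the request pattern described above in an Apache access log, here is an added example (not part of the Vigil@nce bulletin or of the Apache project) that parses combined-format log lines and reports clients sending methods outside a known allow-list; the log lines are constructed, and the method allow-list and threshold are assumptions to tune per site.

```python
import re
from collections import Counter, defaultdict

# Methods the HTTP specification (plus PATCH) defines; anything else counts as
# "unknown" for this check. Extend the set if the site serves WebDAV (mod_dav).
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}

# Apache "combined" log format: host ident authuser [date] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}|-) (?P<bytes>\S+)'
)

def parse_line(line):
    """Return (host, method, status) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    request = m.group("request").split(" ")
    method = request[0] if request and request[0] else ""
    return m.group("host"), method, m.group("status")

def find_unknown_methods(lines, known=KNOWN_METHODS):
    """Map each client to the unknown methods it sent, e.g. {'10.0.0.5': Counter({'BOGUS': 2})}."""
    hits = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # lines that do not match the format are skipped, not counted
        host, method, _status = parsed
        if method and method not in known:
            hits[host][method] += 1
    return hits

def flag_repeat_offenders(lines, threshold=2):
    """Clients that sent unknown methods at least `threshold` times: a burst of such requests
    against a balancer is the pattern that can push every AJP worker into the error state."""
    return sorted(h for h, c in find_unknown_methods(lines).items() if sum(c.values()) >= threshold)

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Sep/2011:10:00:01 +0200] "BOGUS /app/ HTTP/1.1" 503 321 "-" "curl/7.21"',
    '10.0.0.5 - - [14/Sep/2011:10:00:02 +0200] "BOGUS /app/ HTTP/1.1" 503 321 "-" "curl/7.21"',
    '10.0.0.5 - - [14/Sep/2011:10:00:03 +0200] "WIBBLE /app/ HTTP/1.1" 503 321 "-" "curl/7.21"',
    '192.0.2.10 - - [14/Sep/2011:10:00:04 +0200] "GET /app/index.jsp HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [14/Sep/2011:10:00:05 +0200] "PROPFIND /dav/ HTTP/1.1" 403 210 "-" "cadaver/0.23"',
    'garbage line that does not match the log format',
]

if __name__ == "__main__":
    for host, methods in find_unknown_methods(SAMPLE_LOG).items():
        print(host, dict(methods))
    print("repeat offenders:", flag_repeat_offenders(SAMPLE_LOG))
```

A single PROPFIND from a WebDAV client stays below the threshold here; on a server running mod_dav it should be added to the allow-list instead.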

This computer vulnerability alert impacts software or systems such as Apache httpd, OpenView, OpenView NNM, HP-UX, Junos Space, Junos Space Network Management Platform, Mandriva Linux, OpenSolaris, RHEL, Slackware.

Our Vigil@nce team determined that the severity of this computer threat alert is medium.

The trust level is: confirmed by the vendor. The attack origin is: Internet client.

A proof of concept or an attack tool is available, so your teams must process this alert. An attacker with technician-level skill can exploit this security vulnerability.

Solutions for this threat

Apache httpd: version 2.2.21.
Version 2.2.21 is fixed:
  http://httpd.apache.org/download.cgi

HP OpenView NNM: Apache version 2.2.21.
Apache version 2.2.21 is fixed:
  ftp.usa.hp.com
  user : sb02704
  password : Secure12

HP-UX: Apache version 2.2.15.08.01.
The following version is fixed:
HP-UX Web Server Suite (WSS) v3.19 containing Apache v2.2.15.09
  https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=HPUXWSATW319
  B.11.23 & B.11.31 (32-bit) : HPUXWS22ATW-B319-32.depot
  B.11.23 & B.11.31 (64-bit) : HPUXWS22ATW-B319-64.depot

Junos Space: patch for Apache.
Patch 12.1P2.1 is available:
  http://www.juniper.net/support/downloads/?p=space#sw

Mandriva: new apache packages.
New packages are available:
  apache-2.2.15-3.5mdv2010.2
  apache-2.2.9-12.14mdvmes5.2

RHEL 6.1: new httpd packages.
New packages are available:
  httpd-2.2.15-9.el6_1.3

RHEL: new JBoss Enterprise Web Server packages.
New packages are available:
  httpd-2.2.17-15.4.ep5.el5
  httpd-2.2.17-15.4.ep5.el6
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.2

Slackware: new httpd packages.
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/httpd-2.2.21-i486-1_slack12.0.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/httpd-2.2.21-i486-1_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/httpd-2.2.21-i486-1_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/httpd-2.2.21-i486-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/httpd-2.2.21-i486-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/httpd-2.2.21-i486-1_slack13.37.txz

Solaris 11: patch for Apache HTTP Server.
A patch is available:
  Solaris 11 Express : snv_151a + 7092986

Computer vulnerabilities tracking service

Vigil@nce provides a network vulnerability database. The Vigil@nce computer vulnerability tracking service alerts your teams to vulnerabilities or threats impacting your information system.