The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Apache httpd: denial of service via mod_proxy_ajp

Synthesis of the vulnerability

When mod_proxy_ajp is used together with mod_proxy_balancer, an attacker can send requests with an unknown HTTP method in order to cause a denial of service.
Severity of this alert: 2/4.
Creation date: 14/09/2011.
References of this alert: BID-49616, c03011498, c03025215, CERTA-2011-AVI-516, CVE-2011-3348, HPSBMU02704, HPSBUX02707, MDVSA-2011:168, PSN-2013-02-846, RHSA-2011:1391-01, RHSA-2012:0542-01, RHSA-2012:0543-01, SSA:2011-284-01, SSRT100619, SSRT100626, VIGILANCE-VUL-10991.

Description of the vulnerability

The mod_proxy module provides a generic proxy service for Apache httpd. The mod_proxy_ajp module adds support for AJP13 (Apache JServ Protocol version 1.3), the protocol used to talk to Tomcat. The mod_proxy_balancer module distributes requests across several backend workers (balancer members).

The HTTP protocol defines a set of methods (GET, POST, etc.) used in requests.

The ap_proxy_ajp_request() function in modules/proxy/mod_proxy_ajp.c does not reject a request whose HTTP method is unknown to the AJP protocol; the request fails only while it is being forwarded to the backend. When mod_proxy_balancer is also in use, that failure puts the balancer member (worker) which handled the request into the error state, and the balancer stops routing traffic to it until its retry timeout expires (60 seconds by default). By sending a few such requests, an attacker can put every member of the balancer into the error state, so that legitimate requests are no longer served.

When mod_proxy_ajp is used together with mod_proxy_balancer, an attacker can therefore send requests with unknown HTTP methods to cause a denial of service.
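As an added example that is not part of the Vigil@nce bulletin nor of the Apache project, the Python script below shows how to spot this attack pattern in httpd 2.2 logs: it lists requests whose method is outside an expected set (the KNOWN_METHODS set is an assumption to tune per application) and correlates each of them with proxy/AJP worker failures that appear in the error log shortly afterwards. The access and error log lines are constructed for the example, not captured from a real server, and the error-message fragments matched (WORKER_ERROR_MARKERS) are assumptions to check against the wording of your own error_log.

```python
import re
from datetime import datetime, timedelta

# Methods the front end is expected to forward to the AJP backend.  Anything
# else is treated as an unknown method.  (Assumption for this example; tune it
# to the application behind the balancer.)
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

# Constructed sample logs in httpd 2.2 combined / error_log format.  They are
# not captured from a real server; 203.0.113.7 plays the attacker.
ACCESS_LOG = """\
203.0.113.7 - - [14/Sep/2011:10:00:01 +0200] "GET /app/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2011:10:00:02 +0200] "FOO /app/ HTTP/1.1" 503 0 "-" "curl/7.21.0"
203.0.113.7 - - [14/Sep/2011:10:00:03 +0200] "BAR /app/ HTTP/1.1" 503 0 "-" "curl/7.21.0"
198.51.100.4 - - [14/Sep/2011:10:00:04 +0200] "POST /app/login HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2011:10:00:05 +0200] "BAZ /app/ HTTP/1.1" 503 0 "-" "curl/7.21.0"
198.51.100.4 - - [14/Sep/2011:10:00:06 +0200] "GET /app/ HTTP/1.1" 503 0 "-" "Mozilla/5.0"
"""

ERROR_LOG = """\
[Wed Sep 14 10:00:02 2011] [error] ajp_send_header: ajp_marshal_into_msgb failed
[Wed Sep 14 10:00:02 2011] [error] (120001)APR does not understand this error code: proxy: AJP: request failed to 10.0.0.11:8009 (10.0.0.11)
[Wed Sep 14 10:00:03 2011] [error] ajp_send_header: ajp_marshal_into_msgb failed
[Wed Sep 14 10:00:03 2011] [error] (120001)APR does not understand this error code: proxy: AJP: request failed to 10.0.0.12:8009 (10.0.0.12)
[Wed Sep 14 10:00:05 2011] [error] proxy: BALANCER: (balancer://mycluster). All workers are in error state
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] (?P<msg>.*)$')

# Error_log fragments taken to mean "an AJP forward failed" or "a member was
# knocked into the balancer's error state".  Assumed wording; verify locally.
WORKER_ERROR_MARKERS = ("AJP: request failed", "workers are in error state")


def parse_access(text):
    """Parse combined-format access log lines into dicts; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # Drop the UTC offset so timestamps compare with the (local-time) error log.
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        out.append({"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
                    "path": m.group("path"), "status": int(m.group("status"))})
    return out


def parse_errors(text):
    """Parse httpd 2.2 error_log lines, keeping only proxy/AJP worker failures."""
    out = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if not m or not any(k in m.group("msg") for k in WORKER_ERROR_MARKERS):
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        out.append({"ts": ts, "msg": m.group("msg")})
    return out


def unknown_method_requests(access_text):
    """Requests whose method is not in KNOWN_METHODS, in log order."""
    return [r for r in parse_access(access_text) if r["method"] not in KNOWN_METHODS]


def analyze(access_text, error_text, window=timedelta(seconds=2)):
    """Per source IP: unknown methods sent, the number of distinct worker-failure
    log lines seen within `window` after any of those requests, and whether the
    balancer reported that all of its workers were in the error state."""
    errors = parse_errors(error_text)
    found = {}
    for req in unknown_method_requests(access_text):
        entry = found.setdefault(req["ip"], {"methods": [], "matched": set(), "down": False})
        entry["methods"].append(req["method"])
        for i, err in enumerate(errors):
            if req["ts"] <= err["ts"] <= req["ts"] + window:
                entry["matched"].add(i)
                if "workers are in error state" in err["msg"]:
                    entry["down"] = True
    return {ip: {"unknown_methods": e["methods"],
                 "worker_errors": len(e["matched"]),
                 "all_workers_down": e["down"]}
            for ip, e in found.items()}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(ACCESS_LOG, ERROR_LOG), indent=2))
```

On the constructed sample the report names only 203.0.113.7, with three unknown methods (FOO, BAR, BAZ), three distinct worker-failure lines within two seconds of them, and the "all workers are in error state" message, which is the signature of the outage described above; the 503 served to the legitimate client 198.51.100.4 afterwards is the collateral damage.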

This computer vulnerability alert impacts software or systems such as Apache httpd, OpenView, OpenView NNM, HP-UX, Junos Space, Junos Space Network Management Platform, Mandriva Linux, OpenSolaris, RHEL, Slackware.

Our Vigil@nce team determined that the severity of this computer threat alert is medium.

The trust level is confirmed by the vendor, and the attack originates from an internet client.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this security vulnerability.

Solutions for this threat

Apache httpd: version 2.2.21.
Version 2.2.21 fixes this vulnerability.

HP OpenView NNM: Apache version 2.2.21.
Apache 2.2.21 is the fixed version; download credentials given in the HP bulletin:
  user : sb02704
  password : Secure12

HP-UX: Apache version (Web Server Suite v3.19).
The following version is fixed:
HP-UX Web Server Suite (WSS) v3.19 containing Apache v2.2.15.09
  B.11.23 & B.11.31 (32-bit) : HPUXWS22ATW-B319-32.depot
  B.11.23 & B.11.31 (64-bit) : HPUXWS22ATW-B319-64.depot

Junos Space: patch for Apache.
Patch 12.1P2.1 is available.

Mandriva: new apache packages.
New packages are available.

RHEL 6.1: new httpd packages.
New packages are available.

RHEL: new JBoss Enterprise Web Server packages.
New packages are available.

Slackware: new httpd packages.
New packages are available.

Solaris 11: patch for Apache HTTP Server.
A patch is available:
  Solaris 11 Express : snv_151a + 7092986

Computer vulnerability tracking service

Vigil@nce provides a network vulnerability database. The Vigil@nce computer vulnerability tracking service alerts your teams to vulnerabilities or threats impacting your information system.