The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Apache httpd: denial of service via mod_proxy_ajp

Synthesis of the vulnerability

When a web server consists of Apache httpd with mod_proxy_ajp in front of a Tomcat server, an attacker can send a request that requires a long processing time, in order to make httpd disconnect the Tomcat server.
Severity of this threat: 3/4.
Creation date: 30/11/2012.
References of this weakness: 871685, BID-56753, c03734195, c03820647, CVE-2012-4557, DSA-2579-1, HPSBUX02866, openSUSE-SU-2013:0243-1, openSUSE-SU-2013:0248-1, RHSA-2013:0512-02, SSRT101139, VIGILANCE-VUL-12194.

Description of the vulnerability

The mod_proxy module provides a generic proxy service for Apache httpd. The mod_proxy_ajp module adds support for AJP13 (Apache JServ Protocol version 1.3), the protocol used to talk to Tomcat.

The mod_proxy_ajp module manages a list of Tomcat servers to which it forwards requests, together with their state (working or not). When a Tomcat server does not reply at all or sends an invalid response, the module marks it as not working. However, the function ajp_ilink_receive() in the file modules/proxy/ajp_link.c does not distinguish between a timeout (error code APR_TIMEUP) and a faulty response (error code AJP_ENO_HEADER). A timeout therefore makes the httpd module consider the Tomcat process faulty.

When a web server consists of Apache httpd with mod_proxy_ajp in front of a Tomcat server, an attacker can therefore send a request that requires a long processing time, in order to make httpd disconnect the Tomcat server.
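The following C program is an added illustration written for this page, not code from httpd or from the Vigil@nce bulletin. It models the error-classification problem described above: a "before" receive routine that folds every failed read, timeout included, into AJP_ENO_HEADER, next to an "after" routine that reports a timeout as APR_TIMEUP, and a caller that only takes the Tomcat backend out of service on a genuinely invalid reply. All status values, event types and the backend structure are constructed assumptions; the real functions operate on sockets and worker state.

```c
#include <stdio.h>

/* Constructed status codes. The names follow the bulletin; the numeric values
 * are assumptions for this model and do not claim to match APR's constants. */
enum status {
    STATUS_OK = 0,
    STATUS_APR_TIMEUP = 1,      /* backend did not answer before the timeout */
    STATUS_AJP_ENO_HEADER = 2   /* backend sent something that is not a valid AJP header */
};

/* What the simulated read from Tomcat observed (stands in for a socket read). */
enum recv_event {
    EV_VALID_REPLY,
    EV_TIMEOUT,
    EV_GARBAGE
};

/* Pre-fix behaviour (model of the bug): every failed read, including a
 * timeout, is reported as AJP_ENO_HEADER, so the caller cannot tell them apart. */
static enum status ilink_receive_before(enum recv_event ev)
{
    if (ev == EV_VALID_REPLY)
        return STATUS_OK;
    return STATUS_AJP_ENO_HEADER;
}

/* Fixed behaviour (model): a timeout is passed through as APR_TIMEUP so the
 * caller can distinguish "slow" from "broken". */
static enum status ilink_receive_after(enum recv_event ev)
{
    switch (ev) {
    case EV_VALID_REPLY: return STATUS_OK;
    case EV_TIMEOUT:     return STATUS_APR_TIMEUP;
    default:             return STATUS_AJP_ENO_HEADER;
    }
}

/* Minimal stand-in for the per-backend state the proxy module keeps. */
struct backend {
    int in_error;          /* 1 once the backend has been taken out of service */
    int failed_requests;   /* requests that produced no usable reply */
};

/* Caller side: an invalid reply marks the backend as not working; a timeout
 * fails only the current request and leaves the backend in service. */
static void handle_status(struct backend *b, enum status st)
{
    if (st == STATUS_OK)
        return;
    b->failed_requests++;
    if (st == STATUS_AJP_ENO_HEADER)
        b->in_error = 1;
}

/* Run a sequence of constructed events through the given receive routine and
 * report whether the backend is still in service afterwards (1 = yes). */
static int backend_still_up(enum status (*receive)(enum recv_event),
                            const enum recv_event *events, int n)
{
    struct backend b = { 0, 0 };
    for (int i = 0; i < n; i++)
        handle_status(&b, receive(events[i]));
    return !b.in_error;
}

int main(void)
{
    /* Constructed traffic: two normal replies, then one request that times out. */
    const enum recv_event slow_request[] = { EV_VALID_REPLY, EV_VALID_REPLY, EV_TIMEOUT };
    /* Constructed traffic: a normal reply, then a reply with an invalid header. */
    const enum recv_event broken_backend[] = { EV_VALID_REPLY, EV_GARBAGE };

    printf("before fix, one slow request, Tomcat still up: %d\n",
           backend_still_up(ilink_receive_before, slow_request, 3));
    printf("after fix,  one slow request, Tomcat still up: %d\n",
           backend_still_up(ilink_receive_after, slow_request, 3));
    printf("after fix,  invalid reply,    Tomcat still up: %d\n",
           backend_still_up(ilink_receive_after, broken_backend, 2));
    return 0;
}
```

With the pre-fix routine a single timed-out request takes the backend out of service, which is the denial of service the bulletin describes; with the fixed routine only an invalid reply does. In a deployment, a spike in proxy timeouts paired with the backend being marked in error is the signature worth alerting on.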

This vulnerability affects software and systems such as Debian, HP-UX, openSUSE and RHEL.

Our Vigil@nce team determined that the severity of this threat is important.

The trust level is "confirmed by the editor", and the attack origin is an internet client.

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat

Apache httpd: version 2.2.22.
Version 2.2.22 is fixed:
  http://httpd.apache.org/download.cgi

Debian: new apache2 packages.
New packages are available:
  apache2_2.2.16-6+squeeze10

HP-UX: fixed versions for Apache and Tomcat.
The following versions are fixed:
  HP-UX B.11.23 :
    Apache : B.2.2.15.15
  HP-UX B.11.31 :
    Apache : B.2.2.15.15
    Tomcat : C.6.0.36.01, D.7.0.35.01
The updates are available at:
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW326

HP-UX: patch for Apache.
A patch is available:
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWST703501

openSUSE 11.4: new apache2 packages.
New packages are available:
  apache2-2.2.17-4.64.1

openSUSE 12.1: new apache2 packages.
New packages are available:
  apache2-2.2.21-3.9.1

RHEL 6: new httpd packages.
New packages are available:
  httpd-2.2.15-26.el6
