The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
Apache httpd: denial of service via mod_proxy_ajp
Synthesis of the vulnerability
When a Web server is made of Apache httpd with mod_proxy_ajp and a Tomcat server, an attacker can send a request requiring much processing time, in order to make httpd disconnect the Tomcat server.
Vulnerable systems: Debian, HP-UX, openSUSE, RHEL.
Severity of this threat: 3/4.
Consequences of a hack: denial of service on service.
Pirate's origin: internet client.
Creation date: 30/11/2012.
References of this weakness: 871685, BID-56753, c03734195, c03820647, CVE-2012-4557, DSA-2579-1, HPSBUX02866, openSUSE-SU-2013:0243-1, openSUSE-SU-2013:0248-1, RHSA-2013:0512-02, SSRT101139, VIGILANCE-VUL-12194.
Description of the vulnerability
The mod_proxy module provides a generic proxy service for Apache httpd. The mod_proxy_ajp module adds the AJP13 (Apache JServe Protocol version 1.3) support, which is used with Tomcat.
The mod_proxy_ajp module manages a list of Tomcat servers that it forwards requests to, together with their state (working or not). When a Tomcat server does not reply at all or sends an invalid response, the module marks it as not working. However, the function ajp_ilink_receive() in the file modules/proxy/ajp_link.c does not distinguish between a time-out (error code APR_TIMEUP) and a faulty response (error code AJP_ENO_HEADER). So a time-out makes the httpd module consider that the Tomcat process is faulty.
When a Web server is made of Apache httpd with mod_proxy_ajp and a Tomcat server, an attacker can therefore send a request requiring much processing time, in order to make httpd disconnect the Tomcat server.
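The following C program is an added illustration of the error-classification flaw described above; it is a constructed model, not code from Apache httpd, and all of its names (recv_status, worker, flawed_mark_worker, hardened_mark_worker, run_sequence) are this example's own. It places the two policies side by side: one that treats every non-OK receive result, including a plain time-out, as proof that the backend is broken, and one that keeps a slow-but-alive backend in the pool and only removes it on protocol errors or dropped connections.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of how a reverse proxy decides whether a backend
 * (here, a Tomcat worker reached over AJP13) should be taken out of
 * rotation. The enum names are this example's own; the comments map
 * them to the error codes named in the bulletin. */
typedef enum {
    RECV_OK,             /* a well-formed AJP packet arrived */
    RECV_TIMEOUT,        /* backend alive but slow (bulletin: APR_TIMEUP) */
    RECV_NO_HEADER,      /* junk or truncated packet (bulletin: AJP_ENO_HEADER) */
    RECV_DISCONNECTED    /* TCP peer closed the connection */
} recv_status;

typedef struct {
    const char *name;
    bool        in_error;     /* true = removed from the pool */
    int         slow_replies; /* time-outs observed, for logging/alerting */
} worker;

/* Flawed classification: any non-OK receive result, a plain time-out
 * included, marks the worker as faulty. This mirrors the behaviour the
 * bulletin describes: one expensive request disconnects Tomcat. */
bool flawed_mark_worker(worker *w, recv_status st) {
    if (st != RECV_OK) {
        w->in_error = true;
    }
    return w->in_error;
}

/* Hardened classification: a time-out only counts as slowness for this
 * request; only protocol errors and dropped connections are treated as
 * evidence that the backend itself is broken. */
bool hardened_mark_worker(worker *w, recv_status st) {
    switch (st) {
    case RECV_OK:
        break;
    case RECV_TIMEOUT:
        w->slow_replies++;    /* keep the worker in the pool */
        break;
    case RECV_NO_HEADER:
    case RECV_DISCONNECTED:
        w->in_error = true;
        break;
    }
    return w->in_error;
}

/* Replay a sequence of receive results against a fresh worker and report
 * whether it ended up out of rotation; slow_out (optional) receives the
 * number of time-outs seen. */
bool run_sequence(bool (*policy)(worker *, recv_status),
                  const recv_status *seq, size_t n, int *slow_out) {
    worker w = { "tomcat-1", false, 0 };
    for (size_t i = 0; i < n; i++) {
        policy(&w, seq[i]);
    }
    if (slow_out) {
        *slow_out = w.slow_replies;
    }
    return w.in_error;
}

int main(void) {
    /* Constructed traffic: normal replies with one slow request in the
     * middle, and separately a genuinely malformed reply. */
    const recv_status slow_only[] = { RECV_OK, RECV_OK, RECV_TIMEOUT, RECV_OK };
    const recv_status broken[]    = { RECV_OK, RECV_NO_HEADER };
    int slow = 0;

    printf("flawed,   one time-out : in_error=%d\n",
           run_sequence(flawed_mark_worker, slow_only, 4, NULL));
    printf("hardened, one time-out : in_error=%d slow=%d\n",
           run_sequence(hardened_mark_worker, slow_only, 4, &slow), slow);
    printf("hardened, bad header   : in_error=%d\n",
           run_sequence(hardened_mark_worker, broken, 2, NULL));
    return 0;
}
```

Running it shows the flawed policy removing the worker after a single slow reply, while the hardened policy merely counts the time-out and still removes the worker when the reply is malformed. Operationally, a rising slow_replies counter is the signal to alert on; it indicates expensive requests reaching Tomcat without silently dropping the backend from the proxy.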
Computer vulnerabilities tracking service
Vigil@nce provides application vulnerability notes. The Vigil@nce vulnerability database contains several thousand vulnerabilities. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.