Vulnerability Note VU#206537

Apache vulnerable to DoS

Original Release date: 08 Apr 2003 | Last revised: 18 Sep 2003

Overview

A remotely exploitable denial-of-service vulnerability exists in the Apache HTTP Server. Exploitation of this vulnerability may allow an attacker to consume all available system resources, resulting in a denial-of-service condition.

Description

The Apache HTTP Server is a very popular freely available web server that runs on a variety of operating systems, including UNIX, Linux, and Microsoft Windows (Win32).

A vulnerability exists in the way the Apache HTTP Server handles excessively large runs of consecutive linefeed characters in a request. Apache 2.0.44 (both the Windows and UNIX implementations) contains this vulnerability. Earlier 2.x versions of Apache may also contain it. For more information, please see the iDEFENSE Advisory.
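The note describes the trigger only as a large run of consecutive linefeeds. As an added illustration (not code from the CERT/CC note or from Apache), the following guard shows how a front-end filter can bound that run before a request reaches a vulnerable 2.0.44 server; the threshold, helper names and sample requests are assumptions constructed for this example.

```python
# Added example, not from the CERT/CC note or the Apache project: a request
# pre-filter that bounds the longest run of consecutive linefeed bytes, the
# input pattern CAN-2003-0132 is triggered by. Threshold is an assumption.

MAX_CONSECUTIVE_LF = 64  # assumed limit: tolerate a few stray blank lines only


def longest_linefeed_run(data: bytes) -> int:
    """Return the length of the longest run of consecutive LF bytes.

    CRLF pairs are normalised to a single LF first so that well-formed
    blank lines and bare-LF blank lines are counted the same way.
    """
    normalised = data.replace(b"\r\n", b"\n")
    longest = current = 0
    for byte in normalised:
        if byte == 0x0A:          # '\n'
            current += 1
            longest = max(longest, current)
        else:
            current = 0
    return longest


def should_reject(request_prefix: bytes, limit: int = MAX_CONSECUTIVE_LF) -> bool:
    """True when the request carries a linefeed run longer than the limit."""
    return longest_linefeed_run(request_prefix) > limit


# Constructed sample inputs for demonstration.
NORMAL_REQUEST = b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n"
PADDED_REQUEST = b"\n" * 5000 + b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("normal", NORMAL_REQUEST), ("padded", PADDED_REQUEST)):
        verdict = "reject" if should_reject(req) else "accept"
        print(f"{name}: {verdict} (longest LF run = {longest_linefeed_run(req)})")
```

A filter like this only removes the specific trigger; patching to 2.0.45 remains the actual fix.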

Impact

Exploitation of this vulnerability may allow an attacker to consume all available system resources, resulting in a denial-of-service condition.

Solution

Apply a patch from your vendor. If a patch is not available, you may wish to upgrade to Apache HTTP Server 2.0.45. The Apache Software Foundation has provided a patch as well.

Systems Affected

Vendor                        Status        Date Notified   Date Updated
Apache Software Foundation    Affected      -               08 Apr 2003
Apple Computer Inc.           Affected      08 Apr 2003     11 Apr 2003
Conectiva                     Affected      08 Apr 2003     01 May 2003
Debian                        Affected      -               08 Apr 2003
Gentoo Linux                  Affected      -               09 Apr 2003
Hewlett-Packard Company       Affected      08 Apr 2003     18 Sep 2003
MandrakeSoft                  Affected      08 Apr 2003     18 Sep 2003
Red Hat Inc.                  Affected      08 Apr 2003     10 Apr 2003
SGI                           Affected      08 Apr 2003     18 Sep 2003
Engarde                       Not Affected  08 Apr 2003     08 Apr 2003
Foundry Networks Inc.         Not Affected  08 Apr 2003     10 Apr 2003
Fujitsu                       Not Affected  08 Apr 2003     17 Apr 2003
Hitachi                       Not Affected  08 Apr 2003     14 Apr 2003
IBM                           Not Affected  08 Apr 2003     09 Apr 2003
Xerox Corporation             Not Affected  08 Apr 2003     30 May 2003

CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A     N/A

References

Credit

This vulnerability was discovered by iDEFENSE Inc. The CERT/CC thanks iDEFENSE Inc. for the information contained in their document, upon which this document is based.

This document was written by Ian A Finlay.

Other Information

  • CVE IDs: CAN-2003-0132
  • Date Public: 08 Apr 2003
  • Date First Published: 08 Apr 2003
  • Date Last Updated: 18 Sep 2003
  • Severity Metric: 9.72
  • Document Revision: 17
