Vulnerability Note VU#479268

Apache HTTPD contains denial of service vulnerability in basic authentication module

Original Release date: 24 Jun 2003 | Last revised: 18 Sep 2003

Overview

The Apache HTTP server contains a denial-of-service vulnerability that allows remote attackers to to conduct denial-of-service attacks on the HTTP basic authentication module of an affected server.

Description

The Apache HTTP server contains a denial-of-service vulnerability in the apr_password_validate() function. The Apache Software Foundation has provided the following description of this vulnerability:

    Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were vulnerable to a denial-of-service attack on the basic authentication module, which was reported by John Hughes <john.hughes@entegrity.com>. A bug in the configuration scripts caused the apr_password_validate() function to be thread-unsafe on platforms with crypt_r(), including AIX and Linux. All versions of Apache 2.0 have this thread-safety problem on platforms with no crypt_r() and no thread-safe crypt(), such as Mac OS X and possibly others. When using a threaded MPM (which is not the default on these platforms), this allows remote attackers to create a denial of service which causes valid usernames and passwords for Basic Authentication to fail until Apache is restarted. We do not believe this bug could allow unauthorized users to gain access to protected resources.


For further information, please read the announcement located at

Impact

This vulnerability allows remote attackers to conduct denial-of-service attacks on the HTTP basic authentication module of an affected server.

Solution

The Apache Software Foundation recommends that users upgrade to version 2.0.46 to address this vulnerability. The latest version of Apache is available at:

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Apache Software FoundationAffected28 May 200324 Jun 2003
ConectivaAffected16 Jun 200323 Jun 2003
Hewlett-Packard CompanyAffected16 Jul 200318 Sep 2003
MandrakeSoftAffected02 Jun 200324 Jun 2003
Red Hat Inc.Affected28 May 200324 Jun 2003
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT/CC thanks John Hughes for discovering this vulnerability.

This document was written by Jeffrey P. Lanza.

Other Information

  • CVE IDs: CAN-2003-0189
  • Date Public: 28 May 2003
  • Date First Published: 24 Jun 2003
  • Date Last Updated: 18 Sep 2003
  • Severity Metric: 0.68
  • Document Revision: 16

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.