Vulnerability Note VU#479268
Apache HTTPD contains denial of service vulnerability in basic authentication module
The Apache HTTP server contains a denial-of-service vulnerability that allows remote attackers to to conduct denial-of-service attacks on the HTTP basic authentication module of an affected server.
The Apache HTTP server contains a denial-of-service vulnerability in the apr_password_validate() function. The Apache Software Foundation has provided the following description of this vulnerability:
Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were vulnerable to a denial-of-service attack on the basic authentication module, which was reported by John Hughes <firstname.lastname@example.org>. A bug in the configuration scripts caused the apr_password_validate() function to be thread-unsafe on platforms with crypt_r(), including AIX and Linux. All versions of Apache 2.0 have this thread-safety problem on platforms with no crypt_r() and no thread-safe crypt(), such as Mac OS X and possibly others. When using a threaded MPM (which is not the default on these platforms), this allows remote attackers to create a denial of service which causes valid usernames and passwords for Basic Authentication to fail until Apache is restarted. We do not believe this bug could allow unauthorized users to gain access to protected resources.
For further information, please read the announcement located at
This vulnerability allows remote attackers to conduct denial-of-service attacks on the HTTP basic authentication module of an affected server.
The Apache Software Foundation recommends that users upgrade to version 2.0.46 to address this vulnerability. The latest version of Apache is available at:
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Apache Software Foundation||Affected||28 May 2003||24 Jun 2003|
|Conectiva||Affected||16 Jun 2003||23 Jun 2003|
|Hewlett-Packard Company||Affected||16 Jul 2003||18 Sep 2003|
|MandrakeSoft||Affected||02 Jun 2003||24 Jun 2003|
|Red Hat Inc.||Affected||28 May 2003||24 Jun 2003|
CVSS Metrics (Learn More)
The CERT/CC thanks John Hughes for discovering this vulnerability.
This document was written by Jeffrey P. Lanza.
- CVE IDs: CAN-2003-0189
- Date Public: 28 May 2003
- Date First Published: 24 Jun 2003
- Date Last Updated: 18 Sep 2003
- Severity Metric: 0.68
- Document Revision: 16
If you have feedback, comments, or additional information about this vulnerability, please send us email.