SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#479268

Apache HTTPD contains denial of service vulnerability in basic authentication module

Overview

The Apache HTTP server contains a denial-of-service vulnerability that allows remote attackers to to conduct denial-of-service attacks on the HTTP basic authentication module of an affected server.

I. Description

The Apache HTTP server contains a denial-of-service vulnerability in the apr_password_validate() function. The Apache Software Foundation has provided the following description of this vulnerability:

    Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were vulnerable to a denial-of-service attack on the basic authentication module, which was reported by John Hughes <john.hughes@entegrity.com>. A bug in the configuration scripts caused the apr_password_validate() function to be thread-unsafe on platforms with crypt_r(), including AIX and Linux. All versions of Apache 2.0 have this thread-safety problem on platforms with no crypt_r() and no thread-safe crypt(), such as Mac OS X and possibly others. When using a threaded MPM (which is not the default on these platforms), this allows remote attackers to create a denial of service which causes valid usernames and passwords for Basic Authentication to fail until Apache is restarted. We do not believe this bug could allow unauthorized users to gain access to protected resources.


For further information, please read the announcement located at

II. Impact

This vulnerability allows remote attackers to conduct denial-of-service attacks on the HTTP basic authentication module of an affected server.

III. Solution

The Apache Software Foundation recommends that users upgrade to version 2.0.46 to address this vulnerability. The latest version of Apache is available at:


Systems Affected
VendorStatusDate NotifiedDate Updated
Apache Software FoundationVulnerable24-Jun-2003
ConectivaVulnerable23-Jun-2003
Hewlett-Packard CompanyVulnerable18-Sep-2003
MandrakeSoftVulnerable24-Jun-2003
Red Hat Inc.Vulnerable24-Jun-2003

References


http://www.apache.org/dist/httpd/Announcement2.html
http://www.secunia.com/advisories/8881/
http://www.iss.net/security_center/static/12091.php

Credit

The CERT/CC thanks John Hughes for discovering this vulnerability.

This document was written by Jeffrey P. Lanza.

Other Information

Date Public:2003-05-28
Date First Published:2003-06-24
Date Last Updated:2003-09-18
CERT Advisory: 
CVE-ID(s):CAN-2003-0189
NVD-ID(s):CAN-2003-0189
US-CERT Technical Alerts: 
Metric:0.68
Document Revision:16

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2003 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader