Bug 1120596 (CVE-2014-0231)

Summary: CVE-2014-0231 httpd: mod_cgid denial of service
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anmiller, bdunne, bressers, cdewolf, chazlett, dajohnso, dandread, darran.lofthouse, dclarizi, dknox, fnasser, gmccullo, grocha, huwang, jason.greene, jawilson, jclere, jdoyle, jfrey, jkaluza, jkudrnac, jorton, jprause, jrafanie, jvlcek, kseifried, lgao, mmaslano, myarboro, obarenbo, pahan, pgier, pslavice, rmeggins, rsvoboda, vtunka, webstack-team, weli, xlecauch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: httpd 2.4.10 Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely.
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-10 02:47:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1120605, 1120606, 1120607, 1120608, 1120612, 1120613, 1120614, 1120935, 1120936, 1120937, 1120938, 1120939, 1120940, 1121037, 1121038    
Bug Blocks: 1064757, 1116304, 1120610, 1120623    

Description Murray McAllister 2014-07-17 09:06:08 UTC
The following flaw has been fixed in the Apache HTTP Server:

"A flaw was found in mod_cgid. If a server using mod_cgid hosted CGI scripts which did not consume standard input, a remote attacker could cause child processes to hang indefinitely, leading to denial of service."

External References:

http://httpd.apache.org/security/vulnerabilities_24.html

Comment 2 Murray McAllister 2014-07-17 09:39:07 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1120614]

Comment 10 errata-xmlrpc 2014-07-23 09:19:25 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2014:0920 https://rhn.redhat.com/errata/RHSA-2014-0920.html

Comment 11 errata-xmlrpc 2014-07-23 10:00:44 UTC
This issue has been addressed in following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7

Via RHSA-2014:0922 https://rhn.redhat.com/errata/RHSA-2014-0922.html

Comment 12 errata-xmlrpc 2014-07-23 10:01:31 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0921 https://rhn.redhat.com/errata/RHSA-2014-0921.html

Comment 13 Jakub Cechacek 2014-07-23 11:20:17 UTC
@Andrew
As I am working on this verification only as kind of a backup, would you mind being more specific about how to determine the status of httpd child processes?

Comment 16 Fedora Update System 2014-07-25 10:03:31 UTC
httpd-2.4.10-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Martin Prpič 2014-07-28 11:28:28 UTC
IssueDescription:

A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely.

Comment 18 errata-xmlrpc 2014-08-06 14:53:30 UTC
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.3.0

Via RHSA-2014:1021 https://rhn.redhat.com/errata/RHSA-2014-1021.html

Comment 19 errata-xmlrpc 2014-08-06 15:09:21 UTC
This issue has been addressed in following products:

  JBEAP 6 for RHEL 6

Via RHSA-2014:1020 https://rhn.redhat.com/errata/RHSA-2014-1020.html

Comment 20 errata-xmlrpc 2014-08-06 15:11:36 UTC
This issue has been addressed in following products:

  JBEAP 6 for RHEL 5

Via RHSA-2014:1019 https://rhn.redhat.com/errata/RHSA-2014-1019.html

Comment 21 Fedora Update System 2014-08-15 02:46:56 UTC
httpd-2.4.10-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 errata-xmlrpc 2014-08-21 15:31:40 UTC
This issue has been addressed in following products:

  JBEWS 2 for RHEL 5

Via RHSA-2014:1088 https://rhn.redhat.com/errata/RHSA-2014-1088.html

Comment 23 errata-xmlrpc 2014-08-21 15:32:08 UTC
This issue has been addressed in following products:

  JBEWS 2 for RHEL 6

Via RHSA-2014:1087 https://rhn.redhat.com/errata/RHSA-2014-1087.html

Comment 24 errata-xmlrpc 2014-08-21 15:32:43 UTC
This issue has been addressed in following products:

  JBoss Web Server 2.1.0

Via RHSA-2014:1086 https://rhn.redhat.com/errata/RHSA-2014-1086.html