Bug 1121519 (CVE-2014-3523)

Summary: CVE-2014-3523 httpd: WinNT MPM denial of service
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: httpd 2.4.10
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-07-22 08:44:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Reporter: Grant Murphy <gmurphy>
Assignee: Red Hat Product Security <security-response-team>
QA Contact:
Docs Contact:
CC: aneelica, aogburn, cdewolf, dandread, darran.lofthouse, dknox, fnasser, huwang, jason.greene, jawilson, jclere, jdoyle, jkaluza, jorton, lgao, mjc, mmaslano, myarboro, pahan, pgier, pslavice, rmeggins, rsvoboda, vtunka, webstack-team, weli
Keywords: Security

Bug Depends On:
Bug Blocks: 1120623, 1121528, 1395463

Description Grant Murphy 2014-07-21 06:46:47 UTC
The following flaw has been fixed in the Apache HTTP Server:

"A flaw was found in the WinNT MPM in httpd versions 2.4.1 to 2.4.9, when using the default AcceptFilter for that platform. A remote attacker could send carefully crafted requests that would leak memory and eventually lead to a denial of service against the server."

External References:

http://httpd.apache.org/security/vulnerabilities_24.html

Comment 1 Grant Murphy 2014-07-22 07:54:50 UTC
Upstream fix: 

https://github.com/apache/httpd/commit/c17f0b89657cf03318fe2b624adc92cae477f81b

Code not present in 2.2

Comment 2 Grant Murphy 2014-07-22 08:44:22 UTC
Statement:

Not affected. This issue did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 5, 6 and 7, Red Hat JBoss Web Server 1 and 2, and Red Hat JBoss Enterprise Application Platform 5 and 6. This flaw only affects httpd running on Microsoft Windows. Red Hat JBoss Web Server 1 and 2, and Red Hat JBoss Enterprise Application Platform 5 and 6 can be run on Microsoft Windows. However, these products provide httpd 2.2, which is not affected by this flaw.

Comment 3 Tomas Hoger 2014-07-23 06:47:29 UTC
Upstream commit:
http://svn.apache.org/viewvc?view=revision&revision=1610652

Comment 4 JBoss JIRA Server 2016-09-06 13:20:40 UTC
Michal Karm Babacek <mbabacek> updated the status of jira JWS-433 to Resolved

Comment 7 errata-xmlrpc 2016-12-15 22:13:29 UTC
This issue has been addressed in the following products:

Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html