Bug 1120601 (CVE-2014-0118) - CVE-2014-0118 httpd: mod_deflate denial of service
Summary: CVE-2014-0118 httpd: mod_deflate denial of service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0118
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1120605 1120606 1120607 1120608 1120612 1120613 1120614 1120935 1120936 1120937 1120938 1120939 1120940 1121037 1121038
Blocks: 1064757 1116304 1120610 1120623
TreeView+ depends on / blocked
 
Reported: 2014-07-17 09:12 UTC by Murray McAllister
Modified: 2021-02-17 06:22 UTC (History)
39 users (show)

Fixed In Version: httpd 2.4.10
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the "DEFLATE" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.
Clone Of:
Environment:
Last Closed: 2015-07-10 02:46:24 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0920 0 normal SHIPPED_LIVE Important: httpd security update 2014-07-23 13:19:05 UTC
Red Hat Product Errata RHSA-2014:0921 0 normal SHIPPED_LIVE Important: httpd security update 2014-07-23 14:00:19 UTC
Red Hat Product Errata RHSA-2014:0922 0 normal SHIPPED_LIVE Important: httpd24-httpd security update 2014-07-23 14:00:09 UTC
Red Hat Product Errata RHSA-2014:1019 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.3.0 update 2014-08-06 19:06:42 UTC
Red Hat Product Errata RHSA-2014:1020 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.3.0 update 2014-08-06 19:03:06 UTC
Red Hat Product Errata RHSA-2014:1021 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.3.0 update 2014-08-06 18:52:25 UTC
Red Hat Product Errata RHSA-2014:1086 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.0 update 2014-08-21 19:30:27 UTC
Red Hat Product Errata RHSA-2014:1087 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.0 update 2014-08-21 19:29:44 UTC
Red Hat Product Errata RHSA-2014:1088 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.0 update 2014-08-21 19:29:14 UTC

Description Murray McAllister 2014-07-17 09:12:54 UTC 
The following flaw has been fixed in the Apache HTTP Server:

"A resource consumption flaw was found in mod_deflate. If request body decompression was configured (using the "DEFLATE" input filter), a remote attacker could cause the server to consume significant memory and/or CPU resources. The use of request body decompression is not a common configuration."

External References:

http://httpd.apache.org/security/vulnerabilities_24.html
Comment 2 Murray McAllister 2014-07-17 09:40:23 UTC 
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1120614]
Comment 7 Tomas Hoger 2014-07-23 06:50:52 UTC 
Upstream commit:
http://svn.apache.org/viewvc?view=revision&revision=1610501
Comment 8 errata-xmlrpc 2014-07-23 09:19:30 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2014:0920 https://rhn.redhat.com/errata/RHSA-2014-0920.html
Comment 9 errata-xmlrpc 2014-07-23 10:00:55 UTC 
This issue has been addressed in following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7

Via RHSA-2014:0922 https://rhn.redhat.com/errata/RHSA-2014-0922.html
Comment 10 errata-xmlrpc 2014-07-23 10:01:41 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0921 https://rhn.redhat.com/errata/RHSA-2014-0921.html
Comment 11 Fedora Update System 2014-07-25 10:03:41 UTC 
httpd-2.4.10-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Martin Prpič 2014-07-28 11:28:34 UTC 
IssueDescription:

A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the "DEFLATE" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.
Comment 13 errata-xmlrpc 2014-08-06 14:53:36 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.3.0

Via RHSA-2014:1021 https://rhn.redhat.com/errata/RHSA-2014-1021.html
Comment 14 errata-xmlrpc 2014-08-06 15:09:25 UTC 
This issue has been addressed in following products:

  JBEAP 6 for RHEL 6

Via RHSA-2014:1020 https://rhn.redhat.com/errata/RHSA-2014-1020.html
Comment 15 errata-xmlrpc 2014-08-06 15:11:40 UTC 
This issue has been addressed in following products:

  JBEAP 6 for RHEL 5

Via RHSA-2014:1019 https://rhn.redhat.com/errata/RHSA-2014-1019.html
Comment 16 Fedora Update System 2014-08-15 02:47:07 UTC 
httpd-2.4.10-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 errata-xmlrpc 2014-08-21 15:31:45 UTC 
This issue has been addressed in following products:

  JBEWS 2 for RHEL 5

Via RHSA-2014:1088 https://rhn.redhat.com/errata/RHSA-2014-1088.html
Comment 18 errata-xmlrpc 2014-08-21 15:32:14 UTC 
This issue has been addressed in following products:

  JBEWS 2 for RHEL 6

Via RHSA-2014:1087 https://rhn.redhat.com/errata/RHSA-2014-1087.html
Comment 19 errata-xmlrpc 2014-08-21 15:32:49 UTC 
This issue has been addressed in following products:

  JBoss Web Server 2.1.0

Via RHSA-2014:1086 https://rhn.redhat.com/errata/RHSA-2014-1086.html
Note You need to log in before you can comment on or make changes to this bug.