A flaw was discovered in the apr_fnmatch() function in the Apache Portable Runtime (APR) library 1.4.4 (or any backported versions that contained the upstream fix for CVE-2011-0419). This could cause httpd workers to enter a hung state (100% CPU utilization).
Created attachment 499921 [details] upstream patch Patch provided by upstream to correct this issue.
This is actually public already: http://mail-archives.apache.org/mod_mbox/httpd-announce/201105.mbox/%3C4DD55092.3030403@apache.org%3E
Upstream bug and commit: https://issues.apache.org/bugzilla/show_bug.cgi?id=51219 http://svn.apache.org/viewvc?view=revision&revision=1124328
This is CVE-2011-1928.
This problem is triggered when using APR_FNM_PATHNAME flag. This is not used by mod_autoindex, so this problem is not triggered in the same way as the original problem CVE-2011-0419 (bug #703390). In certain configurations, this can be triggered by an HTTP request that does not need to be purposefully malicious. Upstream bug mentions following example: <Location "/*/WEB-INF/"> This problem can be mitigated by wildcards ('*' or '(dir1|dir2|dir3)' alternatives specifications) in the <Location> URL specifications, or using regular expression specifications instead (using <Location ~ > or <LocationMatch>). If you're temporarily downgrading to older apr version, consider applying CVE-2011-0419 mitigation as mentioned in bug #703390, comment #7.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 6 Via RHSA-2011:0844 https://rhn.redhat.com/errata/RHSA-2011-0844.html
I added some details at the related Fedora page at https://bugzilla.redhat.com/show_bug.cgi?id=714182 But the general idea is that nist.gov says that version 2.2.17 and 2.2.18 is affected by combining these CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1928 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0419 So even if the exploit doesn't exist in a patched 2.2.17 or 2.2.18 at least one vulnerably scanner company is being a pain about it. Sorry, I don't know if it is possible for you to get NIST to change the text. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1928 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0419 https://bugzilla.redhat.com/show_bug.cgi?id=714182 https://bugzilla.redhat.com/show_bug.cgi?id=703390 It seems to me the only resolution is to move to 2.2.19