Bug 1121519 (CVE-2014-3523) - CVE-2014-3523 httpd: WinNT MPM denial of service
Summary: CVE-2014-3523 httpd: WinNT MPM denial of service
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-3523
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1120623 1121528 1395463
TreeView+ depends on / blocked
 
Reported: 2014-07-21 06:46 UTC by Grant Murphy
Modified: 2021-02-17 06:21 UTC (History)
26 users (show)

Fixed In Version: httpd 2.4.10
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-22 08:44:22 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JCSP-95 0 Blocker Closed CVE-2014-3523 httpd: WinNT MPM denial of service 2020-01-24 03:07:38 UTC
Red Hat Issue Tracker JWS-433 0 Major Closed CVE-2014-3523 httpd: WinNT MPM denial of service 2020-01-24 03:07:38 UTC
Red Hat Product Errata RHSA-2016:2957 0 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release 2016-12-16 03:11:19 UTC

Description Grant Murphy 2014-07-21 06:46:47 UTC
The following flaw has been fixed in the Apache HTTP Server:

"A flaw was found in the WinNT MPM in httpd versions 2.4.1 to 2.4.9, when using the default AcceptFilter for that platform. A remote attacker could send carefully crafted requests that would leak memory and eventually lead to a denial of service against the server."

External References:

http://httpd.apache.org/security/vulnerabilities_24.html

Comment 1 Grant Murphy 2014-07-22 07:54:50 UTC
Upstream fix: 

https://github.com/apache/httpd/commit/c17f0b89657cf03318fe2b624adc92cae477f81b

Code not present in 2.2

Comment 2 Grant Murphy 2014-07-22 08:44:22 UTC
Statement:

Not affected. This issue did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 5, 6 and 7, Red Hat JBoss Web Server 1 and 2, and Red Hat JBoss Enterprise Application Platform 5 and 6. This flaw only affects httpd running on Microsoft Windows. Red Hat JBoss Web Server 1 and 2, and Red Hat JBoss Enterprise Application Platform 5 and 6 can be run on Microsoft Windows. However, these products provide httpd 2.2, which is not affected by this flaw.

Comment 3 Tomas Hoger 2014-07-23 06:47:29 UTC
Upstream commit:
http://svn.apache.org/viewvc?view=revision&revision=1610652

Comment 4 JBoss JIRA Server 2016-09-06 13:20:40 UTC
Michal Karm Babacek <mbabacek> updated the status of jira JWS-433 to Resolved

Comment 7 errata-xmlrpc 2016-12-15 22:13:29 UTC
This issue has been addressed in the following products:



Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html


Note You need to log in before you can comment on or make changes to this bug.