1121519 – (CVE-2014-3523) CVE-2014-3523 httpd: WinNT MPM denial of service

Bug 1121519 (CVE-2014-3523) - CVE-2014-3523 httpd: WinNT MPM denial of service

Summary: CVE-2014-3523 httpd: WinNT MPM denial of service

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2014-3523
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1120623 1121528 1395463
TreeView+	depends on / blocked

Reported:	2014-07-21 06:46 UTC by Grant Murphy
Modified:	2021-02-17 06:21 UTC (History)
CC List:	26 users (show)
Fixed In Version:	httpd 2.4.10
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-07-22 08:44:22 UTC

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	JCSP-95	Blocker	Closed	CVE-2014-3523 httpd: WinNT MPM denial of service	2020-01-24 03:07:38 UTC
Red Hat Issue Tracker	JWS-433	Major	Closed	CVE-2014-3523 httpd: WinNT MPM denial of service	2020-01-24 03:07:38 UTC
Red Hat Product Errata	RHSA-2016:2957	normal	SHIPPED_LIVE	Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release	2016-12-16 03:11:19 UTC

Description Grant Murphy 2014-07-21 06:46:47 UTC

The following flaw has been fixed in the Apache HTTP Server:

"A flaw was found in the WinNT MPM in httpd versions 2.4.1 to 2.4.9, when using the default AcceptFilter for that platform. A remote attacker could send carefully crafted requests that would leak memory and eventually lead to a denial of service against the server."

External References:

http://httpd.apache.org/security/vulnerabilities_24.html

Comment 1 Grant Murphy 2014-07-22 07:54:50 UTC

Upstream fix: 

https://github.com/apache/httpd/commit/c17f0b89657cf03318fe2b624adc92cae477f81b

Code not present in 2.2

Comment 2 Grant Murphy 2014-07-22 08:44:22 UTC

Statement:

Not affected. This issue did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 5, 6 and 7, Red Hat JBoss Web Server 1 and 2, and Red Hat JBoss Enterprise Application Platform 5 and 6. This flaw only affects httpd running on Microsoft Windows. Red Hat JBoss Web Server 1 and 2, and Red Hat JBoss Enterprise Application Platform 5 and 6 can be run on Microsoft Windows. However, these products provide httpd 2.2, which is not affected by this flaw.

Comment 3 Tomas Hoger 2014-07-23 06:47:29 UTC

Upstream commit:
http://svn.apache.org/viewvc?view=revision&revision=1610652

Comment 4 JBoss JIRA Server 2016-09-06 13:20:40 UTC

Michal Karm Babacek <mbabacek> updated the status of jira JWS-433 to Resolved

Comment 7 errata-xmlrpc 2016-12-15 22:13:29 UTC

This issue has been addressed in the following products:



Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html

Note You need to log in before you can comment on or make changes to this bug.

aneelica
aogburn
cdewolf
dandread
darran.lofthouse
dknox
fnasser
huwang
jason.greene
jawilson
jclere
jdoyle
jkaluza
jorton
lgao
mjc
mmaslano
myarboro
pahan
pgier
pslavice
rmeggins
rsvoboda
vtunka
webstack-team
weli