CVE-2007-6422 - Resource Management Errors vulnerability in Apache HTTP Server

Publication

2008-01-08

Last modification

2018-10-30

Summary

The balancer_handler function in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6, when a threaded Multi-Processing Module is used, allows remote authenticated users to cause a denial of service (child process crash) via an invalid bb variable.

Classification

CWE-399 - Resource Management Errors

Risk level (CVSS AV:N/AC:L/Au:S/C:N/I:N/A:P)

Medium

4.0

Access Vector

  • Network

Access Complexity

  • Low

Authentication

  • Single

Confidentiality Impact

  • None

Integrity Impact

  • None

Availability Impact

  • Partial

Vendor comments

  • Mark J Cox - Apache (2008-07-02)
    Fixed in Apache HTTP Server 2.2.8. http://httpd.apache.org/security/vulnerabilities_22.html

OVAL definition

{
    "accepted": "2013-04-29T04:02:52.907-04:00",
    "class": "vulnerability",
    "contributors": [
        {
            "name": "Aharon Chernin",
            "organization": "SCAP.com, LLC"
        },
        {
            "name": "Dragos Prisaca",
            "organization": "G2, Inc."
        }
    ],
    "definition_extensions": [
        {
            "comment": "The operating system installed on the system is Red Hat Enterprise Linux 5",
            "oval": "oval:org.mitre.oval:def:11414"
        },
        {
            "comment": "The operating system installed on the system is CentOS Linux 5.x",
            "oval": "oval:org.mitre.oval:def:15802"
        },
        {
            "comment": "Oracle Linux 5.x",
            "oval": "oval:org.mitre.oval:def:15459"
        }
    ],
    "description": "The balancer_handler function in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6, when a threaded Multi-Processing Module is used, allows remote authenticated users to cause a denial of service (child process crash) via an invalid bb variable.",
    "family": "unix",
    "id": "oval:org.mitre.oval:def:10181",
    "status": "accepted",
    "submitted": "2010-07-09T03:56:16-04:00",
    "title": "The balancer_handler function in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6, when a threaded Multi-Processing Module is used, allows remote authenticated users to cause a denial of service (child process crash) via an invalid bb variable.",
    "version": "18"
}
{
    "accepted": "2014-07-14T04:01:31.203-04:00",
    "class": "vulnerability",
    "contributors": [
        {
            "name": "J. Daniel Brown",
            "organization": "DTCC"
        },
        {
            "name": "Mike Lah",
            "organization": "The MITRE Corporation"
        },
        {
            "name": "Shane Shaffer",
            "organization": "G2, Inc."
        },
        {
            "name": "Maria Mikhno",
            "organization": "ALTX-SOFT"
        }
    ],
    "definition_extensions": [
        {
            "comment": "Apache HTTP Server 2.2.x is installed on the system",
            "oval": "oval:org.mitre.oval:def:8550"
        }
    ],
    "description": "The balancer_handler function in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6, when a threaded Multi-Processing Module is used, allows remote authenticated users to cause a denial of service (child process crash) via an invalid bb variable.",
    "family": "windows",
    "id": "oval:org.mitre.oval:def:8690",
    "status": "accepted",
    "submitted": "2010-03-08T17:30:00.000-05:00",
    "title": "Apache 'mod_proxy_balancer' Invalid bb Variable Denial of Service Vulnerability",
    "version": "11"
}

Affected Products

Vendor: Apache
Product: HTTP Server
Versions: 2.2, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.6