CVE-2011-3348 - Resource Exhaustion vulnerability in multiple products
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary
The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary "error state" in the backend server) via a malformed HTTP request.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 10 |
Application | | 1 |
OS | | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- XML Ping of the Death: An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
- XML Entity Expansion: An attacker submits an XML document to a target application where the XML document uses nested entity expansion to produce an excessively large output XML. XML allows the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.
- Inducing Account Lockout: An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect login attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.
- Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS)): XML Denial of Service (XDoS) can be applied to any technology that utilizes XML data. This is, of course, most distributed systems technology including Java, .NET, databases, and so on. XDoS is most closely associated with web services, SOAP, and REST, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. There are three primary attack vectors that XDoS can navigate:
  - Target CPU through recursion: attacker creates a recursive payload and sends to service provider.
  - Target memory through jumbo payloads: service provider uses DOM to parse XML. DOM creates in memory representation of XML document, but when document is very large (for example, north of 1 Gb) service provider host may exhaust memory trying to build memory objects.
  - XML Ping of death: attack service provider with numerous small files that clog the system.

  All of the above attacks exploit the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.
Nessus
- NASL family: Amazon Linux Local Security Checks
- NASL id: ALA_ALAS-2011-9.NASL
- description: It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. (CVE-2011-3368) It was discovered that mod_proxy_ajp incorrectly returned an
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 78270
- published: 2014-10-12
- reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/78270
- title: Amazon Linux AMI : httpd (ALAS-2011-9)
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2011-9.
#

include("compat.inc");

if (description)
{
  script_id(78270);
  script_version("1.4");
  script_cvs_date("Date: 2018/04/18 15:09:34");

  script_cve_id("CVE-2011-3348", "CVE-2011-3368");
  script_xref(name:"ALAS", value:"2011-9");
  script_xref(name:"RHSA", value:"2011:1391");

  script_name(english:"Amazon Linux AMI : httpd (ALAS-2011-9)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. (CVE-2011-3368) It was discovered that mod_proxy_ajp incorrectly returned an 'Internal Server Error' response when processing certain malformed HTTP requests, which caused the back-end server to be marked as failed in configurations where mod_proxy was used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2011-3348)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2011-9.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Run 'yum update httpd' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd-manual");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:mod_ssl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/10/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (rpm_check(release:"ALA", reference:"httpd-2.2.21-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"httpd-debuginfo-2.2.21-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"httpd-devel-2.2.21-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"httpd-manual-2.2.21-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"httpd-tools-2.2.21-1.19.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"mod_ssl-2.2.21-1.19.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc");
}
```

- NASL family: Mandriva Local Security Checks
- NASL id: MANDRIVA_MDVSA-2011-168.NASL
- description: A vulnerability has been discovered and corrected in apache : The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary error state in the backend server) via a malformed HTTP request (CVE-2011-3348). The fix for CVE-2011-3192 provided by the MDVSA-2011:130 advisory introduced regressions in the way httpd handled certain Range HTTP header values. The updated packages have been patched to correct these issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 56764
- published: 2011-11-10
- reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/56764
- title: Mandriva Linux Security Advisory : apache (MDVSA-2011:168)
- code:

```
#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandriva Linux Security Advisory MDVSA-2011:168.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(56764);
  script_version("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:54");

  script_cve_id("CVE-2011-3348");
  script_bugtraq_id(49616);
  script_xref(name:"MDVSA", value:"2011:168");

  script_name(english:"Mandriva Linux Security Advisory : apache (MDVSA-2011:168)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandriva Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A vulnerability has been discovered and corrected in apache : The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary error state in the backend server) via a malformed HTTP request (CVE-2011-3348). The fix for CVE-2011-3192 provided by the MDVSA-2011:130 advisory introduced regressions in the way httpd handled certain Range HTTP header values. The updated packages have been patched to correct these issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bz.apache.org/bugzilla/show_bug.cgi?id=51878"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-htcacheclean");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_authn_dbd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_cache");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_dav");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_dbd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_deflate");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_disk_cache");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_file_cache");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_mem_cache");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_proxy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_proxy_ajp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_proxy_scgi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_reqtimeout");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_ssl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_userdir");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-modules");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-event");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-itk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-peruser");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-prefork");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-worker");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-source");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2010.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/10");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

flag = 0;
if (rpm_check(release:"MDK2010.1", reference:"apache-base-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-devel-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-htcacheclean-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mod_authn_dbd-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mod_cache-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mod_dav-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mod_dbd-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mod_deflate-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mod_disk_cache-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mod_file_cache-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mod_ldap-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mod_mem_cache-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mod_proxy-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mod_proxy_ajp-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mod_proxy_scgi-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mod_reqtimeout-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mod_ssl-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mod_userdir-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-modules-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mpm-event-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mpm-itk-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mpm-peruser-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mpm-prefork-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-mpm-worker-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2010.1", reference:"apache-source-2.2.15-3.5mdv2010.2", yank:"mdv")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

- NASL family: Scientific Linux Local Security Checks
- NASL id: SL_20111020_HTTPD_ON_SL6_X.NASL
- description: The Apache HTTP Server is a popular web server. It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. (CVE-2011-3368) It was discovered that mod_proxy_ajp incorrectly returned an
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 61161
- published: 2012-08-01
- reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/61161
- title: Scientific Linux Security Update : httpd on SL6.x i386/x86_64

- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-201206-25.NASL
- description: The remote host is affected by the vulnerability described in GLSA-201206-25 (Apache HTTP Server: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Apache HTTP Server. Please review the CVE identifiers referenced below for details. Impact : A remote attacker might obtain sensitive information, gain privileges, send requests to unintended servers behind proxies, bypass certain security restrictions, obtain the values of HTTPOnly cookies, or cause a Denial of Service in various ways. A local attacker could gain escalated privileges. Workaround : There is no known workaround at this time.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 59678
- published: 2012-06-25
- reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/59678
- title: GLSA-201206-25 : Apache HTTP Server: Multiple vulnerabilities

- NASL family: Web Servers
- NASL id: HPSMH_7_0_0_24.NASL
- description: According to the web server
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 58811
- published: 2012-04-20
- reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/58811
- title: HP System Management Homepage < 7.0 Multiple Vulnerabilities

- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2012-0542.NASL
- description: Updated httpd packages that fix multiple security issues and one bug are now available for JBoss Enterprise Web Server 1.0.2 for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Apache HTTP Server (
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 78923
- published: 2014-11-08
- reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/78923
- title: RHEL 5 / 6 : JBoss Web Server (RHSA-2012:0542)

- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2011-1391.NASL
- description: Updated httpd packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Apache HTTP Server is a popular web server. It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. (CVE-2011-3368) It was discovered that mod_proxy_ajp incorrectly returned an
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 56578
- published: 2011-10-21
- reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/56578
- title: RHEL 6 : httpd (RHSA-2011:1391)

- NASL family: Ubuntu Local Security Checks
- NASL id: UBUNTU_USN-1259-1.NASL
- description: It was discovered that the mod_proxy module in Apache did not properly interact with the RewriteRule and ProxyPassMatch pattern matches in the configuration of a reverse proxy. This could allow remote attackers to contact internal webservers behind the proxy that were not intended for external exposure. (CVE-2011-3368) Stefano Nichele discovered that the mod_proxy_ajp module in Apache when used with mod_proxy_balancer in certain configurations could allow remote attackers to cause a denial of service via a malformed HTTP request. (CVE-2011-3348) Samuel Montosa discovered that the ITK Multi-Processing Module for Apache did not properly handle certain configuration sections that specify NiceValue but not AssignUserID, preventing Apache from dropping privileges correctly. This issue only affected Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1176) USN 1199-1 fixed a vulnerability in the byterange filter of Apache. The upstream patch introduced a regression in Apache when handling specific byte range requests. This update fixes the issue. A flaw was discovered in the byterange filter in Apache. A remote attacker could exploit this to cause a denial of service via resource exhaustion. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 56778
- published: 2011-11-11
- reporter: Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/56778
- title: Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : apache2, apache2-mpm-itk vulnerabilities (USN-1259-1)

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_11_4_APACHE2-111026.NASL
- description: This update fixes several security issues in the Apache webserver. The patch for the ByteRange remote denial of service attack (CVE-2011-3192) was refined and the configuration options used by upstream were added. Introduce new config option: Allow MaxRanges Number of ranges requested, if exceeded, the complete content is served. default: 200 0|unlimited: unlimited none: Range headers are ignored. This option is a backport from 2.2.21. Also fixed: CVE-2011-3348: Denial of service in proxy_ajp when using a undefined method. CVE-2011-3368: Exposure of internal servers via reverse proxy methods with mod_proxy enabled and incorrect Rewrite or Proxy Rules.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 75787
- published: 2014-06-13
- reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/75787
- title: openSUSE Security Update : apache2 (openSUSE-SU-2011:1217-1)

- NASL family: Oracle Linux Local Security Checks
- NASL id: ORACLELINUX_ELSA-2011-1391.NASL
- description: From Red Hat Security Advisory 2011:1391 : Updated httpd packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Apache HTTP Server is a popular web server. It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. (CVE-2011-3368) It was discovered that mod_proxy_ajp incorrectly returned an
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 68376
- published: 2013-07-12
- reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/68376
- title: Oracle Linux 6 : httpd (ELSA-2011-1391)

- NASL family: Amazon Linux Local Security Checks
- NASL id: ALA_ALAS-2011-09.NASL
- description: The MITRE CVE database describes these CVEs as : The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character. The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 69568
- published: 2013-09-04
- reporter: This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/69568
- title: Amazon Linux AMI : httpd (ALAS-2011-09)

- NASL family: Web Servers
- NASL id: APACHE_2_2_21.NASL
- description: According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.21. It is, therefore, potentially affected by a denial of service vulnerability. An error exists in the
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 56216
- published: 2011-09-16
- reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/56216
- title: Apache 2.2.x < 2.2.21 mod_proxy_ajp DoS

- NASL family: MacOS X Local Security Checks
- NASL id: MACOSX_SECUPD2012-001.NASL
- description: The remote host is running a version of Mac OS X 10.6 that does not have Security Update 2012-001 applied. This update contains multiple security-related fixes for the following components : - Apache - ATS - ColorSync - CoreAudio - CoreMedia - CoreText - curl - Data Security - dovecot - filecmds - libresolv - libsecurity - OpenGL - PHP - QuickTime - SquirrelMail - Subversion - Tomcat - X11
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 57798
- published: 2012-02-02
- reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/57798
- title: Mac OS X Multiple Vulnerabilities (Security Update 2012-001) (BEAST)

- NASL family: Mandriva Local Security Checks
- NASL id: MANDRIVA_MDVSA-2011-130.NASL
- description: Multiple vulnerabilities has been discovered and corrected in apache : The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086 (CVE-2011-3192). The updated packages have been patched to correct this issue.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 56084
- published: 2011-09-06
- reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/56084
- title: Mandriva Linux Security Advisory : apache (MDVSA-2011:130-1)

- NASL family: MacOS X Local Security Checks
- NASL id: MACOSX_10_7_3.NASL
- description: The remote host is running a version of Mac OS X 10.7.x that is prior to 10.7.3. The newer version contains multiple security-related fixes for the following components : - Address Book - Apache - ATS - CFNetwork - CoreMedia - CoreText - CoreUI - curl - Data Security - dovecot - filecmds - ImageIO - Internet Sharing - Libinfo - libresolv - libsecurity - OpenGL - PHP - QuickTime - Subversion - Time Machine - WebDAV Sharing - Webmail - X11
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 57797
- published: 2012-02-02
- reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/57797
- title: Mac OS X 10.7.x < 10.7.3 Multiple Vulnerabilities (BEAST)

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_11_APACHE2-111026.NASL
- description: This update brings Apache to version 2.2.12. The main reason is the enablement of the Server Name Indication (SNI) that allows several SSL-enabled domains on one IP address (FATE#311973). See the SSLStrictSNIVHostCheck directive as documented in /usr/share/apache2/manual/mod/mod_ssl.html.en Also the patch for the ByteRange remote denial of service attack (CVE-2011-3192) was refined and the configuration options used by upstream were added. Introduce new config option: Allow MaxRanges Number of ranges requested, if exceeded, the complete content is served. default: 200 0|unlimited: unlimited none: Range headers are ignored. This option is a backport from 2.2.21. Also fixed were - Denial of service in proxy_ajp when using a undefined method. (CVE-2011-3348) - Exposure of internal servers via reverse proxy methods with mod_proxy enabled and incorrect Rewrite or Proxy Rules. This update also includes a newer apache2-vhost-ssl.template, which disables SSLv2, and allows SSLv3 and strong ciphers only. Please note that existing vhosts will not be converted. (CVE-2011-3368)
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 57089
- published: 2011-12-13
- reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/57089
- title: SuSE 11.1 Security Update : Apache2 (SAT Patch Number 5344)

- NASL family: Slackware Local Security Checks
- NASL id: SLACKWARE_SSA_2011-284-01.NASL
- description: New httpd packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current to fix security issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 56513
- published: 2011-10-17
- reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/56513
- title: Slackware 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / current : httpd (SSA:2011-284-01)

- NASL family: Web Servers
- NASL id: ORACLE_HTTP_SERVER_CPU_JUL_2013.NASL
- description: According to its banner, the version of Oracle HTTP Server installed on the remote host is potentially affected by multiple vulnerabilities. Note that Nessus did not verify if patches or workarounds have been applied.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 69301
- published: 2013-08-11
- reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/69301
- title: Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_11_3_APACHE2-111026.NASL
- description: This update fixes several security issues in the Apache webserver. The patch for the ByteRange remote denial of service attack (CVE-2011-3192) was refined and the configuration options used by upstream were added. Introduce new config option: Allow MaxRanges Number of ranges requested, if exceeded, the complete content is served. default: 200 0|unlimited: unlimited none: Range headers are ignored. This option is a backport from 2.2.21. Also fixed: CVE-2011-3348: Denial of service in proxy_ajp when using a undefined method. CVE-2011-3368: Exposure of internal servers via reverse proxy methods with mod_proxy enabled and incorrect Rewrite or Proxy Rules.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 75426
- published: 2014-06-13
- reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/75426
- title: openSUSE Security Update : apache2 (openSUSE-SU-2011:1217-1)

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2011-12715.NASL
- description: This update includes the latest stable release of the Apache HTTP Server, version 2.2.21. Two security issues have been fixed : mod_proxy_ajp when combined with mod_proxy_balancer: Prevents unrecognized HTTP methods from marking ajp: balancer members in an error state, avoiding denial of service. (CVE-2011-3348) Fixes to the handling of byte-range requests to use less memory, to avoid denial of service. (CVE-2011-3192) A number of bugs have been fixed as well. See : http://www.apache.org/dist/httpd/CHANGES_2.2.21 http://www.apache.org/dist/httpd/CHANGES_2.2.20 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 56217
- published: 2011-09-16
- reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/56217
- title: Fedora 15 : httpd-2.2.21-1.fc15 (2011-12715)
Oval
accepted 2015-04-20T04:00:43.806-04:00
class vulnerability
contributors
- name Yamini Mohan R organization Hewlett-Packard
- name Sushant Kumar Singh organization Hewlett-Packard
- name Prashant Kumar organization Hewlett-Packard
- name Mike Cokus organization The MITRE Corporation
description The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary "error state" in the backend server) via a malformed HTTP request.
family unix
id oval:org.mitre.oval:def:14941
status accepted
submitted 2012-01-30T13:51:11.000-05:00
title HP-UX Apache Web Server, Remote Denial of Service (DoS)
version 48

accepted 2015-05-04T04:00:09.100-04:00
class vulnerability
contributors
- name Sergey Artykhov organization ALTX-SOFT
- name Maria Mikhno organization ALTX-SOFT
definition_extensions
- comment VisualSVN Server is installed oval oval:org.mitre.oval:def:18636
description The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary "error state" in the backend server) via a malformed HTTP request.
family windows
id oval:org.mitre.oval:def:18154
status accepted
submitted 2013-10-02T13:00:00
title Apache HTTP vulnerability before 2.2.21 in VisualSVN Server (CVE-2011-3348)
version 9
Seebug
bulletinFamily | exploit |
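description | CVE(CAN) ID: CVE-2011-3348 Apache HTTP Server is an open-source web server from the Apache Software Foundation that runs on most computer operating systems. Because it is cross-platform and secure, it is widely used and is one of the most popular web server software packages. The mod_proxy_balancer implementation in Apache HTTP Server contains a security vulnerability that a malicious user can exploit to cause a denial of service. The vulnerability stems from an error in how mod_proxy_ajp handles malformed HTTP requests when it is used together with mod_proxy_balancer. Sending a specially crafted HTTP request can put the backend server into a failed state, and the temporary DoS ends only after the retry timeout expires. Apache Group Apache HTTP Server 2.2.x Vendor patch: Apache Group. The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page: http://httpd.apache.org/ |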
id | SSV:20934 |
last seen | 2017-11-19 |
modified | 2011-09-18 |
published | 2011-09-18 |
reporter | Root |
title | Apache HTTP Server mod_proxy_ajp Denial of Service Vulnerability |
References
- http://www.securityfocus.com/bid/49616
- http://httpd.apache.org/security/vulnerabilities_22.html#2.2.21
- http://www.securitytracker.com/id?1026054
- http://secunia.com/advisories/46013
- http://www.apache.org/dist/httpd/Announcement2.2.html
- http://community.jboss.org/message/625307
- http://www.redhat.com/support/errata/RHSA-2011-1391.html
- http://marc.info/?l=bugtraq&m=131731002122529&w=2
- http://marc.info/?l=bugtraq&m=132033751509019&w=2
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:168
- http://support.apple.com/kb/HT5130
- http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
- http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69804
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18154
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14941
- http://rhn.redhat.com/errata/RHSA-2012-0543.html
- http://rhn.redhat.com/errata/RHSA-2012-0542.html
- https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r688df6f16f141e966a0a47f817e559312b3da27886f59116a94b273d%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re2e23465bbdb17ffe109d21b4f192e6b58221cd7aa8797d530b4cd75%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r1d201e3da31a2c8aa870c8314623caef7debd74a13d0f25205e26f15%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E