CVE-2009-1890 — HIGH (7.1) — White Hats Nepal

Q: How severe is CVE-2009-1890?

CVE-2009-1890 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2009-1890?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Fedoraproject Fedora, Debian Debian Linux, Canonical Ubuntu Linux, Redhat Enterprise Linux Desktop.

Vulnerability Description

The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests.

CVSS Score

7.1

HIGH

AV:N/AC:M/Au:N/C:N/I:N/A:C

Confidentiality

NONE

Integrity

NONE

Availability

COMPLETE

Affected Products

Vendor	Product	Versions
Apache	Http Server	>= 2.2.0, < 2.2.12
Fedoraproject	Fedora	11
Debian	Debian Linux	4.0
Canonical	Ubuntu Linux	6.06
Redhat	Enterprise Linux Desktop	5.0
Redhat	Enterprise Linux Eus	5.3
Redhat	Enterprise Linux Server	5.0
Redhat	Enterprise Linux Server Aus	5.3
Redhat	Enterprise Linux Workstation	5.0

Related Weaknesses (CWE)

CWE-400

References

http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.htmlBroken LinkMailing List
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.htmlMailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=129190899612998&w=2Issue TrackingMailing ListThird Party Advisory
http://osvdb.org/55553Broken Link
http://secunia.com/advisories/35691Not ApplicableVendor Advisory
http://secunia.com/advisories/35721Not Applicable
http://secunia.com/advisories/35793Not Applicable
http://secunia.com/advisories/35865Not Applicable
http://secunia.com/advisories/37152Not ApplicableVendor Advisory
http://secunia.com/advisories/37221Not ApplicableVendor Advisory
http://security.gentoo.org/glsa/glsa-200907-04.xmlThird Party Advisory
http://support.apple.com/kb/HT3937Broken Link
http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=790587&r2=790586&pathrPatchVendor Advisory
http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?revision=790587Vendor Advisory
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1PatchVendor Advisory

FAQ

What is CVE-2009-1890?

CVE-2009-1890 is a vulnerability with a CVSS score of 7.1 (HIGH). The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed da...

How severe is CVE-2009-1890?

CVE-2009-1890 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2009-1890?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Fedoraproject Fedora, Debian Debian Linux, Canonical Ubuntu Linux, Redhat Enterprise Linux Desktop.