CVE-2009-2699 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2009-2699?

CVE-2009-2699 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2009-2699?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Apache Portable Runtime.

Vulnerability Description

The Solaris pollset feature in the Event Port backend in poll/unix/port.c in the Apache Portable Runtime (APR) library before 1.3.9, as used in the Apache HTTP Server before 2.2.14 and other products, does not properly handle errors, which allows remote attackers to cause a denial of service (daemon hang) via unspecified HTTP requests, related to the prefork and event MPMs.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Http Server	>= 2.2.0, < 2.2.14
Apache	Portable Runtime	< 1.3.9

Related Weaknesses (CWE)

CWE-667

References

http://marc.info/?l=bugtraq&m=133355494609819&w=2Issue TrackingMailing ListThird Party Advisory
http://securitytracker.com/id?1022988Broken LinkThird Party AdvisoryVDB Entry
http://www.apache.org/dist/httpd/CHANGES_2.2.14Broken LinkVendor Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150Broken Link
http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.htmlThird Party Advisory
http://www.securityfocus.com/bid/36596PatchThird Party AdvisoryVDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/53666Third Party AdvisoryVDB Entry
https://issues.apache.org/bugzilla/show_bug.cgi?id=47645Issue TrackingVendor Advisory
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772Mailing ListPatch
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f74Mailing ListPatch
https://lists.apache.org/thread.html/r2295080a257bad27ea68ca0af12fc715577f9e8480Mailing ListPatch
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d65Mailing ListPatch
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6ebMailing ListPatch
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7Mailing ListPatch
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f8Mailing ListPatch

FAQ

What is CVE-2009-2699?

CVE-2009-2699 is a vulnerability with a CVSS score of 7.5 (HIGH). The Solaris pollset feature in the Event Port backend in poll/unix/port.c in the Apache Portable Runtime (APR) library before 1.3.9, as used in the Apache HTTP Server before 2.2.14 and other products,...

How severe is CVE-2009-2699?

CVE-2009-2699 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2009-2699?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Apache Portable Runtime.