CVE-2014-0118 — MEDIUM (4.3)

Q: How severe is CVE-2014-0118?

CVE-2014-0118 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-0118?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Debian Debian Linux, Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux.

Vulnerability Description

The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size.

CVSS Score

4.3

MEDIUM

AV:N/AC:M/Au:N/C:N/I:N/A:P

Confidentiality

NONE

Integrity

NONE

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Apache	Http Server	>= 2.2.0, < 2.2.29
Debian	Debian Linux	7.0
Redhat	Jboss Enterprise Application Platform	6.0.0
Redhat	Enterprise Linux	5.0

Related Weaknesses (CWE)

CWE-400

References

http://advisories.mageia.org/MGASA-2014-0304.htmlThird Party Advisory
http://advisories.mageia.org/MGASA-2014-0305.htmlThird Party Advisory
http://httpd.apache.org/security/vulnerabilities_24.htmlPatchVendor Advisory
http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.htmlBroken LinkMailing List
http://marc.info/?l=bugtraq&m=143403519711434&w=2Issue TrackingMailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=143748090628601&w=2Issue TrackingMailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=144050155601375&w=2Issue TrackingMailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=144493176821532&w=2Issue TrackingMailing ListThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1019.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1020.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1021.htmlBroken Link
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGESVendor Advisory
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_deflate.cVendor Advisory
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_deflate.c?r1=PatchVendor Advisory
http://www.debian.org/security/2014/dsa-2989Third Party Advisory

FAQ

What is CVE-2014-0118?

CVE-2014-0118 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial...

How severe is CVE-2014-0118?

CVE-2014-0118 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-0118?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Debian Debian Linux, Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux.