CVE-2014-0226 — MEDIUM (6.8)

Q: How severe is CVE-2014-0226?

CVE-2014-0226 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-0226?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Debian Debian Linux, Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux, Oracle Enterprise Manager Ops Center.

Vulnerability Description

Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.

CVSS Score

6.8

MEDIUM

AV:N/AC:M/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Apache	Http Server	>= 2.2.0, < 2.2.29
Debian	Debian Linux	7.0
Redhat	Jboss Enterprise Application Platform	6.0.0
Redhat	Enterprise Linux	5.0
Oracle	Enterprise Manager Ops Center	11.1.3
Oracle	Http Server	10.1.3.5.0
Oracle	Secure Global Desktop	4.63

Related Weaknesses (CWE)

CWE-362

References

http://advisories.mageia.org/MGASA-2014-0304.htmlThird Party Advisory
http://advisories.mageia.org/MGASA-2014-0305.htmlThird Party Advisory
http://httpd.apache.org/security/vulnerabilities_24.htmlPatchVendor Advisory
http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.htmlBroken LinkMailing List
http://marc.info/?l=bugtraq&m=143403519711434&w=2Issue TrackingMailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=143748090628601&w=2Issue TrackingMailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=144050155601375&w=2Issue TrackingMailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=144493176821532&w=2Issue TrackingMailing ListThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1019.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1020.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1021.htmlBroken Link
http://seclists.org/fulldisclosure/2014/Jul/114ExploitMailing ListThird Party Advisory
http://secunia.com/advisories/60536Not Applicable
http://security.gentoo.org/glsa/glsa-201408-12.xmlThird Party Advisory
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGESVendor Advisory

FAQ

What is CVE-2014-0226?

CVE-2014-0226 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credenti...

How severe is CVE-2014-0226?

CVE-2014-0226 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-0226?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Debian Debian Linux, Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux, Oracle Enterprise Manager Ops Center.