Vulnerability Description
The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | HTTP Server | 2.4.1 |
| Canonical | Ubuntu Linux | 10.04 |
| Red Hat | Enterprise Linux Desktop | 7.0 |
| Red Hat | Enterprise Linux EUS | 7.3 |
| Red Hat | Enterprise Linux Server | 7.0 |
| Red Hat | Enterprise Linux Server AUS | 7.3 |
| Red Hat | Enterprise Linux Server TUS | 7.3 |
| Oracle | Enterprise Manager Ops Center | < 12.1.4 |
| Oracle | Linux | 6 |
Related Weaknesses (CWE)
References
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html (Broken Link, Mailing List)
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html (Broken Link, Mailing List)
- http://rhn.redhat.com/errata/RHSA-2015-0325.html (Third Party Advisory)
- http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup&path (Release Notes, Vendor Advisory)
- http://svn.apache.org/viewvc?view=revision&revision=1624234 (Patch, Vendor Advisory)
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html (Third Party Advisory)
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.h (Third Party Advisory)
- http://www.securityfocus.com/bid/71656 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1031005 (Broken Link, Third Party Advisory, VDB Entry)
- http://www.ubuntu.com/usn/USN-2523-1 (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1149709 (Issue Tracking, Patch, Third Party Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/97027 (Third Party Advisory, VDB Entry)
- https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cd
- https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e10
- https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76f
FAQ
What is CVE-2014-3581?
CVE-2014-3581 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer de...
How severe is CVE-2014-3581?
CVE-2014-3581 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2014-3581?
Check the references section above for vendor advisories and patch information. Affected products include: Apache HTTP Server, Canonical Ubuntu Linux, Red Hat Enterprise Linux Desktop, Red Hat Enterprise Linux EUS, Red Hat Enterprise Linux Server.