{
  "threat_severity" : "Moderate",
  "public_date" : "2014-07-17T00:00:00Z",
  "bugzilla" : {
    "description" : "httpd: mod_proxy denial of service",
    "id" : "1120599",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1120599"
  },
  "cvss" : {
    "cvss_base_score" : "5.0",
    "cvss_scoring_vector" : "AV:N/AC:L/Au:N/C:N/I:N/A:P",
    "status" : "verified"
  },
  "details" : [ "The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header.", "A denial of service flaw was found in the mod_proxy httpd module. A remote attacker could send a specially crafted request to a server configured as a reverse proxy using a threaded Multi-Processing Module (MPM) that would cause the httpd child process to crash." ],
  "statement" : "This issue did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 5 and 6, Red Hat JBoss Web Server, and Red Hat JBoss Enterprise Application Platform. These products include httpd 2.2, and only httpd versions 2.4.6 through 2.4.9 include the vulnerable code.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2014-07-23T00:00:00Z",
    "advisory" : "RHSA-2014:0921",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "httpd-0:2.4.6-18.el7_0"
  }, {
    "product_name" : "Red Hat Software Collections 1 for Red Hat Enterprise Linux 6",
    "release_date" : "2014-07-23T00:00:00Z",
    "advisory" : "RHSA-2014:0922",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:1::el6",
    "package" : "httpd24-httpd-0:2.4.6-18.el6"
  }, {
    "product_name" : "Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS",
    "release_date" : "2014-07-23T00:00:00Z",
    "advisory" : "RHSA-2014:0922",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:1::el6",
    "package" : "httpd24-httpd-0:2.4.6-18.el6"
  }, {
    "product_name" : "Red Hat Software Collections 1 for Red Hat Enterprise Linux 7",
    "release_date" : "2014-07-23T00:00:00Z",
    "advisory" : "RHSA-2014:0922",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:1::el7",
    "package" : "httpd24-httpd-0:2.4.6-21.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Directory Server 8",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:directory_server:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 1",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-0117\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-0117\nhttp://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2014-0117",
  "csaw" : false
}