Vulnerability Bulletins |
Denial of Service in the Apache mod_dav module |
|
Vulnerability classification |
|
Property | Value |
Confidence level | Official |
Impact | Denial of Service |
Difficulty | Expert |
Required attacker level | Remote access without an account to a standard service |
System information |
|
Property | Value |
Affected manufacturer | GNU/Linux |
Affected software | Apache 2.0.x <=2.0.50; IBM® HTTP Server V2.0. |
Description |
|
A vulnerability has been discovered in version 2.0.50 and earlier of the 2.0.x branch of the Apache web server. The vulnerability resides in the mod_dav module and can be exploited when a location has been configured to allow access via WebDAV. Specifically, the flaw lies in the handling of LOCK requests. By sending a specially crafted sequence of LOCK requests, a remote attacker could cause a denial of service when a threaded process model is in use. |
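The three conditions named in the description (a 2.0.x version up to 2.0.50, a location with WebDAV enabled, a threaded process model) can be checked on a host as follows. This is an added example, not part of the original bulletin or of Apache's own tooling; the function names and sample inputs are constructed, and treating every MPM other than prefork as threaded is an assumption.

```python
import re

# Constructed samples (not from the bulletin): 2.0.x-style `httpd -V` output
# and a configuration fragment that enables WebDAV on one location.
SAMPLE_HTTPD_V = '''Server version: Apache/2.0.50
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/worker"
'''
SAMPLE_CONF = '''# Dav On   <- commented out, must not count
<Location /webdav>
    Dav On
</Location>
'''

def affected_version(httpd_v):
    """True if the reported upstream version is 2.0.x with x <= 50."""
    # Vendor packages that backport the fix (e.g. Red Hat's 2.0.46-40.ent)
    # still report an old upstream version: confirm a hit against the package.
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v)
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    return (major, minor) == (2, 0) and patch <= 50

def mpm_name(httpd_v):
    """MPM compiled into the binary, read from the APACHE_MPM_DIR define."""
    m = re.search(r'APACHE_MPM_DIR="server/mpm/(?:experimental/)?(\w+)"', httpd_v)
    return m.group(1) if m else None

def dav_enabled_sections(conf):
    """Config sections in which a `Dav` directive other than `Off` appears."""
    stack, hits = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            del stack[-1:]                      # leave the current section
        elif line.startswith("<"):
            stack.append(line.strip("<>"))      # e.g. "Location /webdav"
        else:
            m = re.match(r"Dav\s+(\S+)", line, re.I)
            if m and m.group(1).lower() != "off":
                hits.append(stack[-1] if stack else "(server scope)")
    return hits

def exposure(httpd_v, conf):
    """Combine the three conditions the bulletin names into one verdict."""
    mpm, sections = mpm_name(httpd_v), dav_enabled_sections(conf)
    threaded = mpm is not None and mpm != "prefork"   # assumption, see lead-in
    exposed = bool(affected_version(httpd_v) and threaded and sections)
    return {"mpm": mpm, "dav_sections": sections, "exposed": exposed}
```

Feed `exposure()` the real output of `httpd -V` and the concatenated configuration files; included files are not followed by this sketch.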
|
Solution |
|
If you wish, apply your distribution's own update mechanisms, or download the software sources and compile them yourself.

Software updates

Apache
  Apache 2.0.51
  http://httpd.apache.org

Red Hat Linux
  Red Hat Desktop (v. 3)
    AMD64: httpd-2.0.46-40.ent.x86_64.rpm httpd-devel-2.0.46-40.ent.x86_64.rpm mod_ssl-2.0.46-40.ent.x86_64.rpm
    SRPMS: httpd-2.0.46-40.ent.src.rpm
    i386: httpd-2.0.46-40.ent.i386.rpm httpd-devel-2.0.46-40.ent.i386.rpm mod_ssl-2.0.46-40.ent.i386.rpm
    https://rhn.redhat.com/
  Red Hat Enterprise Linux AS (v. 3)
    AMD64: httpd-2.0.46-40.ent.x86_64.rpm httpd-devel-2.0.46-40.ent.x86_64.rpm mod_ssl-2.0.46-40.ent.x86_64.rpm
    SRPMS: httpd-2.0.46-40.ent.src.rpm
    i386: httpd-2.0.46-40.ent.i386.rpm httpd-devel-2.0.46-40.ent.i386.rpm mod_ssl-2.0.46-40.ent.i386.rpm
    ia64: httpd-2.0.46-40.ent.ia64.rpm httpd-devel-2.0.46-40.ent.ia64.rpm mod_ssl-2.0.46-40.ent.ia64.rpm
    ppc: httpd-2.0.46-40.ent.ppc.rpm httpd-devel-2.0.46-40.ent.ppc.rpm mod_ssl-2.0.46-40.ent.ppc.rpm
    s390: httpd-2.0.46-40.ent.s390.rpm httpd-devel-2.0.46-40.ent.s390.rpm mod_ssl-2.0.46-40.ent.s390.rpm
    s390x: httpd-2.0.46-40.ent.s390x.rpm httpd-devel-2.0.46-40.ent.s390x.rpm mod_ssl-2.0.46-40.ent.s390x.rpm
    https://rhn.redhat.com/
  Red Hat Enterprise Linux ES (v. 3)
    AMD64: httpd-2.0.46-40.ent.x86_64.rpm httpd-devel-2.0.46-40.ent.x86_64.rpm mod_ssl-2.0.46-40.ent.x86_64.rpm
    SRPMS: httpd-2.0.46-40.ent.src.rpm
    i386: httpd-2.0.46-40.ent.i386.rpm httpd-devel-2.0.46-40.ent.i386.rpm mod_ssl-2.0.46-40.ent.i386.rpm
    ia64: httpd-2.0.46-40.ent.ia64.rpm httpd-devel-2.0.46-40.ent.ia64.rpm mod_ssl-2.0.46-40.ent.ia64.rpm
    https://rhn.redhat.com/
  Red Hat Enterprise Linux WS (v. 3)
    AMD64: httpd-2.0.46-40.ent.x86_64.rpm httpd-devel-2.0.46-40.ent.x86_64.rpm mod_ssl-2.0.46-40.ent.x86_64.rpm
    SRPMS: httpd-2.0.46-40.ent.src.rpm
    i386: httpd-2.0.46-40.ent.i386.rpm httpd-devel-2.0.46-40.ent.i386.rpm mod_ssl-2.0.46-40.ent.i386.rpm
    ia64: httpd-2.0.46-40.ent.ia64.rpm httpd-devel-2.0.46-40.ent.ia64.rpm mod_ssl-2.0.46-40.ent.ia64.rpm
    https://rhn.redhat.com/

Debian Linux
  Debian Linux 3.0
    Source:
      http://security.debian.org/pool/updates/main/liba/libapache-mod-dav/libapache-mod-dav_1.0.3-3.1.dsc
      http://security.debian.org/pool/updates/main/liba/libapache-mod-dav/libapache-mod-dav_1.0.3-3.1.diff.gz
      http://security.debian.org/pool/updates/main/liba/libapache-mod-dav/libapache-mod-dav_1.0.3.orig.tar.gz
    Alpha: http://security.debian.org/pool/updates/main/liba/libapache-mod-dav/libapache-mod-dav_1.0.3-3.1_alpha.deb
    ARM: http://security.debian.org/pool/updates/main/liba/libapache-mod-dav/libapache-mod-dav_1.0.3-3.1_arm.deb
    Intel IA-32: http://security.debian.org/pool/updates/main/liba/libapache-mod-dav/libapache-mod-dav_1.0.3-3.1_i386.deb
    Intel IA-64: http://security.debian.org/pool/updates/main/liba/libapache-mod-dav/libapache-mod-dav_1.0.3-3.1_ia64.deb
    HP Precision: http://security.debian.org/pool/updates/main/liba/libapache-mod-dav/libapache-mod-dav_1.0.3-3.1_hppa.deb
    Motorola 680x0: http://security.debian.org/pool/updates/main/liba/libapache-mod-dav/libapache-mod-dav_1.0.3-3.1_m68k.deb
    Big endian MIPS: http://security.debian.org/pool/updates/main/liba/libapache-mod-dav/libapache-mod-dav_1.0.3-3.1_mips.deb
    Little endian MIPS: http://security.debian.org/pool/updates/main/liba/libapache-mod-dav/libapache-mod-dav_1.0.3-3.1_mipsel.deb
    PowerPC: http://security.debian.org/pool/updates/main/liba/libapache-mod-dav/libapache-mod-dav_1.0.3-3.1_powerpc.deb
    IBM S/390: http://security.debian.org/pool/updates/main/liba/libapache-mod-dav/libapache-mod-dav_1.0.3-3.1_s390.deb
    Sun Sparc: http://security.debian.org/pool/updates/main/liba/libapache-mod-dav/libapache-mod-dav_1.0.3-3.1_sparc.deb

HP
  HP-UX B.11.00
    IPv4 - Install hpuxwsAPACHE A.2.0.52.00
    http://software.hp.com/
  HP-UX B.11.11
    IPv4 - Install hpuxwsAPACHE A.2.0.52.00
    IPv6 - Install hpuxwsAPACHE B.2.0.52.00
    http://software.hp.com/
  HP-UX B.11.22
    IPv4 - Upgrade to HP-UX B.11.23
  HP-UX B.11.23
    IPv6 - Install hpuxwsAPACHE B.2.0.52.00
    http://software.hp.com/

IBM
  APAR PQ94389
  http://www.ibm.com/support/docview.wss?rs=177&&uid=swg24008324 |
|
Standard resources |
|
Property | Value |
CVE | CAN-2004-0809 |
BID | |
Other resources |
|
Overview of security vulnerabilities in Apache httpd 2.0
  http://www.apacheweek.com/features/security-20
Red Hat Security Advisory RHSA-2004:463-09
  https://rhn.redhat.com/errata/RHSA-2004-463.html
Debian Security Advisory DSA 558-1
  http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00162.html
HP SECURITY BULLETIN HPSBUX01090
  http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01090
IBM Flash (Alert) 21190212
  http://www-1.ibm.com/support/docview.wss?uid=swg21190212 |
Version history |
||
Version | Comments | Date |
1.0 | Advisory issued | 2004-09-15 |
1.1 | Apache httpd 2.0.51 released | 2004-09-16 |
1.2 | Advisory issued by Red Hat (RHSA-2004:463-09) | 2004-09-16 |
1.3 | Advisory issued by Debian (DSA 558-1) | 2004-10-06 |
1.4 | Advisory issued by HP (HPSBUX01090) | 2004-10-28 |
1.5 | Advisory issued by IBM (21190212) | 2004-11-22 |