National Vulnerability Database (NVD)National Vulnerability Database (CVE-2008-2364)

Mission and Overview

NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).

Resource Status

NVD contains:

CVE Vulnerabilities: 35172
Checklists: 142
US-CERT Alerts: 165
US-CERT Vuln Notes: 2303
OVAL Queries: 2097
CPE Names: 16728

Last updated: Tue Feb 10 20:54:58 EST 2009

CVE Publication rate: 21.27

Email List

NVD provides four mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists

Workload Index

Vulnerability Workload Index: 12.01

About Us

NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).

NIST Security Configuration Checklists - CSD

CVE

CCE - Common Configuration Enumeration

CVSS

XCCDF - security benchmark automation

OVAL

National Cyber-Alert System

Vulnerability Summary for CVE-2008-2364

Original release date:06/13/2008

Last revised:02/10/2009

Source: US-CERT/NIST

Static Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2364

Overview

The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type:Allows disruption of serviceUnknown

Vendor Statments (disclaimer)

Official Statement from Apache (07/02/2008): Fixed in Apache HTTP Server 2.2.9. http://httpd.apache.org/security/vulnerabilities_22.html
Official Statement from Red Hat (06/26/2008): Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-2364 The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: BID

Name: 29653

Type: Patch Information

Hyperlink:http://www.securityfocus.com/bid/29653

External Source: FRSIRT

Name: ADV-2008-1798

Type: Advisory; Patch Information

Hyperlink:http://www.frsirt.com/english/advisories/2008/1798

External Source: FEDORA

Name: FEDORA-2008-6314

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00153.html

External Source: FEDORA

Name: FEDORA-2008-6393

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00055.html

External Source: XF

Name: apache-modproxy-module-dos(42987)

Hyperlink:http://xforce.iss.net/xforce/xfdb/42987

External Source: SECTRACK

Name: 1020267

Hyperlink:http://www.securitytracker.com/id?1020267

External Source: BID

Name: 31681

Hyperlink:http://www.securityfocus.com/bid/31681

External Source: BUGTRAQ

Name: 20080729 rPSA-2008-0236-1 httpd mod_ssl

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/494858/100/0/threaded

External Source: REDHAT

Name: RHSA-2008:0966

Hyperlink:http://www.redhat.com/support/errata/RHSA-2008-0966.html

External Source: MANDRIVA

Name: MDVSA-2008:237

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2008:237

External Source: MANDRIVA

Name: MDVSA-2008:195

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2008:195

External Source: FRSIRT

Name: ADV-2008-2780

Hyperlink:http://www.frsirt.com/english/advisories/2008/2780

External Source: AIXAPAR

Name: PK67579

Hyperlink:http://www-1.ibm.com/support/docview.wss?uid=swg1PK67579

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=swg27008517

Hyperlink:http://www-01.ibm.com/support/docview.wss?uid=swg27008517

External Source: CONFIRM

Name: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=666154&r2=666153&pathrev=666154

Hyperlink:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=666154&r2=666153&pathrev=666154

External Source: CONFIRM

Name: http://support.apple.com/kb/HT3216

Hyperlink:http://support.apple.com/kb/HT3216

External Source: SUNALERT

Name: 247666

Hyperlink:http://sunsolve.sun.com/search/document.do?assetkey=1-26-247666-1

External Source: GENTOO

Name: GLSA-200807-06

Hyperlink:http://security.gentoo.org/glsa/glsa-200807-06.xml

External Source: SECUNIA

Name: 33797

Hyperlink:http://secunia.com/advisories/33797

External Source: SECUNIA

Name: 33156

Hyperlink:http://secunia.com/advisories/33156

External Source: SECUNIA

Name: 32685

Hyperlink:http://secunia.com/advisories/32685

External Source: SECUNIA

Name: 32222

Hyperlink:http://secunia.com/advisories/32222

External Source: SECUNIA

Name: 31904

Hyperlink:http://secunia.com/advisories/31904

External Source: SECUNIA

Name: 31651

Hyperlink:http://secunia.com/advisories/31651

External Source: SECUNIA

Name: 31416

Hyperlink:http://secunia.com/advisories/31416

External Source: SECUNIA

Name: 31404

Hyperlink:http://secunia.com/advisories/31404

External Source: SECUNIA

Name: 31026

Hyperlink:http://secunia.com/advisories/31026

External Source: SECUNIA

Name: 30621

Type: Advisory

Hyperlink:http://secunia.com/advisories/30621

External Source: REDHAT

Name: RHSA-2008:0967

Hyperlink:http://rhn.redhat.com/errata/RHSA-2008-0967.html

External Source: HP

Name: SSRT090005

Hyperlink:http://marc.info/?l=bugtraq&m=123376588623823&w=2

External Source: HP

Name: SSRT090005

Hyperlink:http://marc.info/?l=bugtraq&m=123376588623823&w=2

External Source: APPLE

Name: APPLE-SA-2008-10-09

Hyperlink:http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html

External Source: HP

Name: SSRT080118

Hyperlink:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01539432

External Source: HP

Name: SSRT080118

Hyperlink:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01539432

Vulnerable software and versions

Configuration 1

OR

* cpe:/a:apache_software_foundation:apache_http_server:2.0.63

* cpe:/a:apache_software_foundation:apache_http_server:2.2.8

* Denotes Vulnerable Software

* Changes related to vulnerability configurations

Technical Details

Vulnerability Type (View All)

Resource Management Errors (CWE-399)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364