Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 382971 (CVE-2011-3348)

Summary: <www-servers/apache-2.2.21 mod_proxy_ajp DoS (CVE-2011-3348)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: apache-bugs, gentoo, jaak, kacarstensen, karl, mno2go, naota, pva
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/46013/
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2011-09-14 16:12:01 UTC 
From secunia security advisor at $URL:

The vulnerability is caused due to an error within the processing of malformed HTTP requests in mod_proxy_ajp when being used in combination with mod_proxy_balancer. This can be exploited to put a backend server into an error state by sending specially crafted HTTP requests, resulting in a temporary DoS until the retry timeout expires.

The vulnerability is reported in versions 2.2.20.

Solution
Update to version 2.2.21.
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2011-09-15 10:41:14 UTC 
New version is in tree. Arch teams, please, test and stabilize.
Comment 2 Tomáš "tpruzina" Pružina (amd64 [ex]AT) 2011-09-15 13:00:51 UTC 
amd64: emerges fine, basic usage ok.

I wasn't able to check whether fix works or not, I used mod with tomcat and when I ran pyloris against it, apache stalled - slowloris attack was succesfull.
Maybe I've misconfigured something though, I am not familiar with apache.

note: app-admin/apache-tools-2.2.21 needs stabilisation as well.
Comment 3 Agostino Sarubbo gentoo-dev 2011-09-15 13:49:54 UTC 
ok on my box / runs on hardened server also amd64

amd64 ok
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2011-09-15 17:30:25 UTC 
amd64:

all emerges ok
Comment 5 Jeff (JD) Horelick (RETIRED) gentoo-dev 2011-09-15 21:21:45 UTC 
Archtested on x86: Emerges fine, tested some rdeps and started it with a very basic config. I'm no apache expert so this is as far as i go. Everything ok.
Comment 6 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-09-16 02:28:53 UTC 
amd64: pass
Comment 7 Andreas Schürch gentoo-dev 2011-09-16 11:54:11 UTC 
x86 stable, thanks JD.
Comment 8 Tony Vroon (RETIRED) gentoo-dev 2011-09-16 11:59:42 UTC 
+  16 Sep 2011; Tony Vroon <chainsaw@gentoo.org> apache-tools-2.2.21.ebuild:
+  Marked stable as a dependency of www-servers/apache-2.2.21 based on arch
+  testing by Tomáš "Mepho" Pružina, Agostino "ago" Sarubbo, Ian "idella4"
+  Delaney & Elijah "Armageddon" El Lazkani in bug #382971.

+  16 Sep 2011; Tony Vroon <chainsaw@gentoo.org> apache-2.2.21.ebuild:
+  Marked stable on AMD64 based on arch testing by Tomáš "Mepho" Pružina,
+  Agostino "ago" Sarubbo, Ian "idella4" Delaney & Elijah "Armageddon" El
+  Lazkani in bug #382971.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2011-09-16 14:52:11 UTC 
Standards are slipping again.

Arch teams, please test and mark stable:
=www-servers/apache-2.2.21
=app-admin/apache-tools-2.2.21
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2011-09-16 15:48:56 UTC 
Stable for HPPA.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2011-09-17 11:32:00 UTC 
alpha/arm/ia64/s390/sh/sparc
Comment 12 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-27 18:24:46 UTC 
ppc/ppc64 stable, last arch done
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-09-27 18:58:15 UTC 
Thans, everyone. Added to existing GLSA request.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:49:27 UTC 
CVE-2011-3348 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3348):
  The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used
  with mod_proxy_balancer in certain configurations, allows remote attackers
  to cause a denial of service (temporary "error state" in the backend server)
  via a malformed HTTP request.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:29:02 UTC 
This issue was resolved and addressed in
 GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml
by GLSA coordinator Tobias Heinlein (keytoaster).