6.8

CVE-2014-0226

Exploit
Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheHTTP Server Version >= 2.2.0 < 2.2.29
ApacheHTTP Server Version >= 2.4.1 < 2.4.10
DebianDebian Linux Version7.0
DebianDebian Linux Version8.0
RedhatJboss Enterprise Application Platform Version6.0.0
   RedhatEnterprise Linux Version5.0
   RedhatEnterprise Linux Version6.0
RedhatJboss Enterprise Application Platform Version6.4.0
   RedhatEnterprise Linux Version5.0
   RedhatEnterprise Linux Version6.0
OracleHTTP Server Version10.1.3.5.0
OracleHTTP Server Version11.1.1.7.0
OracleHTTP Server Version12.1.2.0
OracleHTTP Server Version12.1.3.0
OracleSecure Global Desktop Version4.63
OracleSecure Global Desktop Version4.71
OracleSecure Global Desktop Version5.0
OracleSecure Global Desktop Version5.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 85.74% 0.997
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
Third Party Advisory
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
http://httpd.apache.org/security/vulnerabilities_24.html
Patch
Vendor Advisory
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9821b0a32a1d0a1b4947abb6f3630053fcbb2ec905d9a32c2bd4d4ee%40%3Ccvs.httpd.apache.org%3E
http://marc.info/?l=bugtraq&m=144050155601375&w=2
Third Party Advisory
Mailing List
Issue Tracking
http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
Broken Link
Mailing List
https://support.apple.com/HT204659
Third Party Advisory
http://secunia.com/advisories/60536
Not Applicable
http://security.gentoo.org/glsa/glsa-201408-12.xml
Third Party Advisory
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGES
Vendor Advisory
https://lists.apache.org/thread.html/r83109088737656fa6307bd99ab40f8ff0269ae58d3f7272d7048494a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
http://marc.info/?l=bugtraq&m=143403519711434&w=2
Third Party Advisory
Mailing List
Issue Tracking
http://marc.info/?l=bugtraq&m=144493176821532&w=2
Third Party Advisory
Mailing List
Issue Tracking
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04832246
Third Party Advisory
https://security.gentoo.org/glsa/201504-03
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1019.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1020.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1021.html
Broken Link
http://advisories.mageia.org/MGASA-2014-0305.html
Third Party Advisory
http://advisories.mageia.org/MGASA-2014-0304.html
Third Party Advisory
http://marc.info/?l=bugtraq&m=143748090628601&w=2
Third Party Advisory
Mailing List
Issue Tracking
http://www.debian.org/security/2014/dsa-2989
Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2014:142
Broken Link
http://seclists.org/fulldisclosure/2014/Jul/114
Third Party Advisory
Exploit
Mailing List
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c
Vendor Advisory
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c?r1=1450998&r2=1610491&diff_format=h
Patch
Vendor Advisory
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/lua/lua_request.c
Vendor Advisory
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/lua/lua_request.c?r1=1588989&r2=1610491&diff_format=h
Patch
Vendor Advisory
http://www.exploit-db.com/exploits/34133
Third Party Advisory
VDB Entry
http://www.osvdb.org/109216
Broken Link
http://www.securityfocus.com/bid/68678
Third Party Advisory
VDB Entry
http://zerodayinitiative.com/advisories/ZDI-14-236/
Third Party Advisory
VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1120603
Third Party Advisory
Issue Tracking
https://puppet.com/security/cve/cve-2014-0226
Third Party Advisory
https://www.povonsec.com/apache-2-4-7-exploit/
Broken Link