CVE-2014-0118

Summary

CVE	CVE-2014-0118
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2014-07-20 11:12:00 UTC
Updated	2023-11-07 02:18:00 UTC
Description	The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size.

Risk And Classification

Problem Types: CWE-400

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Http Server	All	All	All	All
Application	Apache	Http Server	2.4.1	All	All	All
Application	Apache	Http Server	2.4.2	All	All	All
Application	Apache	Http Server	2.4.3	All	All	All
Application	Apache	Http Server	2.4.4	All	All	All
Application	Apache	Http Server	2.4.6	All	All	All
Application	Apache	Http Server	2.4.7	All	All	All
Application	Apache	Http Server	2.4.8	All	All	All
Application	Apache	Http Server	2.4.1	All	All	All
Application	Apache	Http Server	2.4.2	All	All	All
Application	Apache	Http Server	2.4.3	All	All	All
Application	Apache	Http Server	2.4.4	All	All	All
Application	Apache	Http Server	2.4.6	All	All	All
Application	Apache	Http Server	2.4.7	All	All	All
Application	Apache	Http Server	2.4.8	All	All	All
Application	Apache	Http Server	All	All	All	All
Operating System	Debian	Debian Linux	7.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Redhat	Enterprise Linux	5.0	All	All	All
Operating System	Redhat	Enterprise Linux	6.0	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	6.0.0	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	6.4.0	All	All	All

References

Reference	Source	Link	Tags
Red Hat Customer Portal	REDHAT	rhn.redhat.com
'[security bulletin] HPSBUX03337 SSRT102066 rev.1 - HP-UX Apache Web Server Suite running Apache Web ' - MARC	HP	marc.info
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Mageia Advisory: MGASA-2014-0305 - Updated apache package fixes security vulnerabilities	CONFIRM	advisories.mageia.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGES	CONFIRM	svn.apache.org
[Apache-SVN] Diff of /httpd/httpd/trunk/modules/filters/mod_deflate.c	CONFIRM	svn.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
'[security bulletin] HPSBMU03409 rev.1 - HP Matrix Operating Environment, Multiple Vulnerabilities' - MARC	HP	marc.info
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
CVE-2014-0118 \| Puppet	CONFIRM	puppet.com
Pony Mail!		lists.apache.org
Support / Security / Advisories / / MDVSA-2014:142 \| Mandriva	MANDRIVA	www.mandriva.com
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[Apache-SVN] Log of /httpd/httpd/trunk/modules/filters/mod_deflate.c	CONFIRM	svn.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update - January 2015	CONFIRM	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
APPLE-SA-2015-04-08-2 OS X 10.10.3 and Security Update 2015-004	APPLE	lists.apple.com
Apache: Multiple vulnerabilities (GLSA 201504-03) — Gentoo security	GENTOO	security.gentoo.org
'[security bulletin] HPSBUX03512 SSRT102254 rev.1 - HP-UX Web Server Suite running Apache, Remote Den' - MARC	HP	marc.info
Pony Mail!	MLIST	lists.apache.org
Mageia Advisory: MGASA-2014-0304 - Updated apache package fixes security vulnerabilities	CONFIRM	advisories.mageia.org
Debian -- Security Information -- DSA-2989-1 apache2	DEBIAN	www.debian.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Document Display \| HPE Support Center	CONFIRM	h20564.www2.hpe.com
Red Hat Customer Portal	REDHAT	rhn.redhat.com
Apache HTTP Server CVE-2014-0118 Remote Denial of Service Vulnerability	BID	www.securityfocus.com
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
'[security bulletin] HPSBMU03380 rev.1 - HP System Management Homepage (SMH) on Linux and Windows, Mu' - MARC	HP	marc.info
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Bug 1120601 – CVE-2014-0118 httpd: mod_deflate denial of service	CONFIRM	bugzilla.redhat.com
About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004 - Apple Support	CONFIRM	support.apple.com
Red Hat Customer Portal	REDHAT	rhn.redhat.com
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project	CONFIRM	httpd.apache.org	Patch, Vendor Advisory
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

241029 Red Hat Update for JBoss Enterprise Application Platform 6.3.0 (RHSA-2014:1020)
241030 Red Hat Update for JBoss Enterprise Application Platform 6.3.0 (RHSA-2014:1019)