Apache Mod_SSL HTTP Request Remote Denial Of Service Vulnerability

BID:9826

Info

Bugtraq ID: 9826
Class: Design Error
CVE: CVE-2004-0113
Remote: Yes
Local: No
Published: Mar 09 2004 12:00AM
Updated: Jul 12 2009 03:06AM
Credit: Discovery of this vulnerability has been credited to Mick Wall.
Vulnerable: Turbolinux Turbolinux Desktop 10.0
SGI ProPack 3.0
Redhat mod_ssl-2.0.40-21.i386.rpm
+ Redhat Linux 9.0 i386
Redhat httpd-manual-2.0.40-21.i386.rpm
+ Redhat Linux 9.0 i386
Redhat httpd-devel-2.0.40-21.i386.rpm
+ Redhat Linux 9.0 i386
Redhat httpd-2.0.40-21.i386.rpm
+ Redhat Linux 9.0 i386
HP HP-UX 11.23
HP HP-UX 11.22
HP HP-UX 11.11
HP HP-UX 11.0
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.2.8
Apple Mac OS X 10.3.3
Apple Mac OS X 10.2.8
Apache Apache 2.0.48
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ S.u.S.E. Linux Personal 8.2
+ SuSE Linux 8.1
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Apache Apache 2.0.47
+ Apple Mac OS X Server 10.3.5
+ Apple Mac OS X Server 10.3.4
+ Apple Mac OS X Server 10.3.3
+ Apple Mac OS X Server 10.3.2
+ Apple Mac OS X Server 10.3.1
+ Apple Mac OS X Server 10.3
+ Apple Mac OS X Server 10.2.8
+ Apple Mac OS X Server 10.2.7
+ Apple Mac OS X Server 10.2.6
+ Apple Mac OS X Server 10.2.5
+ Apple Mac OS X Server 10.2.4
+ Apple Mac OS X Server 10.2.3
+ Apple Mac OS X Server 10.2.2
+ Apple Mac OS X Server 10.2.1
+ Apple Mac OS X Server 10.2
+ Apple Mac OS X Server 10.1.5
+ Apple Mac OS X Server 10.1.4
+ Apple Mac OS X Server 10.1.3
+ Apple Mac OS X Server 10.1.2
+ Apple Mac OS X Server 10.1.1
+ Apple Mac OS X Server 10.1
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
Apache Apache 2.0.46
+ Redhat Desktop 3.0
+ Redhat Enterprise Linux AS 3
+ Redhat Enterprise Linux ES 3
+ Redhat Enterprise Linux WS 3
+ Trustix Secure Linux 2.0
Apache Apache 2.0.45
- Apple Mac OS X 10.2.6
- Apple Mac OS X 10.2.5
- Apple Mac OS X 10.2.4
- Apple Mac OS X 10.2.3
- Apple Mac OS X 10.2.2
- Apple Mac OS X 10.2.1
- Apple Mac OS X 10.2
- Apple Mac OS X 10.1.5
- Apple Mac OS X 10.1.4
- Apple Mac OS X 10.1.3
- Apple Mac OS X 10.1.2
- Apple Mac OS X 10.1.1
- Apple Mac OS X 10.1
- Apple Mac OS X 10.1
- Apple Mac OS X 10.0.4
- Apple Mac OS X 10.0.3
- Apple Mac OS X 10.0.2
- Apple Mac OS X 10.0.1
- Apple Mac OS X 10.0
Apache Apache 2.0.44
Apache Apache 2.0.43
Apache Apache 2.0.42
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.2
Apache Apache 2.0.41
Apache Apache 2.0.40
+ Redhat Linux 9.0 i386
+ Redhat Linux 8.0
+ Terra Soft Solutions Yellow Dog Linux 3.0
Apache Apache 2.0.39
Apache Apache 2.0.38
Apache Apache 2.0.37
Apache Apache 2.0.36
Apache Apache 2.0.35
Not Vulnerable: Apache Apache 2.0.49
+ S.u.S.E. Linux Personal 9.1
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0

Discussion

mod_ssl has been reported to be prone to a remote denial of service vulnerability. The issue is reported to result from a memory leak that presents itself when standard HTTP requests are handled on the SSL port of an affected Apache server.

Exploit / POC

There is no exploit required.

Solution / Fix

Solution:
The vendor has addressed this issue; the fix is available through CVS at the following location:
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.117&r2=1.118

This issue is also addressed in Apache 2.0.49.

Red Hat has released an advisory (RHSA-2004:182-01) and fixes to address this issue in Red Hat Linux 9. Red Hat Linux users are advised to see the referenced advisory for further details regarding obtaining and applying appropriate fixes.

Turbolinux has released a security advisory (TLSA-2004-11) and updates to address this issue in Turbolinux products. Users are advised to apply these updates as soon as possible; further details on obtaining and installing them can be found in the referenced advisory.

Gentoo has released advisory GLSA200403-04 to address this issue. Gentoo updates may be applied with the following commands:
emerge sync
emerge -pv ">=net-www/apache-2.0.49"
emerge ">=net-www/apache-2.0.49"

Additional details are included in the Gentoo advisory for users who are migrating from 2.0.48-r1 or earlier releases.

Netwosix Linux has released an advisory dealing with this issue. Please see the reference section for more details.

Trustix has released an advisory that includes updates for this issue.

Conectiva Linux has released an advisory CLSA-2004:839 with fixes to address this issue. Please see the referenced advisory for more information.

SUSE has released an advisory SuSE-SA:2004:009 to address this and other issues. Please see the advisory for more information.

HP has released security bulletin HPSBUX01022 dealing with this issue as well as fixes for their HP-UX architecture. Please see the referenced advisory for more information and details on obtaining fixes.

Apple has released security advisory APPLE-SA-2004-05-03 dealing with this and other issues. Please see the referenced advisory for more information.

Mandrakelinux has released an advisory MDKSA-2004:043 to address this issue. Please see the referenced advisory for more information.

Red Hat has released an advisory FEDORA-2004-117 to address this issue in Fedora Core 1. Please see the referenced advisory for more information.

HP has released advisory HPSBTU01049 - SSRT4717 dealing with this and other issues. Please see the referenced advisory for more information.

SGI has released an advisory (20040506-01-U) with Patch 10075 for SGI ProPack 3 to address this and other issues. Please see the referenced advisory for more information.


References
