| CERT-MU Vulnerability Note VN-2010-14
Apache "mod_proxy_http" Timeout Information Disclosure Vulnerability
Original Issue Date: June 18, 2010
Severity Rating: Low
Systems Affected
- Apache version 2.3.5-alpha
- Apache version 2.3.4-alpha
- Apache version 2.2.9 through 2.2.15
Overview
A vulnerability has been reported in Apache, which could be exploited by attackers to disclose sensitive information.
Description
This vulnerability is caused due to "mod_proxy_http" not properly handling certain timeout conditions, which can lead to responses being returned to the wrong users. This issue could be exploited by attackers to disclose sensitive information.
Note: This vulnerability affects configurations using proxy worker pools on Windows, Netware, and OS2 systems only.
Solution
Upgrade to Apache version 2.2.16-dev:
http://httpd.apache.org/download.cgi
Vendor Information
Apache
http://httpd.apache.org/security/vulnerabilities_22.html
References
Apache
http://httpd.apache.org/security/vulnerabilities_22.html
VUPEN
http://www.vupen.com/english/advisories/2010/1436
Secunia
http://secunia.com/advisories/40206
SecurityTracker
http://securitytracker.com/alerts/2010/Jun/1024096.html
SecurityFocus
http://www.securityfocus.com/bid/40827
CVE Name
CVE-2010-2068
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
|
