CERTVU:132110Apache HTTP Server vulnerable to DoS race condition in the handling of short-lived connections
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.429 Medium
EPSS
Percentile
97.4%
Overview
A race condition exists in Apache 2 HTTP Server that may cause a denial-of-service condition on some platforms.
Description
Apache HTTP Server versions 2.0.48 and prior contain a race condition in the handling of short-lived connections. According to the Apache anouncement, when using multiple listening sockets, a short-lived connection on a rarely-used socket may cause the child process to hold the accept mutex, blocking new connections from being served until another connection uses the socket.
This vulnerability does not affect Apache 2.x servers running on FreeBSD or Linux.
Impact
A denial-of-service situation may occur due the race condition until another connection is made the the socket.
Solution
This problem is resolved in Apache HTTP Server 2.0.49.
Vendor Information
132110
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Apache Software Foundation __ Affected
Updated: March 24, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see, <http://www.apache.org/dist/httpd/Announcement2.html>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23132110 Feedback>).
Sun Microsystems Inc. __ Affected
Updated: August 25, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see, <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57628>.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23132110 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to Apache Software Foundation for reporting this vulnerability.
This document was written by Jason A Rafail.
Other Information
| CVE IDs: | CVE-2004-0174 |
|---|---|
| Severity Metric: | 3.38 Date Public: |
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.429 Medium
EPSS
Percentile
97.4%