| VID | 22266 |
| Severity | 20 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description |
According to its banner, the Apache web server is vulnerable to a blocking denial-of-service vulnerability. Apache HTTP Server, maintained by the Apache Software Foundation, is an extremely popular open-source web server. When multiple listening sockets are in use, versions of Apache HTTP Server prior to 2.0.49 handle short-lived connections improperly on some platforms, which causes a denial of service in which new connections are blocked. By connecting for a short period of time to a listening socket that is rarely accessed, a remote attacker could cause the server to deny new connection requests until another connection is established on that socket.
* Note: This check relies solely on the version number reported by the remote Apache server to assess this vulnerability, so the finding might be a false positive.
* References:
  * http://marc.theaimsgroup.com/?l=bugtraq&m=107973894328806&w=2
  * http://www.kb.cert.org/vuls/id/132110
  * http://packetstormsecurity.nl/0403-advisories/apache2049.txt
* Platforms Affected:
  * Apache HTTP Server version 1.x prior to 1.3.31
  * Apache HTTP Server version 2.x prior to 2.0.49
  * Windows: any version
  * UNIX/Linux: any version |
| Recommendation |
Upgrade to the latest version of Apache HTTP Server (2.0.49 or later, 1.3.31 or later), available from the Apache Software Foundation download site at http://httpd.apache.org/download.cgi
For other distributions, contact your vendor for upgrade or patch information, or see the "Solution" menu of the SecurityFocus Vulnerabilities Bulletin at http://www.securityfocus.com/bid/9921/solution/ |
| Related URL | CVE-2004-0174 (CVE) |
| Related URL | 9921 (SecurityFocus) |
| Related URL | 15540 (ISS) |
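Because this finding rests on the banner alone, the sketch below triages a `Server` header against the fixed releases listed under "Platforms Affected" and reports when the banner is too thin to decide. It is an added example, not the scanner's own check; the function name, the vendor-tag list and the sample banners are assumptions made for illustration.

```python
import re

# Fixed release per major branch, from the "Platforms Affected" field of this record.
FIXED = {1: (1, 3, 31), 2: (2, 0, 49)}

# Matches httpd's Server token with a full, partial or absent version,
# but not other products whose names merely start with "Apache".
BANNER_RE = re.compile(r"^Apache(?:/(\d+)(?:\.(\d+))?(?:\.(\d+))?\S*)?(?=\s|$)")
# Assumed vendor tags: such builds may carry the fix under an old upstream version.
VENDOR_RE = re.compile(r"\((Debian|Ubuntu|Red Hat|CentOS|SuSE|Fedora)[^)]*\)", re.I)


def assess_banner(server_header):
    """Return (status, note) for a Server header value.

    status: 'not-apache', 'unknown', 'not-affected' or 'possibly-affected'.
    """
    header = (server_header or "").strip()
    m = BANNER_RE.match(header)
    if m is None:
        return "not-apache", "banner does not identify Apache HTTP Server"
    if m.group(3) is None:
        # ServerTokens Prod/Major/Minor hide part of the version.
        return "unknown", "banner carries no full version; verify on the host"
    version = tuple(int(g) for g in m.groups())
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unknown", "major version not covered by this record"
    if version >= fixed:
        return "not-affected", "at or above fixed release %d.%d.%d" % fixed
    note = "below fixed release %d.%d.%d (banner evidence only)" % fixed
    if VENDOR_RE.search(header):
        note += "; vendor build, fix may be backported"
    return "possibly-affected", note


# Constructed sample banners, not taken from any real host.
SAMPLES = [
    "Apache/2.0.48 (Unix) mod_ssl/2.0.48",
    "Apache/1.3.29 (Debian GNU/Linux)",
    "Apache/2.0.49",
    "Apache",
    "Apache-Coyote/1.1",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print("%-40s %s: %s" % ((banner,) + assess_banner(banner)))
```

A `possibly-affected` or `unknown` result should be confirmed against the installed package version on the host before the finding is closed or escalated.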