exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 23 of 23 RSS Feed

CVE-2014-0226

Status Candidate

Overview

Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.

Related Files

HPE Security Bulletin HPSBUX03512 SSRT102254 1
Posted Oct 16, 2015
Authored by Hewlett Packard Enterprise | Site hpe.com

HPE Security Bulletin HPSBUX03512 SSRT102254 1 - Potential security vulnerabilities have been identified with HP-UX Web Server Suite running Apache. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) and other impacts including.. - The TLS vulnerability using US export-grade 512-bit keys in Diffie-Hellman key exchange known as "Logjam" could be exploited remotely to allow unauthorized modification. - The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.

tags | advisory, web, denial of service, vulnerability
systems | hpux
advisories | CVE-2013-5704, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, CVE-2015-2808, CVE-2015-3183, CVE-2015-4000
SHA-256 | 18b317e7f0098c34b8f49719b2e63ed788cd23d93ced85911b489c5da5329541
HP Security Bulletin HPSBMU03409 1
Posted Aug 26, 2015
Authored by HP | Site hp.com

HP Security Bulletin HPSBMU03409 1 - Potential security vulnerabilities have been identified with HP Matrix Operating Environment. The vulnerabilities could be exploited remotely resulting in unauthorized modification, unauthorized access, or unauthorized disclosure of information. Revision 1 of this advisory.

tags | advisory, vulnerability
advisories | CVE-2010-5107, CVE-2013-0248, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, CVE-2014-1692, CVE-2014-3523, CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8142, CVE-2014-8275, CVE-2014-9427, CVE-2014-9652, CVE-2014-9653, CVE-2014-9705, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206, CVE-2015-0207, CVE-2015-0208, CVE-2015-0209, CVE-2015-0231, CVE-2015-0232, CVE-2015-0273, CVE-2015-0285, CVE-2015-0286
SHA-256 | ed1893104d8e7dcdd770c7c2dd6eea29fcb783bd67155f6d99ab3d07423260e5
HP Security Bulletin HPSBMU03380 1
Posted Jul 21, 2015
Authored by HP | Site hp.com

HP Security Bulletin HPSBMU03380 1 - Multiple potential security vulnerabilities have been identified with HP System Management Homepage (SMH) on Linux and Windows. The vulnerabilities could be exploited remotely resulting in Denial of Service (DoS), Cross-site Request Forgery (CSRF), execution of arbitrary code, unauthorized modification, unauthorized access, or disclosure of information. Revision 1 of this advisory.

tags | advisory, denial of service, arbitrary, vulnerability, csrf
systems | linux, windows
advisories | CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, CVE-2014-3523, CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8142, CVE-2014-8275, CVE-2014-9427, CVE-2014-9652, CVE-2014-9653, CVE-2014-9705, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206, CVE-2015-0207, CVE-2015-0208, CVE-2015-0209, CVE-2015-0231, CVE-2015-0232, CVE-2015-0273, CVE-2015-0285, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289
SHA-256 | b24b33b6953298c7dff07ba7ebf547fe10934e4d227a0e52094bde980503367c
RSA Validation Manager POODLE / DoS / XSS / Race Condition
Posted Jun 16, 2015
Site emc.com

RSA Validation Manager versions 3.2 prior to build 201 suffer from race condition, cross site scripting, denial of service, and various other vulnerabilities.

tags | advisory, denial of service, vulnerability, xss
advisories | CVE-2012-3499, CVE-2013-1862, CVE-2013-2566, CVE-2014-0098, CVE-2014-0226, CVE-2014-0231, CVE-2014-3566, CVE-2015-0526
SHA-256 | 703e04b821a0df9e65975d31c6a38a8fc2688b91256b2bfeecf3b49ca2c66426
HP Security Bulletin HPSBUX03337 SSRT102066 1
Posted Jun 11, 2015
Authored by HP | Site hp.com

HP Security Bulletin HPSBUX03337 SSRT102066 1 - Potential security vulnerabilities have been identified with the HP-UX Apache Web Server Suite, Tomcat Servlet Engine, and PHP. These could be exploited remotely to create a Denial of Service (DoS) and other vulnerabilities. Revision 1 of this advisory.

tags | advisory, web, denial of service, php, vulnerability
systems | hpux
advisories | CVE-2013-5704, CVE-2014-0118, CVE-2014-0226, CVE-2014-0227, CVE-2014-0231, CVE-2014-8142, CVE-2014-9709, CVE-2015-0231, CVE-2015-0273, CVE-2015-1352, CVE-2015-2301, CVE-2015-2305, CVE-2015-2331, CVE-2015-2783
SHA-256 | 754fae670041f7a697aa8004120dac15eb6d07f2889f1104112f7ee98c3f9f82
Gentoo Linux Security Advisory 201504-03
Posted Apr 13, 2015
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201504-3 - Multiple vulnerabilities have been found in Apache HTTP Server, the worst of which could lead to arbitrary code execution. Versions less than 2.2.29 are affected.

tags | advisory, web, arbitrary, vulnerability, code execution
systems | linux, gentoo
advisories | CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, CVE-2014-5704
SHA-256 | 93bdb4060115f5f696951b76a71bbae405be0ae58b613775011d6f63d2a80a0c
Apple Security Advisory 2015-04-08-2
Posted Apr 9, 2015
Authored by Apple | Site apple.com

Apple Security Advisory 2015-04-08-2 - OS X Yosemite 10.10.3 and Security Update 2015-004 are now available and address privilege escalation, code execution, information disclosure, and various other vulnerabilities.

tags | advisory, vulnerability, code execution, info disclosure
systems | apple, osx
advisories | CVE-2013-0118, CVE-2013-5704, CVE-2013-6438, CVE-2013-6712, CVE-2014-0098, CVE-2014-0117, CVE-2014-0118, CVE-2014-0207, CVE-2014-0226, CVE-2014-0231, CVE-2014-0237, CVE-2014-0238, CVE-2014-2497, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-3523, CVE-2014-3538, CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-3587, CVE-2014-3597, CVE-2014-3668, CVE-2014-3669, CVE-2014-3670
SHA-256 | bfdc53ae50c366d1018234c77470fabd66ae9360537370dafd782122121b89cd
Mandriva Linux Security Advisory 2015-093
Posted Mar 30, 2015
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-093 - Updated apache packages fix multiple security vulnerabilities.

tags | advisory, vulnerability
systems | linux, mandriva
advisories | CVE-2013-6438, CVE-2014-0098, CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, CVE-2014-3581, CVE-2014-5704, CVE-2014-8109, CVE-2015-0228
SHA-256 | 19a31025ffbf8447f6cdb3bb70ede57e8f0dce94fcd7cd5d396da9f7fdab3fc1
Gentoo Linux Security Advisory 201408-12
Posted Aug 29, 2014
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201408-12 - Multiple vulnerabilities have been discovered in Apache HTTP Server, the worse of which could lead to execution of arbitrary code or a Denial of Service condition. Versions less than 2.2.27-r4 are affected.

tags | advisory, web, denial of service, arbitrary, vulnerability
systems | linux, gentoo
advisories | CVE-2013-6438, CVE-2014-0098, CVE-2014-0226
SHA-256 | 74c770647893db7bdefa7fe626d5e7a9771e8d4cd1ddee8a7bd68e3e8bb6436e
Red Hat Security Advisory 2014-1086-01
Posted Aug 21, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1086-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release serves as a replacement for Red Hat JBoss Web Server 2.0.1, and includes several bug fixes.

tags | advisory, java, web
systems | linux, redhat
advisories | CVE-2013-4590, CVE-2014-0118, CVE-2014-0119, CVE-2014-0221, CVE-2014-0226, CVE-2014-0231
SHA-256 | 1869ac672baeb6d6231ed4264632e0262537ca84832e3d8b68ec845527428f94
Red Hat Security Advisory 2014-1087-01
Posted Aug 21, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1087-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release serves as a replacement for Red Hat JBoss Web Server 2.0.1, and includes several bug fixes.

tags | advisory, java, web
systems | linux, redhat
advisories | CVE-2013-4590, CVE-2014-0118, CVE-2014-0119, CVE-2014-0226, CVE-2014-0231
SHA-256 | 7b43399c8297d76dd46dd0933745d26b4de10eebe9f700a43e687901819a236b
Red Hat Security Advisory 2014-1088-01
Posted Aug 21, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1088-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release serves as a replacement for Red Hat JBoss Web Server 2.0.1, and includes several bug fixes.

tags | advisory, java, web
systems | linux, redhat
advisories | CVE-2013-4590, CVE-2014-0118, CVE-2014-0119, CVE-2014-0226, CVE-2014-0231
SHA-256 | 4da1d3ba75d748e08e95de45e5cf1defc759a9a506037cddf827b73f39496145
Red Hat Security Advisory 2014-1019-01
Posted Aug 7, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1019-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression. A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.

tags | advisory, java, remote, denial of service, overflow, arbitrary
systems | linux, redhat
advisories | CVE-2014-0118, CVE-2014-0193, CVE-2014-0226, CVE-2014-0231, CVE-2014-3472
SHA-256 | ee57b0752054c43c73ccfbef2be9383a8676fce1f41ed04ca808762b2f1d516f
Red Hat Security Advisory 2014-1020-01
Posted Aug 7, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1020-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression. A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.

tags | advisory, java, remote, denial of service, overflow, arbitrary
systems | linux, redhat
advisories | CVE-2014-0118, CVE-2014-0193, CVE-2014-0226, CVE-2014-0231, CVE-2014-3472
SHA-256 | 804065533729790a5b99749f6de4660a768da8c982fc223f3cfb43c91e6a636c
Red Hat Security Advisory 2014-1021-01
Posted Aug 7, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1021-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression. A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.

tags | advisory, java, remote, denial of service, overflow, arbitrary
systems | linux, redhat
advisories | CVE-2014-0118, CVE-2014-0193, CVE-2014-0221, CVE-2014-0226, CVE-2014-0231, CVE-2014-3472
SHA-256 | 22e9d1dba5571b19e90edd9bd75c20402a5f2b415a003632541ae628f3d33b93
Mandriva Linux Security Advisory 2014-142
Posted Jul 31, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-142 - A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the apache user. A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the DEFLATE input filter. A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system. A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely.

tags | advisory, remote, denial of service, overflow, arbitrary, cgi
systems | linux, mandriva
advisories | CVE-2014-0118, CVE-2014-0226, CVE-2014-0231
SHA-256 | 6643c25c7b920a477f9ecad591516b72e4c07aed6b35d1aaad3b6ab25aeab395
Debian Security Advisory 2989-1
Posted Jul 25, 2014
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2989-1 - Several security issues were found in the Apache HTTP server.

tags | advisory, web
systems | linux, debian
advisories | CVE-2014-0118, CVE-2014-0226, CVE-2014-0231
SHA-256 | 6a2e0fe2e7dd2939b32d62124cbffac15ed98b20d36d18e10fd6076278bcd60c
Slackware Security Advisory - httpd Updates
Posted Jul 24, 2014
Authored by Slackware Security Team | Site slackware.com

Slackware Security Advisory - New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

tags | advisory
systems | linux, slackware
advisories | CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231
SHA-256 | 8b2ce2fa4eaa2da3d41503e0ff66afd040e6de3710d8ec4fb82e11f6fde37915
Red Hat Security Advisory 2014-0921-01
Posted Jul 23, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0921-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. A NULL pointer dereference flaw was found in the mod_cache httpd module. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP Server was used as a forward proxy with caching.

tags | advisory, remote, web, overflow, arbitrary
systems | linux, redhat
advisories | CVE-2013-4352, CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231
SHA-256 | 5f6342d6a0ba942fed1212f30532f2a6f06b9ce40839eb606fcaa582d6020ed3
Red Hat Security Advisory 2014-0920-01
Posted Jul 23, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0920-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression. A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.

tags | advisory, remote, web, denial of service, overflow, arbitrary
systems | linux, redhat
advisories | CVE-2014-0118, CVE-2014-0226, CVE-2014-0231
SHA-256 | 7a830cef22aa2d0447ea727c0b8c19ebb2b6de8d903602bcceaa93477c2004d8
Red Hat Security Advisory 2014-0922-01
Posted Jul 23, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0922-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. A NULL pointer dereference flaw was found in the mod_cache httpd module. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP Server was used as a forward proxy with caching.

tags | advisory, remote, web, overflow, arbitrary
systems | linux, redhat
advisories | CVE-2013-4352, CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231
SHA-256 | e474b0462ddaef58ac68027aa2da2ff235007fd49f59f3fd341b94b4a0cbdbb9
Ubuntu Security Notice USN-2299-1
Posted Jul 23, 2014
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2299-1 - Marek Kroemeke discovered that the mod_proxy module incorrectly handled certain requests. A remote attacker could use this issue to cause the server to stop responding, leading to a denial of service. This issue only affected Ubuntu 14.04 LTS. Giancarlo Pellegrino and Davide Balzarotti discovered that the mod_deflate module incorrectly handled body decompression. A remote attacker could use this issue to cause resource consumption, leading to a denial of service. Various other issues were also addressed.

tags | advisory, remote, denial of service
systems | linux, ubuntu
advisories | CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231
SHA-256 | 52c1adb5bf8f07e13c58b7beb3414522ce15e2686f455949248cc1c2d9b6f33f
Apache Scoreboard / Status Race Condition
Posted Jul 21, 2014
Authored by AKAT-1, 22733db72ab3ed94b5f8a1ffcde850251fe6f466

A race condition between updating httpd's "scoreboard" and mod_status leads to scenarios where a heap buffer overflow can occur with a user supplied payload. It can also leak heap and critical memory such as htaccess credentials, SSL private keys, and more. Apache version 2.4.7 is affected.

tags | exploit, overflow
advisories | CVE-2014-0226
SHA-256 | ee93437fdd7a87a46f45a1de0aa1d92409e430a87df1e246e818c6f4f25fa1ec
Page 1 of 1
Back1Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close