Apache Httpd < 2.2.19 : apr_fnmatch flaw leads to mod_autoindex remote DoS

Record ID: HTTPD:C730B9155CAC64B44A77E253B3135FE5
Published: 2011-03-02
Source: Apache Team Foundation (httpd.apache.org)

CVSS2 base score: 4.3 (Medium)
  Vector string:          AV:N/AC:M/Au:N/C:N/I:N/A:P
  Access Vector:          NETWORK
  Access Complexity:      MEDIUM
  Authentication:         NONE
  Confidentiality Impact: NONE
  Integrity Impact:       NONE
  Availability Impact:    PARTIAL

EPSS: 0.969 (High), percentile 99.7%

A flaw was found in the apr_fnmatch() function of the APR library bundled with httpd. Where mod_autoindex is enabled and a directory it indexes contains files with sufficiently long names, a remote, unauthenticated attacker can send a carefully crafted request whose client-supplied query arguments (the listing pattern that mod_autoindex passes to apr_fnmatch() for matching against the file names) cause excessive CPU usage. This can be used in a denial of service attack; confidentiality and integrity are not affected.
Workaround: add the IgnoreClient option to the IndexOptions directive (IndexOptions IgnoreClient) for every indexed directory. This disables processing of client-supplied request query arguments and so prevents this attack; it also means clients can no longer select the sort order or display options of those listings.
Resolution: update APR to release 1.4.5 (bundled with httpd 2.2.19) or release 0.9.20 (bundled with httpd 2.0.65). The bundled APR is what matters here: a distribution httpd linked against a system APR is fixed when that APR is at or above those releases.
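The following triage helper is an added example written for this page, not code from the advisory or from the httpd project. It encodes the two facts the advisory gives (the fix landed in httpd 2.2.19 and 2.0.65, and IndexOptions IgnoreClient is the workaround) as checks a practitioner can run against an installed server: it parses the first line of `httpd -v` (the "Server version: Apache/x.y.z (Unix)" banner format is assumed), decides whether the version is in the affected range of its branch, and counts IndexOptions lines in a config text that do not enable IgnoreClient. The two sample configurations and the banner string are constructed inline so the script runs offline; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added triage helper for the apr_fnmatch / mod_autoindex DoS described above.
# Not part of the advisory or of httpd; it only encodes the fixed versions the
# advisory names (2.2.19 and 2.0.65) and the IndexOptions IgnoreClient workaround.

# ver_lt A B: true (exit 0) if dotted numeric version A is older than B.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# httpd_version_from_banner LINE: extract "2.2.17" from the first line that
# "httpd -v" prints, e.g. "Server version: Apache/2.2.17 (Unix)" (assumed format).
httpd_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# httpd_is_affected VERSION: true if this httpd still bundles a vulnerable APR.
# The 2.2.x branch was fixed in 2.2.19 and the 2.0.x branch in 2.0.65; other
# branches are not covered by this advisory and are reported as not affected.
httpd_is_affected() {
    case "$1" in
        2.2.*) ver_lt "$1" "2.2.19" ;;
        2.0.*) ver_lt "$1" "2.0.65" ;;
        *)     return 1 ;;
    esac
}

# unmitigated_indexoptions CONFIG_TEXT: print how many active IndexOptions
# lines lack IgnoreClient (or switch it off with -IgnoreClient). Directive and
# option names are case-insensitive in httpd, so the match is too. Commented
# lines are skipped. A directory with "Options Indexes" but no IndexOptions
# line at all keeps the default (client arguments honoured) and is not counted,
# so a result of 0 is not on its own proof that the workaround is in place.
unmitigated_indexoptions() {
    printf '%s\n' "$1" \
        | grep -i '^[[:space:]]*IndexOptions[[:space:]]' \
        | grep -Eiv '(^|[[:space:]+])IgnoreClient([[:space:]]|$)' \
        | wc -l | tr -d ' '
}

# Constructed sample configs: the first honours client query arguments (the
# vulnerable default), the second applies the advisory's workaround.
VULN_CONF='<Directory "/var/www/html/pub">
    Options +Indexes
    IndexOptions FancyIndexing NameWidth=*
</Directory>'

FIXED_CONF='<Directory "/var/www/html/pub">
    Options +Indexes
    # IndexOptions FancyIndexing NameWidth=*
    IndexOptions FancyIndexing NameWidth=* IgnoreClient
</Directory>'

# Demo on a constructed banner (replace with: httpd -v | head -n 1).
banner='Server version: Apache/2.2.17 (Unix)'
v=$(httpd_version_from_banner "$banner")
if httpd_is_affected "$v"; then
    echo "httpd $v: affected, update to 2.2.19 / 2.0.65 (APR 1.4.5 / 0.9.20)"
else
    echo "httpd $v: not in the affected range"
fi
echo "IndexOptions lines without IgnoreClient (vulnerable sample): $(unmitigated_indexoptions "$VULN_CONF")"
echo "IndexOptions lines without IgnoreClient (hardened sample):   $(unmitigated_indexoptions "$FIXED_CONF")"
```

Run it as-is to see the constructed samples evaluated, or feed `httpd -v | head -n 1` and the contents of your httpd.conf and included files to the two functions. The version check is deliberately branch-aware: a 2.2.x server is compared against 2.2.19 and a 2.0.x server against 2.0.65, since the advisory names a separate fixed release for each branch. The config check treats `-IgnoreClient` as unmitigated and skips commented lines, but it does not follow Include directives or per-directory inheritance, so review any directory that enables Indexes without an IndexOptions line by hand.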
