CERT-In Vulnerability Note CIVN-2010-158
Apache "mod_proxy_http" Timeout Information Disclosure Vulnerability
Original Issue Date: June 18, 2010
Severity Rating: Low
System Affected
- Apache version 2.3.5-alpha
- Apache version 2.3.4-alpha
- Apache version 2.2.9 through 2.2.15
Overview
A vulnerability has been reported in Apache, which could be exploited by attackers to disclose sensitive information.
Description
This vulnerability is caused by "mod_proxy_http" not properly handling certain timeout conditions, which can lead to responses being returned to the wrong users. Attackers could exploit this issue to disclose sensitive information.
Note: This vulnerability affects configurations using proxy worker pools on Windows, Netware, and OS2 systems only.
Solution
Upgrade to Apache version 2.2.16-dev:
http://httpd.apache.org/download.cgi
Vendor Information
Apache
http://httpd.apache.org/security/vulnerabilities_22.html
References
Apache
http://httpd.apache.org/security/vulnerabilities_22.html
VUPEN
http://www.vupen.com/english/advisories/2010/1436
Secunia
http://secunia.com/advisories/40206
SecurityTracker
http://securitytracker.com/alerts/2010/Jun/1024096.html
SecurityFocus
http://www.securityfocus.com/bid/40827
CVE Name
CVE-2010-2068
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
