Credit:
The original article can be found at: http://seclists.org/bugtraq/2010/Jun/149
Vulnerable Systems:
* Apache httpd version 2.2.9 to 2.2.15
* Apache httpd version 2.3.4-alpha
* Apache httpd version 2.3.5-alpha
Immune Systems:
* Apache httpd version 2.2.16 and higher
* Apache httpd version earlier than 2.2.9
* Apache httpd version 2.0.x
* Apache httpd version 1.3.x
The vulnerability occurs when proxy worker pools have been enabled. A timeout detection flaw in the httpd mod_proxy_http module causes a proxied response from the HTTP proxy pool worker pipeline to be sent as the response to a different request, and potentially served to a different client. This may result in disclosure of confidential data.
Workaround:
Apply any one of the following mitigations to avert the possibility of confidential information disclosure.
* Do not load mod_proxy_http.
* Do not configure/enable any http proxy worker pools with ProxySet or ProxyPass optional arguments.
* The straightforward workaround to disable mod_proxy_http's reuse of backend connection pipelines is to set the following global directive: SetEnv proxy-nokeepalive 1
* Replace mod_proxy_http.so with a patched version. For source code see http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/ or http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/ and for binaries see the http://www.apache.org/dist/httpd/binaries/ tree for win32 or netware, as appropriate.
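The checks above can be scripted against a server's configuration. The following is an added example, not part of the original advisory or of Apache's tooling: it flags ProxySet and ProxyPass key=value worker pool settings that remain exposed on an affected version. The function names and the sample configuration are constructed for illustration, and it assumes a single configuration file (Include directives are not followed) with mod_proxy_http loaded via LoadModule rather than compiled in.

```python
import re

def version_affected(version):
    """True if the httpd version is in the advisory's vulnerable set."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    v = tuple(int(x) for x in m.groups())
    return (2, 2, 9) <= v <= (2, 2, 15) or v in ((2, 3, 4), (2, 3, 5))

def exposed_pools(version, conf_text):
    """Return (line_no, directive) for each worker pool left exposed."""
    if not version_affected(version):
        return []
    loaded = nokeepalive = False
    pools, depth = [], 0
    for n, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        d = tok[0].lower()
        if d.startswith("</"):
            depth -= not d.startswith(("</ifmodule", "</ifdefine"))
        elif d.startswith("<"):
            # <IfModule>/<IfDefine> do not change scope; other sections do.
            depth += not d.startswith(("<ifmodule", "<ifdefine"))
        elif d == "loadmodule" and tok[1:2] == ["proxy_http_module"]:
            loaded = True
        elif d == "setenv" and tok[1:3] == ["proxy-nokeepalive", "1"]:
            # Only a global (server-level) SetEnv counts as the workaround.
            nokeepalive = nokeepalive or depth == 0
        elif d == "proxyset" or (d == "proxypass" and any(
                re.fullmatch(r"[A-Za-z]+=\S+", t) for t in tok[2:])):
            pools.append((n, raw.strip()))
    return pools if loaded and not nokeepalive else []

# Constructed sample configuration (not taken from any real server).
SAMPLE = """\
LoadModule proxy_http_module modules/mod_proxy_http.so
# SetEnv proxy-nokeepalive 1
ProxyPass /static !
ProxyPass /app http://10.0.0.5:8080/ max=20 ttl=120
<Proxy balancer://pool>
    ProxySet timeout=10
</Proxy>
"""

if __name__ == "__main__":
    for line_no, text in exposed_pools("2.2.14", SAMPLE):
        print("line %d: %s" % (line_no, text))
```

An empty result means one of the listed mitigations applies or the version is immune; it does not confirm that a patched mod_proxy_http.so is installed.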
CVE Information:
CVE-2010-2068
Disclosure Timeline:
11th June 2010: Update Released