CVE-2009-1890

Published: Jul 5, 2009Modified: Apr 23, 2026

7.1

Vector

AV:N/AC:M/Au:N/C:N/I:N/A:C

Exploitability: 8.6 / Impact: 6.9

Source: NVD

Description

The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests.

Affected (14)

Products: Apache: Http Server · Fedoraproject: Fedora · Debian: Debian Linux · +2 more

Show all products

Apache: Http Server · Fedoraproject: Fedora · Debian: Debian Linux · Canonical: Ubuntu Linux · Redhat: Enterprise Linux Desktop, Enterprise Linux Eus, Enterprise Linux Server, Enterprise Linux Server Aus, Enterprise Linux Workstation

1 product

1 product

1 product

1 product

5 products

Enterprise Linux Desktop

Enterprise Linux Eus

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Workstation

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Http Server	From 2.2.0 to 2.2.12

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 11

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 4.0
Debian Debian Linux	Version 5.0
Debian Debian Linux	Version 6.0

Configuration D

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 6.06
Canonical Ubuntu Linux	Version 8.04
Canonical Ubuntu Linux	Version 8.10
Canonical Ubuntu Linux	Version 9.04

Configuration E

5 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux Desktop	Version 5.0
Redhat Enterprise Linux Eus	Version 5.3
Redhat Enterprise Linux Server	Version 5.0
Redhat Enterprise Linux Server Aus	Version 5.3
Redhat Enterprise Linux Workstation	Version 5.0

Related CWEs

CWE-400

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (98)

http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html

Source: secalert@redhat.com

Broken LinkMailing List

http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

http://marc.info/?l=bugtraq&m=129190899612998&w=2

Source: secalert@redhat.com

Issue TrackingMailing ListThird Party Advisory

http://osvdb.org/55553

Source: secalert@redhat.com

Broken Link

http://secunia.com/advisories/35691

Source: secalert@redhat.com

Not ApplicableVendor Advisory

http://secunia.com/advisories/35721

Source: secalert@redhat.com

Not Applicable

http://secunia.com/advisories/35793

Source: secalert@redhat.com

Not Applicable

http://secunia.com/advisories/35865

Source: secalert@redhat.com

Not Applicable

http://secunia.com/advisories/37152

Source: secalert@redhat.com

Not ApplicableVendor Advisory

http://secunia.com/advisories/37221

Source: secalert@redhat.com

Not ApplicableVendor Advisory

http://security.gentoo.org/glsa/glsa-200907-04.xml

Source: secalert@redhat.com

Third Party Advisory

http://support.apple.com/kb/HT3937

Source: secalert@redhat.com

Broken Link

http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=790587&r2=790586&pathrev=790587

Source: secalert@redhat.com

PatchVendor Advisory

http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?revision=790587

Source: secalert@redhat.com

Vendor Advisory

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=790587&r2=790586&pathrev=790587

Source: secalert@redhat.com

PatchVendor Advisory

http://svn.apache.org/viewvc?view=rev&revision=790587

Source: secalert@redhat.com

Vendor Advisory

http://wiki.rpath.com/Advisories:rPSA-2009-0142

Source: secalert@redhat.com

Broken Link

http://www-01.ibm.com/support/docview.wss?uid=swg1PK91259

Source: secalert@redhat.com

Third Party Advisory

http://www-01.ibm.com/support/docview.wss?uid=swg1PK99480

Source: secalert@redhat.com

Third Party Advisory

http://www.debian.org/security/2009/dsa-1834

Source: secalert@redhat.com

Third Party Advisory

http://www.mandriva.com/security/advisories?name=MDVSA-2009:149

Source: secalert@redhat.com

Broken Link

http://www.mandriva.com/security/advisories?name=MDVSA-2013:150

Source: secalert@redhat.com

Broken Link

http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html

Source: secalert@redhat.com

Third Party Advisory

http://www.redhat.com/support/errata/RHSA-2009-1156.html

Source: secalert@redhat.com

Third Party Advisory

http://www.securityfocus.com/archive/1/507852/100/0/threaded

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

http://www.securityfocus.com/archive/1/507857/100/0/threaded

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/35565

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id?1022509

Source: secalert@redhat.com

Broken LinkThird Party AdvisoryVDB Entry

http://www.ubuntu.com/usn/USN-802-1

Source: secalert@redhat.com

Third Party Advisory

http://www.vupen.com/english/advisories/2009/3184

Source: secalert@redhat.com

Permissions RequiredVendor Advisory

https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rb33be0aa9bd8cac9536293e3821dcd4cf8180ad95a8036eedd46365e%40%3Cusers.mina.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E

Source: secalert@redhat.com

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12330

Source: secalert@redhat.com

Third Party Advisory

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8616

Source: secalert@redhat.com

Third Party Advisory

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9403

Source: secalert@redhat.com

Third Party Advisory

https://rhn.redhat.com/errata/RHSA-2009-1148.html

Source: secalert@redhat.com

Third Party Advisory

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01363.html

Source: secalert@redhat.com

Third Party Advisory

http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html