Resource management error in Apache HTTP Server
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2012-0031 |
| CWE-ID | CWE-399 |
| Exploitation vector | Local |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
Apache HTTP Server Server applications / Web servers |
| Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Resource management error
EUVDB-ID: #VU33325
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2012-0031
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: Yes
DescriptionThe vulnerability allows a local non-authenticated attacker to read and manipulate data.
scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an invalid call to the free function.
MitigationInstall update from vendor's website.
Vulnerable software versionsApache HTTP Server: 2.2.0 - 2.2.21
External linkshttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00026.html
http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00002.html
http://marc.info/?l=bugtraq&m=133294460209056&w=2
http://marc.info/?l=bugtraq&m=133494237717847&w=2
http://marc.info/?l=bugtraq&m=134987041210674&w=2
http://rhn.redhat.com/errata/RHSA-2012-0128.html
http://rhn.redhat.com/errata/RHSA-2012-0542.html
http://rhn.redhat.com/errata/RHSA-2012-0543.html
http://secunia.com/advisories/47410
http://secunia.com/advisories/48551
http://support.apple.com/kb/HT5501
http://svn.apache.org/viewvc?view=revision&revision=1230065
http://www.debian.org/security/2012/dsa-2405
http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/
http://www.mandriva.com/security/advisories?name=MDVSA-2012:012
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
http://www.securityfocus.com/bid/51407
http://bugzilla.redhat.com/show_bug.cgi?id=773744
http://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E
http://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E
http://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E
http://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E
http://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E
http://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E
http://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E
http://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
