SB2014073104 - Amazon Linux AMI update for httpd24

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Resource management error (CVE-ID: CVE-2014-0118)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size.

2) Heap-based buffer overflow (CVE-ID: CVE-2014-0226)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in Race condition in the mod_status module in the Apache HTTP Server before 2.4.10. A remote attacker can use a crafted request that triggers improper scoreboard handling within the status_handler function in modules to trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

3) Resource management error (CVE-ID: CVE-2014-0231)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor.

Remediation

Install update from vendor's website.

References

• https://alas.aws.amazon.com/ALAS-2014-389.html