Out-of-bounds read in Apache HTTP Server

#VU82248 Out-of-bounds read in Apache HTTP Server

Published: 2023-10-19

Vulnerability identifier: #VU82248

Vulnerability risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-31122

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache HTTP Server
Server applications / Web servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within mod_macro module. A remote attacker can send specially crafted requests to the server, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache HTTP Server: 2.4 - 2.4.57

External links
http://downloads.apache.org/httpd/CHANGES_2.4_2.4.58

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat Enterprise Linux 9 update for httpd

Multiple vulnerabilities in Oracle HTTP Server

Multiple vulnerabilities in Oracle Communications Element Manager

Out-of-bounds read in Oracle Communications Fraud Monitor

Multiple vulnerabilities in Oracle Communications Session Report Manager

Multiple vulnerabilities in IBM Rational Build Forge

Multiple vulnerabilities in Red Hat JBoss Core Services for RHEL 7 and 8

Multiple vulnerabilities in Red Hat JBoss Core Services Apache HTTP Server 2.4

Out-of-bounds read in IBM HTTP Server shipped with IBM Rational ClearCase

Multiple vulnerabilities in IBM i