Bug 887765 (CVE-2014-0226)

Summary: VUL-0: CVE-2014-0226: apache2: mod_status heap-based buffer overflow
Product: [Novell Products] SUSE Security Incidents
Reporter: Victor Pereira <vpereira>
Component: Incidents
Assignee: Roman Drahtmueller <draht>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: abergmann, bbrunner, lchiquitto, meissner, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/103729/
Whiteboard: maint:released:sle11-sp1:58333 maint:released:sle11-sp3:58335 maint:released:sle10-sp3:58334
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: patch against SLES11 apache

Description Victor Pereira 2014-07-17 13:39:16 UTC
CVE-2014-0226

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apache HTTPD server. Authentication is not required
to exploit this vulnerability.

The specific flaw exists within the updating of mod_status.  A race condition in
mod_status allows an attacker to disclose information or corrupt memory with
several requests to endpoints with handler server-status and other endpoints.  
By abusing this flaw, an attacker can possibly disclose credentials or leverage
this situation to achieve remote code execution.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1120603
http://httpd.apache.org/security/vulnerabilities_24.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0226
http://www.zerodayinitiative.com/advisories/ZDI-14-236/

Comment 1 Swamp Workflow Management 2014-07-17 15:00:42 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-07-24.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58331

Comment 2 SMASH SMASH 2014-07-17 15:05:16 UTC
Affected packages:

SLE-10-SP3-TERADATA: apache2
SLE-11-SP3: apache2

Comment 13 Roman Drahtmueller 2014-07-18 12:37:21 UTC
The 2.2 code is different in that the 2.2.12 code does not even have the
ap_get_scoreboard_worker_from_indexes() function.
I'm trying to determine if the race is similarly present in the 2.2 code.

Comment 14 Swamp Workflow Management 2014-07-18 22:00:29 UTC
bugbot adjusting priority

Comment 16 Roman Drahtmueller 2014-07-21 11:07:47 UTC
Created attachment 599270
patch against SLES11 apache

affirmative. 

Official (upstream) changeset is: http://svn.apache.org/r1610499

Comment 18 Bernhard Wiedemann 2014-07-25 16:00:33 UTC
This is an autogenerated message for OBS integration:
This bug (887765) was mentioned in
https://build.opensuse.org/request/show/242399 Evergreen:11.4 / apache2.openSUSE_Evergreen_11.4

Comment 25 Swamp Workflow Management 2014-08-06 23:05:03 UTC
SUSE-SU-2014:0967-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 859916,869105,869106,887765,887768
CVE References: CVE-2013-6438,CVE-2014-0098,CVE-2014-0226,CVE-2014-0231
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    apache2-2.2.12-1.46.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    apache2-2.2.12-1.46.1
SUSE Linux Enterprise Server 11 SP3 (src):    apache2-2.2.12-1.46.1

Comment 26 Swamp Workflow Management 2014-08-07 21:05:12 UTC
openSUSE-SU-2014:0969-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 859916,869105,869106,871309,887765,887768
CVE References: CVE-2013-5705,CVE-2013-6438,CVE-2014-0098,CVE-2014-0226,CVE-2014-0231
Sources used:
openSUSE 11.4 (src):    apache2-2.2.17-80.1, apache2-mod_security2-2.7.5-16.1

Comment 27 Swamp Workflow Management 2014-08-19 14:12:00 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-08-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58625

Comment 28 Swamp Workflow Management 2014-08-20 17:07:30 UTC
openSUSE-SU-2014:1044-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 869105,869106,887765,887767,887768,887771
CVE References: CVE-2013-4352,CVE-2013-6438,CVE-2014-0098,CVE-2014-0117,CVE-2014-0226,CVE-2014-0231
Sources used:
openSUSE 13.1 (src):    apache2-2.4.6-6.27.1

Comment 29 Swamp Workflow Management 2014-08-20 17:08:35 UTC
openSUSE-SU-2014:1045-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 869105,869106,887765,887768
CVE References: CVE-2013-6438,CVE-2014-0098,CVE-2014-0226,CVE-2014-0231
Sources used:
openSUSE 12.3 (src):    apache2-2.2.22-10.12.1

Comment 30 Marcus Meissner 2014-09-02 12:00:35 UTC
was released today
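
Added example, not part of the bug thread or of SUSE's tooling: a check of an installed apache2 `version-release` string against the update packages listed in the "Sources used" lines above. It uses a simplified RPM version comparison (no epoch, tilde or caret handling, which these package versions do not use); the function names and the installed versions in the sample run are constructed.

```python
import re

# Update package versions copied from the "Sources used" lines on this page.
# Products without a listed version (SLE 10 SP3, SLE 11 SP1) are left out.
FIXED = {
    "SLE 11 SP3": "2.2.12-1.46.1",
    "openSUSE 11.4": "2.2.17-80.1",
    "openSUSE 12.3": "2.2.22-10.12.1",
    "openSUSE 13.1": "2.4.6-6.27.1",
}

def _segments(s):
    # rpm compares maximal runs of digits or letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def _cmp_part(a, b):
    """Simplified rpmvercmp for one field: returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric, so 46 > 5
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments are newer

def compare_evr(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def has_fix(product, installed):
    """True if the installed apache2 is at or above the listed update package."""
    return compare_evr(installed, FIXED[product]) >= 0

if __name__ == "__main__":
    # Constructed inputs; on a host: rpm -q --qf '%{VERSION}-%{RELEASE}' apache2
    for product, installed in [("SLE 11 SP3", "2.2.12-1.5.1"),
                               ("SLE 11 SP3", "2.2.12-1.46.1"),
                               ("openSUSE 13.1", "2.4.6-6.23.1")]:
        state = "update installed" if has_fix(product, installed) else "UPDATE MISSING"
        print(f"{product}: apache2-{installed}: {state}")
```

A plain string comparison would rank release `1.5.1` above `1.46.1`; the segment-wise numeric comparison is what makes the first sample row report a missing update.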