Bug 743744 - (CVE-2012-0021) VUL-1: CVE-2012-0021: apache2: crash in mod_log_config due to specially crafted cookies
VUL-1: CVE-2012-0021: apache2: crash in mod_log_config due to specially craft...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Roman Drahtmueller
Security Team bot
maint:running:48395:moderate maint:ru...
Depends on:
  Show dependency treegraph
Reported: 2012-01-27 09:04 UTC by Matthias Weckbecker
Modified: 2017-10-25 15:19 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority: 300
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Weckbecker 2012-01-27 09:04:47 UTC
A flaw [1] was found in mod_log_config.  If an administrator configured the
"%{cookiename}C" log format string to be used, a remote attacker could send a
specific cookie which would cause a crash.  This crash would only be a denial
of service if using a threaded MPM (such as event or worker).  Note that Red
Hat Enterprise Linux and Fedora use the prefork MPM by default.

This will be fixed upstream [2] in 2.2.22 and affects versions 2.2.17 up to and
including 2.2.21.

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=52256
[2] http://svn.apache.org/viewvc?view=revision&revision=1227292
Comment 4 Marcus Meissner 2012-04-13 18:32:36 UTC
As the original description says, it only affects Apache2 between 2.2.17 and 2.2.21.

=> Statement:

This only affects Apache2 versions after 2.2.17. SUSE Linux Enterprise products currently ship 2.2.12 and older Apache2 versions and so are not affected by this problem.

openSUSE 11.4 and 12.1 will receive fixes.
Comment 5 Roman Drahtmueller 2012-04-15 03:09:08 UTC
This one was on the agenda for the February update already; the bug was known to me by xmas 2011. However, we have determined that the bug doesn't qualify for a fix due to the rather exotic circumstances under which it becomes evident.

I'll take the fix into the list for the next update, as it doesn't really expose a threat that justifies an own update.
If you agree, of course.

Comment 8 Marcus Meissner 2013-02-25 15:43:48 UTC
perl bin/addnote CVE-2012-0021 "This Apache2 security problem only existed in versions 2.2.17 up to 2.2.22. Earlier versions were not affected, so SUSE Linux Enterprise 11 and previous products are not affected by this problem."

Only openSUSE 12.1 is affected by this, as it has 2.1.21.
Comment 9 Marcus Meissner 2013-03-19 13:23:37 UTC
lets close as 12.1 is nearing EOL