Multiple Vulnerabilities found in Apache

Some vulnerabilities have been reported in Apache HTTP Server, which can be exploited by malicious people to gain access to potentially sensitive information, cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

1) The “ap_proxy_ajp_request()” function in modules/proxy/mod_proxy_ajp.c of the mod_proxy_ajp module returns the “HTTP_INTERNAL_SERVER_ERROR” error code when processing certain malformed requests. This can be exploited to put the backend server into an error state until the retry timeout expired by sending specially crafted requests.

2) The mod_isapi module unloads ISAPI modules before the request processing is complete, potentially leaving orphaned callback pointers behind. This can be exploited by sending a specially crafted request followed by a reset packet.

Successful exploitation may allow the execution of arbitrary code with SYSTEM privileges on Windows systems.

3) An error exists within the header handling when processing subrequests, which can lead to sensitive information from a request being handled by the wrong thread if a multi-threaded Multi-Processing Module (MPM) is used.

To protect yourself and your server please upgrade to version 2.2.15 as soon as you can.

About Author