CVE-2012-4557

Published: 30 November 2012

The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection of a long request-processing time, which allows remote attackers to cause a denial of service (worker consumption) via an expensive request.

Priority

Status

Package	Release	Status
apache2 Launchpad, Ubuntu, Debian	hardy	Released (2.2.8-1ubuntu0.25)
	lucid	Released (2.2.14-5ubuntu8.11)
	oneiric	Released (2.2.20-1ubuntu1.4)
	precise	Not vulnerable (2.2.22-1ubuntu1)
	quantal	Not vulnerable
	upstream	Released (2.2.22-1)
	Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1227298 vendor: http://www.debian.org/security/2012/dsa-2579

References

http://httpd.apache.org/security/vulnerabilities_22.html#2.2.22
https://ubuntu.com/security/notices/USN-1765-1
https://www.cve.org/CVERecord?id=CVE-2012-4557
NVD
Launchpad
Debian

Bugs

https://bugzilla.redhat.com/show_bug.cgi?id=871685

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›