{"vuid":"VU#479268","idnumber":"479268","name":"Apache HTTPD contains denial of service vulnerability in basic authentication module","keywords":["Apache","configuration scripts","apr_password_validate() function","thread-unsafe"],"overview":"The Apache HTTP server contains a denial-of-service vulnerability that allows remote attackers to  to conduct denial-of-service attacks on the HTTP basic authentication module of an affected server.","clean_desc":"The Apache HTTP server contains a denial-of-service vulnerability in the apr_password_validate() function. The Apache Software Foundation has provided the following description of this vulnerability: Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were vulnerable to a denial-of-service attack on the basic authentication module, which was reported by John Hughes <john.hughes@entegrity.com>. A bug in the configuration scripts caused the apr_password_validate() function to be thread-unsafe on platforms with crypt_r(), including AIX and Linux. All versions of Apache 2.0 have this thread-safety problem on platforms with no crypt_r() and no thread-safe crypt(), such as Mac OS X and possibly others. When using a threaded MPM (which is not the default on these platforms), this allows remote attackers to create a denial of service which causes valid usernames and passwords for Basic Authentication to fail until Apache is restarted. We do not believe this bug could allow unauthorized users to gain access to protected resources. For further information, please read the announcement located at http://www.apache.org/dist/httpd/Announcement2.html","impact":"This vulnerability allows remote attackers to conduct denial-of-service attacks on the HTTP basic authentication module of an affected server.","resolution":"The Apache Software Foundation recommends that users upgrade to version 2.0.46 to address this vulnerability. The latest version of Apache is available at: http://httpd.apache.org/download.cgi","workarounds":"","sysaffected":"","thanks":"The CERT/CC thanks John Hughes for discovering this vulnerability.","author":"This document was written by Jeffrey P. Lanza.","public":["http://www.apache.org/dist/httpd/Announcement2.html","http://www.secunia.com/advisories/8881/","http://www.iss.net/security_center/static/12091.php"],"cveids":["CVE-2003-0189"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2003-05-28T20:10:32Z","publicdate":"2003-05-28T00:00:00Z","datefirstpublished":"2003-06-24T17:27:51Z","dateupdated":"2003-09-18T18:08:51Z","revision":16,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"10","cam_internetinfrastructure":"5","cam_population":"20","cam_impact":"3","cam_easeofexploitation":"1","cam_attackeraccessrequired":"20","cam_scorecurrent":"0.675","cam_scorecurrentwidelyknown":"0.7875","cam_scorecurrentwidelyknownexploited":"1.0125","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.675,"vulnote":null}