(IBM Issues Fix for IBM HTTP Server) Apache HTTPD scoreboard Protection Flaw Lets Local Users Terminate Arbitrary Processes
|
|
SecurityTracker Alert ID: 1018668 |
|
SecurityTracker URL: http://securitytracker.com/id/1018668
|
|
CVE Reference:
CVE-2007-3304
(Links to External Site)
|
Date: Sep 10 2007
|
Impact:
Denial of service via local system
|
Fix Available: Yes Vendor Confirmed: Yes
|
|
Description:
A vulnerability was reported in Apache HTTPD. A local user can cause denial of service conditions. IBM HTTP Server is affected.
The server does not verify that a process is actually an Apache child process before sending signals to the process. A local user with the ability to run scripts can modify the scoreboard arrays to reference arbitrary process IDs and cause arbitrary processes to be terminated.
The vendor was notified on May 16, 2006.
PSNC Security Team discovered this vulnerability.
|
Impact:
A local user with privileges to run scripts on the target system can terminate arbitrary processes on the target system.
|
Solution:
IBM has issued a fix for the IBM HTTP Server (PK50467), which is affected by this vulnerability.
The fix is planned for inclusion in fix pack 6.1.0.13 and fix pack 6.0.2.23.
The IBM advisory is available at:
http://www-1.ibm.com/support/docview.wss?uid=swg1PK50467
|
Cause:
Access control error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Mon, 10 Sep 2007 08:47:22 -0400
Subject: IBM HTTP Server (IHS)
|
http://www-1.ibm.com/support/docview.wss?uid=swg1PK50467
PK50467: CVE-2007-3304 MPM SIGNALLING VULNERABILITY
|
|
