製品・ソフトウェアに関する情報

JVN脆弱性詳細

Apache HTTP Server の mod_cache モジュールにおけるサービス運用妨害 (DoS) の脆弱性

Title	Apache HTTP Server の mod_cache モジュールにおけるサービス運用妨害 (DoS) の脆弱性
Summary	Apache HTTP Server の mod_cache モジュールの modules/cache/cache_util.c 内の cache_merge_headers_out 関数には、サービス運用妨害 (NULL ポインタデリファレンスおよびアプリケーションクラッシュ) 状態にされる脆弱性が存在します。
Possible impacts	第三者により、空の HTTP Content-Type ヘッダを介して、サービス運用妨害 (NULL ポインタデリファレンスおよびアプリケーションクラッシュ) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Sept. 11, 2014, midnight
Registration Date	Oct. 20, 2014, 6:16 p.m.
Last Update	Jan. 29, 2016, 4:27 p.m.

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:N/I:N/A:P

Affected System

Apache Software Foundation

Apache HTTP Server 2.4.11 未満

オラクル

Oracle Enterprise Manager Ops Center 12.1.4 未満

Oracle Enterprise Manager Ops Center 12.2.0

Oracle Enterprise Manager Ops Center 12.2.1

Oracle Enterprise Manager Ops Center 12.3.0

Oracle Enterprise Manager Ops Center 12.1.4 未満

Oracle Enterprise Manager Ops Center 12.2.0

Oracle Enterprise Manager Ops Center 12.2.1

Oracle Enterprise Manager Ops Center 12.3.0

アップル

Apple Mac OS X 10.10 から 10.10.4

Apple Mac OS X 10.9.5

Apple Mac OS X 10.10 から 10.10.4

Apple Mac OS X 10.9.5

macOS Server (旧 OS X Server) 5.0.3 未満 (OS X Yosemite v10.10.5 以降)

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-3581	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3581
2	CVE-2014-3581	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3581
National Vulnerability Database (NVD)
3	CVE-2014-3581	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3581
4	CVE-2014-3581	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3581

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-399	https://jvndb.jvn.jp/ja/cwe/CWE-399.html
2	CWE-399	https://jvndb.jvn.jp/ja/cwe/CWE-399.html

ベンダー情報

No	Name	URL
Apache-SVN
1	Contents of /httpd/httpd/branches/2.4.x/CHANGES	http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup&pathrev=1627749
2	Contents of /httpd/httpd/branches/2.4.x/CHANGES	http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup&pathrev=1627749
3	Revision 1624234	http://svn.apache.org/viewvc?view=revision&revision=1624234
4	Revision 1624234	http://svn.apache.org/viewvc?view=revision&revision=1624234
Apple Mailing Lists
5	APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006	http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
6	APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006	http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
7	APPLE-SA-2015-09-16-4 OS X Server 5.0.3	http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html
8	APPLE-SA-2015-09-16-4 OS X Server 5.0.3	http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html
Apple Security Updates
9	HT205031	https://support.apple.com/en-us/HT205031
10	HT205031	https://support.apple.com/en-us/HT205031
11	HT205219	https://support.apple.com/en-us/HT205219
12	HT205219	https://support.apple.com/en-us/HT205219
Apple セキュリティアップデート
13	HT205031	https://support.apple.com/ja-jp/HT205031
14	HT205031	https://support.apple.com/ja-jp/HT205031
15	HT205219	http://support.apple.com/ja-jp/HT205219
16	HT205219	http://support.apple.com/ja-jp/HT205219
Oracle Critical Patch Update
17	Oracle Critical Patch Update Advisory - January 2016	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
18	Oracle Critical Patch Update Advisory - January 2016	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
19	Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2016verbose-2367956.html
20	Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2016verbose-2367956.html
Red Hat Bugzilla
21	Bug 1149709	https://bugzilla.redhat.com/show_bug.cgi?id=1149709
22	Bug 1149709	https://bugzilla.redhat.com/show_bug.cgi?id=1149709
Red Hat Security Advisory
23	RHSA-2015:0325	https://rhn.redhat.com/errata/RHSA-2015-0325.html
24	RHSA-2015:0325	https://rhn.redhat.com/errata/RHSA-2015-0325.html
SECURITY BLOG
25	January 2016 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2016_critical_patch_update
26	January 2016 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2016_critical_patch_update

その他

No	Name	URL
JVN
1	JVNVU#99970459	http://jvn.jp/vu/JVNVU99970459/index.html
2	JVNVU#99970459	http://jvn.jp/vu/JVNVU99970459/index.html

Change Log

No	Changed Details	Date of change
0	[2014年10月17日] 掲載 [2014年11月20日] ベンダ情報：レッドハット (Bug 1149709) を追加 [2015年06月22日] ベンダ情報：レッドハット (RHSA-2015:0325) を追加 [2015年08月31日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：アップル (HT205031) を追加ベンダ情報：アップル (APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006) を追加 [2015年10月05日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：アップル (APPLE-SA-2015-09-16-4 OS X Server 5.0.3) を追加ベンダ情報：アップル (HT205219) を追加参考情報：JVN (JVNVU#99970459) を追加 [2016年01月29日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2016) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices) を追加ベンダ情報：オラクル (January 2016 Critical Patch Update Released) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2014-3581

Summary	The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.
Publication Date	Oct. 10, 2014, 7:55 p.m.
Registration Date	Jan. 26, 2021, 3:10 p.m.
Last Update	Nov. 21, 2024, 11:08 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:http_server:2.4.1:::::::*
cpe:2.3:a:apache:http_server:2.4.6:::::::*
cpe:2.3:a:apache:http_server:2.4.3:::::::*
cpe:2.3:a:apache:http_server:2.4.4:::::::*
cpe:2.3:a:apache:http_server:2.4.10:::::::*
cpe:2.3:a:apache:http_server:2.4.7:::::::*
cpe:2.3:a:apache:http_server:2.4.2:::::::*
cpe:2.3:a:apache:http_server:2.4.9:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:14.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::
cpe:2.3:o:canonical:ubuntu_linux:10.04::::-:::
cpe:2.3:o:canonical:ubuntu_linux:12.04::::-:::

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.3:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.5:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.7:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.1:::::::*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.0:::::::*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.0:::::::*
cpe:2.3:o:oracle:linux:6:-::::::
cpe:2.3:a:oracle:enterprise_manager_ops_center::::::::				12.1.4

Related information, measures and tools

No	URL	タグ
1	http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html	Broken Link Mailing List
2	http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html	Broken Link Mailing List
3	http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html	Broken Link Mailing List
4	http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html	Broken Link Mailing List
5	http://rhn.redhat.com/errata/RHSA-2015-0325.html	Third Party Advisory
6	http://rhn.redhat.com/errata/RHSA-2015-0325.html	Third Party Advisory
7	http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup&pathrev=1627749	Release Notes Vendor Advisory
8	http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup&pathrev=1627749	Release Notes Vendor Advisory
9	http://svn.apache.org/viewvc?view=revision&revision=1624234	Patch Vendor Advisory
10	http://svn.apache.org/viewvc?view=revision&revision=1624234	Patch Vendor Advisory
11	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html	Third Party Advisory
12	http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html	Third Party Advisory
13	http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html	Third Party Advisory
14	http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html	Third Party Advisory
15	http://www.securityfocus.com/bid/71656	Third Party Advisory VDB Entry
16	http://www.securityfocus.com/bid/71656	Third Party Advisory VDB Entry
17	http://www.securitytracker.com/id/1031005	Broken Link Third Party Advisory VDB Entry
18	http://www.securitytracker.com/id/1031005	Broken Link Third Party Advisory VDB Entry
19	http://www.ubuntu.com/usn/USN-2523-1	Third Party Advisory
20	http://www.ubuntu.com/usn/USN-2523-1	Third Party Advisory
21	https://bugzilla.redhat.com/show_bug.cgi?id=1149709	Issue Tracking Patch Third Party Advisory
22	https://bugzilla.redhat.com/show_bug.cgi?id=1149709	Issue Tracking Patch Third Party Advisory
23	https://exchange.xforce.ibmcloud.com/vulnerabilities/97027	Third Party Advisory VDB Entry
24	https://exchange.xforce.ibmcloud.com/vulnerabilities/97027	Third Party Advisory VDB Entry
25	https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
26	https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
27	https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
28	https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
29	https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E
30	https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E
31	https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
32	https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
33	https://lists.apache.org/thread.html/r83109088737656fa6307bd99ab40f8ff0269ae58d3f7272d7048494a%40%3Ccvs.httpd.apache.org%3E
34	https://lists.apache.org/thread.html/r83109088737656fa6307bd99ab40f8ff0269ae58d3f7272d7048494a%40%3Ccvs.httpd.apache.org%3E
35	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
36	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
37	https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E
38	https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E
39	https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E
40	https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E
41	https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
42	https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
43	https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
44	https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
45	https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
46	https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
47	https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E
48	https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E
49	https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
50	https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
51	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
52	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
53	https://security.gentoo.org/glsa/201610-02	Third Party Advisory
54	https://security.gentoo.org/glsa/201610-02	Third Party Advisory
55	https://support.apple.com/HT205219	Third Party Advisory
56	https://support.apple.com/HT205219	Third Party Advisory
57	https://support.apple.com/kb/HT205031	Third Party Advisory
58	https://support.apple.com/kb/HT205031	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-476	NULL ポインタデリファレンス	https://cwe.mitre.org/data/definitions/476.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:http_server:2.4.1:::::::*
cpe:2.3:a:apache:http_server:2.4.6:::::::*
cpe:2.3:a:apache:http_server:2.4.3:::::::*
cpe:2.3:a:apache:http_server:2.4.4:::::::*
cpe:2.3:a:apache:http_server:2.4.10:::::::*
cpe:2.3:a:apache:http_server:2.4.7:::::::*
cpe:2.3:a:apache:http_server:2.4.2:::::::*
cpe:2.3:a:apache:http_server:2.4.9:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.3:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.5:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.7:::::::*