製品・ソフトウェアに関する情報

JVN脆弱性詳細

Hitachi Web Server のリバースプロキシにおけるサービス運用妨害 (DoS) の脆弱性

タイトル	Hitachi Web Server のリバースプロキシにおけるサービス運用妨害 (DoS) の脆弱性
概要	Hitachi Web Server には、リバースプロキシとして使用している場合に、メモリ使用量が増大し、サービス運用妨害 (DoS) 状態となる脆弱性が存在します。
想定される影響	バックエンドの Web サーバから、不正なレスポンスを受信し続けることにより、サービス運用妨害 (DoS) 状態にされる可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2009年6月4日0:00
登録日	2009年7月10日12:09
最終更新日	2014年5月21日18:24

CVSS2.0 : 注意
スコア	2.6
ベクター	AV:N/AC:H/Au:N/C:N/I:N/A:P

影響を受けるシステム

日立

Hitachi Web Server

uCosminexus Application Server Enterprise

uCosminexus Application Server Standard

uCosminexus Developer Professional

uCosminexus Developer Standard

uCosminexus Service Architect

uCosminexus Service Platform

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2008-2364	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364
National Vulnerability Database (NVD)
2	CVE-2008-2364	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2364

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-noinfo	https://www.ipa.go.jp/security/vuln/CWE.html#CWEnoinfo

ベンダー情報

No	名前	URL
Hitachi Software Vulnerability Information
1	HS09-009	http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS09-009/index.html
ソフトウェア製品セキュリティ情報
2	HS09-009	http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS09-009/index.html

変更履歴

No	変更内容	変更日
0	[2009年07月10日] 掲載 [2014年05月21日] 参考情報：Common Vulnerabilities and Exposures (CVE) (CVE-2008-2364) を追加参考情報：National Vulnerability Database (NVD) (CVE-2008-2364) を追加	2018年2月17日10:37

NVD脆弱性情報

CVE-2008-2364

概要	The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses.
公表日	2008年6月14日3:41
登録日	2021年1月29日13:36
最終更新日	2023年2月13日11:19

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:apache:http_server::::::::	2.0.35			2.0.64
cpe:2.3:a:apache:http_server::::::::	2.2.0			2.2.9

構成2	以上	以下	より上	未満
cpe:2.3:o:canonical:ubuntu_linux:7.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:8.04::::-:::
cpe:2.3:o:canonical:ubuntu_linux:6.06:::::::*

構成3	以上	以下	より上	未満
cpe:2.3:o:fedoraproject:fedora:9:::::::*
cpe:2.3:o:fedoraproject:fedora:8:::::::*

構成4	以上	以下	より上	未満
cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:4.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:5.2:::::::*

関連情報、対策とツール

No	URL	refsource	タグ
1	http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=666154&r2=666153&pathrev=666154	CONFIRM	Patch Vendor Advisory
2	http://www.securityfocus.com/bid/29653	BID	Patch Third Party Advisory VDB Entry
3	http://secunia.com/advisories/30621	SECUNIA	Not Applicable Vendor Advisory
4	https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00153.html	FEDORA	Mailing List Third Party Advisory
5	http://secunia.com/advisories/31416	SECUNIA	Not Applicable
6	http://secunia.com/advisories/31404	SECUNIA	Not Applicable
7	http://secunia.com/advisories/31026	SECUNIA	Not Applicable
8	https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00055.html	FEDORA	Mailing List Third Party Advisory
9	http://security.gentoo.org/glsa/glsa-200807-06.xml	GENTOO	Third Party Advisory
10	http://www.securitytracker.com/id?1020267	SECTRACK	Broken Link Third Party Advisory VDB Entry
11	http://secunia.com/advisories/31651	SECUNIA	Not Applicable
12	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01539432	HP	Broken Link
13	http://www-01.ibm.com/support/docview.wss?uid=swg27008517	CONFIRM	Third Party Advisory
14	http://secunia.com/advisories/31904	SECUNIA	Not Applicable
15	http://www.mandriva.com/security/advisories?name=MDVSA-2008:195	MANDRIVA	Broken Link
16	http://www-1.ibm.com/support/docview.wss?uid=swg1PK67579	AIXAPAR	Third Party Advisory
17	http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html	APPLE	Broken Link Mailing List
18	http://www.securityfocus.com/bid/31681	BID	Third Party Advisory VDB Entry
19	http://support.apple.com/kb/HT3216	CONFIRM	Broken Link
20	http://secunia.com/advisories/32222	SECUNIA	Not Applicable
21	http://secunia.com/advisories/32685	SECUNIA	Not Applicable
22	http://rhn.redhat.com/errata/RHSA-2008-0967.html	REDHAT	Third Party Advisory
23	http://www.redhat.com/support/errata/RHSA-2008-0966.html	REDHAT	Third Party Advisory
24	http://www.mandriva.com/security/advisories?name=MDVSA-2008:237	MANDRIVA	Broken Link
25	http://marc.info/?l=bugtraq&m=123376588623823&w=2	HP	Issue Tracking Mailing List Third Party Advisory
26	http://secunia.com/advisories/33156	SECUNIA	Not Applicable
27	http://sunsolve.sun.com/search/document.do?assetkey=1-26-247666-1	SUNALERT	Broken Link
28	http://secunia.com/advisories/33797	SECUNIA	Not Applicable
29	http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0328	CONFIRM	Broken Link
30	http://secunia.com/advisories/32838	SECUNIA	Not Applicable
31	http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00001.html	SUSE	Mailing List Third Party Advisory
32	http://www.ubuntu.com/usn/USN-731-1	UBUNTU	Third Party Advisory
33	http://secunia.com/advisories/34259	SECUNIA	Not Applicable
34	http://secunia.com/advisories/34219	SECUNIA	Not Applicable
35	http://secunia.com/advisories/34418	SECUNIA	Not Applicable
36	http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html	SUSE	Mailing List Third Party Advisory
37	http://marc.info/?l=bugtraq&m=125631037611762&w=2	HP	Issue Tracking Mailing List Third Party Advisory
38	http://www.vupen.com/english/advisories/2008/2780	VUPEN	Permissions Required
39	http://www.vupen.com/english/advisories/2009/0320	VUPEN	Permissions Required
40	http://www.vupen.com/english/advisories/2008/1798	VUPEN	Permissions Required
41	http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html	CONFIRM	Third Party Advisory
42	https://exchange.xforce.ibmcloud.com/vulnerabilities/42987	XF	Third Party Advisory VDB Entry
43	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9577	OVAL	Third Party Advisory
44	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6084	OVAL	Third Party Advisory
45	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11713	OVAL	Third Party Advisory
46	http://www.securityfocus.com/archive/1/498567/100/0/threaded	BUGTRAQ	Third Party Advisory VDB Entry
47	http://www.securityfocus.com/archive/1/494858/100/0/threaded	BUGTRAQ	Third Party Advisory VDB Entry
48	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E	MISC
49	https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E	MISC
50	https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E	MISC
51	https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E	MISC
52	https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E	MISC
53	https://lists.apache.org/thread.html/r8c9983f1172a3415f915ddb7e14de632d2d0c326eb1285755a024165%40%3Ccvs.httpd.apache.org%3E	MISC
54	https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E	MISC
55	https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E	MISC
56	https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E	MISC
57	https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E	MISC
58	https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E	MISC
59	https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3Ccvs.httpd.apache.org%3E	MISC
60	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E	MISC
61	https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E	MISC
62	https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E	MISC
63	https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E	MISC
64	https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3Ccvs.httpd.apache.org%3E	MISC
65	https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E	MISC
66	https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E	MISC

共通脆弱性一覧

No	CWE	名前	URL
1	CWE-770	制限またはスロットリング無しのリソースの割り当て	https://cwe.mitre.org/data/definitions/770.html

構成4	以上	以下	より上	未満
cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:4.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:4.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:3.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:5.2:::::::*