製品・ソフトウェアに関する情報

JVN脆弱性詳細

Apache HTTP Server の ap_proxy_send_fb 関数における整数オーバーフローの脆弱性

タイトル	Apache HTTP Server の ap_proxy_send_fb 関数における整数オーバーフローの脆弱性
概要	64-bit プラットフォーム上で稼動する Apache HTTP Server の mod_proxy の ap_proxy_send_fb 関数には、サービス運用妨害 (DoS) 状態となる、または任意のコードを実行される脆弱性が存在します。
想定される影響	リモートのオリジンサーバにより、ヒープベースのバッファオーバーフローを誘発する大きなチャンクサイズを介して、サービス運用妨害 (DoS) 状態にされる、または任意のコードを実行される可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2010年2月2日0:00
登録日	2010年2月24日12:25
最終更新日	2010年2月24日12:25

CVSS2.0 : 警告
スコア	6.8
ベクター	AV:N/AC:M/Au:N/C:P/I:P/A:P

影響を受けるシステム

Apache Software Foundation

Apache HTTP Server 1.3.42 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2010-0010	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0010
National Vulnerability Database (NVD)
2	CVE-2010-0010	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0010

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-189	https://jvndb.jvn.jp/ja/cwe/CWE-189.html

ベンダー情報

No	名前	URL
Apache httpd 1.3 vulnerabilities
1	Fixed in Apache httpd 1.3.42	http://httpd.apache.org/security/vulnerabilities_13.html#1.3.42
Apache Released
2	Apache HTTP Server 1.3.42 Released	http://www.apache.org/dist/httpd/Announcement1.3.html
Changes with Apache
3	CHANGES_1.3.42	http://httpd.apache.org/dev/dist/CHANGES_1.3.42

その他

No	名前	URL
ISS X-Force Database
1	55941	http://xforce.iss.net/xforce/xfdb/55941
Secunia Advisory
2	SA38319	http://secunia.com/advisories/38319/
SecurityFocus
3	37966	http://www.securityfocus.com/bid/37966
VUPEN Security
4	VUPEN/ADV-2010-0240	http://www.vupen.com/english/advisories/2010/0240

変更履歴

No	変更内容	変更日
0	[2010年02月24日] 掲載	2018年2月17日10:37

NVD脆弱性情報

CVE-2010-0010

概要	Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow.
公表日	2010年2月3日1:30
登録日	2021年1月29日10:55
最終更新日	2023年11月7日11:04

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:apache:http_server:1.3.38:::::::*
cpe:2.3:a:apache:http_server:1.3.23:::::::*
cpe:2.3:a:apache:http_server:1.3.27:::::::*
cpe:2.3:a:apache:http_server:1.3.10:::::::*
cpe:2.3:a:apache:http_server:1.0.5:::::::*
cpe:2.3:a:apache:http_server:0.8.11:::::::*
cpe:2.3:a:apache:http_server:1.3.33:::::::*
cpe:2.3:a:apache:http_server:1.3.36:::::::*
cpe:2.3:a:apache:http_server:1.3.1:::::::*
cpe:2.3:a:apache:http_server:1.3.25:::::::*
cpe:2.3:a:apache:http_server:1.3.28:::::::*
cpe:2.3:a:apache:http_server:1.3.19:::::::*
cpe:2.3:a:apache:http_server:1.3.40:::::::*
cpe:2.3:a:apache:http_server:1.3.31:::::::*
cpe:2.3:a:apache:http_server:1.3.24:::::::*
cpe:2.3:a:apache:http_server:1.3.20:::::::*
cpe:2.3:a:apache:http_server:1.3.35:::::::*
cpe:2.3:a:apache:http_server:1.1:::::::*
cpe:2.3:a:apache:http_server:1.3.2:::::::*
cpe:2.3:a:apache:http_server:1.3.34:::::::*
cpe:2.3:a:apache:http_server:1.3.4:::::::*
cpe:2.3:a:apache:http_server:1.2.5:::::::*
cpe:2.3:a:apache:http_server:1.3.13:::::::*
cpe:2.3:a:apache:http_server:1.0:::::::*
cpe:2.3:a:apache:http_server:1.2.4:::::::*
cpe:2.3:a:apache:http_server:1.3.39:::::::*
cpe:2.3:a:apache:http_server:1.3.30:::::::*
cpe:2.3:a:apache:http_server:1.3.18:::::::*
cpe:2.3:a:apache:http_server:1.0.3:::::::*
cpe:2.3:a:apache:http_server:1.3.0:::::::*
cpe:2.3:a:apache:http_server:1.3:::::::*
cpe:2.3:a:apache:http_server:1.3.12:::::::*
cpe:2.3:a:apache:http_server:1.3.3:::::::*
cpe:2.3:a:apache:http_server:1.3.17:::::::*
cpe:2.3:a:apache:http_server:0.8.14:::::::*
cpe:2.3:a:apache:http_server:1.3.26:::::::*
cpe:2.3:a:apache:http_server::::::::		1.3.41
cpe:2.3:a:apache:http_server:1.3.32:::::::*
cpe:2.3:a:apache:http_server:1.3.15:::::::*
cpe:2.3:a:apache:http_server:1.3.14:::::::*
cpe:2.3:a:apache:http_server:1.3.29:::::::*
cpe:2.3:a:apache:http_server:1.3.22:::::::*
cpe:2.3:a:apache:http_server:1.3.37:::::::*
cpe:2.3:a:apache:http_server:1.3.11:::::::*
cpe:2.3:a:apache:http_server:1.2.6:::::::*
cpe:2.3:a:apache:http_server:1.2:::::::*

関連情報、対策とツール

No	URL	refsource	タグ
1	http://site.pi3.com.pl/adv/mod_proxy.txt	MISC
2	http://blog.pi3.com.pl/?p=69	MISC
3	http://httpd.apache.org/dev/dist/CHANGES_1.3.42	CONFIRM
4	http://secunia.com/advisories/38319	SECUNIA	Vendor Advisory
5	http://www.vupen.com/english/advisories/2010/0240	VUPEN	Vendor Advisory
6	http://packetstormsecurity.org/1001-exploits/modproxy-overflow.txt	MISC	Exploit
7	http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0589.html	FULLDISC	Exploit
8	http://www.securityfocus.com/bid/37966	BID	Exploit
9	http://www.securitytracker.com/id?1023533	SECTRACK
10	http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00006.html	SUSE
11	http://secunia.com/advisories/39656	SECUNIA
12	http://www.vupen.com/english/advisories/2010/1001	VUPEN
13	http://marc.info/?l=bugtraq&m=130497311408250&w=2	HP
14	https://exchange.xforce.ibmcloud.com/vulnerabilities/55941	XF
15	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7923	OVAL
16	http://www.securityfocus.com/archive/1/509185/100/0/threaded	BUGTRAQ
17	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
18	https://lists.apache.org/thread.html/reb7c64aeea604bf948467d9d1cab8ff23fa7d002be1964bcc275aae7%40%3Ccvs.httpd.apache.org%3E
19	https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E
20	https://lists.apache.org/thread.html/r2295080a257bad27ea68ca0af12fc715577f9e84801eae116a33107e%40%3Ccvs.httpd.apache.org%3E
21	https://lists.apache.org/thread.html/rad2acee3ab838b52c04a0698b1728a9a43467bf365bd481c993c535d%40%3Ccvs.httpd.apache.org%3E
22	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
23	https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E

共通脆弱性一覧

No	CWE	名前	URL
1	CWE-189	数値処理の問題	https://cwe.mitre.org/data/definitions/189.html

構成1	以上	以下	より上	未満
cpe:2.3:a:apache:http_server:1.3.38:::::::*
cpe:2.3:a:apache:http_server:1.3.23:::::::*
cpe:2.3:a:apache:http_server:1.3.27:::::::*
cpe:2.3:a:apache:http_server:1.3.10:::::::*
cpe:2.3:a:apache:http_server:1.0.5:::::::*
cpe:2.3:a:apache:http_server:0.8.11:::::::*
cpe:2.3:a:apache:http_server:1.3.33:::::::*
cpe:2.3:a:apache:http_server:1.3.36:::::::*
cpe:2.3:a:apache:http_server:1.3.1:::::::*
cpe:2.3:a:apache:http_server:1.3.25:::::::*
cpe:2.3:a:apache:http_server:1.3.28:::::::*
cpe:2.3:a:apache:http_server:1.3.19:::::::*
cpe:2.3:a:apache:http_server:1.3.40:::::::*
cpe:2.3:a:apache:http_server:1.3.31:::::::*
cpe:2.3:a:apache:http_server:1.3.24:::::::*
cpe:2.3:a:apache:http_server:1.3.20:::::::*
cpe:2.3:a:apache:http_server:1.3.35:::::::*
cpe:2.3:a:apache:http_server:1.1:::::::*
cpe:2.3:a:apache:http_server:1.3.2:::::::*
cpe:2.3:a:apache:http_server:1.3.34:::::::*
cpe:2.3:a:apache:http_server:1.3.4:::::::*
cpe:2.3:a:apache:http_server:1.2.5:::::::*
cpe:2.3:a:apache:http_server:1.3.13:::::::*
cpe:2.3:a:apache:http_server:1.0:::::::*
cpe:2.3:a:apache:http_server:1.2.4:::::::*
cpe:2.3:a:apache:http_server:1.3.39:::::::*
cpe:2.3:a:apache:http_server:1.3.30:::::::*
cpe:2.3:a:apache:http_server:1.3.18:::::::*
cpe:2.3:a:apache:http_server:1.0.3:::::::*
cpe:2.3:a:apache:http_server:1.3.0:::::::*
cpe:2.3:a:apache:http_server:1.3:::::::*
cpe:2.3:a:apache:http_server:1.3.12:::::::*
cpe:2.3:a:apache:http_server:1.3.3:::::::*
cpe:2.3:a:apache:http_server:1.3.17:::::::*
cpe:2.3:a:apache:http_server:0.8.14:::::::*
cpe:2.3:a:apache:http_server:1.3.26:::::::*
cpe:2.3:a:apache:http_server::::::::		1.3.41
cpe:2.3:a:apache:http_server:1.3.32:::::::*
cpe:2.3:a:apache:http_server:1.3.15:::::::*
cpe:2.3:a:apache:http_server:1.3.14:::::::*
cpe:2.3:a:apache:http_server:1.3.29:::::::*
cpe:2.3:a:apache:http_server:1.3.22:::::::*
cpe:2.3:a:apache:http_server:1.3.37:::::::*
cpe:2.3:a:apache:http_server:1.3.11:::::::*
cpe:2.3:a:apache:http_server:1.2.6:::::::*
cpe:2.3:a:apache:http_server:1.2:::::::*