製品・ソフトウェアに関する情報

JVN脆弱性詳細

Apache HTTP Server の mod_isapi における脆弱性

タイトル	Apache HTTP Server の mod_isapi における脆弱性
概要	Windows 上で稼働する Apache HTTP Server の mod_isapi の modules/arch/win32/mod_isapi.c には、リクエストの処理が完了する前に ISAPI .dll モジュールの isapi_unload を呼び出す可能性があるため、詳細不明な脆弱性が存在します。
想定される影響	この脆弱性による影響の詳細は不明です。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2010年3月5日0:00
登録日	2010年3月17日12:22
最終更新日	2013年7月18日19:23

CVSS2.0 : 危険
スコア	10
ベクター	AV:N/AC:L/Au:N/C:C/I:C/A:C

影響を受けるシステム

Apache Software Foundation

Apache HTTP Server 2.3.6 未満

オラクル

Oracle HTTP Server 10.1.3.5.0

IBM

IBM HTTP Server 2.0.47.x

IBM HTTP Server 6.0

IBM HTTP Server 6.1

ターボリナックス

Turbolinux Appliance Server 2.0

Turbolinux Appliance Server 3.0

Turbolinux Appliance Server 3.0 (x64)

Turbolinux Client 2008

Turbolinux FUJI (延長メンテナンス)

Turbolinux Server 10

Turbolinux Server 10 (x64)

Turbolinux Server 11

Turbolinux Server 11 (x64)

富士通

Interstage Application Server

Interstage Studio

Interstage Web Server

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2010-0425	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0425
National Vulnerability Database (NVD)
2	CVE-2010-0425	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0425

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-noinfo	https://www.ipa.go.jp/security/vuln/CWE.html#CWEnoinfo

ベンダー情報

No	名前	URL
Apache httpd 2.0 vulnerabilities
1	Fixed in Apache httpd 2.0.64	http://httpd.apache.org/security/vulnerabilities_20.html#2.0.64
Apache httpd 2.2 vulnerabilities
2	Fixed in Apache httpd 2.2.15	http://httpd.apache.org/security/vulnerabilities_22.html#2.2.15
Apache Software Foundation
3	Changes with Apache 2.3.7	http://svn.apache.org/repos/asf/httpd/httpd/trunk/CHANGES
Apache-SVN
4	917870	http://svn.apache.org/viewvc?view=revision&revision=917870
IBM Support Document
5	7008517	http://www-01.ibm.com/support/docview.wss?uid=swg27008517#61031
6	PM09447	http://www-01.ibm.com/support/docview.wss?uid=swg1PM09447
7	PM10658	http://www-01.ibm.com/support/docview.wss?uid=swg1PM10658
Oracle Critical Patch Update
8	Oracle Critical Patch Update Advisory - July 2013	http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
9	Text Form of Oracle Critical Patch Update - July 2013 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujuly2013verbose-1899830.html
SECURITY BLOG
10	July 2013 Critical Patch Update Released	https://blogs.oracle.com/security/entry/july_2013_critical_patch_update
Turbolinux Security Advisory
11	TLSA-2010-30	http://www.turbolinux.co.jp/security/2010/TLSA-2010-30j.txt
富士通セキュリティ情報
12	interstage_as_201002	http://software.fujitsu.com/jp/security/products-fujitsu/solution/interstage_as_201002.html

その他

No	名前	URL
ISS X-Force Database
1	56624	http://xforce.iss.net/xforce/xfdb/56624
Secunia Advisory
2	SA38776	http://secunia.com/advisories/38776/
3	SA38852	http://secunia.com/advisories/38852/
SecurityFocus
4	38494	http://www.securityfocus.com/bid/38494
US-CERT Vulnerability Note
5	VU#280613	http://www.kb.cert.org/vuls/id/280613
VUPEN Security
6	VUPEN/ADV-2010-0554	http://www.vupen.com/english/advisories/2010/0554

変更履歴

No	変更内容	変更日
0	[2010年03月17日] 掲載 [2010年04月28日] 影響を受けるシステム：IBM (PM10658) の情報を追加ベンダ情報：IBM (PM10658) を追加 [2010年05月27日] ベンダ情報：IBM (7008517) を追加 [2010年07月12日] 影響を受けるシステム：Apache Software Foundation (Changes with Apache 2.3.6) の情報を追加ベンダ情報：Apache Software Foundation (Changes with Apache 2.3.6) を追加 [2010年08月06日] 影響を受けるシステム：富士通 (interstage_as_201002) の情報を追加ベンダ情報：富士通 (interstage_as_201002) を追加 [2010年09月27日] 影響を受けるシステム：ターボリナックス (TLSA-2010-30) の情報を追加ベンダ情報：ターボリナックス (TLSA-2010-30) を追加 [2010年11月04日] ベンダ情報：Apache Software Foundation (Fixed in Apache httpd 2.0.64) を追加 [2013年07月18日] 影響を受けるシステム：オラクル (Oracle Critical Patch Update Advisory - July 2013) の情報を追加ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - July 2013) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - July 2013 Risk Matrices) を追加ベンダ情報：オラクル (July 2013 Critical Patch Update Released) を追加	2018年2月17日10:37

NVD脆弱性情報

CVE-2010-0425

概要	modules/arch/win32/mod_isapi.c in mod_isapi in the Apache HTTP Server 2.0.37 through 2.0.63, 2.2.0 through 2.2.14, and 2.3.x before 2.3.7, when running on Windows, does not ensure that request processing is complete before calling isapi_unload for an ISAPI .dll module, which allows remote attackers to execute arbitrary code via unspecified vectors related to a crafted request, a reset packet, and "orphaned callback pointers."
公表日	2010年3月6日4:30
登録日	2021年1月29日10:56
最終更新日	2024年2月14日10:17

影響を受けるソフトウェアの構成

構成1		以上	以下	より上	未満
cpe:2.3:a:apache:http_server:2.3.0:::::::*
cpe:2.3:a:apache:http_server:2.3.1:::::::*
cpe:2.3:a:apache:http_server:2.3.2:::::::*
cpe:2.3:a:apache:http_server:2.3.3:::::::*
cpe:2.3:a:apache:http_server:2.3.4:::::::*
cpe:2.3:a:apache:http_server:2.3.5:::::::*
cpe:2.3:a:apache:http_server:2.3.6:::::::*
実行環境
1	cpe:2.3:o:microsoft:windows::::::::

構成2		以上	以下	より上	未満
cpe:2.3:a:apache:http_server:2.0.9:::::::*
cpe:2.3:a:apache:http_server:2.0.28:::::::*
cpe:2.3:a:apache:http_server:2.0.28:beta::::::
cpe:2.3:a:apache:http_server:2.0.32:beta::::::
cpe:2.3:a:apache:http_server:2.0.32:::::::*
cpe:2.3:a:apache:http_server:2.0.34:beta::::::
cpe:2.3:a:apache:http_server:2.0.35:::::::*
cpe:2.3:a:apache:http_server:2.0.36:::::::*
cpe:2.3:a:apache:http_server:2.0.37:::::::*
cpe:2.3:a:apache:http_server:2.0.38:::::::*
cpe:2.3:a:apache:http_server:2.0.39:::::::*
cpe:2.3:a:apache:http_server:2.0.40:::::::*
cpe:2.3:a:apache:http_server:2.0.41:::::::*
cpe:2.3:a:apache:http_server:2.0.42:::::::*
cpe:2.3:a:apache:http_server:2.0.43:::::::*
cpe:2.3:a:apache:http_server:2.0.44:::::::*
cpe:2.3:a:apache:http_server:2.0.45:::::::*
cpe:2.3:a:apache:http_server:2.0.46:::::::*
cpe:2.3:a:apache:http_server:2.0.47:::::::*
cpe:2.3:a:apache:http_server:2.0.48:::::::*
cpe:2.3:a:apache:http_server:2.0.49:::::::*
cpe:2.3:a:apache:http_server:2.0.50:::::::*
cpe:2.3:a:apache:http_server:2.0.51:::::::*
cpe:2.3:a:apache:http_server:2.0.52:::::::*
cpe:2.3:a:apache:http_server:2.0.53:::::::*
cpe:2.3:a:apache:http_server:2.0.54:::::::*
cpe:2.3:a:apache:http_server:2.0.55:::::::*
cpe:2.3:a:apache:http_server:2.0.56:::::::*
cpe:2.3:a:apache:http_server:2.0.57:::::::*
cpe:2.3:a:apache:http_server:2.0.58:::::::*
cpe:2.3:a:apache:http_server:2.0.59:::::::*
cpe:2.3:a:apache:http_server:2.0.60:::::::*
cpe:2.3:a:apache:http_server:2.0.61:::::::*
cpe:2.3:a:apache:http_server:2.0.63:::::::*
実行環境
1	cpe:2.3:o:microsoft:windows::::::::

構成3		以上	以下	より上	未満
cpe:2.3:a:apache:http_server:-:::::::*
cpe:2.3:a:apache:http_server:2.2.0:::::::*
cpe:2.3:a:apache:http_server:2.2.1:::::::*
cpe:2.3:a:apache:http_server:2.2.2:::::::*
cpe:2.3:a:apache:http_server:2.2.3:::::::*
cpe:2.3:a:apache:http_server:2.2.4:::::::*
cpe:2.3:a:apache:http_server:2.2.6:::::::*
cpe:2.3:a:apache:http_server:2.2.7:::::::*
cpe:2.3:a:apache:http_server:2.2.8:::::::*
cpe:2.3:a:apache:http_server:2.2.9:::::::*
cpe:2.3:a:apache:http_server:2.2.10:::::::*
cpe:2.3:a:apache:http_server:2.2.11:::::::*
cpe:2.3:a:apache:http_server:2.2.12:::::::*
cpe:2.3:a:apache:http_server:2.2.13:::::::*
cpe:2.3:a:apache:http_server:2.2.14:::::::*
実行環境
1	cpe:2.3:o:microsoft:windows::::::::

関連情報、対策とツール

No	URL	refsource	タグ
1	http://svn.apache.org/viewvc?view=revision&revision=917870	CONFIRM
2	http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=917870&r2=917869&pathrev=917870	CONFIRM
3	http://www.securityfocus.com/bid/38494	BID	Exploit
4	http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/arch/win32/mod_isapi.c?r1=917870&r2=917869&pathrev=917870	CONFIRM
5	http://www.senseofsecurity.com.au/advisories/SOS-10-002	MISC	URL Repurposed
6	http://httpd.apache.org/security/vulnerabilities_22.html	CONFIRM
7	http://www.securitytracker.com/id?1023701	SECTRACK
8	http://www.vupen.com/english/advisories/2010/0634	VUPEN	Vendor Advisory
9	http://www-01.ibm.com/support/docview.wss?uid=swg1PM09447	AIXAPAR
10	http://www.kb.cert.org/vuls/id/280613	CERT-VN	US Government Resource
11	http://httpd.apache.org/security/vulnerabilities_20.html	CONFIRM
12	http://secunia.com/advisories/38978	SECUNIA	Vendor Advisory
13	http://www-01.ibm.com/support/docview.wss?uid=swg1PM12247	AIXAPAR
14	http://secunia.com/advisories/39628	SECUNIA	Vendor Advisory
15	http://www.vupen.com/english/advisories/2010/0994	VUPEN	Vendor Advisory
16	http://lists.vmware.com/pipermail/security-announce/2010/000105.html	MLIST
17	http://www.vmware.com/security/advisories/VMSA-2010-0014.html	CONFIRM
18	http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html	CONFIRM
19	https://exchange.xforce.ibmcloud.com/vulnerabilities/56624	XF
20	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8439	OVAL
21	https://www.exploit-db.com/exploits/11650	MISC
22	https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E
23	https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E
24	https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
25	https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
26	https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
27	https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E
28	https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E
29	https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
30	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
31	https://lists.apache.org/thread.html/reb7c64aeea604bf948467d9d1cab8ff23fa7d002be1964bcc275aae7%40%3Ccvs.httpd.apache.org%3E
32	https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
33	https://lists.apache.org/thread.html/r2295080a257bad27ea68ca0af12fc715577f9e84801eae116a33107e%40%3Ccvs.httpd.apache.org%3E
34	https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E
35	https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E
36	https://lists.apache.org/thread.html/rad2acee3ab838b52c04a0698b1728a9a43467bf365bd481c993c535d%40%3Ccvs.httpd.apache.org%3E
37	https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
38	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
39	https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E
40	https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4%40%3Ccvs.httpd.apache.org%3E
41	https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10%40%3Ccvs.httpd.apache.org%3E
42	https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

共通脆弱性一覧

構成1		以上	以下	より上	未満
cpe:2.3:a:apache:http_server:2.3.0:::::::*
cpe:2.3:a:apache:http_server:2.3.1:::::::*
cpe:2.3:a:apache:http_server:2.3.2:::::::*
cpe:2.3:a:apache:http_server:2.3.3:::::::*
cpe:2.3:a:apache:http_server:2.3.4:::::::*
cpe:2.3:a:apache:http_server:2.3.5:::::::*
cpe:2.3:a:apache:http_server:2.3.6:::::::*
実行環境
1	cpe:2.3:o:microsoft:windows::::::::

構成2		以上	以下	より上	未満
cpe:2.3:a:apache:http_server:2.0.9:::::::*
cpe:2.3:a:apache:http_server:2.0.28:::::::*
cpe:2.3:a:apache:http_server:2.0.28:beta::::::
cpe:2.3:a:apache:http_server:2.0.32:beta::::::
cpe:2.3:a:apache:http_server:2.0.32:::::::*
cpe:2.3:a:apache:http_server:2.0.34:beta::::::
cpe:2.3:a:apache:http_server:2.0.35:::::::*
cpe:2.3:a:apache:http_server:2.0.36:::::::*
cpe:2.3:a:apache:http_server:2.0.37:::::::*
cpe:2.3:a:apache:http_server:2.0.38:::::::*
cpe:2.3:a:apache:http_server:2.0.39:::::::*
cpe:2.3:a:apache:http_server:2.0.40:::::::*
cpe:2.3:a:apache:http_server:2.0.41:::::::*
cpe:2.3:a:apache:http_server:2.0.42:::::::*
cpe:2.3:a:apache:http_server:2.0.43:::::::*
cpe:2.3:a:apache:http_server:2.0.44:::::::*
cpe:2.3:a:apache:http_server:2.0.45:::::::*
cpe:2.3:a:apache:http_server:2.0.46:::::::*
cpe:2.3:a:apache:http_server:2.0.47:::::::*
cpe:2.3:a:apache:http_server:2.0.48:::::::*
cpe:2.3:a:apache:http_server:2.0.49:::::::*
cpe:2.3:a:apache:http_server:2.0.50:::::::*
cpe:2.3:a:apache:http_server:2.0.51:::::::*
cpe:2.3:a:apache:http_server:2.0.52:::::::*
cpe:2.3:a:apache:http_server:2.0.53:::::::*
cpe:2.3:a:apache:http_server:2.0.54:::::::*
cpe:2.3:a:apache:http_server:2.0.55:::::::*
cpe:2.3:a:apache:http_server:2.0.56:::::::*
cpe:2.3:a:apache:http_server:2.0.57:::::::*
cpe:2.3:a:apache:http_server:2.0.58:::::::*
cpe:2.3:a:apache:http_server:2.0.59:::::::*
cpe:2.3:a:apache:http_server:2.0.60:::::::*
cpe:2.3:a:apache:http_server:2.0.61:::::::*
cpe:2.3:a:apache:http_server:2.0.63:::::::*
実行環境
1	cpe:2.3:o:microsoft:windows::::::::

構成3		以上	以下	より上	未満
cpe:2.3:a:apache:http_server:-:::::::*
cpe:2.3:a:apache:http_server:2.2.0:::::::*
cpe:2.3:a:apache:http_server:2.2.1:::::::*
cpe:2.3:a:apache:http_server:2.2.2:::::::*
cpe:2.3:a:apache:http_server:2.2.3:::::::*
cpe:2.3:a:apache:http_server:2.2.4:::::::*
cpe:2.3:a:apache:http_server:2.2.6:::::::*
cpe:2.3:a:apache:http_server:2.2.7:::::::*
cpe:2.3:a:apache:http_server:2.2.8:::::::*
cpe:2.3:a:apache:http_server:2.2.9:::::::*
cpe:2.3:a:apache:http_server:2.2.10:::::::*
cpe:2.3:a:apache:http_server:2.2.11:::::::*
cpe:2.3:a:apache:http_server:2.2.12:::::::*
cpe:2.3:a:apache:http_server:2.2.13:::::::*
cpe:2.3:a:apache:http_server:2.2.14:::::::*
実行環境
1	cpe:2.3:o:microsoft:windows::::::::