CVE-2014-3581
UnknownEPSS 13.21%
Last modified
CVE-2014-3581 is a vulnerability of currently unknown severity. The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.. EPSS estimates a 13.21% chance of exploitation in the next 30 days.
Description
The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Http Server | 2.4.1 |
| Apache | Http Server | 2.4.2 |
| Apache | Http Server | 2.4.3 |
| Apache | Http Server | 2.4.4 |
| Apache | Http Server | 2.4.6 |
| Apache | Http Server | 2.4.7 |
| Apache | Http Server | 2.4.9 |
| Apache | Http Server | 2.4.10 |
| Canonical | Ubuntu Linux | 10.04 |
| Canonical | Ubuntu Linux | 12.04 |
| Canonical | Ubuntu Linux | 14.04 |
| Canonical | Ubuntu Linux | 14.10 |
| Redhat | Enterprise Linux Desktop | 7.0 |
| Redhat | Enterprise Linux Eus | 7.3 |
| Redhat | Enterprise Linux Eus | 7.4 |
| Redhat | Enterprise Linux Eus | 7.5 |
| Redhat | Enterprise Linux Eus | 7.6 |
| Redhat | Enterprise Linux Eus | 7.7 |
| Redhat | Enterprise Linux Server | 7.0 |
| Redhat | Enterprise Linux Server Aus | 7.3 |
| Redhat | Enterprise Linux Server Aus | 7.4 |
| Redhat | Enterprise Linux Server Aus | 7.6 |
| Redhat | Enterprise Linux Server Aus | 7.7 |
| Redhat | Enterprise Linux Server Tus | 7.3 |
| Redhat | Enterprise Linux Server Tus | 7.6 |
| Redhat | Enterprise Linux Server Tus | 7.7 |
| Oracle | Enterprise Manager Ops Center | < 12.1.4 |
| Oracle | Enterprise Manager Ops Center | 12.2.0 |
| Oracle | Enterprise Manager Ops Center | 12.2.1 |
| Oracle | Enterprise Manager Ops Center | 12.3.0 |
| Oracle | Linux | 6 |
References
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.htmlBroken Link, Mailing List
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.htmlBroken Link, Mailing List
- http://rhn.redhat.com/errata/RHSA-2015-0325.htmlThird Party Advisory
- http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup&pathrev=1627749Release Notes, Vendor Advisory
- http://svn.apache.org/viewvc?view=revision&revision=1624234Patch, Vendor Advisory
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.htmlThird Party Advisory
- http://www.securityfocus.com/bid/71656Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id/1031005Broken Link, Third Party Advisory, VDB Entry
- http://www.ubuntu.com/usn/USN-2523-1Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1149709Issue Tracking, Patch, Third Party Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/97027Third Party Advisory, VDB Entry
- https://security.gentoo.org/glsa/201610-02Third Party Advisory
- https://support.apple.com/HT205219Third Party Advisory
- https://support.apple.com/kb/HT205031Third Party Advisory
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.htmlBroken Link, Mailing List
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.htmlBroken Link, Mailing List
- http://rhn.redhat.com/errata/RHSA-2015-0325.htmlThird Party Advisory
- http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup&pathrev=1627749Release Notes, Vendor Advisory
- http://svn.apache.org/viewvc?view=revision&revision=1624234Patch, Vendor Advisory
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.htmlThird Party Advisory
- http://www.securityfocus.com/bid/71656Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id/1031005Broken Link, Third Party Advisory, VDB Entry
- http://www.ubuntu.com/usn/USN-2523-1Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1149709Issue Tracking, Patch, Third Party Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/97027Third Party Advisory, VDB Entry
- https://security.gentoo.org/glsa/201610-02Third Party Advisory
- https://support.apple.com/HT205219Third Party Advisory
- https://support.apple.com/kb/HT205031Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2014-3581?
The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.
How severe is CVE-2014-3581?
Severity scoring for CVE-2014-3581 is pending analysis. The EPSS model estimates a 13.21% probability of exploitation in the next 30 days.
How do I fix CVE-2014-3581?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2014-3581?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST