CVE-2009-1890

httpd: mod_proxy reverse proxy DoS (infinite loop)

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests.

La función stream_reqbody_cl de mod_proxy_http.c en el módulo mod_proxy del Servidor HTTP de Apache anterior a v2.3.3, cuando está configurado un proxy inverso, no maneja adecuadamente un flujo de datos que exceda el valor de Content-Length (Longitud del Contenido), esto permite a atacantes remotos provocar una denegación de servicio (consumo de la CPU) a través de una solicitud manipulada.

The previous update caused a regression for apache2 in Debian 4.0 "etch". Using mod_deflate together with mod_php could cause segfaults when a client aborts a connection. This update corrects this flaw. A denial of service flaw was found in the Apache mod_proxy module when it was used as a reverse proxy. A remote attacker could use this flaw to force a proxy process to consume large amounts of CPU time. This issue did not affect Debian 4.0 "etch". A denial of service flaw was found in the Apache mod_deflate module. This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file. A similar flaw related to HEAD requests for compressed content was also fixed.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2009-06-02 CVE Reserved
2009-07-05 CVE Published
2024-08-07 CVE Updated
2025-07-04 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CAPEC

References (50)

URL	Tag	Source
http://osvdb.org/55553	Broken Link
http://secunia.com/advisories/35721	Not Applicable
http://secunia.com/advisories/35793	Not Applicable
http://secunia.com/advisories/35865	Not Applicable
http://support.apple.com/kb/HT3937	Broken Link
http://wiki.rpath.com/Advisories:rPSA-2009-0142	Broken Link
http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html	Third Party Advisory
http://www.securityfocus.com/archive/1/507852/100/0/threaded	Mailing List
http://www.securityfocus.com/archive/1/507857/100/0/threaded	Mailing List
http://www.securityfocus.com/bid/35565	Third Party Advisory
http://www.securitytracker.com/id?1022509	Broken Link
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rb33be0aa9bd8cac9536293e3821dcd4cf8180ad95a8036eedd46365e%40%3Cusers.mina.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12330	Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8616	Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9403	Signature

URL	Date	SRC

URL	Date	SRC
http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=790587&r2=790586&pathrev=790587	2023-02-13
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=790587&r2=790586&pathrev=790587	2023-02-13

URL	Date	SRC
http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html	2023-02-13
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html	2023-02-13
http://marc.info/?l=bugtraq&m=129190899612998&w=2	2023-02-13
http://secunia.com/advisories/35691	2023-02-13
http://secunia.com/advisories/37152	2023-02-13
http://secunia.com/advisories/37221	2023-02-13
http://security.gentoo.org/glsa/glsa-200907-04.xml	2023-02-13
http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?revision=790587	2023-02-13
http://svn.apache.org/viewvc?view=rev&revision=790587	2023-02-13
http://www-01.ibm.com/support/docview.wss?uid=swg1PK91259	2023-02-13
http://www-01.ibm.com/support/docview.wss?uid=swg1PK99480	2023-02-13
http://www.debian.org/security/2009/dsa-1834	2023-02-13
http://www.mandriva.com/security/advisories?name=MDVSA-2009:149	2023-02-13
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150	2023-02-13
http://www.redhat.com/support/errata/RHSA-2009-1156.html	2023-02-13
http://www.ubuntu.com/usn/USN-802-1	2023-02-13
https://rhn.redhat.com/errata/RHSA-2009-1148.html	2023-02-13
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01363.html	2023-02-13
https://access.redhat.com/security/cve/CVE-2009-1890	2009-07-17
https://bugzilla.redhat.com/show_bug.cgi?id=509375	2009-07-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				>= 2.2.0 < 2.2.12 Search vendor "Apache" for product "Http Server" and version " >= 2.2.0 < 2.2.12"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				11 Search vendor "Fedoraproject" for product "Fedora" and version "11"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				4.0 Search vendor "Debian" for product "Debian Linux" and version "4.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				5.0 Search vendor "Debian" for product "Debian Linux" and version "5.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				6.0 Search vendor "Debian" for product "Debian Linux" and version "6.0"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				6.06 Search vendor "Canonical" for product "Ubuntu Linux" and version "6.06"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				8.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "8.04"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				8.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "8.10"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				9.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "9.04"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				5.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "5.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus"				5.3 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "5.3"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				5.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "5.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Aus Search vendor "Redhat" for product "Enterprise Linux Server Aus"				5.3 Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "5.3"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				5.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "5.0"		-		Affected