CVE-2015-0228

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function.

References

https://github.com/apache/httpd/commit/643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef

http://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/CHANGES

http://www.ubuntu.com/usn/USN-2523-1

http://lists.opensuse.org/opensuse-updates/2015-03/msg00006.html

http://advisories.mageia.org/MGASA-2015-0099.html

http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html

https://support.apple.com/kb/HT205031

http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html

https://support.apple.com/HT205219

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

http://www.securityfocus.com/bid/91787

http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

http://www.securityfocus.com/bid/73041

http://www.securitytracker.com/id/1032967

http://rhn.redhat.com/errata/RHSA-2015-1666.html

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://github.com/apache/httpd/commit/78eb3b9235515652ed141353d98c239237030410

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

Details

Source: MITRE

Published: 2015-03-08

Updated: 2021-06-06

Type: CWE-20

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Tenable Plugins

View all (16 total)

IDNameProductFamilySeverity
98908Apache 2.4.x < 2.4.16 Multiple VulnerabilitiesWeb Application ScanningComponent Vulnerability
high
8981Mac OS X < 10.10.5 Multiple VulnerabilitiesNessus Network MonitorOperating System Detection
high
8970Apache HTTP Server 2.4.x < 2.4.16 Multiple VulnerabilitiesNessus Network MonitorWeb Servers
medium
86066Mac OS X : OS X Server < 5.0.3 Multiple VulnerabilitiesNessusMacOS X Local Security Checks
critical
85452Amazon Linux AMI : httpd24 (ALAS-2015-579)NessusAmazon Linux Local Security Checks
medium
85409Mac OS X Multiple Vulnerabilities (Security Update 2015-006)NessusMacOS X Local Security Checks
high
85408Mac OS X 10.10.x < 10.10.5 Multiple VulnerabilitiesNessusMacOS X Local Security Checks
high
85092Fedora 21 : httpd-2.4.16-1.fc21 (2015-11792)NessusFedora Local Security Checks
medium
84959Apache 2.4.x < 2.4.16 Multiple VulnerabilitiesNessusWeb Servers
medium
84906Fedora 22 : httpd-2.4.16-1.fc22 (2015-11689)NessusFedora Local Security Checks
medium
84829Slackware 14.0 / 14.1 / current : httpd (SSA:2015-198-01)NessusSlackware Local Security Checks
medium
84781FreeBSD : apache24 -- multiple vulnerabilities (a12494c1-2af4-11e5-86ff-14dae9d210b8)NessusFreeBSD Local Security Checks
medium
83945SUSE SLES12 Security Update : apache2 (SUSE-SU-2015:0974-1)NessusSuSE Local Security Checks
medium
82346Mandriva Linux Security Advisory : apache (MDVSA-2015:093)NessusMandriva Local Security Checks
medium
81755Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : apache2 vulnerabilities (USN-2523-1)NessusUbuntu Local Security Checks
medium
81622openSUSE Security Update : apache2 (openSUSE-2015-191)NessusSuSE Local Security Checks
medium