Apache mod_ssl ssl_hook_Access Error Handling DoS
Medium Nessus Plugin ID 20386
Synopsis
The remote web server is affected by a denial of service vulnerability.

Description
The version of Apache running on the remote host is affected by a denial of service vulnerability due to a flaw in mod_ssl that occurs when it is configured with an SSL vhost with access control and a custom 400 error page. A remote attacker can exploit this, via a non-SSL request to an SSL port, to cause a NULL pointer to be dereferenced, resulting in crashing individual child processes or even the entire server.

Solution
Upgrade to Apache version 2.0.58 or later. Alternatively, update the Apache configuration to use 'SSLRequire' whenever 'SSLCipherSuite' is used.
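To check whether a host still needs the configuration workaround, the following added example (not part of the Nessus plugin or of Apache) audits configuration text for SSL vhosts that define a custom 400 error page and use 'SSLCipherSuite' without 'SSLRequire'. It assumes one directive per line and follows the advisory's wording literally, so 'SSLRequireSSL' is not counted as 'SSLRequire'; the sample configuration and host names are constructed.

```python
# Constructed sample configuration (not taken from any real host).
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName a.example
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL
    ErrorDocument 400 /errors/400.html
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example
    SSLEngine on
    ErrorDocument 400 /errors/400.html
    <Directory /srv/b>
        SSLCipherSuite HIGH:!aNULL
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName c.example
    SSLEngine on
    SSLCipherSuite HIGH
    SSLRequireSSL
    ErrorDocument 400 /errors/400.html
</VirtualHost>
"""

def audit(conf_text):
    """Return ServerNames of SSL vhosts that match the advisory's pattern."""
    findings, vhost = [], None
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # skip blank lines and comments
        name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if name.startswith("<virtualhost"):
            vhost = {"server": "(unnamed)", "seen": set()}
        elif name == "</virtualhost>" and vhost is not None:
            seen = vhost["seen"]
            # Pattern: SSL vhost + custom 400 page + cipher suite, no SSLRequire
            if {"ssl", "err400", "sslciphersuite"} <= seen and "sslrequire" not in seen:
                findings.append(vhost["server"])
            vhost = None
        elif vhost is not None:
            if name == "servername" and args:
                vhost["server"] = parts[1]
            elif name == "sslengine" and args[:1] == ["on"]:
                vhost["seen"].add("ssl")
            elif name == "errordocument" and args[:1] == ["400"]:
                vhost["seen"].add("err400")
            else:
                vhost["seen"].add(name)  # exact name: SSLRequireSSL != SSLRequire
    return findings
```

Directives inside nested containers such as `<Directory>` are attributed to the enclosing vhost, and server-level directives outside any `<VirtualHost>` are not considered, so an inherited global `ErrorDocument 400` needs a manual check.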