Vulnerability Name:

CVE-2007-3303 (CCN-34963)

Assigned:2007-06-20
Published:2007-06-20
Updated:2018-10-16
Summary:Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows local users to cause a denial of service via certain code sequences executed in a worker process that (1) stop request processing by killing all worker processes and preventing creation of replacements or (2) hang the system by forcing the master process to fork an arbitrarily large number of worker processes.
Note: This might be an inherent design limitation of Apache with respect to worker processes in hosted environments.
CVSS v3 Severity:5.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:4.9 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C)
3.9 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C)
3.6 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-94
Vulnerability Consequences:Denial of Service
References:Source: CCN
Type: Full-Disclosure Mailing List, Tue Jun 19 2007 - 18:50:36 CDT
Apache Prefork MPM vulnerabilities - Report

Source: MITRE
Type: CNA
CVE-2007-3303

Source: OSVDB
Type: UNKNOWN
37050

Source: CCN
Type: PSNC Security Team Web site
Apache Prefork MPM vulnerabilities

Source: MISC
Type: UNKNOWN
http://security.psnc.pl/files/apache_report.pdf

Source: SREASON
Type: UNKNOWN
2814

Source: CCN
Type: Apache HTTP Server Web site
Welcome! - The Apache Software Foundation

Source: CCN
Type: OSVDB ID: 37050
Apache HTTP Server Prefork MPM Module Crafted Code Sequence Local DoS

Source: BUGTRAQ
Type: UNKNOWN
20070529 Apache httpd vulenrabilities

Source: BUGTRAQ
Type: UNKNOWN
20070619 Apache Prefork MPM vulnerabilities - Report

Source: BID
Type: UNKNOWN
24215

Source: CCN
Type: BID-24215
Apache HTTP Server Worker Process Multiple Denial of Service Vulnerabilities

Source: XF
Type: UNKNOWN
apache-mpm-multiple-dos(34963)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:apache:http_server:2.0.59:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.4:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:apache:http_server:2.0.28:beta:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.9:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.38:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.39:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.42:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.47:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.60:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.49:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.48:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.51:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.33:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.52:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.40:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.37:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.59:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.46:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.55:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.39:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.36:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.35:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.34:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.32:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.31:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.28:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.32:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.35:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.36:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.37:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.41:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.30:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.38:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.7:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.8:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.32:beta:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.34:beta:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.43:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.44:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.45:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.50:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.53:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.54:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.56:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.57:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.58:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.60:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.61:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.3.0:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client_workstation:*:*:*:*:*

  • * Denotes that component is vulnerable
    BACK
    apache http server 2.0.59
    apache http server 2.2.4
    apache http server 2.0.28 beta
    apache http server 2.0
    apache http server 1.3.6
    apache http server 1.3.9
    apache http server 2.0.38
    apache http server 2.0.39
    apache http server 2.0.42
    apache http server 2.0.47
    apache http server 2.0.60
    apache http server 2.0.49
    apache http server 2.0.48
    apache http server 2.0.51
    apache http server 1.3.33
    apache http server 2.0.52
    apache http server 2.0.40
    apache http server 1.3.37
    apache http server 2.0.59
    apache http server 2.2.4
    apache http server 2.0.46
    apache http server 2.0.55
    apache http server 2.2.3
    apache http server 2.2.0
    apache http server 2.2.2
    apache http server 2.2.6
    apache http server 1.3.39
    apache http server 1.3.3
    apache http server 1.3.36
    apache http server 1.3.35
    apache http server 1.3.34
    apache http server 1.3.32
    apache http server 1.3.31
    apache http server 1.3.4
    apache http server 2.0.28
    apache http server 2.0.32
    apache http server 2.0.35
    apache http server 2.0.36
    apache http server 2.0.37
    apache http server 2.0.41
    apache http server 1.3.30
    apache http server 1.3.38
    apache http server 1.3.5
    apache http server 1.3.7
    apache http server 1.3.8
    apache http server 2.0.32 beta
    apache http server 2.0.34 beta
    apache http server 2.0.43
    apache http server 2.0.44
    apache http server 2.0.45
    apache http server 2.0.50
    apache http server 2.0.53
    apache http server 2.0.54
    apache http server 2.0.56
    apache http server 2.0.57
    apache http server 2.0.58
    apache http server 2.0.60
    apache http server 2.0.61
    apache http server 2.0.9
    apache http server 2.1
    apache http server 2.1.1
    apache http server 2.1.2
    apache http server 2.1.3
    apache http server 2.1.4
    apache http server 2.1.5
    apache http server 2.1.6
    apache http server 2.1.7
    apache http server 2.1.8
    apache http server 2.2
    apache http server 2.2.1
    apache http server 2.3.0
    redhat enterprise linux desktop 5.0
    redhat enterprise linux 5
    redhat enterprise linux 5