ID

VAR-200802-0064


CVE

CVE-2007-6258


TITLE

Apache mod_jk2 host header buffer overflow

Trust: 0.8

sources: CERT/CC: VU#771937

DESCRIPTION

Multiple stack-based buffer overflows in the legacy mod_jk2 2.0.3-DEV and earlier Apache module allow remote attackers to execute arbitrary code via a long (1) Host header, or (2) Hostname within a Host header. A vulnerability exists in the legacy version of the mod_jk2 Apache module. If successfully exploited, the vulnerability may allow an attacker to run arbitrary code on affected system. Interstage Application Server Contains a buffer overflow vulnerability.A third party may execute arbitrary code. Apache mod_jk2 is prone to multiple stack-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data before copying it to insufficiently sized buffers. Successful exploits may allow attackers to execute arbitrary code in the context of a vulnerable application; failed attempts will likely cause denial-of-service conditions. Versions prior to mod_jk2 2.0.4 are vulnerable. NOTE: mod_jk2 is a legacy branch of mod_jk that is now deprecated; mod_jk is a currently supported module and is reportedly unaffected by these issues

Trust: 2.7

sources: NVD: CVE-2007-6258 // CERT/CC: VU#771937 // JVNDB: JVNDB-2008-002490 // BID: 27752 // VULHUB: VHN-29620

AFFECTED PRODUCTS

vendor:f5model:big-ipscope:eqversion:9.2.3.30

Trust: 1.6

vendor:apachemodel:mod jkscope:eqversion:2.0

Trust: 1.0

vendor:apachemodel:mod jkscope:eqversion:2.0.3_dev

Trust: 1.0

vendor:apachemodel:mod jkscope:eqversion:2.0.1

Trust: 1.0

vendor:apachemodel:mod jkscope:eqversion:2.0.2

Trust: 1.0

vendor:apache http servermodel: - scope: - version: -

Trust: 0.8

vendor:f5model: - scope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage application framework suitescope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage application serverscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage apworksscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage business application serverscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage job workload serverscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage studioscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage web serverscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage studio standard-j editionscope:eqversion:9.0

Trust: 0.3

vendor:fujitsumodel:interstage studio standard-j editionscope:eqversion:8.0.1

Trust: 0.3

vendor:fujitsumodel:interstage studio enterprise editionscope:eqversion:9.0

Trust: 0.3

vendor:fujitsumodel:interstage studio enterprise editionscope:eqversion:8.0.1

Trust: 0.3

vendor:fujitsumodel:interstage job workload serverscope:eqversion:8.1

Trust: 0.3

vendor:fujitsumodel:interstage business application server enterprise editionscope:eqversion:8.0

Trust: 0.3

vendor:fujitsumodel:interstage apworks modelers-j editionscope:eqversion:7.0

Trust: 0.3

vendor:fujitsumodel:interstage apworks modelers-j edition 6.0ascope: - version: -

Trust: 0.3

vendor:fujitsumodel:interstage apworks modelers-j editionscope:eqversion:6.0

Trust: 0.3

vendor:fujitsumodel:interstage application server standard-j edition ascope:eqversion:9.0

Trust: 0.3

vendor:fujitsumodel:interstage application server standard-j editionscope:eqversion:9.0

Trust: 0.3

vendor:fujitsumodel:interstage application server standard-j editionscope:eqversion:8.0.2

Trust: 0.3

vendor:fujitsumodel:interstage application server standard-j editionscope:eqversion:8.0.1

Trust: 0.3

vendor:fujitsumodel:interstage application server standard-j editionscope:eqversion:8.0

Trust: 0.3

vendor:fujitsumodel:interstage application server plus developerscope:eqversion:7.0

Trust: 0.3

vendor:fujitsumodel:interstage application server plus developerscope:eqversion:6.0

Trust: 0.3

vendor:fujitsumodel:interstage application server plusscope:eqversion:7.0.1

Trust: 0.3

vendor:fujitsumodel:interstage application server plusscope:eqversion:7.0

Trust: 0.3

vendor:fujitsumodel:interstage application server plusscope:eqversion:6.0

Trust: 0.3

vendor:fujitsumodel:interstage application server enterprise edition ascope:eqversion:9.0

Trust: 0.3

vendor:fujitsumodel:interstage application server enterprise editionscope:eqversion:9.0

Trust: 0.3

vendor:fujitsumodel:interstage application server enterprise editionscope:eqversion:8.0.2

Trust: 0.3

vendor:fujitsumodel:interstage application server enterprise editionscope:eqversion:8.0.1

Trust: 0.3

vendor:fujitsumodel:interstage application server enterprise editionscope:eqversion:8.0

Trust: 0.3

vendor:fujitsumodel:interstage application server enterprise editionscope:eqversion:7.0.1

Trust: 0.3

vendor:fujitsumodel:interstage application server enterprise editionscope:eqversion:7.0

Trust: 0.3

vendor:fujitsumodel:interstage application server enterprise editionscope:eqversion:6.0

Trust: 0.3

vendor:f5model:bigipscope:eqversion:9.2.3.30

Trust: 0.3

vendor:apachemodel:software foundation mod jk2scope:eqversion:2.0.2

Trust: 0.3

vendor:apachemodel:software foundation mod jk2scope:eqversion:2.0.1

Trust: 0.3

vendor:apachemodel:software foundation mod jk2scope:eqversion:2.0

Trust: 0.3

vendor:apachemodel:software foundation mod jk2 2.0.3-devscope: - version: -

Trust: 0.3

vendor:apachemodel:software foundation mod jk2scope:neversion:2.0.4

Trust: 0.3

sources: CERT/CC: VU#771937 // BID: 27752 // JVNDB: JVNDB-2008-002490 // CNNVD: CNNVD-200802-324 // NVD: CVE-2007-6258

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2007-6258
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#771937
value: 4.80

Trust: 0.8

NVD: CVE-2007-6258
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200802-324
value: HIGH

Trust: 0.6

VULHUB: VHN-29620
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2007-6258
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-29620
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#771937 // VULHUB: VHN-29620 // JVNDB: JVNDB-2008-002490 // CNNVD: CNNVD-200802-324 // NVD: CVE-2007-6258

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-29620 // JVNDB: JVNDB-2008-002490 // NVD: CVE-2007-6258

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200802-324

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-200802-324

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-002490

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-29620

PATCH

title:interstage_as_201004url:http://software.fujitsu.com/jp/security/products-fujitsu/solution/interstage_as_201004.html

Trust: 0.8

sources: JVNDB: JVNDB-2008-002490

EXTERNAL IDS

db:CERT/CCid:VU#771937

Trust: 3.3

db:NVDid:CVE-2007-6258

Trust: 2.8

db:BIDid:27752

Trust: 2.8

db:VUPENid:ADV-2008-0572

Trust: 2.5

db:EXPLOIT-DBid:5330

Trust: 1.7

db:EXPLOIT-DBid:5386

Trust: 1.7

db:SREASONid:3661

Trust: 1.7

db:JVNDBid:JVNDB-2008-002490

Trust: 0.8

db:CNNVDid:CNNVD-200802-324

Trust: 0.6

db:VULHUBid:VHN-29620

Trust: 0.1

sources: CERT/CC: VU#771937 // VULHUB: VHN-29620 // BID: 27752 // JVNDB: JVNDB-2008-002490 // CNNVD: CNNVD-200802-324 // NVD: CVE-2007-6258

REFERENCES

url:http://www.ioactive.com/vulnerabilities/mod_jk2legacybufferoverflowadvisory.pdf

Trust: 2.5

url:http://www.securityfocus.com/bid/27752

Trust: 2.5

url:http://www.kb.cert.org/vuls/id/771937

Trust: 2.5

url:http://www.vupen.com/english/advisories/2008/0572

Trust: 2.5

url:http://www.securityfocus.com/archive/1/487983/100/100/threaded

Trust: 1.7

url:https://www.exploit-db.com/exploits/5330

Trust: 1.7

url:https://www.exploit-db.com/exploits/5386

Trust: 1.7

url:http://www.ioactive.com/pdfs/mod_jk2.pdf

Trust: 1.7

url:http://securityreason.com/securityalert/3661

Trust: 1.7

url:http://today.java.net/pub/n/mod_jk22.0.4

Trust: 0.8

url:http://www.w3.org/protocols/rfc2616/rfc2616.html

Trust: 0.8

url:http://www.jmarshall.com/easy/http/#http1.1c1

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-6258

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-6258

Trust: 0.8

url:http://www.fujitsu.com/global/support/software/security/products-f/interstage-201004e.html

Trust: 0.3

url:http://tomcat.apache.org/download-connectors.cgi

Trust: 0.3

url:/archive/1/487983

Trust: 0.3

sources: CERT/CC: VU#771937 // VULHUB: VHN-29620 // BID: 27752 // JVNDB: JVNDB-2008-002490 // CNNVD: CNNVD-200802-324 // NVD: CVE-2007-6258

CREDITS

IOActive Security discovered these issues.

Trust: 0.9

sources: BID: 27752 // CNNVD: CNNVD-200802-324

SOURCES

db:CERT/CCid:VU#771937
db:VULHUBid:VHN-29620
db:BIDid:27752
db:JVNDBid:JVNDB-2008-002490
db:CNNVDid:CNNVD-200802-324
db:NVDid:CVE-2007-6258

LAST UPDATE DATE

2024-08-14T14:35:11.020000+00:00


SOURCES UPDATE DATE

db:CERT/CCid:VU#771937date:2008-04-29T00:00:00
db:VULHUBid:VHN-29620date:2018-10-15T00:00:00
db:BIDid:27752date:2010-10-27T11:38:00
db:JVNDBid:JVNDB-2008-002490date:2010-11-16T00:00:00
db:CNNVDid:CNNVD-200802-324date:2022-02-10T00:00:00
db:NVDid:CVE-2007-6258date:2022-02-03T19:43:57.970

SOURCES RELEASE DATE

db:CERT/CCid:VU#771937date:2008-02-14T00:00:00
db:VULHUBid:VHN-29620date:2008-02-19T00:00:00
db:BIDid:27752date:2008-02-12T00:00:00
db:JVNDBid:JVNDB-2008-002490date:2010-11-16T00:00:00
db:CNNVDid:CNNVD-200802-324date:2008-02-18T00:00:00
db:NVDid:CVE-2007-6258date:2008-02-19T00:00:00