Vigil@nce - Apache HttpComponents HttpClient: denial of service via Timeout
December 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who controls a malicious server can stop responding,
which blocks clients using Apache HttpComponents HttpClient and
triggers a denial of service.
Impacted products: Apache HttpClient, Fedora, Ubuntu.
Severity: 2/4.
Creation date: 02/10/2015.
DESCRIPTION OF THE VULNERABILITY
The Apache HttpComponents HttpClient product implements a web
client.
However, no timeout is applied during the connection state to a
server.
An attacker who controls a malicious server can therefore stop
responding, which blocks clients using Apache HttpComponents
HttpClient and triggers a denial of service.
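A defensive client-side pattern for the blocking described above, as an added example that is not part of the bulletin or of the Apache project's code: explicit library timeouts plus an application-level deadline that aborts the request. It assumes the HttpClient 4.x API (4.3 or later); the class name BoundedFetch and all timeout values are constructed for illustration.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import org.apache.http.HttpEntity;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.SocketConfig;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

// Hypothetical class; the timeout values below are constructed, tune them per deployment.
public class BoundedFetch {
    static final int CONNECT_MS = 5_000, READ_MS = 10_000, POOL_WAIT_MS = 2_000;
    static final long HARD_DEADLINE_MS = 20_000;

    public static String fetch(String url) throws IOException {
        // Library-level timeouts: TCP connect, socket read, wait for a pooled connection.
        RequestConfig rc = RequestConfig.custom()
            .setConnectTimeout(CONNECT_MS)
            .setSocketTimeout(READ_MS)
            .setConnectionRequestTimeout(POOL_WAIT_MS)
            .build();
        // Default SO_TIMEOUT set on new sockets by the connection manager.
        SocketConfig sc = SocketConfig.custom().setSoTimeout(READ_MS).build();
        ScheduledExecutorService watchdog = Executors.newSingleThreadScheduledExecutor();
        try (CloseableHttpClient client = HttpClients.custom()
                .setDefaultRequestConfig(rc).setDefaultSocketConfig(sc).build()) {
            HttpGet get = new HttpGet(url);
            // Application-level deadline (added mitigation, an assumption of this example):
            // abort() cancels the request from another thread, so the caller does not
            // depend on a library timeout firing. execute() then throws an IOException.
            ScheduledFuture<?> kill =
                watchdog.schedule(get::abort, HARD_DEADLINE_MS, TimeUnit.MILLISECONDS);
            try (CloseableHttpResponse resp = client.execute(get)) {
                HttpEntity body = resp.getEntity();
                return body == null ? "" : EntityUtils.toString(body);
            } finally {
                kill.cancel(false); // request finished or failed: disarm the watchdog
            }
        } finally {
            watchdog.shutdownNow();
        }
    }
}
```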