CVE-2015-0228

Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions 2.4.7 through 2.4.12

Description The issue is related to the lua websocket read function in the mod lua module, which allows remote attackers to cause a denial of service by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function. This is due to insufficient input validation. The estimated number of potentially affected devices is not provided. There is no information about real-world incidents where this issue was exploited. Technical details include the lua websocket read function and the wsupgrade function, which can be exploited by sending a specially crafted WebSocket Ping request to the / API endpoint, although the exact endpoint is not specified.

Recommendations For Apache HTTP Server versions 2.4.7 through 2.4.12, update to a version later than 2.4.12 to resolve the issue. As a temporary workaround, consider disabling the lua websocket read function or restricting the use of the wsupgrade function in Lua scripts until a patch is available.