Apache · Apache Http Server · CVE-2010-2068
**Name of the Vulnerable Software and Affected Versions**
Apache HTTP Server versions 2.2.9 through 2.2.15
Apache HTTP Server versions 2.3.4-alpha and 2.3.5-alpha
**Description**
The issue is in `mod_proxy_http`, the HTTP proxy module of the Apache HTTP Server, which does not properly detect timeouts in certain configurations involving proxy worker pools. Under specific timeout conditions the server can return a response intended for a different client, so a remote attacker sending a normal HTTP request may, in opportunistic circumstances, obtain a potentially sensitive response meant for another user. The issue affects only Windows, NetWare, and OS/2 operating systems, and only those configurations that trigger the use of proxy worker pools.
**Recommendations**
For Apache HTTP Server versions 2.2.9 through 2.2.15, consider globally configuring the server with the directive: `SetEnv proxy-nokeepalive 1`
For Apache HTTP Server versions 2.3.4-alpha and 2.3.5-alpha, consider globally configuring the server with the directive: `SetEnv proxy-nokeepalive 1`
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
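One way to check a host against this advisory, as an added example that is not part of the advisory or of Apache's own tooling: it tests the version ranges and platforms listed above and verifies that the recommended directive sits at global scope rather than inside a `<VirtualHost>` or similar container. The function names and the sample config are constructed for illustration; it assumes `mod_proxy_http` is loaded through a `LoadModule` line, and it does not try to determine whether proxy worker pools are actually in use, so it errs on the side of flagging.

```python
import re

CONDITIONAL = {"ifmodule", "ifdefine", "ifversion"}  # wrappers that keep global scope
AFFECTED_PLATFORMS = {"windows", "netware", "os/2"}  # platforms named in the advisory
# Constructed sample (not from a real host): the directive is scoped, not global.
SAMPLE_CONF = """LoadModule proxy_http_module modules/mod_proxy_http.so
<VirtualHost *:80>
  SetEnv proxy-nokeepalive 1
  ProxyPass / http://backend.example/
</VirtualHost>
"""

def version_affected(version):
    """True for 2.2.9 through 2.2.15 and for 2.3.4 / 2.3.5 (alpha)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    major, minor, patch = map(int, m.groups())
    return ((major, minor) == (2, 2) and 9 <= patch <= 15) or \
           ((major, minor) == (2, 3) and patch in (4, 5))

def audit_conf(conf_text):
    """Return (proxy_http_loaded, nokeepalive_global); Include files are not followed."""
    scopes, loaded, mitigated = [], False, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)(\w+)", line)
        if tag:
            name = tag.group(2).lower()
            if name not in CONDITIONAL:   # VirtualHost, Location, Proxy, ...
                if tag.group(1):
                    del scopes[-1:]       # closing tag leaves the scope
                else:
                    scopes.append(name)
            continue
        words = line.split()
        if words[0].lower() == "loadmodule" and words[1:2] == ["proxy_http_module"]:
            loaded = True
        if (words[0].lower() == "setenv" and not scopes
                and [w.strip('"') for w in words[1:3]] == ["proxy-nokeepalive", "1"]):
            mitigated = True
    return loaded, mitigated

def needs_mitigation(version, platform, conf_text):
    """True when the host matches the advisory and the global directive is absent."""
    loaded, mitigated = audit_conf(conf_text)
    return (version_affected(version) and platform.lower() in AFFECTED_PLATFORMS
            and loaded and not mitigated)
```

For the constructed sample, `needs_mitigation("2.2.14", "Windows", SAMPLE_CONF)` reports that the directive still has to be added at server level, because the only occurrence is inside a `<VirtualHost>` block.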