PT-2014-1434 · Apache+6 · Apache Http Server+6

Published: 2014-07-14 · Updated: 2024-06-15 · CVE-2014-0226

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Apache HTTP Server versions prior to 2.4.10

Description

A race condition in the mod_status module allows remote attackers to cause a denial of service, obtain sensitive credential information, or execute arbitrary code via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c. This issue can be exploited by sending a carefully crafted request to a public server status page on a server using a threaded MPM.

Recommendations

For Apache HTTP Server versions prior to 2.4.10, update to version 2.4.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the server status page to minimize the risk of exploitation. Additionally, disabling the mod_status module can prevent the issue until a patch is applied.
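
The temporary workaround above as an httpd configuration sketch, added here as an example and not taken from the original advisory or the Apache project. It assumes Apache 2.4 `Require` syntax, the conventional `/server-status` path, and a constructed management subnet (192.0.2.0/24); adjust all three to the actual deployment.

```apache
# --- Exposed (weak): status page readable by any client ---
# Shown commented out for comparison; this is the "public server
# status page" condition named in the description.
#
# <Location "/server-status">
#     SetHandler server-status
#     Require all granted
# </Location>

# --- Restricted: only loopback and an admin subnet may request it ---
<Location "/server-status">
    SetHandler server-status
    # Multiple Require lines outside <RequireAll> are OR-ed together.
    # "Require local" covers 127.0.0.0/8, ::1, and same-host connections.
    Require local
    # Constructed example range (RFC 5737 documentation network).
    Require ip 192.0.2.0/24
</Location>

# --- Disabled: unload the module until the server runs 2.4.10 or later ---
# Comment out the LoadModule line (its file path varies by distribution)
# and remove or comment any <Location> block that sets the
# server-status handler, then reload httpd.
#
# LoadModule status_module modules/mod_status.so
```

After reloading, `apachectl -M` lists the loaded modules and `apachectl -v` reports the server version, which confirms whether `status_module` is still active and whether the host is at 2.4.10 or later.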

Exploit · Fix · DoS · Race Condition

Weakness Enumeration

Related Identifiers

ALT-PU-2015-1890
BDU:2015-00396
CESA-2014_0920
CESA-2014_0921
CVE-2014-0226
DLA-66-1
DSA-2989-1
HPSBUX03337
HPSBUX03512
MGASA-2014-0304
MGASA-2014-0305
OPENSUSE-SU-2014_0969-1
OPENSUSE-SU-2024:10268-1
RHSA-2014:0920
RHSA-2014:0921
RHSA-2014:0922
RHSA-2014:1019
RHSA-2014:1020
RHSA-2014:1087
RHSA-2014:1088
RHSA-2014_0920
RHSA-2014_0921
SUSE-SU-2015:0689-1
USN-2299-1
ZDI-14-236

Affected Products

Alt Linux
Apache Http Server
Centos
Hp-Ux
Red Hat
Suse
Ubuntu