CVE-2015-0228 in Enterprise Manager Ops Center
Summary
by MITRE
The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function.
Analysis
by VulDB Data Team • 09/07/2022
The vulnerability identified as CVE-2015-0228 represents a critical denial of service flaw within the Apache HTTP Server's mod_lua module, specifically affecting versions through 2.4.12. This issue manifests through the lua_websocket_read function in the lua_request.c file, which processes WebSocket communication within the server's Lua scripting environment. The vulnerability arises from improper handling of WebSocket Ping frames when a Lua script has already invoked the wsupgrade function, creating a scenario where malicious actors can trigger child process crashes through carefully crafted network traffic.
The technical exploitation of this vulnerability leverages the interaction between Apache's WebSocket implementation and Lua script execution context. When a Lua script calls the wsupgrade function, it establishes a WebSocket connection within the HTTP server's process space. Subsequently, if an attacker sends a malformed or specially crafted WebSocket Ping frame to this upgraded connection, the lua_websocket_read function fails to properly validate or handle the incoming frame, leading to a memory corruption condition that ultimately causes the child process to terminate abruptly. This behavior constitutes a classic buffer overflow scenario where the function does not adequately check frame boundaries or validate payload contents before processing.
From an operational impact perspective, this vulnerability enables remote attackers, with minimal privileges required, to perform denial of service attacks against Apache HTTP Server instances running mod_lua. The attack can be executed from any network location capable of establishing WebSocket connections to the vulnerable server, making it particularly dangerous in production environments where continuous availability is critical. The child process crashes can occur repeatedly, potentially leading to resource exhaustion and complete service unavailability, especially when the server has limited child process capacity or when multiple concurrent attacks are launched against different connections.
The vulnerability aligns with CWE-121, which describes heap-based buffer overflow conditions, and represents a specific implementation flaw in the WebSocket handling code path. From an ATT&CK framework perspective, this vulnerability maps to T1499.004, specifically targeting application availability through denial of service techniques. The flaw demonstrates poor input validation practices in network protocol handling, where the WebSocket Ping frame processing does not account for all possible valid frame states after connection upgrade. Organizations running Apache servers with mod_lua enabled should consider this vulnerability as a high-priority remediation target, particularly in environments where WebSocket functionality is actively used.
Mitigation strategies should primarily focus on upgrading to Apache HTTP Server version 2.4.13 or later, where the vulnerability has been addressed through improved input validation and frame processing logic. Additionally, administrators should implement network-level filtering to restrict WebSocket traffic where possible, and consider disabling mod_lua entirely if WebSocket functionality is not required. Regular security assessments should verify that all Apache installations are running patched versions, as this vulnerability could be exploited in conjunction with other attack vectors to compromise server availability. The fix typically involves strengthening the validation of WebSocket frames within the Lua context and ensuring proper error handling when processing upgraded connections, preventing the crash condition that previously occurred during malformed frame processing.
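The verification step described above can be scripted per host. The following is an added example, not code from VulDB or the Apache project: it classifies a server from captured `httpd -v` and `httpd -M` output plus the Lua handler sources, using the version boundary stated on this page. The function names, status labels and sample inputs are assumptions constructed for illustration.

```python
import re

LAST_AFFECTED = (2, 4, 12)  # the advisory above: "through 2.4.12"

def parse_version(httpd_v):
    """Return (major, minor, patch) from `httpd -v` output, or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v)
    return tuple(map(int, m.groups())) if m else None

def lua_loaded(httpd_m):
    """True when `httpd -M` output lists lua_module (static or shared)."""
    return any(l.split()[:1] == ["lua_module"] for l in httpd_m.splitlines())

def wsupgrade_callers(scripts):
    """Names of Lua sources calling wsupgrade; `--` line comments are ignored."""
    hits = []
    for name, src in scripts.items():
        code = "\n".join(l.split("--", 1)[0] for l in src.splitlines())
        if re.search(r"\bwsupgrade\s*\(", code):
            hits.append(name)
    return sorted(hits)

def assess(httpd_v, httpd_m, scripts):
    """Classify one host; returns (status, detail)."""
    version = parse_version(httpd_v)
    if version is None:
        return ("unknown", "no Apache version found in banner")
    if version > LAST_AFFECTED:
        return ("version_ok", "%d.%d.%d is past 2.4.12" % version)
    if not lua_loaded(httpd_m):
        return ("module_absent", "mod_lua not loaded")
    callers = wsupgrade_callers(scripts)
    if callers:
        return ("exposed", "wsupgrade called in: " + ", ".join(callers))
    return ("module_loaded", "mod_lua loaded, no wsupgrade call found")

# Constructed sample input (not taken from a real host).
SAMPLE_V = "Server version: Apache/2.4.10 (Unix)\nServer built:   Jul 20 2014 10:00:00\n"
SAMPLE_M = "Loaded Modules:\n core_module (static)\n so_module (static)\n lua_module (shared)\n"
SAMPLE_SCRIPTS = {
    "echo.lua": "function handle(r)\n  if r:wsupgrade() then\n    r:wsclose()\n  end\nend\n",
    "hello.lua": "function handle(r)\n  -- r:wsupgrade() was removed\n  r:puts('hi')\nend\n",
}

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_M, SAMPLE_SCRIPTS))
```

Distribution packages may backport a fix without changing the version banner, so an in-range result should be confirmed against the vendor's package changelog before it is treated as a finding.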