Apache 2.x < 2.2.12 Multiple Vulnerabilities

This script is Copyright (C) 2009-2014 Tenable Network Security, Inc.


Synopsis :

The remote web server may be affected by several issues.

Description :

According to its banner, the version of Apache 2.2 installed on the
remote host is older than 2.2.12. Such versions may be affected by
several issues, including :

- A heap-based buffer underwrite flaw exists in the function 'apr_strmatch_precompile()' in the bundled copy of the APR-util library, which could be triggered when parsing configuration data to crash the daemon. (CVE-2009-0023)

- A flaw in the mod_proxy_ajp module in version 2.2.11 only may allow a remote attacker to obtain sensitive response data intended for a client that sent an earlier POST request with no request body. (CVE-2009-1191)

- The server does not limit the use of directives in a .htaccess file as expected based on directives such as 'AllowOverride' and 'Options' in the configuration file, which could enable a local user to bypass security restrictions. (CVE-2009-1195)

- Failure to properly handle an amount of streamed data that exceeds the Content-Length value allows a remote attacker to force a proxy process to consume CPU time indefinitely when mod_proxy is used in a reverse proxy configuration. (CVE-2009-1890)

- Failure of mod_deflate to stop compressing a file when the associated network connection is closed may allow a remote attacker to consume large amounts of CPU if there is a large (>10 MB) file available that has mod_deflate enabled. (CVE-2009-1891)

- Using a specially crafted XML document with a large number of nested entities, a remote attacker may be able to consume an excessive amount of memory due to a flaw in the bundled expat XML parser used by the mod_dav and mod_dav_svn modules. (CVE-2009-1955)

- There is an off-by-one overflow in the function 'apr_brigade_vprintf()' in the bundled copy of the APR-util library in the way it handles a variable list of arguments, which could be leveraged on big-endian platforms to perform information disclosure or denial of service attacks. (CVE-2009-1956)

Note that Nessus has relied solely on the version in the Server
response header and did not try to check for the issues themselves or
even whether the affected modules are in use.

See also :

http://httpd.apache.org/security/vulnerabilities_22.html

Solution :

Either ensure that the affected modules / directives are not in use
or upgrade to Apache version 2.2.12 or later.
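The note above explains that the plugin decides purely from the version string in the Server response header, and the solution asks administrators to confirm whether the affected modules are actually loaded before or instead of upgrading. The following Python script is an added example, not Tenable's plugin code: it reproduces the banner-only version test, then narrows the seven CVEs listed above to those reachable given the modules reported by 'apachectl -M'. The module-name mapping (proxy_module, proxy_ajp_module, deflate_module, dav_module, dav_svn_module) and the sample banner and module listing are constructed for this example; the CVE-to-module association is taken from the descriptions above.

```python
import re
from typing import Optional, Set, Tuple

# Release in which all issues listed in this advisory were fixed.
FIXED_VERSION = (2, 2, 12)

# CVE -> modules that must be loaded for the issue to be reachable.
# An empty set means the flaw lives in the core or the bundled APR-util
# and applies whatever modules are loaded. Mapping follows the advisory text.
CVE_MODULES = {
    "CVE-2009-0023": set(),                            # apr_strmatch_precompile(), APR-util
    "CVE-2009-1191": {"proxy_ajp_module"},             # mod_proxy_ajp, 2.2.11 only
    "CVE-2009-1195": set(),                            # AllowOverride / Options in .htaccess
    "CVE-2009-1890": {"proxy_module"},                 # mod_proxy reverse proxy
    "CVE-2009-1891": {"deflate_module"},               # mod_deflate
    "CVE-2009-1955": {"dav_module", "dav_svn_module"}, # expat via mod_dav / mod_dav_svn
    "CVE-2009-1956": set(),                            # apr_brigade_vprintf(), APR-util
}

_VERSION_RE = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a Server header value, or None when the
    banner hides the version (e.g. 'ServerTokens Prod' yields just 'Apache')."""
    m = _VERSION_RE.search(server_header)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def banner_flags_vulnerable(server_header: str) -> Optional[bool]:
    """The banner-only test the plugin performs: True for a 2.2.x version older
    than 2.2.12, False for 2.2.12+ or another branch, None when the banner does
    not reveal a version and therefore nothing can be concluded from it."""
    v = parse_apache_version(server_header)
    if v is None:
        return None
    if v[:2] != (2, 2):
        return False
    return v < FIXED_VERSION


def parse_loaded_modules(apachectl_m_output: str) -> Set[str]:
    """Parse 'apachectl -M' output ('Loaded Modules:' followed by lines such as
    ' deflate_module (shared)') into a set of module names."""
    mods = set()
    for line in apachectl_m_output.splitlines():
        m = re.match(r"\s*(\w+_module)\s+\((static|shared)\)", line)
        if m:
            mods.add(m.group(1))
    return mods


def applicable_cves(server_header: str, loaded_modules: Optional[Set[str]] = None) -> Set[str]:
    """CVEs from the advisory that can still apply for this banner and, if given,
    this set of loaded modules. With no module information every CVE is kept,
    which is exactly what the banner-only plugin reports."""
    v = parse_apache_version(server_header)
    if v is None or v[:2] != (2, 2) or v >= FIXED_VERSION:
        return set()
    result = set()
    for cve, needed in CVE_MODULES.items():
        if cve == "CVE-2009-1191" and v != (2, 2, 11):
            continue  # the advisory limits this issue to 2.2.11
        if loaded_modules is None or not needed or needed & loaded_modules:
            result.add(cve)
    return result


# Constructed sample input: a banner and an 'apachectl -M' listing for a host
# that runs mod_deflate and mod_dav but no proxy modules.
SAMPLE_HEADER = "Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k"
SAMPLE_MODULES = """Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 deflate_module (shared)
 dav_module (shared)
"""

if __name__ == "__main__":
    print("banner flags vulnerable:", banner_flags_vulnerable(SAMPLE_HEADER))
    print("all CVEs from banner alone:", sorted(applicable_cves(SAMPLE_HEADER)))
    mods = parse_loaded_modules(SAMPLE_MODULES)
    print("CVEs still reachable given loaded modules:",
          sorted(applicable_cves(SAMPLE_HEADER, mods)))
```

Two limits of this kind of check carry over from the plugin itself: a banner that omits the version ('ServerTokens Prod') yields no verdict at all, and distribution packages that backport the fixes without bumping the version string will still be flagged, so the module-aware result should be treated as a triage list to confirm against the actual package, not as proof of exposure.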

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P)
CVSS Temporal Score : 5.0
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 40467 (apache_2_2_12.nasl)

Bugtraq ID: 34663, 35115, 35221, 35251, 35253, 35565, 35623

CVE ID: CVE-2009-0023, CVE-2009-1191, CVE-2009-1195, CVE-2009-1890, CVE-2009-1891, CVE-2009-1955, CVE-2009-1956