The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary "error state" in the backend server) via a malformed HTTP request.

Updated httpd packages that fix multiple security issues and one bug are now available for JBoss Enterprise Web Server 1.0.2 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The Apache HTTP Server ('httpd') is the namesake project of The Apache Software Foundation.

It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. (CVE-2011-3368)

It was discovered that mod_proxy_ajp incorrectly returned an 'Internal Server Error' response when processing certain malformed HTTP requests, which caused the back-end server to be marked as failed in configurations where mod_proxy was used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2011-3348)

The httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies.
(CVE-2012-0053)

An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions.
An attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a '.htaccess' file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the 'apache' user. (CVE-2011-3607)

A NULL pointer dereference flaw was found in the httpd mod_log_config module. In configurations where cookie logging is enabled, a remote attacker could use this flaw to crash the httpd child process via an HTTP request with a malformed Cookie header. (CVE-2012-0021)

A flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown.
(CVE-2012-0031)

Red Hat would like to thank Context Information Security for reporting the CVE-2011-3368 issue.

This update also fixes the following bug :

* The fix for CVE-2011-3192 provided by the RHSA-2011:1329 update introduced a regression in the way httpd handled certain Range HTTP header values. This update corrects this regression. (BZ#749071)

All users of JBoss Enterprise Web Server 1.0.2 should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, users must restart the httpd service for the update to take effect.

It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. (CVE-2011-3368)

It was discovered that mod_proxy_ajp incorrectly returned an 'Internal Server Error' response when processing certain malformed HTTP requests, which caused the back-end server to be marked as failed in configurations where mod_proxy was used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2011-3348)

This update fixes several security issues in the Apache webserver.

The patch for the ByteRange remote denial of service attack (CVE-2011-3192) was refined and the configuration options used by upstream were added. Introduce new config option: Allow MaxRanges Number of ranges requested, if exceeded, the complete content is served. default: 200 0|unlimited: unlimited none: Range headers are ignored. This option is a backport from 2.2.21.

Also fixed: CVE-2011-3348: Denial of service in proxy_ajp when using a undefined method.

CVE-2011-3368: Exposure of internal servers via reverse proxy methods with mod_proxy enabled and incorrect Rewrite or Proxy Rules.

The MITRE CVE database describes these CVEs as :

The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character. 

The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary 'error state' in the backend server) via a malformed HTTP request.

It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker.

It was discovered that mod_proxy_ajp incorrectly returned an 'Internal Server Error' response when processing certain malformed HTTP requests, which caused the back-end server to be marked as failed in configurations where mod_proxy was used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period or until all back-end servers were marked as failed.

According to its banner, the version of Oracle HTTP Server installed on the remote host is potentially affected by multiple vulnerabilities. 

Note that Nessus did not verify if patches or workarounds have been applied.

From Red Hat Security Advisory 2011:1391 :

Updated httpd packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The Apache HTTP Server is a popular web server.

It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. (CVE-2011-3368)

It was discovered that mod_proxy_ajp incorrectly returned an 'Internal Server Error' response when processing certain malformed HTTP requests, which caused the back-end server to be marked as failed in configurations where mod_proxy was used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2011-3348)

Red Hat would like to thank Context Information Security for reporting the CVE-2011-3368 issue.

This update also fixes the following bug :

* The fix for CVE-2011-3192 provided by the RHSA-2011:1245 update introduced regressions in the way httpd handled certain Range HTTP header values. This update corrects those regressions. (BZ#736592)

All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

The Apache HTTP Server is a popular web server.

It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. (CVE-2011-3368)

It was discovered that mod_proxy_ajp incorrectly returned an 'Internal Server Error' response when processing certain malformed HTTP requests, which caused the back-end server to be marked as failed in configurations where mod_proxy was used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2011-3348)

This update also fixes the following bug :

  - The fix for CVE-2011-3192 provided by a previous update     introduced regressions in the way httpd handled certain     Range HTTP header values. This update corrects those     regressions.

All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

The remote host is affected by the vulnerability described in GLSA-201206-25 (Apache HTTP Server: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache HTTP Server.
      Please review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker might obtain sensitive information, gain privileges,       send requests to unintended servers behind proxies, bypass certain       security restrictions, obtain the values of HTTPOnly cookies, or cause a       Denial of Service in various ways.
    A local attacker could gain escalated privileges.
  Workaround :

    There is no known workaround at this time.

According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote host is earlier than 7.0.  As such, it is reportedly affected by the following vulnerabilities :

 - An error exists in the 'generate-id' function in the    bundled libxslt library that can allow disclosure of    heap memory addresses. (CVE-2011-0195)

 - An unspecified input validation error exists and can    allow cross-site request forgery attacks. (CVE-2011-3846)

 - Unspecified errors can allow attackers to carry out    denial of service attacks via unspecified vectors.
   (CVE-2012-0135, CVE-2012-1993)

 - The bundled version of PHP contains multiple    vulnerabilities. (CVE-2010-3436, CVE-2010-4409,    CVE-2010-4645, CVE-2011-1148, CVE-2011-1153,    CVE-2011-1464, CVE-2011-1467, CVE-2011-1468,    CVE-2011-1470, CVE-2011-1471, CVE-2011-1938,    CVE-2011-2202, CVE-2011-2483, CVE-2011-3182,    CVE-2011-3189, CVE-2011-3267, CVE-2011-3268)

 - The bundled version of Apache contains multiple    vulnerabilities. (CVE-2010-1452, CVE-2010-1623,    CVE-2010-2068,  CVE-2010-2791, CVE-2011-0419,    CVE-2011-1928, CVE-2011-3192, CVE-2011-3348,    CVE-2011-3368, CVE-2011-3639)

 - OpenSSL libraries are contained in several of the    bundled components and contain multiple vulnerabilities.
   (CVE-2011-0014, CVE-2011-1468, CVE-2011-1945,    CVE-2011-3207,CVE-2011-3210)

 - Curl libraries are contained in several of the bundled    components and contain multiple vulnerabilities.
   (CVE-2009-0037, CVE-2010-0734, CVE-2011-2192)

The remote host is running a version of Mac OS X 10.7 that is older than version 10.7.3.  The newer version contains numerous security-related fixes for the following components :

  - Address Book
  - Apache
  - ATS
  - CFNetwork
 - CoreMedia
 - CoreText
 - CoreUI
 - curl
 - Data Security
 - dovecot
 - filecmds
 - ImageIO
 - Internet Sharing
 - Libinfo
 - libresolv
 - libsecurity
 - OpenGL
 - PHP
 - QuickTime
 - Subversion
 - Time Machine
 - WebDAV Sharing
 - Webmail
 - X11

The remote host is running a version of Mac OS X 10.6 that does not have Security Update 2012-001 applied. This update contains multiple security-related fixes for the following components :

  - Apache
  - ATS
  - ColorSync
  - CoreAudio
  - CoreMedia
  - CoreText
  - curl
  - Data Security
  - dovecot
  - filecmds
  - libresolv
  - libsecurity
  - OpenGL
  - PHP
  - QuickTime
  - SquirrelMail
  - Subversion
  - Tomcat
  - X11

The remote host is running a version of Mac OS X 10.7.x that is prior to 10.7.3. The newer version contains multiple security-related fixes for the following components :

  - Address Book
  - Apache
  - ATS
  - CFNetwork
  - CoreMedia
  - CoreText
  - CoreUI
  - curl
  - Data Security
  - dovecot
  - filecmds
  - ImageIO
  - Internet Sharing
  - Libinfo
  - libresolv
  - libsecurity
  - OpenGL
  - PHP
  - QuickTime
  - Subversion
  - Time Machine
  - WebDAV Sharing
  - Webmail
  - X11

This update brings Apache to version 2.2.12.

The main reason is the enablement of the Server Name Indication (SNI) that allows several SSL-enabled domains on one IP address (FATE#311973). See the SSLStrictSNIVHostCheck directive as documented in /usr/share/apache2/manual/mod/mod_ssl.html.en

Also the patch for the ByteRange remote denial of service attack (CVE-2011-3192) was refined and the configuration options used by upstream were added.

Introduce new config option: Allow MaxRanges Number of ranges requested, if exceeded, the complete content is served. default: 200 0|unlimited: unlimited none: Range headers are ignored. This option is a backport from 2.2.21.

Also fixed were

  - Denial of service in proxy_ajp when using a undefined     method. (CVE-2011-3348)

  - Exposure of internal servers via reverse proxy methods     with mod_proxy enabled and incorrect Rewrite or Proxy     Rules. This update also includes a newer     apache2-vhost-ssl.template, which disables SSLv2, and     allows SSLv3 and strong ciphers only. Please note that     existing vhosts will not be converted. (CVE-2011-3368)

It was discovered that the mod_proxy module in Apache did not properly interact with the RewriteRule and ProxyPassMatch pattern matches in the configuration of a reverse proxy. This could allow remote attackers to contact internal webservers behind the proxy that were not intended for external exposure. (CVE-2011-3368)

Stefano Nichele discovered that the mod_proxy_ajp module in Apache when used with mod_proxy_balancer in certain configurations could allow remote attackers to cause a denial of service via a malformed HTTP request. (CVE-2011-3348)

Samuel Montosa discovered that the ITK Multi-Processing Module for Apache did not properly handle certain configuration sections that specify NiceValue but not AssignUserID, preventing Apache from dropping privileges correctly. This issue only affected Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1176)

USN 1199-1 fixed a vulnerability in the byterange filter of Apache.
The upstream patch introduced a regression in Apache when handling specific byte range requests. This update fixes the issue.

A flaw was discovered in the byterange filter in Apache. A remote attacker could exploit this to cause a denial of service via resource exhaustion.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability has been discovered and corrected in apache :

The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary error state in the backend server) via a malformed HTTP request (CVE-2011-3348).

The fix for CVE-2011-3192 provided by the MDVSA-2011:130 advisory introduced regressions in the way httpd handled certain Range HTTP header values.

The updated packages have been patched to correct these issues.

Versions of Apache 2.2 earlier than 2.2.21 are potentially affected by a denial of service vulnerability.  An error exists in the mod_proxy_ajp module that can allow specially crafted HTTP requests to cause a backend server to temporarily enter an error state.  This vulnerability only occurs when mod_proxy_ajp is used along with mod_proxy_balancer.

Updated httpd packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The Apache HTTP Server is a popular web server.

It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. (CVE-2011-3368)

It was discovered that mod_proxy_ajp incorrectly returned an 'Internal Server Error' response when processing certain malformed HTTP requests, which caused the back-end server to be marked as failed in configurations where mod_proxy was used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2011-3348)

Red Hat would like to thank Context Information Security for reporting the CVE-2011-3368 issue.

This update also fixes the following bug :

* The fix for CVE-2011-3192 provided by the RHSA-2011:1245 update introduced regressions in the way httpd handled certain Range HTTP header values. This update corrects those regressions. (BZ#736592)

All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

New httpd packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current to fix security issues.

According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.21. It is, therefore, potentially affected by a denial of service vulnerability. An error exists in the 'mod_proxy_ajp' module that can allow specially crafted HTTP requests to cause a backend server to temporarily enter an error state. This vulnerability only occurs when 'mod_proxy_ajp' is used along with 'mod_proxy_balancer'.

Note that Nessus did not actually test for the flaws but instead has relied on the version in the server's banner.

Multiple vulnerabilities has been discovered and corrected in apache :

The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086 (CVE-2011-3192).

The updated packages have been patched to correct this issue.

ID	Name	Product	Family	Severity
78923	RHEL 5 / 6 : JBoss Web Server (RHSA-2012:0542)	Nessus	Red Hat Local Security Checks	medium
78270	Amazon Linux AMI : httpd (ALAS-2011-9)	Nessus	Amazon Linux Local Security Checks	medium
75787	openSUSE Security Update : apache2 (openSUSE-SU-2011:1217-1)	Nessus	SuSE Local Security Checks	high
75426	openSUSE Security Update : apache2 (openSUSE-SU-2011:1217-1)	Nessus	SuSE Local Security Checks	high
69568	Amazon Linux AMI : httpd (ALAS-2011-09)	Nessus	Amazon Linux Local Security Checks	medium
69301	Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities	Nessus	Web Servers	critical
68376	Oracle Linux 6 : httpd (ELSA-2011-1391)	Nessus	Oracle Linux Local Security Checks	medium
61161	Scientific Linux Security Update : httpd on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
59678	GLSA-201206-25 : Apache HTTP Server: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
58811	HP System Management Homepage < 7.0 Multiple Vulnerabilities	Nessus	Web Servers	critical
6303	Mac OS X 10.7 < 10.7.3 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
57798	Mac OS X Multiple Vulnerabilities (Security Update 2012-001) (BEAST)	Nessus	MacOS X Local Security Checks	critical
57797	Mac OS X 10.7.x < 10.7.3 Multiple Vulnerabilities (BEAST)	Nessus	MacOS X Local Security Checks	critical
57089	SuSE 11.1 Security Update : Apache2 (SAT Patch Number 5344)	Nessus	SuSE Local Security Checks	high
56778	Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : apache2, apache2-mpm-itk vulnerabilities (USN-1259-1)	Nessus	Ubuntu Local Security Checks	medium
56764	Mandriva Linux Security Advisory : apache (MDVSA-2011:168)	Nessus	Mandriva Local Security Checks	medium
800559	Apache 2.2 < 2.2.21 mod_proxy_ajp DoS	Log Correlation Engine	Web Servers	high
6062	Apache 2.2 < 2.2.21 mod_proxy_ajp DoS	Nessus Network Monitor	Web Servers	low
56578	RHEL 6 : httpd (RHSA-2011:1391)	Nessus	Red Hat Local Security Checks	medium
56513	Slackware 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / current : httpd (SSA:2011-284-01)	Nessus	Slackware Local Security Checks	medium
56216	Apache 2.2.x < 2.2.21 mod_proxy_ajp DoS	Nessus	Web Servers	medium
56084	Mandriva Linux Security Advisory : apache (MDVSA-2011:130-1)	Nessus	Mandriva Local Security Checks	high

Detections

Analytics

CVE-2011-3348

high

Tenable Plugins

medium

medium

high

high

medium

critical

medium

medium

high

critical

critical

critical

critical

high

medium

medium

high

low

medium

medium

medium

high