http://httpd.apache.org/security/vulnerabilities_24.html

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/cache/cache_storage.c

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/cache/cache_storage.c?r1=1491564&r2=1523235&diff_format=h

https://bugzilla.redhat.com/show_bug.cgi?id=1120604

[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

According to the versions of the httpd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The log_cookie function in mod_log_config.c in the     mod_log_config module in the Apache HTTP Server before     2.4.8 allows remote attackers to cause a denial of     service (segmentation fault and daemon crash) via a     crafted cookie that is not properly handled during     truncation.(CVE-2014-0098)

  - A race condition flaw, leading to heap-based buffer     overflows, was found in the mod_status httpd module. A     remote attacker able to access a status page served by     mod_status on a server using a threaded     Multi-Processing Module (MPM) could send a specially     crafted request that would cause the httpd child     process to crash or, possibly, allow the attacker to     execute arbitrary code with the privileges of the     'apache' user.(CVE-2014-0226)

  - It was discovered that the HTTP parser in httpd     incorrectly allowed certain characters not permitted by     the HTTP protocol specification to appear unencoded in     HTTP request headers. If httpd was used in conjunction     with a proxy or backend server that interpreted those     characters differently, a remote attacker could     possibly use this flaw to inject data into HTTP     responses, resulting in proxy cache     poisoning.(CVE-2016-8743)

  - A NULL pointer dereference flaw was found in the way     the mod_cache httpd module handled Content-Type     headers. A malicious HTTP server could cause the httpd     child process to crash when the Apache HTTP server was     configured to proxy to a server with caching     enabled.(CVE-2014-3581)

  - Multiple flaws were found in the way httpd parsed HTTP     requests and responses using chunked transfer encoding.
    A remote attacker could use these flaws to create a     specially crafted request, which httpd would decode     differently from an HTTP proxy software in front of it,     possibly leading to HTTP request smuggling     attacks.(CVE-2015-3183)

  - In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and     2.4.0 to 2.4.29, mod_authnz_ldap, if configured with     AuthLDAPCharsetConfig, uses the Accept-Language header     value to lookup the right charset encoding when     verifying the user's credentials. If the header value     is not present in the charset conversion table, a     fallback mechanism is used to truncate it to a two     characters value to allow a quick retry (for example,     'en-US' is truncated to 'en'). A header value of less     than two characters forces an out of bound write of one     NUL byte to a memory location that is not part of the     string. In the worst case, quite unlikely, the process     would crash which could be used as a Denial of Service     attack. In the more likely case, this memory is already     reserved for future use and the issue has no effect at     all.(CVE-2017-15710)

  - A NULL pointer dereference flaw was found in the     httpd's mod_ssl module. A remote attacker could use     this flaw to cause an httpd child process to crash if     another module used by httpd called a certain API     function during the processing of an HTTPS     request.(CVE-2017-3169)

  - It was discovered that httpd used the value of the     Proxy header from HTTP requests to initialize the     HTTP_PROXY environment variable for CGI scripts, which     in turn was incorrectly used by certain HTTP client     implementations to configure the proxy for outgoing     HTTP requests. A remote attacker could possibly use     this flaw to redirect HTTP requests performed by a CGI     script to an attacker-controlled proxy via a malicious     HTTP request.(CVE-2016-5387)

  - A buffer over-read flaw was found in the httpd's     mod_mime module. A user permitted to modify httpd's     MIME configuration could use this flaw to cause httpd     child process to crash.(CVE-2017-7679)

  - A specially crafted HTTP request header could have     crashed the Apache HTTP Server prior to version 2.4.30     due to an out of bound read while preparing data to be     cached in shared memory. It could be used as a Denial     of Service attack against users of mod_cache_socache.
    The vulnerability is considered as low risk since     mod_cache_socache is not widely used, mod_cache_disk is     not concerned by this vulnerability.(CVE-2018-1303)

  - It was discovered that the httpd's mod_auth_digest     module did not properly initialize memory before using     it when processing certain headers related to digest     authentication. A remote attacker could possibly use     this flaw to disclose potentially sensitive information     or cause httpd child process to crash by sending     specially crafted requests to a server.(CVE-2017-9788)

  - A flaw was found in the way httpd handled HTTP Trailer     headers when processing requests using chunked     encoding. A malicious client could use Trailer headers     to set additional HTTP headers after header processing     was performed by other modules. This could, for     example, lead to a bypass of header restrictions     defined with mod_headers.(CVE-2013-5704)

  - A buffer over-read flaw was found in the httpd's     ap_find_token() function. A remote attacker could use     this flaw to cause httpd child process to crash via a     specially crafted HTTP request.(CVE-2017-7668)

  - A race condition was found in mod_auth_digest when the     web server was running in a threaded MPM configuration.
    It could allow a user with valid credentials to     authenticate using another username, bypassing     configured access control restrictions.(CVE-2019-0217)

  - A NULL pointer dereference flaw was found in the     mod_cache httpd module. A malicious HTTP server could     cause the httpd child process to crash when the Apache     HTTP Server was used as a forward proxy with caching.
    (CVE-2013-4352)

  - he dav_xml_get_cdata function in main/util.c in the     mod_dav module in the Apache HTTP Server before 2.4.8     does not properly remove whitespace characters from     CDATA sections, which allows remote attackers to cause     a denial of service (daemon crash) via a crafted DAV     WRITE request. (CVE-2013-6438)

  - A denial of service flaw was found in the mod_proxy     httpd module. A remote attacker could send a specially     crafted request to a server configured as a reverse     proxy using a threaded Multi-Processing Modules (MPM)     that would cause the httpd child process to crash.
    (CVE-2014-0117)

  - A denial of service flaw was found in the way httpd's     mod_deflate module handled request body decompression     (configured via the 'DEFLATE' input filter). A remote     attacker able to send a request whose body would be     decompressed could use this flaw to consume an     excessive amount of system memory and CPU on the target     system.(CVE-2014-0118)

  - A denial of service flaw was found in the way httpd's     mod_cgid module executed CGI scripts that did not read     data from the standard input. A remote attacker could     submit a specially crafted request that would cause the     httpd child process to hang     indefinitely.(CVE-2014-0231)

  - It was discovered that in httpd 2.4, the internal API     function ap_some_auth_required() could incorrectly     indicate that a request was authenticated even when no     authentication was used. An httpd module using this API     function could consequently allow access that should     have been denied. (CVE-2015-3185)

  - It was discovered that the mod_session_crypto module of     httpd did not use any mechanisms to verify integrity of     the encrypted session data stored in the user's     browser. A remote attacker could use this flaw to     decrypt and modify session data using a padding oracle     attack. (CVE-2016-0736)

  - It was discovered that the mod_auth_digest module of     httpd did not properly check for memory allocation     failures. A remote attacker could use this flaw to     cause httpd child processes to repeatedly crash if the     server used HTTP digest authentication.(CVE-2016-2161)

  - It was discovered that the use of httpd's     ap_get_basic_auth_pw() API function outside of the     authentication phase could lead to authentication     bypass. A remote attacker could possibly use this flaw     to bypass required authentication if the API was used     incorrectly by one of the modules used by     httpd.(CVE-2017-3167)

  - A use-after-free flaw was found in the way httpd     handled invalid and previously unregistered HTTP     methods specified in the Limit directive used in an     .htaccess file. A remote attacker could possibly use     this flaw to disclose portions of the server memory, or     cause httpd child process to crash. (CVE-2017-9798)

  - In Apache httpd 2.2.0 to 2.4.29, when generating an     HTTP Digest authentication challenge, the nonce sent to     prevent reply attacks was not correctly generated using     a pseudo-random seed. In a cluster of servers using a     common Digest authentication configuration, HTTP     requests could be replayed across servers by an     attacker without detection. (CVE-2018-1312)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of Apache 2.4.x running on the remote host is version 2.4.6. It is, therefore, affected by a flaw in the mod_cache module involving a NULL pointer dereference. An attacker may be able to specially craft a request designed to cause a denial of service.

 Note that the scanner has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Solaris system is missing necessary patches to address security updates :

  - The cache_invalidate function in     modules/cache/cache_storage.c in the mod_cache module in     the Apache HTTP Server 2.4.6, when a caching forward     proxy is enabled, allows remote HTTP servers to cause a     denial of service (NULL pointer dereference and daemon     crash) via vectors that trigger a missing hostname     value. (CVE-2013-4352)

  - The mod_proxy module in the Apache HTTP Server 2.4.x     before 2.4.10, when a reverse proxy is enabled, allows     remote attackers to cause a denial of service     (child-process crash) via a crafted HTTP Connection     header. (CVE-2014-0117)

  - The deflate_in_filter function in mod_deflate.c in the     mod_deflate module in the Apache HTTP Server before     2.4.10, when request body decompression is enabled,     allows remote attackers to cause a denial of service     (resource consumption) via crafted request data that     decompresses to a much larger size. (CVE-2014-0118)

  - Race condition in the mod_status module in the Apache     HTTP Server before 2.4.10 allows remote attackers to     cause a denial of service (heap-based buffer overflow),     or possibly obtain sensitive credential information or     execute arbitrary code, via a crafted request that     triggers improper scoreboard handling within the     status_handler function in     modules/generators/mod_status.c and the     lua_ap_scoreboard_worker function in     modules/lua/lua_request.c. (CVE-2014-0226)

  - The mod_cgid module in the Apache HTTP Server before     2.4.10 does not have a timeout mechanism, which allows     remote attackers to cause a denial of service (process     hang) via a request to a CGI script that does not read     from its stdin file descriptor. (CVE-2014-0231)

This apache2 update fixes the following security issues :

  - fix for crash in mod_proxy processing specially crafted     requests with reverse proxy configurations that results     in a crash and a DoS condition for the server.
    CVE-2014-0117

  - new config option CGIDScriptTimeout set to 60s in new     file conf.d/cgid-timeout.conf, preventing worker     processes hanging forever if a cgi launched from them     has stopped reading input from the server (DoS).
    CVE-2014-0231

  - Fix for a NULL pointer dereference in mod_cache that     causes a crash in caching forwarding configurations,     resulting in a DoS condition. CVE-2013-4352

  - fix for crash in parsing cookie content, resulting in a     DoS against the server CVE-2014-0098

  - fix for mod_status race condition in scoreboard handling     and consecutive heap overflow and information disclosure     if access to mod_status is granted to a potential     attacker. CVE-2014-0226

  - fix for improper handling of whitespace characters from     CDATA sections to mod_dav, leading to a crash and a DoS     condition of the apache server process CVE-2013-6438

According to its banner, the version of Apache 2.4.x running on the remote host is version 2.4.6. It is, therefore, affected by a flaw in the mod_cache module involving a NULL pointer dereference. An attacker may be able to specially craft a request designed to cause a denial of service.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 7.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)

A NULL pointer dereference flaw was found in the mod_cache httpd module. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP Server was used as a forward proxy with caching. (CVE-2013-4352)

A denial of service flaw was found in the mod_proxy httpd module. A remote attacker could send a specially crafted request to a server configured as a reverse proxy using a threaded Multi-Processing Modules (MPM) that would cause the httpd child process to crash.
(CVE-2014-0117)

A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the 'DEFLATE' input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.
(CVE-2014-0118)

A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231)

All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.

Apache HTTP Server 2.4.6 contains a NULL pointer dereference vulnerability in the 'mod_cache' module, which can be used to induce a crash in a cache forwarding proxy configuration. This is fixed with the release of version 2.4.7.

From Red Hat Security Advisory 2014:0921 :

Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 7.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)

A NULL pointer dereference flaw was found in the mod_cache httpd module. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP Server was used as a forward proxy with caching. (CVE-2013-4352)

A denial of service flaw was found in the mod_proxy httpd module. A remote attacker could send a specially crafted request to a server configured as a reverse proxy using a threaded Multi-Processing Modules (MPM) that would cause the httpd child process to crash.
(CVE-2014-0117)

A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the 'DEFLATE' input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.
(CVE-2014-0118)

A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231)

All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.

ID	Name	Product	Family	Severity
124922	EulerOS Virtualization 3.0.1.0 : httpd (EulerOS-SA-2019-1419)	Nessus	Huawei Local Security Checks	high
98904	Apache 2.4.6 Remote DoS	Web Application Scanning	Component Vulnerability	medium
80589	Oracle Solaris Third-Party Patch Update : apache (multiple_denial_of_service_dos5)	Nessus	Solaris Local Security Checks	medium
77292	openSUSE Security Update : apache2 (openSUSE-SU-2014:1044-1)	Nessus	SuSE Local Security Checks	medium
76914	Apache 2.4.6 Remote DoS	Nessus	Web Servers	medium
76905	RHEL 7 : httpd (RHSA-2014:0921)	Nessus	Red Hat Local Security Checks	medium
8342	Apache HTTP Server 2.4.6 'mod_cache' NULL Pointer Dereference	Nessus Network Monitor	Web Servers	medium
76745	Oracle Linux 7 : httpd (ELSA-2014-0921)	Nessus	Oracle Linux Local Security Checks	medium
76716	CentOS 7 : httpd (CESA-2014:0921)	Nessus	CentOS Local Security Checks	medium

CVE-2013-4352

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins