The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header.

According to the versions of the httpd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The log_cookie function in mod_log_config.c in the     mod_log_config module in the Apache HTTP Server before     2.4.8 allows remote attackers to cause a denial of     service (segmentation fault and daemon crash) via a     crafted cookie that is not properly handled during     truncation.(CVE-2014-0098)

  - A race condition flaw, leading to heap-based buffer     overflows, was found in the mod_status httpd module. A     remote attacker able to access a status page served by     mod_status on a server using a threaded     Multi-Processing Module (MPM) could send a specially     crafted request that would cause the httpd child     process to crash or, possibly, allow the attacker to     execute arbitrary code with the privileges of the     'apache' user.(CVE-2014-0226)

  - It was discovered that the HTTP parser in httpd     incorrectly allowed certain characters not permitted by     the HTTP protocol specification to appear unencoded in     HTTP request headers. If httpd was used in conjunction     with a proxy or backend server that interpreted those     characters differently, a remote attacker could     possibly use this flaw to inject data into HTTP     responses, resulting in proxy cache     poisoning.(CVE-2016-8743)

  - A NULL pointer dereference flaw was found in the way     the mod_cache httpd module handled Content-Type     headers. A malicious HTTP server could cause the httpd     child process to crash when the Apache HTTP server was     configured to proxy to a server with caching     enabled.(CVE-2014-3581)

  - Multiple flaws were found in the way httpd parsed HTTP     requests and responses using chunked transfer encoding.
    A remote attacker could use these flaws to create a     specially crafted request, which httpd would decode     differently from an HTTP proxy software in front of it,     possibly leading to HTTP request smuggling     attacks.(CVE-2015-3183)

  - In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and     2.4.0 to 2.4.29, mod_authnz_ldap, if configured with     AuthLDAPCharsetConfig, uses the Accept-Language header     value to lookup the right charset encoding when     verifying the user's credentials. If the header value     is not present in the charset conversion table, a     fallback mechanism is used to truncate it to a two     characters value to allow a quick retry (for example,     'en-US' is truncated to 'en'). A header value of less     than two characters forces an out of bound write of one     NUL byte to a memory location that is not part of the     string. In the worst case, quite unlikely, the process     would crash which could be used as a Denial of Service     attack. In the more likely case, this memory is already     reserved for future use and the issue has no effect at     all.(CVE-2017-15710)

  - A NULL pointer dereference flaw was found in the     httpd's mod_ssl module. A remote attacker could use     this flaw to cause an httpd child process to crash if     another module used by httpd called a certain API     function during the processing of an HTTPS     request.(CVE-2017-3169)

  - It was discovered that httpd used the value of the     Proxy header from HTTP requests to initialize the     HTTP_PROXY environment variable for CGI scripts, which     in turn was incorrectly used by certain HTTP client     implementations to configure the proxy for outgoing     HTTP requests. A remote attacker could possibly use     this flaw to redirect HTTP requests performed by a CGI     script to an attacker-controlled proxy via a malicious     HTTP request.(CVE-2016-5387)

  - A buffer over-read flaw was found in the httpd's     mod_mime module. A user permitted to modify httpd's     MIME configuration could use this flaw to cause httpd     child process to crash.(CVE-2017-7679)

  - A specially crafted HTTP request header could have     crashed the Apache HTTP Server prior to version 2.4.30     due to an out of bound read while preparing data to be     cached in shared memory. It could be used as a Denial     of Service attack against users of mod_cache_socache.
    The vulnerability is considered as low risk since     mod_cache_socache is not widely used, mod_cache_disk is     not concerned by this vulnerability.(CVE-2018-1303)

  - It was discovered that the httpd's mod_auth_digest     module did not properly initialize memory before using     it when processing certain headers related to digest     authentication. A remote attacker could possibly use     this flaw to disclose potentially sensitive information     or cause httpd child process to crash by sending     specially crafted requests to a server.(CVE-2017-9788)

  - A flaw was found in the way httpd handled HTTP Trailer     headers when processing requests using chunked     encoding. A malicious client could use Trailer headers     to set additional HTTP headers after header processing     was performed by other modules. This could, for     example, lead to a bypass of header restrictions     defined with mod_headers.(CVE-2013-5704)

  - A buffer over-read flaw was found in the httpd's     ap_find_token() function. A remote attacker could use     this flaw to cause httpd child process to crash via a     specially crafted HTTP request.(CVE-2017-7668)

  - A race condition was found in mod_auth_digest when the     web server was running in a threaded MPM configuration.
    It could allow a user with valid credentials to     authenticate using another username, bypassing     configured access control restrictions.(CVE-2019-0217)

  - A NULL pointer dereference flaw was found in the     mod_cache httpd module. A malicious HTTP server could     cause the httpd child process to crash when the Apache     HTTP Server was used as a forward proxy with caching.
    (CVE-2013-4352)

  - he dav_xml_get_cdata function in main/util.c in the     mod_dav module in the Apache HTTP Server before 2.4.8     does not properly remove whitespace characters from     CDATA sections, which allows remote attackers to cause     a denial of service (daemon crash) via a crafted DAV     WRITE request. (CVE-2013-6438)

  - A denial of service flaw was found in the mod_proxy     httpd module. A remote attacker could send a specially     crafted request to a server configured as a reverse     proxy using a threaded Multi-Processing Modules (MPM)     that would cause the httpd child process to crash.
    (CVE-2014-0117)

  - A denial of service flaw was found in the way httpd's     mod_deflate module handled request body decompression     (configured via the 'DEFLATE' input filter). A remote     attacker able to send a request whose body would be     decompressed could use this flaw to consume an     excessive amount of system memory and CPU on the target     system.(CVE-2014-0118)

  - A denial of service flaw was found in the way httpd's     mod_cgid module executed CGI scripts that did not read     data from the standard input. A remote attacker could     submit a specially crafted request that would cause the     httpd child process to hang     indefinitely.(CVE-2014-0231)

  - It was discovered that in httpd 2.4, the internal API     function ap_some_auth_required() could incorrectly     indicate that a request was authenticated even when no     authentication was used. An httpd module using this API     function could consequently allow access that should     have been denied. (CVE-2015-3185)

  - It was discovered that the mod_session_crypto module of     httpd did not use any mechanisms to verify integrity of     the encrypted session data stored in the user's     browser. A remote attacker could use this flaw to     decrypt and modify session data using a padding oracle     attack. (CVE-2016-0736)

  - It was discovered that the mod_auth_digest module of     httpd did not properly check for memory allocation     failures. A remote attacker could use this flaw to     cause httpd child processes to repeatedly crash if the     server used HTTP digest authentication.(CVE-2016-2161)

  - It was discovered that the use of httpd's     ap_get_basic_auth_pw() API function outside of the     authentication phase could lead to authentication     bypass. A remote attacker could possibly use this flaw     to bypass required authentication if the API was used     incorrectly by one of the modules used by     httpd.(CVE-2017-3167)

  - A use-after-free flaw was found in the way httpd     handled invalid and previously unregistered HTTP     methods specified in the Limit directive used in an     .htaccess file. A remote attacker could possibly use     this flaw to disclose portions of the server memory, or     cause httpd child process to crash. (CVE-2017-9798)

  - In Apache httpd 2.2.0 to 2.4.29, when generating an     HTTP Digest authentication challenge, the nonce sent to     prevent reply attacks was not correctly generated using     a pseudo-random seed. In a cluster of servers using a     common Digest authentication configuration, HTTP     requests could be replayed across servers by an     attacker without detection. (CVE-2018-1312)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.3. It is, therefore, affected by multiple vulnerabilities in the following components :

 - Admin Framework
 - Apache
 - ATS
 - Certificate Trust Policy
 - CFNetwork HTTPProtocol
 - CFNetwork Session
 - CFURL
 - CoreAnimation
 - FontParser
 - Graphics Driver
 - Hypervisor
 - ImageIO
 - IOHIDFamily
 - Kernel
 - LaunchServices
 - libnetcore
 - ntp
 - Open Directory Client
 - OpenLDAP
 - OpenSSL
 - PHP
 - QuickLook
 - SceneKit
 - ScreenSharing
 - Security - Code SIgning
 - UniformTypeIdentifiers
 - WebKit

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

According to its banner, the version of Apache 2.4.x running on the remote host is prior to 2.4.10. It is, therefore, affected by the following vulnerabilities :

 - A flaw exists in the 'mod_proxy' module that may allow an attacker to send a specially crafted request to a server configured as a reverse proxy that may cause the child process to crash. This could potentially lead to a denial of service attack. (CVE-2014-0117)

 - A flaw exists in the 'mod_deflate' module when request body decompression is configured. This could allow a remote attacker to cause the server to consume significant resources. (CVE-2014-0118)

 - A flaw exists in the 'mod_status' module when a publicly accessible server status page is in place. This could allow an attacker to send a specially crafted request designed to cause a heap buffer overflow. (CVE-2014-0226)

 - A flaw exists in the 'mod_cgid' module in which CGI scripts that did not consume standard input may be manipulated in order to cause child processes to hang. A remote attacker may be able to abuse this in order to cause a denial of service. (CVE-2014-0231)

 - A flaw exists in WinNT MPM versions 2.4.1 to 2.4.9 when using the default AcceptFilter. An attacker may be able to specially craft requests that create a memory leak in the application and may eventually lead to a denial of service attack. (CVE-2014-3523)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is running a version of Mac OS X 10.8.5 or 10.9.5 that is missing Security Update 2015-004. It is, therefore, affected multiple vulnerabilities in the following components :

  - Apache
  - ATS
  - Certificate Trust Policy
  - CoreAnimation
  - FontParser
  - Graphics Driver
  - ImageIO
  - IOHIDFamily
  - Kernel
  - LaunchServices
  - Open Directory Client
  - OpenLDAP
  - OpenSSL
  - PHP
  - QuickLook
  - SceneKit
  - Security - Code SIgning
  - UniformTypeIdentifiers

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.3. It is, therefore, affected multiple vulnerabilities in the following components :

  - Admin Framework
  - Apache
  - ATS
  - Certificate Trust Policy
  - CFNetwork HTTPProtocol
  - CFNetwork Session
  - CFURL
  - CoreAnimation
  - FontParser
  - Graphics Driver
  - Hypervisor
  - ImageIO
  - IOHIDFamily
  - Kernel
  - LaunchServices
  - libnetcore
  - ntp
  - Open Directory Client
  - OpenLDAP
  - OpenSSL
  - PHP
  - QuickLook
  - SceneKit
  - ScreenSharing
  - Security - Code SIgning
  - UniformTypeIdentifiers
  - WebKit

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

Updated apache packages fix security vulnerabilities :

Apache HTTPD before 2.4.9 was vulnerable to a denial of service in mod_dav when handling DAV_WRITE requests (CVE-2013-6438).

Apache HTTPD before 2.4.9 was vulnerable to a denial of service when logging cookies (CVE-2014-0098).

A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the apache user (CVE-2014-0226).

A denial of service flaw was found in the mod_proxy httpd module. A remote attacker could send a specially crafted request to a server configured as a reverse proxy using a threaded Multi-Processing Modules (MPM) that would cause the httpd child process to crash (CVE-2014-0117).

A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the DEFLATE input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system (CVE-2014-0118).

A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely (CVE-2014-0231).

A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled (CVE-2014-3581).

mod_lua.c in the mod_lua module in the Apache HTTP Server through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory (CVE-2014-8109).

In the mod_lua module in the Apache HTTP Server through 2.4.10, a maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash (CVE-2015-0228).

A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers (CVE-2013-5704).

Note: With this update, httpd has been modified to not merge HTTP Trailer headers with other HTTP request headers. A newly introduced configuration directive MergeTrailers can be used to re-enable the old method of processing Trailer headers, which also re-introduces the aforementioned flaw.

This update also fixes the following bug :

Prior to this update, the mod_proxy_wstunnel module failed to set up an SSL connection when configured to use a back end server using the wss: URL scheme, causing proxied connections to fail. In these updated packages, SSL is used when proxying to wss: back end servers (rhbz#1141950).

The remote Solaris system is missing necessary patches to address security updates :

  - The cache_invalidate function in     modules/cache/cache_storage.c in the mod_cache module in     the Apache HTTP Server 2.4.6, when a caching forward     proxy is enabled, allows remote HTTP servers to cause a     denial of service (NULL pointer dereference and daemon     crash) via vectors that trigger a missing hostname     value. (CVE-2013-4352)

  - The mod_proxy module in the Apache HTTP Server 2.4.x     before 2.4.10, when a reverse proxy is enabled, allows     remote attackers to cause a denial of service     (child-process crash) via a crafted HTTP Connection     header. (CVE-2014-0117)

  - The deflate_in_filter function in mod_deflate.c in the     mod_deflate module in the Apache HTTP Server before     2.4.10, when request body decompression is enabled,     allows remote attackers to cause a denial of service     (resource consumption) via crafted request data that     decompresses to a much larger size. (CVE-2014-0118)

  - Race condition in the mod_status module in the Apache     HTTP Server before 2.4.10 allows remote attackers to     cause a denial of service (heap-based buffer overflow),     or possibly obtain sensitive credential information or     execute arbitrary code, via a crafted request that     triggers improper scoreboard handling within the     status_handler function in     modules/generators/mod_status.c and the     lua_ap_scoreboard_worker function in     modules/lua/lua_request.c. (CVE-2014-0226)

  - The mod_cgid module in the Apache HTTP Server before     2.4.10 does not have a timeout mechanism, which allows     remote attackers to cause a denial of service (process     hang) via a request to a CGI script that does not read     from its stdin file descriptor. (CVE-2014-0231)

This apache2 update fixes the following security issues :

  - fix for crash in mod_proxy processing specially crafted     requests with reverse proxy configurations that results     in a crash and a DoS condition for the server.
    CVE-2014-0117

  - new config option CGIDScriptTimeout set to 60s in new     file conf.d/cgid-timeout.conf, preventing worker     processes hanging forever if a cgi launched from them     has stopped reading input from the server (DoS).
    CVE-2014-0231

  - Fix for a NULL pointer dereference in mod_cache that     causes a crash in caching forwarding configurations,     resulting in a DoS condition. CVE-2013-4352

  - fix for crash in parsing cookie content, resulting in a     DoS against the server CVE-2014-0098

  - fix for mod_status race condition in scoreboard handling     and consecutive heap overflow and information disclosure     if access to mod_status is granted to a potential     attacker. CVE-2014-0226

  - fix for improper handling of whitespace characters from     CDATA sections to mod_dav, leading to a crash and a DoS     condition of the apache server process CVE-2013-6438

This update includes the latest stable release of the Apache HTTP Server, httpd 2.4.10, fixing a number of security issues.

http://www.apache.org/dist/httpd/Announcement2.4.html

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 7.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)

A NULL pointer dereference flaw was found in the mod_cache httpd module. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP Server was used as a forward proxy with caching. (CVE-2013-4352)

A denial of service flaw was found in the mod_proxy httpd module. A remote attacker could send a specially crafted request to a server configured as a reverse proxy using a threaded Multi-Processing Modules (MPM) that would cause the httpd child process to crash.
(CVE-2014-0117)

A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the 'DEFLATE' input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.
(CVE-2014-0118)

A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231)

All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.

Versions of Apache HTTP server 2.4.6, 2.4.7, and 2.4.9 are unpatched for the following vulnerability:

  - A crash in Connection header handling, which can lead to denial of service against a reverse proxy (CVE-2014-0117)

This update includes the latest stable release of the Apache HTTP Server, httpd 2.4.10.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Marek Kroemeke discovered that the mod_proxy module incorrectly handled certain requests. A remote attacker could use this issue to cause the server to stop responding, leading to a denial of service.
This issue only affected Ubuntu 14.04 LTS. (CVE-2014-0117)

Giancarlo Pellegrino and Davide Balzarotti discovered that the mod_deflate module incorrectly handled body decompression. A remote attacker could use this issue to cause resource consumption, leading to a denial of service. (CVE-2014-0118)

Marek Kroemeke and others discovered that the mod_status module incorrectly handled certain requests. A remote attacker could use this issue to cause the server to stop responding, leading to a denial of service, or possibly execute arbitrary code. (CVE-2014-0226)

Rainer Jung discovered that the mod_cgid module incorrectly handled certain scripts. A remote attacker could use this issue to cause the server to stop responding, leading to a denial of service.
(CVE-2014-0231).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

From Red Hat Security Advisory 2014:0921 :

Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 7.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)

A NULL pointer dereference flaw was found in the mod_cache httpd module. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP Server was used as a forward proxy with caching. (CVE-2013-4352)

A denial of service flaw was found in the mod_proxy httpd module. A remote attacker could send a specially crafted request to a server configured as a reverse proxy using a threaded Multi-Processing Modules (MPM) that would cause the httpd child process to crash.
(CVE-2014-0117)

A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the 'DEFLATE' input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.
(CVE-2014-0118)

A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231)

All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.

New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

According to its banner, the version of Apache 2.4.x running on the remote host is prior to 2.4.10. It is, therefore, affected by the following vulnerabilities :

  - A flaw exists in the 'mod_proxy' module that may allow     an attacker to send a specially crafted request to a     server configured as a reverse proxy that may cause     the child process to crash. This could potentially     lead to a denial of service attack. (CVE-2014-0117)

  - A flaw exists in  the 'mod_deflate' module when request     body decompression is configured. This could allow a     remote attacker to cause the server to consume     significant resources. (CVE-2014-0118)

  - A flaw exists in the 'mod_status' module when a     publicly accessible server status page is in place.
    This could allow an attacker to send a specially     crafted request designed to cause a heap buffer     overflow. (CVE-2014-0226)

  - A flaw exists in the 'mod_cgid' module in which CGI     scripts that did not consume standard input may be     manipulated in order to cause child processes to     hang. A remote attacker may be able to abuse this     in order to cause a denial of service.
    (CVE-2014-0231)

  - A flaw exists in WinNT MPM versions 2.4.1 to 2.4.9 when     using the default AcceptFilter. An attacker may be able     to specially craft requests that create a memory leak in     the application and may eventually lead to a denial of     service attack. (CVE-2014-3523)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Apache HTTP SERVER PROJECT reports : mod_proxy: Fix crash in Connection header handling which allowed a denial of service attack against a reverse proxy with a threaded MPM.

Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow.

mod_deflate: The DEFLATE input filter (inflates request bodies) now limits the length and compression ratio of inflated request bodies to avoid denial of sevice via highly compressed bodies. See directives DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst.

mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes filling up the scoreboard and eventually hanging the server. By default, the client I/O timeout (Timeout directive) now applies to communication with scripts. The CGIDScriptTimeout directive can be used to set a different timeout for communication with scripts.

ID	Name	Product	Family	Severity
124922	EulerOS Virtualization 3.0.1.0 : httpd (EulerOS-SA-2019-1419)	Nessus	Huawei Local Security Checks	critical
700510	Mac OS X 10.10.x < 10.10.3 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	critical
98906	Apache 2.4.x < 2.4.10 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
82700	Mac OS X Multiple Vulnerabilities (Security Update 2015-004) (FREAK)	Nessus	MacOS X Local Security Checks	critical
82699	Mac OS X 10.10.x < 10.10.3 Multiple Vulnerabilities (FREAK)	Nessus	MacOS X Local Security Checks	critical
82346	Mandriva Linux Security Advisory : apache (MDVSA-2015:093)	Nessus	Mandriva Local Security Checks	medium
80589	Oracle Solaris Third-Party Patch Update : apache (multiple_denial_of_service_dos5)	Nessus	Solaris Local Security Checks	medium
77292	openSUSE Security Update : apache2 (openSUSE-SU-2014:1044-1)	Nessus	SuSE Local Security Checks	medium
77207	Fedora 19 : httpd-2.4.10-1.fc19 (2014-9057)	Nessus	Fedora Local Security Checks	medium
76905	RHEL 7 : httpd (RHSA-2014:0921)	Nessus	Red Hat Local Security Checks	medium
700213	Apache HTTP Server 2.4.6, 2.4.7, 2.4.9 Vulnerability	Nessus Network Monitor	Web Servers	medium
76852	Fedora 20 : httpd-2.4.10-1.fc20 (2014-8742)	Nessus	Fedora Local Security Checks	medium
76757	Ubuntu 14.04 LTS : Apache HTTP Server vulnerabilities (USN-2299-1)	Nessus	Ubuntu Local Security Checks	high
76745	Oracle Linux 7 : httpd (ELSA-2014-0921)	Nessus	Oracle Linux Local Security Checks	medium
76716	CentOS 7 : httpd (CESA-2014:0921)	Nessus	CentOS Local Security Checks	medium
76712	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : httpd (SSA:2014-204-01)	Nessus	Slackware Local Security Checks	medium
76622	Apache 2.4.x < 2.4.10 Multiple Vulnerabilities	Nessus	Web Servers	high
76614	FreeBSD : apache24 -- several vulnerabilities (4364e1f1-0f44-11e4-b090-20cf30e32f6d)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2014-0117

high

Tenable Plugins

critical

critical

high

critical

critical

medium

medium

medium

medium

medium

medium

medium

high

medium

medium

medium

high

medium