The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple requests over a single connection and aborting a renegotiation.

According to its banner, the version of Apache running on the remote host is either 2.4.18 or 2.4.20. Additionally, HTTP/2 is enabled over TLS or SSL. It is, therefore, affected by the an authentication bypass vulnerability in the experimental module for the HTTP/2 protocol due to a failure to correctly validate X.509 certificates, allowing access to resources that otherwise would not be allowed. An unauthenticated, remote attacker can exploit this to disclose potentially sensitive information.

The remote host is affected by the vulnerability described in GLSA-201610-02 (Apache: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache HTTP Server.
      Please review the CVE identifiers referenced below for details.
  Impact :

    Remote attackers could bypass intended access restrictions, conduct HTTP       request smuggling attacks, or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Security fix for CVE-2016-4979

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Apache HTTP Server 2.4 installed on the remote host is prior to 2.4.23. It is, therefore, affected by the following vulnerabilities : 

 - A flaw exists within the 'read_request_line()' function located in 'server/protocol.c'. The issue is triggered when handling invalid 'CONNECT' requests with a custom status 'code 400 error' page using server side includes. With a specially crafted request, a remote attacker can cause a crash.
 - A flaw can be triggered when a stream's flow control windows are manipulated. This may allow an authenticated remote attacker to block server threads for an extended period of time, allowing them to exhaust worker threads and prevent the processing of streams. (CVE-2016-1546) - A flaw is triggered when an experimental module for the 'HTTP/2' protocol is used to access a resource. This may result in X.509 certificates not being properly validated, allowing an unauthorized user to disclose potentially sensitive information in resources that should require valid certificates. (CVE-2016-4979)

Apache Software Foundation reports :

The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate a X509 client certificate correctly when experimental module for the HTTP/2 protocol is used to access a resource.

The net result is that a resource that should require a valid client certificate in order to get access can be accessed without that credential.

ID	Name	Product	Family	Severity
98909	Apache 2.4.18 / 2.4.20 X.509 Certificate Authentication Bypass	Web App Scanning	Component Vulnerability	high
93903	GLSA-201610-02 : Apache: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
92334	Fedora 23 : httpd (2016-e256a03791)	Nessus	Fedora Local Security Checks	high
9394	Apache HTTP Server 2.4.x < 2.4.23 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
92320	Apache 2.4.18 / 2.4.20 X.509 Certificate Authentication Bypass	Nessus	Web Servers	high
92289	Fedora 24 : httpd (2016-c7288a5b36)	Nessus	Fedora Local Security Checks	high
91949	FreeBSD : apache24 -- X509 Client certificate based authentication can be bypassed when HTTP/2 is used (e9d1e040-42c9-11e6-9608-20cf30e32f6d)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2016-4979

high

Tenable Plugins

high

high

high

medium

high

high

high