When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.

According to the version of the mod_http2 package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability :

  - When an HTTP/2 stream was destroyed after being     handled, the Apache HTTP Server prior to version 2.4.30     could have written a NULL pointer potentially to an     already freed memory. The memory pools maintained by     the server make this vulnerability hard to trigger in     usual configurations, the reporter and the team could     not reproduce it outside debug builds, so it is     classified as low risk.(CVE-2018-1302)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update is now available for JBoss Core Services on RHEL 6 and RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.

This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.29 Service Pack 1 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.29, and includes bug fixes for CVEs which are linked to in the References section.

Security Fixes :

* httpd: DoS for HTTP/2 connections by continuous SETTINGS (CVE-2018-11763)

* httpd: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)

* httpd: Out of bound access after failure in reading the HTTP request (CVE-2018-1301)

* httpd: Use-after-free on HTTP/2 stream shutdown (CVE-2018-1302)

* httpd: bypass with a trailing newline in the file name (CVE-2017-15715)

* httpd: Out of bound write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)

* httpd: Out of bounds read in mod_cache_socache can allow a remote attacker to cause a denial of service (CVE-2018-1303)

* httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications (CVE-2018-1283)

* httpd: mod_http2: too much time allocated to workers, possibly leading to DoS (CVE-2018-1333)

* mod_jk: connector path traversal due to mishandled HTTP requests in httpd (CVE-2018-11759)

* nghttp2: NULL pointer dereference when too large ALTSVC frame is received (CVE-2018-1000168)

* openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service (CVE-2018-0739)

Details around each issue, including information about the CVE, severity of the issue, and the CVSS score, can be found on the CVE pages listed in the Reference section below.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.33. It is, therefore, affected by multiple vulnerabilities:

  - An out of bounds write vulnerability exists in mod_authnz_ldap     with AuthLDAPCharsetConfig enabled. An unauthenticated, remote     attacker can exploit this, via the Accept-Language header value,     to cause the application to stop responding. (CVE-2017-15710)  
  - An arbitrary file upload vulnerability exists in the FilesMatch     component where a malicious filename can be crafted to match the     expression check for a newline character. An unauthenticated,     remote attacker can exploit this, via newline character, to     upload arbitrary files on the remote host subject to the     privileges of the user. (CVE-2017-15715)

  - A session management vulnerability exists in the     mod_session component due to SessionEnv being enabled and     forwarding it's session data to the CGI Application. An     unauthenticated, remote attacker can exploit this, via     tampering the HTTP_SESSION and using a session header, to     influence content. (CVE-2018-1283)

  - An out of bounds access vulnerability exists when the size limit     is reached. An unauthenticated, remote attacker can exploit this,     to cause the Apache HTTP Server to crash. (CVE-2018-1301)

  - A write after free vulnerability exists in HTTP/2 stream due to     a NULL pointer being written to an area of freed memory. An     unauthenticated, remote attacker can exploit this to execute     arbitrary code. (CVE-2018-1302)   
  - An out of bounds read vulnerability exists in mod_cache_socache.
    An unauthenticated, remote attacker can exploit this, via a     specially crafted HTTP request header to cause the application     to stop responding. (CVE-2018-1303)

  - A weak digest vulnerability exists in the HTTP digest     authentication challenge.  An unauthenticated, remote attacker     can exploit this in a cluster of servers configured to use a     common digest authentication, to replay HTTP requests across     servers without being detected. (CVE-2018-1312)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the httpd package has been released.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.33. It is, therefore, affected by the following vulnerabilities:

 - An out-of-bounds write flaw exists within the derive_codepage_from_lang() function of the modules/aaa/mod_authnz_ldap.c script due to improper handling of 'Accept-Language' header values that are less than two-bytes. A remote attacker, with a specially crafted request, could potentially crash the process. (CVE-2017-15710)

 - A ACL bypass flaw exists within the ap_rgetline_core() function of the server/protocol.c script due to improper handling of <FilesMatch> expressions. A remote attacker could potentially bypass restrictions an upload a file. (CVE-2017-15715)

 - A data tampering flaw exists in the session_fixups() function of the modules/session/mod_session.c script when forwarding mod_session data to CGI applications. A remote attacker, with a specially crafted request, could potentially tamper with the mod_session data of the CGI application. (CVE-2018-1283)

 - An out-of-bound read flaw exists when hitting a size limit while handling HTTP headers. A remote attacker, with a specially crafted request, could crash the process. (CVE-2018-1301)

 - A use-after-free flaw exists when handling the HTTP/2 stream shutdown. A remote attacker could potentially write to already freed memory and crash the process. (CVE-2018-1302)

 - An out-of-bounds read flaw exists in the read_table() function of the modules/cache/mod_cache_socache.c script when handling empty headers. A remote attacker, with a specially crafted request, could potentially crash the process. (CVE-2018-1303)

 - A flaw exists within the modules/aaa/mod_auth_digest.c script due to improperly generating nonce when sending HTTP Digest Authentication challenges. A remote attacker could potentially conduct replay attacks against the server. (CVE-2018-1312)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This update includes the latest upstream release of mod_http2, version 1.10.16. This includes a security fix (CVE-2018-1302) :

When an HTTP/2 stream was destroyed after being handled, mod_http2 could have written a NULL pointer potentially to an already freed memory.

The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for apache2 fixes the following issues :

  - CVE-2018-1283: when mod_session is configured to forward     its session data to CGI applications (SessionEnv on, not     the default), a remote user may influence their content     by using a \'Session\' header leading to unexpected     behavior [bsc#1086814].

  - CVE-2018-1301: due to an out of bound access after a     size limit being reached by reading the HTTP header, a     specially crafted request could lead to remote denial of     service. [bsc#1086817]

  - CVE-2018-1303: a specially crafted HTTP request header     could lead to crash due to an out of bound read while     preparing data to be cached in shared     memory.[bsc#1086813]

  - CVE-2017-15715: a regular expression could match '$' to     a newline character in a malicious filename, rather than     matching only the end of the filename. leading to     corruption of uploaded files.[bsc#1086774]

  - CVE-2018-1312: when generating an HTTP Digest     authentication challenge, the nonce sent to prevent     reply attacks was not correctly generated using a     pseudo-random seed. In a cluster of servers using a     common Digest authentication configuration, HTTP     requests could be replayed across servers by an attacker     without detection. [bsc#1086775]

  - CVE-2017-15710: mod_authnz_ldap, if configured with     AuthLDAPCharsetConfig, uses the Accept-Language header     value to lookup the right charset encoding when     verifying the user's credentials. If the header value is     not present in the charset conversion table, a fallback     mechanism is used to truncate it to a two characters     value to allow a quick retry (for example, 'en-US' is     truncated to 'en'). A header value of less than two     characters forces an out of bound write of one NUL byte     to a memory location that is not part of the string. In     the worst case, quite unlikely, the process would crash     which could be used as a Denial of Service attack. In     the more likely case, this memory is already reserved     for future use and the issue has no effect at all.
    [bsc#1086820]

  - CVE-2018-1302: when an HTTP/2 stream was destroyed after     being handled, it could have written a NULL pointer     potentially to an already freed memory. The memory pools     maintained by the server make this vulnerability hard to     trigger in usual configurations, the reporter and the     team could not reproduce it outside debug builds, so it     is classified as low risk. [bsc#1086820]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Robert Swiecki discovered that the Apache HTTP Server HTTP/2 module incorrectly destroyed certain streams. A remote attacker could possibly use this issue to cause the server to crash, leading to a denial of service. (CVE-2018-1302)

Craig Young discovered that the Apache HTTP Server HTTP/2 module incorrectly handled certain requests. A remote attacker could possibly use this issue to cause the server to consume resources, leading to a denial of service. (CVE-2018-1333)

Gal Goldshtein discovered that the Apache HTTP Server HTTP/2 module incorrectly handled large SETTINGS frames. A remote attacker could possibly use this issue to cause the server to consume resources, leading to a denial of service. (CVE-2018-11763).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for apache2 fixes the following issues :

  - CVE-2018-1283: when mod_session is configured to forward     its session data to CGI applications (SessionEnv on, not     the default), a remote user may influence their content     by using a \'Session\' header leading to unexpected     behavior [bsc#1086814].

  - CVE-2018-1301: due to an out of bound access after a     size limit being reached by reading the HTTP header, a     specially crafted request could lead to remote denial of     service. [bsc#1086817]

  - CVE-2018-1303: a specially crafted HTTP request header     could lead to crash due to an out of bound read while     preparing data to be cached in shared     memory.[bsc#1086813]

  - CVE-2017-15715: a regular expression could match '$' to     a newline character in a malicious filename, rather than     matching only the end of the filename. leading to     corruption of uploaded files.[bsc#1086774]

  - CVE-2018-1312: when generating an HTTP Digest     authentication challenge, the nonce sent to prevent     reply attacks was not correctly generated using a     pseudo-random seed. In a cluster of servers using a     common Digest authentication configuration, HTTP     requests could be replayed across servers by an attacker     without detection. [bsc#1086775]

  - CVE-2017-15710: mod_authnz_ldap, if configured with     AuthLDAPCharsetConfig, uses the Accept-Language header     value to lookup the right charset encoding when     verifying the user's credentials. If the header value is     not present in the charset conversion table, a fallback     mechanism is used to truncate it to a two characters     value to allow a quick retry (for example, 'en-US' is     truncated to 'en'). A header value of less than two     characters forces an out of bound write of one NUL byte     to a memory location that is not part of the string. In     the worst case, quite unlikely, the process would crash     which could be used as a Denial of Service attack. In     the more likely case, this memory is already reserved     for future use and the issue has no effect at all.
    [bsc#1086820]

  - CVE-2018-1302: when an HTTP/2 stream was destroyed after     being handled, it could have written a NULL pointer     potentially to an already freed memory. The memory pools     maintained by the server make this vulnerability hard to     trigger in usual configurations, the reporter and the     team could not reproduce it outside debug builds, so it     is classified as low risk. [bsc#1086820]

This update was imported from the SUSE:SLE-12-SP2:Update update project.

Use-after-free on HTTP/2 stream shutdown

When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk. (CVE-2018-1302)

Bypass with a trailing newline in the file name

In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename. (CVE-2017-15715)

Out of bounds read in mod_cache_socache can allow a remote attacker to cause a denial of service

A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.
(CVE-2018-1303)

Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications

It has been discovered that the mod_session module of Apache HTTP Server (httpd), through version 2.4.29, has an improper input validation flaw in the way it handles HTTP session headers in some configurations. A remote attacker may influence their content by using a 'Session' header. (CVE-2018-1283)

Out of bound write in mod_authnz_ldap when using too small Accept-Language values

In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.
(CVE-2017-15710)

Out of bound access after failure in reading the HTTP request

A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage. (CVE-2018-1301)

Weak Digest auth nonce generation in mod_auth_digest

In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection. (CVE-2018-1312)

This release includes the latest stable upstream release of mod_http2.
The changes since the last update are :

  - fixes a race condition where aborting streams triggers     an unnecessary timeout.

  - accurate reporting of h2 data input/output per request     via mod_logio. Fixes an issue where output sizes where     counted n-times on reused slave connections. See [issue     #158](https://github.com/icing/mod_h2/issues/158).

  - normalized connection prefix logging when trace2 is     enabled for direct h2 connection detection.

----

This update includes the latest upstream release of mod_http2, version 1.10.16. This includes a security fix (CVE-2018-1302) :

When an HTTP/2 stream was destroyed after being handled, mod_http2 could have written a NULL pointer potentially to an already freed memory.

The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Apache httpd reports :

Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled (CVE-2017-15710)

mod_session: CGI-like applications that intend to read from mod_session's 'SessionEnv ON' could be fooled into reading user-supplied data instead. (CVE-2018-1283)

mod_cache_socache: Fix request headers parsing to avoid a possible crash with specially crafted input data. (CVE-2018-1303)

core: Possible crash with excessively long HTTP request headers.
Impractical to exploit with a production build and production LogLevel. (CVE-2018-1301)

core: Configure the regular expression engine to match '$' to the end of the input string only, excluding matching the end of any embedded newline characters. Behavior can be changed with new directive 'RegexDefaultOptions'. (CVE-2017-15715)

mod_auth_digest: Fix generation of nonce values to prevent replay attacks across servers using a common Digest domain. This change may cause problems if used with round robin load balancers.
(CVE-2018-1312)

mod_http2: Potential crash w/ mod_http2. (CVE-2018-1302)

ID	Name	Product	Family	Severity
140964	EulerOS Virtualization for ARM 64 3.0.6.0 : mod_http2 (EulerOS-SA-2020-2016)	Nessus	Huawei Local Security Checks	medium
122292	RHEL 6 / 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.29 (RHSA-2019:0367)	Nessus	Red Hat Local Security Checks	critical
122060	Apache 2.4.x < 2.4.33 Multiple Vulnerabilities	Nessus	Web Servers	critical
121822	Photon OS 1.0: Httpd PHSA-2018-1.0-0126	Nessus	PhotonOS Local Security Checks	high
98914	Apache 2.4.x < 2.4.33 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
120888	Fedora 28 : mod_http2 (2018-eec13e2e8d)	Nessus	Fedora Local Security Checks	medium
118251	SUSE SLES12 Security Update : apache2 (SUSE-SU-2018:1161-2)	Nessus	SuSE Local Security Checks	critical
117916	Ubuntu 18.04 LTS : Apache HTTP Server vulnerabilities (USN-3783-1)	Nessus	Ubuntu Local Security Checks	high
109664	openSUSE Security Update : apache2 (openSUSE-2018-438)	Nessus	SuSE Local Security Checks	critical
109598	SUSE SLES12 Security Update : apache2 (SUSE-SU-2018:1161-1)	Nessus	SuSE Local Security Checks	critical
109555	Amazon Linux AMI : httpd24 (ALAS-2018-1004)	Nessus	Amazon Linux Local Security Checks	critical
109417	Fedora 26 : mod_http2 (2018-63de5f3f6b)	Nessus	Fedora Local Security Checks	medium
108855	Fedora 27 : mod_http2 (2018-0a95bff197)	Nessus	Fedora Local Security Checks	medium
108626	FreeBSD : apache -- multiple vulnerabilities (f38187e7-2f6e-11e8-8f07-b499baebfeaf)	Nessus	FreeBSD Local Security Checks	critical

Detections

Analytics

CVE-2018-1302

medium

Tenable Plugins

medium

critical

critical

high

critical

medium

critical

high

critical

critical

critical

medium

medium

critical