A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Server that never enabled the h2 protocol or that only enabled it for https: and did not set "H2Upgrade on" are unaffected by this issue.

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2022:0017 advisory.

    Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

    CVE-2019-0190:
    A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully     crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be     only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an     interaction in changes to handling of renegotiation attempts.

    CVE-2019-0196:
    A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2     request handling could be made to access freed memory in string comparison when determining the method of     a request and thus process the request incorrectly.

    CVE-2019-0197:
    A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host     or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not     the first request on a connection could lead to a misconfiguration and crash. Server that never enabled     the h2 protocol or that only enabled it for https: and did not set H2Upgrade on are unaffected by this     issue.

    CVE-2019-0211:
    In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in     less-privileged child processes or threads (including scripts executed by an in-process scripting     interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by     manipulating the scoreboard. Non-Unix systems are not affected.

    CVE-2019-0215:
    In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client     certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.

    CVE-2019-0217:
    In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a     threaded server could allow a user with valid credentials to authenticate using another username,     bypassing configured access control restrictions.

    CVE-2019-0220:
    A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL     contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account     for duplicates in regular expressions while other aspects of the servers processing will implicitly     collapse them.

    CVE-2019-10082:
    In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made     to read memory after being freed, during connection shutdown.

    CVE-2019-10092:
    In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the     mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point     to a page of their choice. This would only be exploitable where a server was set up with proxying enabled     but was misconfigured in such a way that the Proxy Error page was displayed.

    CVE-2019-10097:
    In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy     server using the PROXY protocol, a specially crafted PROXY header could trigger a stack buffer overflow     or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by     untrusted HTTP clients.

    CVE-2019-10098:
    In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be     self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the     request URL.

    CVE-2019-9511:
    Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization     manipulation, potentially leading to a denial of service. The attacker requests a large amount of data     from a specified resource over multiple streams. They manipulate window size and stream priority to force     the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can     consume excess CPU, memory, or both.

    CVE-2019-9516:
    Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service.
    The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally     Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and     keep the allocation alive until the session dies. This can consume excess memory.

    CVE-2019-9517:
    Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to     a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint;
    however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the     wire. The attacker then sends a stream of requests for a large response object. Depending on how the     servers queue the responses, this can consume excess memory, CPU, or both.

    CVE-2020-11984:
    Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

    CVE-2020-11993:
    Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on     certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent     use of memory pools. Configuring the LogLevel of mod_http2 above info will mitigate this vulnerability     for unpatched servers.

    CVE-2020-1927:
    In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be     self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within     the request URL.

    CVE-2020-1934:
    In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a     malicious FTP server.

    CVE-2020-9490:
    Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a     HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource     afterwards. Configuring the HTTP/2 feature via H2Push off will mitigate this vulnerability for unpatched     servers.

    CVE-2021-26690:
    Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can     cause a NULL pointer dereference and crash, leading to a possible Denial Of Service

    CVE-2021-30641:
    Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'

    CVE-2021-34798:
    Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP     Server 2.4.48 and earlier.

    CVE-2021-39275:
    ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules     pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache     HTTP Server 2.4.48 and earlier.

    CVE-2021-44790:
    A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser     (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the     vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and     earlier.

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2020:4751 advisory.

  - In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain     resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming     data. This affects only HTTP/2 (mod_http2) connections. (CVE-2018-17189)

  - A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2     request handling could be made to access freed memory in string comparison when determining the method of     a request and thus process the request incorrectly. (CVE-2019-0196)

  - A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host     or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not     the first request on a connection could lead to a misconfiguration and crash. Server that never enabled     the h2 protocol or that only enabled it for https: and did not set H2Upgrade on are unaffected by this     issue. (CVE-2019-0197)

  - HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with H2PushResource, could lead     to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of     the configured push link header values, not data supplied by the client. (CVE-2019-10081)

  - In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made     to read memory after being freed, during connection shutdown. (CVE-2019-10082)

  - In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the     mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point     to a page of their choice. This would only be exploitable where a server was set up with proxying enabled     but was misconfigured in such a way that the Proxy Error page was displayed. (CVE-2019-10092)

  - In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy     server using the PROXY protocol, a specially crafted PROXY header could trigger a stack buffer overflow     or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by     untrusted HTTP clients. (CVE-2019-10097)

  - In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be     self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the     request URL. (CVE-2019-10098)

  - In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be     self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within     the request URL. (CVE-2020-1927)

  - In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a     malicious FTP server. (CVE-2020-1934)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version MAIN 6.06, has httpd packages installed that are affected by multiple vulnerabilities:

  - In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain     resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming     data. This affects only HTTP/2 (mod_http2) connections. (CVE-2018-17189)

  - In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before     decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since     the expiry time is loaded when the session is decoded. (CVE-2018-17199)

  - A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2     request handling could be made to access freed memory in string comparison when determining the method of     a request and thus process the request incorrectly. (CVE-2019-0196)

  - A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host     or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not     the first request on a connection could lead to a misconfiguration and crash. Server that never enabled     the h2 protocol or that only enabled it for https: and did not set H2Upgrade on are unaffected by this     issue. (CVE-2019-0197)

  - HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with H2PushResource, could lead     to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of     the configured push link header values, not data supplied by the client. (CVE-2019-10081)

  - In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made     to read memory after being freed, during connection shutdown. (CVE-2019-10082)

  - In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the     mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point     to a page of their choice. This would only be exploitable where a server was set up with proxying enabled     but was misconfigured in such a way that the Proxy Error page was displayed. (CVE-2019-10092)

  - Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on     certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent     use of memory pools. Configuring the LogLevel of mod_http2 above info will mitigate this vulnerability     for unpatched servers. (CVE-2020-11993)

  - In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be     self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within     the request URL. (CVE-2020-1927)

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can     cause a NULL pointer dereference and crash, leading to a possible Denial Of Service (CVE-2021-26690)

  - In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server     could cause a heap overflow (CVE-2021-26691)

  - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules     pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache     HTTP Server 2.4.48 and earlier. (CVE-2021-39275)

  - A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser     (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the     vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and     earlier. (CVE-2021-44790)

  - Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered     discarding the request body, exposing the server to HTTP Request Smuggling (CVE-2022-22720)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:4751 advisory.

  - httpd: mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189)

  - httpd: mod_http2: read-after-free on a string compare (CVE-2019-0196)

  - httpd: mod_http2: possible crash on late upgrade (CVE-2019-0197)

  - httpd: memory corruption on early pushes (CVE-2019-10081)

  - httpd: read-after-free in h2 connection shutdown (CVE-2019-10082)

  - httpd: limited cross-site scripting in mod_proxy error page (CVE-2019-10092)

  - httpd: null-pointer dereference in mod_remoteip (CVE-2019-10097)

  - httpd: mod_rewrite potential open redirect (CVE-2019-10098)

  - httpd: mod_rewrite configurations vulnerable to open redirect (CVE-2020-1927)

  - httpd: mod_proxy_ftp use of uninitialized value (CVE-2020-1934)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-4751 advisory.

    - Resolves: #1823263 (CVE-2020-1934) - CVE-2020-1934 httpd: mod_proxy_ftp use of       uninitialized value
    - Resolves: #1823259 - CVE-2020-1927 httpd:2.4/httpd: mod_rewrite configurations       vulnerable to open redirect
    - Resolves: #1747284 - CVE-2019-10098 httpd:2.4/httpd: mod_rewrite potential       open redirect
    - Resolves: #1747281 - CVE-2019-10092 httpd:2.4/httpd: limited cross-site       scripting in mod_proxy error page
    - Resolves: #1747291 - CVE-2019-10097 httpd:2.4/httpd: null-pointer dereference       in mod_remoteip
    - Resolves: #1869073 - CVE-2020-9490 httpd:2.4/mod_http2: httpd:
      Push diary crash on specifically crafted HTTP/2 header
    - Resolves: #1747289 - CVE-2019-10082 httpd:2.4/mod_http2: httpd:
      read-after-free in h2 connection shutdown
    - Resolves: #1696099 - CVE-2019-0197 httpd:2.4/mod_http2: httpd:
      mod_http2: possible crash on late upgrade
    - Resolves: #1696094 - CVE-2019-0196 httpd:2.4/mod_http2: httpd:
      mod_http2: read-after-free on a string compare
    - Resolves: #1677591 - CVE-2018-17189 httpd:2.4/mod_http2: httpd:
      mod_http2: DoS via slow, unneeded request bodies

    mod_md

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4751 advisory.

    The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

    The following packages have been upgraded to a later upstream version: mod_http2 (1.15.7). (BZ#1814236)

    Security Fix(es):

    * httpd: memory corruption on early pushes (CVE-2019-10081)

    * httpd: read-after-free in h2 connection shutdown (CVE-2019-10082)

    * httpd: null-pointer dereference in mod_remoteip (CVE-2019-10097)

    * httpd: mod_rewrite configurations vulnerable to open redirect (CVE-2020-1927)

    * httpd: mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189)

    * httpd: mod_http2: read-after-free on a string compare (CVE-2019-0196)

    * httpd: mod_http2: possible crash on late upgrade (CVE-2019-0197)

    * httpd: limited cross-site scripting in mod_proxy error page (CVE-2019-10092)

    * httpd: mod_rewrite potential open redirect (CVE-2019-10098)

    * httpd: mod_proxy_ftp use of uninitialized value (CVE-2020-1934)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2644 advisory.

    This release adds the new Apache HTTP Server 2.4.37 Service Pack 3 packages that are part of the JBoss     Core Services offering.

    This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service     Pack 2 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most     significant bug fixes and enhancements included in this release.

    Security fix(es):

    * httpd: mod_http2: read-after-free on a string compare (CVE-2019-0196)
    * httpd: mod_http2: possible crash on late upgrade (CVE-2019-0197)
    * httpd: mod_proxy_ftp use of uninitialized value (CVE-2020-1934)
    * nghttp2: overly large SETTINGS frames can lead to DoS (CVE-2020-11080)
    * libxml2: There's a memory leak in xmlParseBalancedChunkMemoryRecover in parser.c that could result in a     crash (CVE-2019-19956)
    * libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c (CVE-2019-20388)
    * libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations (CVE-2020-7595)
    * expat: large number of colons in input makes parser consume high amount of resources, leading to DoS     (CVE-2018-20843)
    * expat: heap-based buffer over-read via crafted XML input (CVE-2019-15903)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In Apache HTTP Server 2.4.0-2.4.39, a limited     cross-site scripting issue was reported affecting the     mod_proxy error page. An attacker could cause the link     on the error page to be malformed and instead point to     a page of their choice. This would only be exploitable     where a server was set up with proxying enabled but was     misconfigured in such a way that the Proxy Error page     was displayed.(CVE-2019-10092)

  - In Apache HTTP server 2.4.0 to 2.4.39, Redirects     configured with mod_rewrite that were intended to be     self-referential might be fooled by encoded newlines     and redirect instead to an unexpected URL within the     request URL.(CVE-2019-10098)

  - A vulnerability was found in Apache HTTP Server 2.4.34     to 2.4.38. When HTTP/2 was enabled for a http: host or     H2Upgrade was enabled for h2 on a https: host, an     Upgrade request from http/1.1 to http/2 that was not     the first request on a connection could lead to a     misconfiguration and crash. Server that never enabled     the h2 protocol or that only enabled it for https: and     did not set 'H2Upgrade on' are unaffected by this     issue.(CVE-2019-0197)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:3933 advisory.

    This release adds the new Apache HTTP Server 2.4.37 packages that are part of the JBoss Core Services     offering.

    This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.29 and     includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant     bug fixes and enhancements included in this release.

    Security Fix(es):

    * openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to     recover private keys (CVE-2018-0737)
    * openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734)
    * mod_auth_digest: access control bypass due to race condition (CVE-2019-0217)
    * openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407)
    * mod_session_cookie does not respect expiry time (CVE-2018-17199)
    * mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189)
    * mod_http2: possible crash on late upgrade (CVE-2019-0197)
    * mod_http2: read-after-free on a string compare (CVE-2019-0196)
    * nghttp2: HTTP/2: large amount of data request leads to denial of service (CVE-2019-9511)
    * nghttp2: HTTP/2: flood using PRIORITY frames resulting in excessive resource consumption (CVE-2019-9513)
    * mod_http2: HTTP/2: 0-length headers leads to denial of service (CVE-2019-9516)
    * mod_http2: HTTP/2: request for large response leads to denial of service (CVE-2019-9517)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:3932 advisory.

    This release adds the new Apache HTTP Server 2.4.37 packages that are part of the JBoss Core Services     offering.

    This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.29 and     includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant     bug fixes and enhancements included in this release.

    Security Fix(es):

    * openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to     recover private keys (CVE-2018-0737) * openssl: timing side channel attack in the DSA signature algorithm     (CVE-2018-0734) * mod_auth_digest: access control bypass due to race condition (CVE-2019-0217) * openssl:
    Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407) *     mod_session_cookie does not respect expiry time (CVE-2018-17199) * mod_http2: DoS via slow, unneeded     request bodies (CVE-2018-17189) * mod_http2: possible crash on late upgrade (CVE-2019-0197) * mod_http2:
    read-after-free on a string compare (CVE-2019-0196) * nghttp2: HTTP/2: large amount of data request leads     to denial of service (CVE-2019-9511) * nghttp2: HTTP/2: flood using PRIORITY frames resulting in excessive     resource consumption (CVE-2019-9513) * mod_http2: HTTP/2: 0-length headers leads to denial of service     (CVE-2019-9516) * mod_http2: HTTP/2: request for large response leads to denial of service (CVE-2019-9517)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4113-1 advisory.

    Stefan Eissing discovered that the HTTP/2 implementation in Apache did not properly handle upgrade     requests from HTTP/1.1 to HTTP/2 in some situations. A remote attacker could use this to cause a denial of     service (daemon crash). This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04. (CVE-2019-0197)

    Craig Young discovered that a memory overwrite error existed in Apache when performing HTTP/2 very early     pushes in some situations. A remote attacker could use this to cause a denial of service (daemon crash).
    This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04. (CVE-2019-10081)

    Craig Young discovered that a read-after-free error existed in the HTTP/2 implementation in Apache during     connection shutdown. A remote attacker could use this to possibly cause a denial of service (daemon crash)     or possibly expose sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04.
    (CVE-2019-10082)

    Matei Badanoiu discovered that the mod_proxy component of Apache did not properly filter URLs when     reporting errors in some configurations. A remote attacker could possibly use this issue to conduct cross-     site scripting (XSS) attacks. (CVE-2019-10092)

    Daniel McCarney discovered that mod_remoteip component of Apache contained a stack buffer overflow when     parsing headers from a trusted intermediary proxy in some situations. A remote attacker controlling a     trusted proxy could use this to cause a denial of service or possibly execute arbitrary code. This issue     only affected Ubuntu 19.04. (CVE-2019-10097)

    Yukitsugu Sasaki discovered that the mod_rewrite component in Apache was vulnerable to open redirects in     some situations. A remote attacker could use this to possibly expose sensitive information or bypass     intended restrictions. (CVE-2019-10098)

    Jonathan Looney discovered that the HTTP/2 implementation in Apache did not properly limit the amount of     buffering for client connections in some situations. A remote attacker could use this to cause a denial of     service (unresponsive daemon). This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04. (CVE-2019-9517)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component:

  - An unspecified vulnerability in Networking (cURL) subcomponent     of Oracle Enterprise Manager Ops Center, which could allow     an unauthenticated attacker with network access to     compromise Enterprise Manager Ops Center. (CVE-2019-3822)

  - An unspecified vulnerability in Networking (OpenSSL) subcomponent     of Oracle Enterprise Manager Ops Center, which could allow     an unauthenticated attacker with network access to     compromise Enterprise Manager Ops Center. (CVE-2019-1559)

  - An unspecified vulnerability in Networking (OpenSSL) subcomponent     of Oracle Enterprise Manager Ops Center, which could allow     a low privileged attacker with network access to     compromise Enterprise Manager Ops Center. (CVE-2019-2728)

Resolves: #1695046 CVE-2019-0196 CVE-2019-0197 CVE-2019-0215 CVE-2019-0217 CVE-2019-0220 httpd: various flaws Resolves: #1694510 httpd-2.4.39 is available Resolves: #1694986 - CVE-2019-0211 httpd:
privilege escalation from modules scripts

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for apache2 fixes the following issues :

  - CVE-2019-0220: The Apache HTTP server did not use a     consistent strategy for URL normalization throughout all     of its components. In particular, consecutive slashes     were not always collapsed. Attackers could potentially     abuse these inconsistencies to by-pass access control     mechanisms and thus gain unauthorized access to     protected parts of the service. [bsc#1131241]

  - CVE-2019-0217: A race condition in Apache's     'mod_auth_digest' when running in a threaded server     could have allowed users with valid credentials to     authenticate using another username, bypassing     configured access control restrictions. [bsc#1131239]

  - CVE-2019-0211: A flaw in the Apache HTTP Server allowed     less-privileged child processes or threads to execute     arbitrary code with the privileges of the parent     process. Attackers with control over CGI scripts or     extension modules run by the server could have abused     this issue to potentially gain super user privileges.
    [bsc#1131233]

  - CVE-2019-0197: When HTTP/2 support was enabled in the     Apache server for a 'http' host or H2Upgrade was enabled     for h2 on a 'https' host, an Upgrade request from     http/1.1 to http/2 that was not the first request on a     connection could lead to a misconfiguration and crash.
    This issue could have been abused to mount a     denial-of-service attack. Servers that never enabled the     h2 protocol or that only enabled it for https: and did     not configure the 'H2Upgrade on' are unaffected.
    [bsc#1131245]

  - CVE-2019-0196: Through specially crafted network input     the Apache's http/2 request handler could be lead to     access previously freed memory while determining the     method of a request. This resulted in the request being     misclassified and thus being processed incorrectly.
    [bsc#1131237]

This update was imported from the SUSE:SLE-12-SP2:Update update project.

In Apache HTTP Server with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. (CVE-2019-0211)

mod_http2: read-after-free on a string compare (CVE-2019-0196)

mod_http2: possible crash on late upgrade (CVE-2019-0197)

httpd: URL normalization inconsistency (CVE-2019-0220)

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.(CVE-2019-0215)

A race condition was found in mod_auth_digest when the web server was running in a threaded MPM configuration. It could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.(CVE-2019-0217)

This update for apache2 fixes the following issues :

  - CVE-2019-0211: A flaw in the Apache HTTP Server allowed     less-privileged child processes or threads to execute     arbitrary code with the privileges of the parent     process. Attackers with control over CGI scripts or     extension modules run by the server could have abused     this issue to potentially gain super user privileges.
    [bsc#1131233]

  - CVE-2019-0220: The Apache HTTP server did not use a     consistent strategy for URL normalization throughout all     of its components. In particular, consecutive slashes     were not always collapsed. Attackers could potentially     abuse these inconsistencies to by-pass access control     mechanisms and thus gain unauthorized access to     protected parts of the service. [bsc#1131241]

  - CVE-2019-0217: A race condition in Apache's     'mod_auth_digest' when running in a threaded server     could have allowed users with valid credentials to     authenticate using another username, bypassing     configured access control restrictions. [bsc#1131239]

  - CVE-2019-0197: When HTTP/2 support was enabled in the     Apache server for a 'http' host or H2Upgrade was enabled     for h2 on a 'https' host, an Upgrade request from     http/1.1 to http/2 that was not the first request on a     connection could lead to a misconfiguration and crash.
    This issue could have been abused to mount a     denial-of-service attack. Servers that never enabled the     h2 protocol or that only enabled it for https: and did     not configure the 'H2Upgrade on' are unaffected.
    [bsc#1131245]

  - CVE-2019-0196: Through specially crafted network input     the Apache's http/2 request handler could be lead to     access previously freed memory while determining the     method of a request. This resulted in the request being     misclassified and thus being processed incorrectly.
    [bsc#1131237]

This update was imported from the SUSE:SLE-15:Update update project.

In Apache HTTP Server with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. (CVE-2019-0211)

A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.(CVE-2019-0220)

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.(CVE-2019-0215)

A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38.
Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly.(CVE-2019-0196)

A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Server that never enabled the h2 protocol or that only enabled it for https: and did not set 'H2Upgrade on' are unaffected by this issue.(CVE-2019-0197)

A race condition was found in mod_auth_digest when the web server was running in a threaded MPM configuration. It could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.(CVE-2019-0217)

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.39. It is, therefore, affected by multiple vulnerabilities:

 - A privilege escalation vulnerability exists in module scripts due to an ability to execute arbitrary code as the parent process by manipulating the scoreboard. (CVE-2019-0211)

 - An access control bypass vulnerability exists in mod_auth_digest due to a race condition when running in a threaded server. An attacker with valid credentials could authenticate using another username. (CVE-2019-0217)

 - An access control bypass vulnerability exists in mod_ssl when using per-location client certificate verification with TLSv1.3. (CVE-2019-0215)

In addition, Apache httpd is also affected by several additional vulnerabilities including a denial of service, read-after-free and URL path normalization inconsistencies.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Versions of Apache HTTP server prior to 2.4.39 are unpatched, and therefore affected by multiple vulnerabilities :

 - Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparision when determining the method of a request and thus process the request incorrectly. (CVE-2019-0196)
 - When HTTP/2 was enabled for a 'http: host' or H2Upgrade was enabled for h2 on a 'https: host', an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. A server that never enabled the h2 protocol or that only enabled it for HTTPS and did not configure the "H2Upgrade on" is unaffected by this. (CVE-2019-0197)
 - With MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process by manipulating the scoreboard. (CVE-2019-0211)
 - A bug in 'mod_ssl' when using per-location client certificate verification with TLSv1.3 allows a client supporting Post-Handshake Authentication to bypass configured access control restrictions. (CVE-2019-0215)
 - A race condition in 'mod_auth_digest' when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. (CVE-2019-0217)
 - When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as 'LocationMatch' and 'RewriteRule' must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them. (CVE-2019-0220)

This update for apache2 fixes the following issues :

CVE-2019-0220: The Apache HTTP server did not use a consistent strategy for URL normalization throughout all of its components. In particular, consecutive slashes were not always collapsed. Attackers could potentially abuse these inconsistencies to by-pass access control mechanisms and thus gain unauthorized access to protected parts of the service. [bsc#1131241]

CVE-2019-0217: A race condition in Apache's 'mod_auth_digest' when running in a threaded server could have allowed users with valid credentials to authenticate using another username, bypassing configured access control restrictions. [bsc#1131239]

CVE-2019-0211: A flaw in the Apache HTTP Server allowed less-privileged child processes or threads to execute arbitrary code with the privileges of the parent process. Attackers with control over CGI scripts or extension modules run by the server could have abused this issue to potentially gain super user privileges. [bsc#1131233]

CVE-2019-0197: When HTTP/2 support was enabled in the Apache server for a 'http' host or H2Upgrade was enabled for h2 on a 'https' host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash.
This issue could have been abused to mount a denial-of-service attack.
Servers that never enabled the h2 protocol or that only enabled it for https: and did not configure the 'H2Upgrade on' are unaffected.
[bsc#1131245]

CVE-2019-0196: Through specially crafted network input the Apache's http/2 request handler could be lead to access previously freed memory while determining the method of a request. This resulted in the request being misclassified and thus being processed incorrectly.
[bsc#1131237]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for apache2 fixes the following issues :

CVE-2019-0211: A flaw in the Apache HTTP Server allowed less-privileged child processes or threads to execute arbitrary code with the privileges of the parent process. Attackers with control over CGI scripts or extension modules run by the server could have abused this issue to potentially gain super user privileges. [bsc#1131233]

CVE-2019-0220: The Apache HTTP server did not use a consistent strategy for URL normalization throughout all of its components. In particular, consecutive slashes were not always collapsed. Attackers could potentially abuse these inconsistencies to by-pass access control mechanisms and thus gain unauthorized access to protected parts of the service. [bsc#1131241]

CVE-2019-0217: A race condition in Apache's 'mod_auth_digest' when running in a threaded server could have allowed users with valid credentials to authenticate using another username, bypassing configured access control restrictions. [bsc#1131239]

CVE-2019-0197: When HTTP/2 support was enabled in the Apache server for a 'http' host or H2Upgrade was enabled for h2 on a 'https' host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash.
This issue could have been abused to mount a denial-of-service attack.
Servers that never enabled the h2 protocol or that only enabled it for https: and did not configure the 'H2Upgrade on' are unaffected.
[bsc#1131245]

CVE-2019-0196: Through specially crafted network input the Apache's http/2 request handler could be lead to access previously freed memory while determining the method of a request. This resulted in the request being misclassified and thus being processed incorrectly.
[bsc#1131237]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.39. It is, therefore, affected by multiple vulnerabilities:

  - A privilege escalation vulnerability exists in     module scripts due to an ability to execute arbitrary     code as the parent process by manipulating the     scoreboard. (CVE-2019-0211)

  - An access control bypass vulnerability exists in     mod_auth_digest due to a race condition when running     in a threaded server. An attacker with valid credentials     could authenticate using another username. (CVE-2019-0217)

  - An access control bypass vulnerability exists in     mod_ssl when using per-location client certificate     verification with TLSv1.3. (CVE-2019-0215)

In addition, Apache httpd is also affected by several additional vulnerabilities including a denial of service, read-after-free and URL path normalization inconsistencies. 

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
236421	Alibaba Cloud Linux 3 : 0017: httpd:2.4 (ALINUX3-SA-2022:0017)	Nessus	Alibaba Cloud Linux Local Security Checks	critical
184538	Rocky Linux 8 : httpd:2.4 (RLSA-2020:4751)	Nessus	Rocky Linux Local Security Checks	critical
174760	NewStart CGSL MAIN 6.06 : httpd Multiple Vulnerabilities (NS-SA-2023-1001)	Nessus	NewStart CGSL Local Security Checks	critical
145821	CentOS 8 : httpd:2.4 (CESA-2020:4751)	Nessus	CentOS Local Security Checks	critical
142762	Oracle Linux 8 : httpd:2.4 (ELSA-2020-4751)	Nessus	Oracle Linux Local Security Checks	critical
142397	RHEL 8 : httpd:2.4 (RHSA-2020:4751)	Nessus	Red Hat Local Security Checks	critical
137705	RHEL 6 / 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP3 (RHSA-2020:2644)	Nessus	Red Hat Local Security Checks	medium
134781	EulerOS 2.0 SP8 : httpd (EulerOS-SA-2020-1289)	Nessus	Huawei Local Security Checks	medium
131216	RHEL 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release on RHEL 7 (Important) (RHSA-2019:3933)	Nessus	Red Hat Local Security Checks	high
131215	RHEL 6 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release on RHEL 6 (Important) (RHSA-2019:3932)	Nessus	Red Hat Local Security Checks	high
128412	Ubuntu 16.04 LTS / 18.04 LTS : Apache HTTP Server vulnerabilities (USN-4113-1)	Nessus	Ubuntu Local Security Checks	critical
126777	Oracle Enterprise Manager Ops Center (Jul 2019 CPU)	Nessus	Misc.	critical
124541	Fedora 30 : httpd (2019-cf7695b470)	Nessus	Fedora Local Security Checks	high
124264	openSUSE Security Update : apache2 (openSUSE-2019-1258)	Nessus	SuSE Local Security Checks	high
124125	Amazon Linux 2 : httpd (ALAS-2019-1189)	Nessus	Amazon Linux Local Security Checks	high
124102	openSUSE Security Update : apache2 (openSUSE-2019-1209)	Nessus	SuSE Local Security Checks	high
124017	openSUSE Security Update : apache2 (openSUSE-2019-1190)	Nessus	SuSE Local Security Checks	high
123958	Amazon Linux AMI : httpd24 (ALAS-2019-1189)	Nessus	Amazon Linux Local Security Checks	high
98530	Apache 2.4.x < 2.4.39 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
700509	Apache HTTP Server < 2.4.39 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
123785	SUSE SLES12 Security Update : apache2 (SUSE-SU-2019:0878-1)	Nessus	SuSE Local Security Checks	high
123782	SUSE SLED15 / SLES15 Security Update : apache2 (SUSE-SU-2019:0873-1)	Nessus	SuSE Local Security Checks	high
123642	Apache 2.4.x < 2.4.39 Multiple Vulnerabilities	Nessus	Web Servers	high

Detections

Analytics

CVE-2019-0197

medium

Tenable Plugins

critical

critical

critical

critical

critical

critical

medium

medium

high

high

critical

critical

high

high

high

high

high

high

high

high

high

high

high