RHSA-2019:4126

https://httpd.apache.org/security/vulnerabilities_24.html

[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1337 advisory.

  - httpd: memory corruption on early pushes     (CVE-2019-10081)

  - httpd: read-after-free in h2 connection shutdown     (CVE-2019-10082)

  - httpd: limited cross-site scripting in mod_proxy error     page (CVE-2019-10092)

  - httpd: null-pointer dereference in mod_remoteip     (CVE-2019-10097)

  - httpd: mod_rewrite potential open redirect     (CVE-2019-10098)

  - openssl: side-channel weak encryption vulnerability     (CVE-2019-1547)

  - openssl: information disclosure in fork()     (CVE-2019-1549)

  - openssl: information disclosure in PKCS7_dataDecode and     CMS_decrypt_set1_pkey (CVE-2019-1563)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

New httpd packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues.

According to the versions of the httpd packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - In Apache HTTP Server 2.4 release 2.4.37 and prior,     mod_session checks the session expiry time before     decoding the session. This causes session expiry time     to be ignored for mod_session_cookie sessions since the     expiry time is loaded when the session is     decoded.(CVE-2018-17199)

  - In Apache HTTP Server 2.4.18-2.4.39, using fuzzed     network input, the http/2 session handling could be     made to read memory after being freed, during     connection shutdown.(CVE-2019-10082)

  - HTTP/2 (2.4.20 through 2.4.39) very early pushes, for     example configured with 'H2PushResource', could lead to     an overwrite of memory in the pushing request's pool,     leading to crashes. The memory copied is that of the     configured push link header values, not data supplied     by the client.(CVE-2019-10081)

  - Some HTTP/2 implementations are vulnerable to     unconstrained interal data buffering, potentially     leading to a denial of service. The attacker opens the     HTTP/2 window so the peer can send without constraint     however, they leave the TCP window closed so the peer     cannot actually write (many of) the bytes on the wire.
    The attacker then sends a stream of requests for a     large response object. Depending on how the servers     queue the responses, this can consume excess memory,     CPU, or both.(CVE-2019-9517)

  - In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip     was configured to use a trusted intermediary proxy     server using the 'PROXY' protocol, a specially crafted     PROXY header could trigger a stack buffer overflow or     NULL pointer deference. This vulnerability could only     be triggered by a trusted proxy and not by untrusted     HTTP clients.(CVE-2019-10097)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip     was configured to use a trusted intermediary proxy     server using the 'PROXY' protocol, a specially crafted     PROXY header could trigger a stack buffer overflow or     NULL pointer deference. This vulnerability could only     be triggered by a trusted proxy and not by untrusted     HTTP clients.(CVE-2019-10097)

  - Some HTTP/2 implementations are vulnerable to     unconstrained interal data buffering, potentially     leading to a denial of service. The attacker opens the     HTTP/2 window so the peer can send without constraint     however, they leave the TCP window closed so the peer     cannot actually write (many of) the bytes on the wire.
    The attacker then sends a stream of requests for a     large response object. Depending on how the servers     queue the responses, this can consume excess memory,     CPU, or both.(CVE-2019-9517)

  - HTTP/2 (2.4.20 through 2.4.39) very early pushes, for     example configured with 'H2PushResource', could lead to     an overwrite of memory in the pushing request's pool,     leading to crashes. The memory copied is that of the     configured push link header values, not data supplied     by the client.(CVE-2019-10081)

  - In Apache HTTP Server 2.4.18-2.4.39, using fuzzed     network input, the http/2 session handling could be     made to read memory after being freed, during     connection shutdown.(CVE-2019-10082)

  - In Apache HTTP Server 2.4 release 2.4.37 and prior,     mod_session checks the session expiry time before     decoding the session. This causes session expiry time     to be ignored for mod_session_cookie sessions since the     expiry time is loaded when the session is     decoded.(CVE-2018-17199)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A cross-site scripting vulnerability was found in Apache httpd, affecting the mod_proxy error page. Under certain circumstances, a crafted link could inject content into the HTML displayed in the error page, potentially leading to client-side exploitation.(CVE-2019-10092)

A vulnerability was discovered in Apache httpd, in mod_remoteip. A trusted proxy using the 'PROXY' protocol could send specially crafted headers that can cause httpd to experience a stack buffer overflow or NULL pointer dereference, leading to a crash or other potential consequences.\n\nThis issue could only be exploited by configured trusted intermediate proxy servers. HTTP clients such as browsers could not exploit the vulnerability.(CVE-2019-10097)

A vulnerability was discovered in Apache httpd, in mod_rewrite.
Certain self-referential mod_rewrite rules could be fooled by encoded newlines, causing them to redirect to an unexpected location. An attacker could abuse this flaw in a phishing attack or as part of a client-side attack on browsers.(CVE-2019-10098)

A vulnerability was found in Apache httpd, in mod_http2. Under certain circumstances, HTTP/2 early pushes could lead to memory corruption, causing a server to crash.(CVE-2019-10081)

A read-after-free vulnerability was discovered in Apache httpd, in mod_http2. A specially crafted http/2 client session could cause the server to read memory that was previously freed during connection shutdown, potentially leading to a crash.(CVE-2019-10082)

A cross-site scripting vulnerability was found in Apache httpd, affecting the mod_proxy error page. Under certain circumstances, a crafted link could inject content into the HTML displayed in the error page, potentially leading to client-side exploitation.(CVE-2019-10092)

A vulnerability was discovered in Apache httpd, in mod_remoteip. A trusted proxy using the 'PROXY' protocol could send specially crafted headers that can cause httpd to experience a stack buffer overflow or NULL pointer dereference, leading to a crash or other potential consequences.\n\nThis issue could only be exploited by configured trusted intermediate proxy servers. HTTP clients such as browsers could not exploit the vulnerability.(CVE-2019-10097)

A vulnerability was discovered in Apache httpd, in mod_rewrite.
Certain self-referential mod_rewrite rules could be fooled by encoded newlines, causing them to redirect to an unexpected location. An attacker could abuse this flaw in a phishing attack or as part of a client-side attack on browsers.(CVE-2019-10098)

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.(CVE-2019-9517)

USN-4113-1 fixed vulnerabilities in the Apache HTTP server.
Unfortunately, that update introduced a regression when proxying balancer manager connections in some configurations. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details :

Stefan Eissing discovered that the HTTP/2 implementation in Apache did not properly handle upgrade requests from HTTP/1.1 to HTTP/2 in some situations. A remote attacker could use this to cause a denial of service (daemon crash). This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04. (CVE-2019-0197)

Craig Young discovered that a memory overwrite error existed in Apache when performing HTTP/2 very early pushes in some situations. A remote attacker could use this to cause a denial of service (daemon crash). This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04. (CVE-2019-10081)

Craig Young discovered that a read-after-free error existed in the HTTP/2 implementation in Apache during connection shutdown. A remote attacker could use this to possibly cause a denial of service (daemon crash) or possibly expose sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04. (CVE-2019-10082)

Matei Badanoiu discovered that the mod_proxy component of Apache did not properly filter URLs when reporting errors in some configurations. A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks.
(CVE-2019-10092)

Daniel McCarney discovered that mod_remoteip component of Apache contained a stack buffer overflow when parsing headers from a trusted intermediary proxy in some situations. A remote attacker controlling a trusted proxy could use this to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 19.04. (CVE-2019-10097)

Yukitsugu Sasaki discovered that the mod_rewrite component in Apache was vulnerable to open redirects in some situations. A remote attacker could use this to possibly expose sensitive information or bypass intended restrictions. (CVE-2019-10098)

Jonathan Looney discovered that the HTTP/2 implementation in Apache did not properly limit the amount of buffering for client connections in some situations. A remote attacker could use this to cause a denial of service (unresponsive daemon). This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04. (CVE-2019-9517).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201909-04 (Apache: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache. Please review       the CVE identifiers referenced below for details.
  Impact :

    Please review the referenced CVE identifiers for details.
  Workaround :

    There is no known workaround at this time.

This update for apache2 fixes the following issues :

Security issues fixed :

  - CVE-2019-9517: Fixed HTTP/2 implementations that are     vulnerable to unconstrained interal data buffering     (bsc#1145575).

  - CVE-2019-10081: Fixed mod_http2 that is vulnerable to     memory corruption on early pushes (bsc#1145742).

  - CVE-2019-10082: Fixed mod_http2 that is vulnerable to     read-after-free in h2 connection shutdown (bsc#1145741).

  - CVE-2019-10092: Fixed limited cross-site scripting in     mod_proxy (bsc#1145740).

  - CVE-2019-10097: Fixed mod_remoteip stack-based buffer     overflow and NULL pointer dereference (bsc#1145739).

  - CVE-2019-10098: Fixed mod_rewrite configuration     vulnerablility to open redirect (bsc#1145738).

This update was imported from the SUSE:SLE-15:Update update project.

Stefan Eissing discovered that the HTTP/2 implementation in Apache did not properly handle upgrade requests from HTTP/1.1 to HTTP/2 in some situations. A remote attacker could use this to cause a denial of service (daemon crash). This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04. (CVE-2019-0197)

Craig Young discovered that a memory overwrite error existed in Apache when performing HTTP/2 very early pushes in some situations. A remote attacker could use this to cause a denial of service (daemon crash).
This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04.
(CVE-2019-10081)

Craig Young discovered that a read-after-free error existed in the HTTP/2 implementation in Apache during connection shutdown. A remote attacker could use this to possibly cause a denial of service (daemon crash) or possibly expose sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04. (CVE-2019-10082)

Matei Badanoiu discovered that the mod_proxy component of Apache did not properly filter URLs when reporting errors in some configurations.
A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks. (CVE-2019-10092)

Daniel McCarney discovered that mod_remoteip component of Apache contained a stack buffer overflow when parsing headers from a trusted intermediary proxy in some situations. A remote attacker controlling a trusted proxy could use this to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 19.04.
(CVE-2019-10097)

Yukitsugu Sasaki discovered that the mod_rewrite component in Apache was vulnerable to open redirects in some situations. A remote attacker could use this to possibly expose sensitive information or bypass intended restrictions. (CVE-2019-10098)

Jonathan Looney discovered that the HTTP/2 implementation in Apache did not properly limit the amount of buffering for client connections in some situations. A remote attacker could use this to cause a denial of service (unresponsive daemon). This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04. (CVE-2019-9517).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for apache2 fixes the following issues :

Security issues fixed :

CVE-2019-9517: Fixed HTTP/2 implementations that are vulnerable to unconstrained interal data buffering (bsc#1145575).

CVE-2019-10081: Fixed mod_http2 that is vulnerable to memory corruption on early pushes (bsc#1145742).

CVE-2019-10082: Fixed mod_http2 that is vulnerable to read-after-free in h2 connection shutdown (bsc#1145741).

CVE-2019-10092: Fixed limited cross-site scripting in mod_proxy (bsc#1145740).

CVE-2019-10097: Fixed mod_remoteip stack-based buffer overflow and NULL pointer dereference (bsc#1145739).

CVE-2019-10098: Fixed mod_rewrite configuration vulnerablility to open redirect (bsc#1145738).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been found in the Apache HTTPD server.

  - CVE-2019-9517     Jonathan Looney reported that a malicious client could     perform a denial of service attack (exhausting h2     workers) by flooding a connection with requests and     basically never reading responses on the TCP connection.

  - CVE-2019-10081     Craig Young reported that HTTP/2 PUSHes could lead to an     overwrite of memory in the pushing request's pool,     leading to crashes.

  - CVE-2019-10082     Craig Young reported that the HTTP/2 session handling     could be made to read memory after being freed, during     connection shutdown.

  - CVE-2019-10092     Matei 'Mal' Badanoiu reported a limited cross-site     scripting vulnerability in the mod_proxy error page.

  - CVE-2019-10097     Daniel McCarney reported that when mod_remoteip was     configured to use a trusted intermediary proxy server     using the 'PROXY' protocol, a specially crafted PROXY     header could trigger a stack buffer overflow or NULL     pointer deference. This vulnerability could only be     triggered by a trusted proxy and not by untrusted HTTP     clients. The issue does not affect the stretch release.

  - CVE-2019-10098     Yukitsugu Sasaki reported a potential open redirect     vulnerability in the mod_rewrite module.

This update includes the latest release of the Apache HTTP Server, version `2.4.41`, fixing various security issues. Several major enhancements are also included in this update :

  - `mod_md` is now packaged from upstream *github*     releases, adding support for ACMEv2.

  - `mod_cgid` stderr handling has been improved

See http://www.apache.org/dist/httpd/CHANGES_2.4.41 for a full list of changes since the previous release of `httpd`.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Apache httpd installed on the remote host is prior to 2.4.41. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.41 advisory, including the following:

  - A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could     cause the link on the error page to be malformed and instead point to a page of their choice. This would     only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way     that the Proxy Error page was displayed. (CVE-2019-10092)

  - HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with H2PushResource, could lead     to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that     of the configured push link header values, not data supplied by the client. (CVE-2019-10081)

  - Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading     to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint;
    however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the     wire. The attacker then sends a stream of requests for a large response object. Depending on how the     servers queue the responses, this can consume excess memory, CPU, or both. (CVE-2019-9517)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.41. It is, therefore, affected by multiple vulnerabilities:

 - A cross-site scripting (XSS) vulnerability exists in mod_proxy when proxying is enabled and Proxy Error page is displayed. (CVE-2019-10092)

 - An open redirect vulnerability exists in mod_rewrite when using self-referential redirects. (CVE-2019-10098)

 - A read-after-free vulnerability exists in mod_http2 during connection shutdown. (CVE-2019-10082)

 - A memory corruption vulnerability exists in mod_http2 on early pushes. (CVE-2019-10081)

 - A denial of service (DoS) vulnerability exists in mod_http2 by exhausting h2 workers. (CVE-2019-9517)

 - A stack buffer overflow and NULL pointer dereference vulnerabilities exist in mod_remoteip when using a specially crafted PROXY header. (CVE-2019-10097)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
135235	RHEL 6 / 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP2 (RHSA-2020:1337)	Nessus	Red Hat Local Security Checks	medium
135160	Slackware 14.0 / 14.1 / 14.2 / current : httpd (SSA:2020-091-02) (Internal Data Buffering)	Nessus	Slackware Local Security Checks	medium
135146	EulerOS Virtualization for ARM 64 3.0.6.0 : httpd (EulerOS-SA-2020-1359)	Nessus	Huawei Local Security Checks	medium
133989	EulerOS 2.0 SP8 : httpd (EulerOS-SA-2020-1155)	Nessus	Huawei Local Security Checks	medium
130400	Amazon Linux 2 : httpd (ALAS-2019-1341)	Nessus	Amazon Linux Local Security Checks	medium
130281	Amazon Linux AMI : httpd24 (ALAS-2019-1311) (Internal Data Buffering)	Nessus	Amazon Linux Local Security Checks	medium
128993	Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : apache2 regression (USN-4113-2) (Internal Data Buffering)	Nessus	Ubuntu Local Security Checks	medium
128593	GLSA-201909-04 : Apache: Multiple vulnerabilities (Internal Data Buffering)	Nessus	Gentoo Local Security Checks	medium
128460	openSUSE Security Update : apache2 (openSUSE-2019-2051) (Internal Data Buffering)	Nessus	SuSE Local Security Checks	medium
128412	Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : apache2 vulnerabilities (USN-4113-1) (Internal Data Buffering)	Nessus	Ubuntu Local Security Checks	medium
128316	SUSE SLED15 / SLES15 Security Update : apache2 (SUSE-SU-2019:2237-1) (Internal Data Buffering)	Nessus	SuSE Local Security Checks	medium
128182	Debian DSA-4509-1 : apache2 - security update (Internal Data Buffering)	Nessus	Debian Local Security Checks	medium
128084	Fedora 30 : 1:mod_md / httpd (2019-099575a123)	Nessus	Fedora Local Security Checks	medium
128033	Apache 2.4.x < 2.4.41 Multiple Vulnerabilities	Nessus	Web Servers	medium
98669	Apache 2.4.x < 2.4.41 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high

CVE-2019-10097

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins