Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released.

The remote host is affected by the vulnerability described in GLSA-202107-38 (Apache: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache. Please review       the CVE identifiers referenced below for details.
  Impact :

    Please review the referenced CVE identifiers for details.
  Workaround :

    There is no known workaround at this time.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:2127-1 advisory.

  - Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer     dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers,     leading to a Denial of Service (CVE-2020-13950)

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in     mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team     could create one, though some particular compiler and/or compilation option might make it possible, with     limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow     (CVE-2020-35452)

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can     cause a NULL pointer dereference and crash, leading to a possible Denial Of Service (CVE-2021-26690)

  - In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server     could cause a heap overflow (CVE-2021-26691)

  - Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'     (CVE-2021-30641)

  - Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the     size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of     these restrictions and HTTP response is sent to the client with a status code indicating why the request     was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the     offending header was the very first one received or appeared in a a footer. This led to a NULL pointer     dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2     request is easy to craft and submit, this can be exploited to DoS the server. This issue affected     mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never     released. (CVE-2021-31618)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2706 advisory.

  - In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be     self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within     the request URL. (CVE-2020-1927)

  - In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a     malicious FTP server. (CVE-2020-1934)

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in     mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team     could create one, though some particular compiler and/or compilation option might make it possible, with     limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow     (CVE-2020-35452)

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can     cause a NULL pointer dereference and crash, leading to a possible Denial Of Service (CVE-2021-26690)

  - In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server     could cause a heap overflow (CVE-2021-26691)

  - Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'     (CVE-2021-30641)

  - Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the     size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of     these restrictions and HTTP response is sent to the client with a status code indicating why the request     was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the     offending header was the very first one received or appeared in a a footer. This led to a NULL pointer     dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2     request is easy to craft and submit, this can be exploited to DoS the server. This issue affected     mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never     released. (CVE-2021-31618)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4937 advisory.

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in     mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team     could create one, though some particular compiler and/or compilation option might make it possible, with     limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow     (CVE-2020-35452)

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can     cause a NULL pointer dereference and crash, leading to a possible Denial Of Service (CVE-2021-26690)

  - In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server     could cause a heap overflow (CVE-2021-26691)

  - Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'     (CVE-2021-30641)

  - Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the     size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of     these restrictions and HTTP response is sent to the client with a status code indicating why the request     was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the     offending header was the very first one received or appeared in a a footer. This led to a NULL pointer     dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2     request is easy to craft and submit, this can be exploited to DoS the server. This issue affected     mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never     released. (CVE-2021-31618)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of mod_http2 installed on the remote host is prior to 1.15.19-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2021-1678 advisory.

  - Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the     size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of     these restrictions and HTTP response is sent to the client with a status code indicating why the request     was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the     offending header was the very first one received or appeared in a a footer. This led to a NULL pointer     dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2     request is easy to craft and submit, this can be exploited to DoS the server. This issue affected     mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never     released. (CVE-2021-31618)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2127-1 advisory.

  - Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer     dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers,     leading to a Denial of Service (CVE-2020-13950)

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in     mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team     could create one, though some particular compiler and/or compilation option might make it possible, with     limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow     (CVE-2020-35452)

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can     cause a NULL pointer dereference and crash, leading to a possible Denial Of Service (CVE-2021-26690)

  - In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server     could cause a heap overflow (CVE-2021-26691)

  - Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'     (CVE-2021-30641)

  - Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the     size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of     these restrictions and HTTP response is sent to the client with a status code indicating why the request     was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the     offending header was the very first one received or appeared in a a footer. This led to a NULL pointer     dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2     request is easy to craft and submit, this can be exploited to DoS the server. This issue affected     mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never     released. (CVE-2021-31618)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:0908-1 advisory.

  - Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer     dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers,     leading to a Denial of Service (CVE-2020-13950)

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in     mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team     could create one, though some particular compiler and/or compilation option might make it possible, with     limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow     (CVE-2020-35452)

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can     cause a NULL pointer dereference and crash, leading to a possible Denial Of Service (CVE-2021-26690)

  - In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server     could cause a heap overflow (CVE-2021-26691)

  - Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'     (CVE-2021-30641)

  - Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the     size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of     these restrictions and HTTP response is sent to the client with a status code indicating why the request     was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the     offending header was the very first one received or appeared in a a footer. This led to a NULL pointer     dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2     request is easy to craft and submit, this can be exploited to DoS the server. This issue affected     mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never     released. (CVE-2021-31618)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Apache httpd reports :

- moderate: mod_proxy_wstunnel tunneling of non Upgraded connections (CVE-2019-17567)

- moderate: Improper Handling of Insufficient Privileges (CVE-2020-13938)

- low: mod_proxy_http NULL pointer dereference (CVE-2020-13950)

- low: mod_auth_digest possible stack overflow by one nul byte (CVE-2020-35452)

- low: mod_session NULL pointer dereference (CVE-2021-26690)

- low: mod_session response handling heap overflow (CVE-2021-26691)

- moderate: Unexpected URL matching with 'MergeSlashes OFF' (CVE-2021-30641)

- important: NULL pointer dereference on specially crafted HTTP/2 request (CVE-2021-31618)

The version of httpd installed on the remote host is prior to 2.4.46-2. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2021-1672 advisory.

  - Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the     size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of     these restrictions and HTTP response is sent to the client with a status code indicating why the request     was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the     offending header was the very first one received or appeared in a a footer. This led to a NULL pointer     dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2     request is easy to craft and submit, this can be exploited to DoS the server. This issue affected     mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never     released. (CVE-2021-31618)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of httpd installed on the remote host is prior to 2.4.48-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1659 advisory.

  - Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not     necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for     subsequent requests on the same connection to pass through with no HTTP validation, authentication or     authorization possibly configured. (CVE-2019-17567)

  - Apache HTTP Server versions 2.4.0 to 2.4.46 Unprivileged local users can stop httpd on Windows     (CVE-2020-13938)

  - Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer     dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers,     leading to a Denial of Service (CVE-2020-13950)

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in     mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team     could create one, though some particular compiler and/or compilation option might make it possible, with     limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow     (CVE-2020-35452)

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can     cause a NULL pointer dereference and crash, leading to a possible Denial Of Service (CVE-2021-26690)

  - In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server     could cause a heap overflow (CVE-2021-26691)

  - Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'     (CVE-2021-30641)

  - Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the     size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of     these restrictions and HTTP response is sent to the client with a status code indicating why the request     was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the     offending header was the very first one received or appeared in a a footer. This led to a NULL pointer     dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2     request is easy to craft and submit, this can be exploited to DoS the server. This issue affected     mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never     released. (CVE-2021-31618)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED12 / SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2006-1 advisory.

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in     mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team     could create one, though some particular compiler and/or compilation option might make it possible, with     limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow     (CVE-2020-35452)

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can     cause a NULL pointer dereference and crash, leading to a possible Denial Of Service (CVE-2021-26690)

  - In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server     could cause a heap overflow (CVE-2021-26691)

  - Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'     (CVE-2021-30641)

  - Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the     size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of     these restrictions and HTTP response is sent to the client with a status code indicating why the request     was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the     offending header was the very first one received or appeared in a a footer. This led to a NULL pointer     dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2     request is easy to craft and submit, this can be exploited to DoS the server. This issue affected     mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never     released. (CVE-2021-31618)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2004-1 advisory.

  - In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the     mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point     to a page of their choice. This would only be exploitable where a server was set up with proxying enabled     but was misconfigured in such a way that the Proxy Error page was displayed. (CVE-2019-10092)

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in     mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team     could create one, though some particular compiler and/or compilation option might make it possible, with     limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow     (CVE-2020-35452)

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can     cause a NULL pointer dereference and crash, leading to a possible Denial Of Service (CVE-2021-26690)

  - In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server     could cause a heap overflow (CVE-2021-26691)

  - Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'     (CVE-2021-30641)

  - Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the     size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of     these restrictions and HTTP response is sent to the client with a status code indicating why the request     was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the     offending header was the very first one received or appeared in a a footer. This led to a NULL pointer     dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2     request is easy to craft and submit, this can be exploited to DoS the server. This issue affected     mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never     released. (CVE-2021-31618)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.48. It is, therefore, affected by multiple vulnerabilities:

 - Unexpected <Location> section matching with 'MergeSlashes OFF'. (CVE-2021-30641)

 - mod_auth_digest: possible stack overflow by one nul byte while validating the Digest nonce. (CVE-2020-35452)

 - mod_session: Fix possible crash due to NULL pointer dereference, which could be used to cause a Denial of Service with a malicious backend server and SessionHeader. (CVE-2021-26691)

 - mod_session: Fix possible crash due to NULL pointer dereference, which could be used to cause a Denial of Service. (CVE-2021-26690)

 - mod_proxy_http: Fix possible crash due to NULL pointer dereference, which could be used to cause a Denial of Service. (CVE-2020-13950)

 - Windows: Prevent local users from stopping the httpd process (CVE-2020-13938)

 - mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end negotiation. (CVE-2019-17567)

 - mod_http2: Fix a potential NULL pointer dereference. (CVE-2021-31618)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

New httpd packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues.

The version of Apache httpd installed on the remote host is prior to 2.4.48. It is, therefore, affected by a vulnerability as referenced in the 2.4.48 changelog.

  - mod_http2: Fix a potential NULL pointer dereference (CVE-2021-31618)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
156972	GLSA-202107-38 : Apache: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
151694	openSUSE 15 Security Update : apache2 (openSUSE-SU-2021:2127-1)	Nessus	SuSE Local Security Checks	critical
151486	Debian DLA-2706-1 : apache2 - LTS security update	Nessus	Debian Local Security Checks	critical
151485	Debian DSA-4937-1 : apache2 - security update	Nessus	Debian Local Security Checks	critical
151277	Amazon Linux 2 : mod_http2 (ALAS-2021-1678)	Nessus	Amazon Linux Local Security Checks	high
151095	SUSE SLED15 / SLES15 Security Update : apache2 (SUSE-SU-2021:2127-1)	Nessus	SuSE Local Security Checks	critical
151068	openSUSE 15 Security Update : apache2 (openSUSE-SU-2021:0908-1)	Nessus	SuSE Local Security Checks	critical
151010	FreeBSD : Apache httpd -- Multiple vulnerabilities (cce76eca-ca16-11eb-9b84-d4c9ef517024)	Nessus	FreeBSD Local Security Checks	critical
150994	Amazon Linux 2 : httpd (ALAS-2021-1672)	Nessus	Amazon Linux Local Security Checks	high
150983	Amazon Linux 2 : httpd (ALAS-2021-1659)	Nessus	Amazon Linux Local Security Checks	critical
150877	SUSE SLED12 / SLES12 Security Update : apache2 (SUSE-SU-2021:2006-1)	Nessus	SuSE Local Security Checks	critical
150876	SUSE SLES15 Security Update : apache2 (SUSE-SU-2021:2004-1)	Nessus	SuSE Local Security Checks	critical
112806	Apache 2.4.x < 2.4.48 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
150334	Slackware 14.0 / 14.1 / 14.2 / current : httpd (SSA:2021-158-01)	Nessus	Slackware Local Security Checks	critical
150244	Apache 2.4.x < 2.4.48 Vulnerability	Nessus	Web Servers	high

Detections

Analytics

CVE-2021-31618

high

Tenable Plugins

critical

critical

critical

critical

high

critical

critical

critical

high

critical

critical

critical

critical

critical

high