In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request     (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could     be used by an external attacker to cause denial of service condition. (CVE-2022-37797)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of lighttpd installed on the remote host is prior to 1.4.53-1.37. It is, therefore, affected by a vulnerability as referenced in the ALAS-2023-1705 advisory.

    In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request     (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could     be used by an external attacker to cause denial of service condition. (CVE-2022-37797)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This Solaris system is missing necessary patches to address critical security updates :

  - Vulnerability in the Oracle Communications Session     Border Controller product of Oracle Communications     (component: Routing (glibc)). Supported versions that     are affected are 8.4, 9.0 and 9.1. Difficult to exploit     vulnerability allows unauthenticated attacker with     network access via HTTP to compromise Oracle     Communications Session Border Controller. Successful     attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash     (complete DOS) of Oracle Communications Session Border     Controller as well as unauthorized update, insert or     delete access to some of Oracle Communications Session     Border Controller accessible data and unauthorized read     access to a subset of Oracle Communications Session     Border Controller accessible data. CVSS 3.1 Base Score     7.0 (Confidentiality, Integrity and Availability     impacts). CVSS Vector:
    (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H).
    (CVE-2022-23219)

  - Vulnerability in the Oracle Communications Cloud Native     Core Unified Data Repository product of Oracle     Communications (component: Signaling (glibc)). The     supported version that is affected is 22.1.1. Easily     exploitable vulnerability allows unauthenticated     attacker with network access via HTTP to compromise     Oracle Communications Cloud Native Core Unified Data     Repository. Successful attacks of this vulnerability can     result in takeover of Oracle Communications Cloud Native     Core Unified Data Repository. CVSS 3.1 Base Score 9.8     (Confidentiality, Integrity and Availability impacts).
    CVSS Vector:
    (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
    (CVE-2022-23218)

  - Vulnerability in the Oracle Communications Cloud Native     Core Policy product of Oracle Communications (component:
    Policy (GNU Libtasn1)). Supported versions that are     affected are 22.4.0-22.4.4 and 23.1.0-23.1.1. Easily     exploitable vulnerability allows unauthenticated     attacker with network access via HTTPS to compromise     Oracle Communications Cloud Native Core Policy.
    Successful attacks of this vulnerability can result in     unauthorized access to critical data or complete access     to all Oracle Communications Cloud Native Core Policy     accessible data and unauthorized ability to cause a hang     or frequently repeatable crash (complete DOS) of Oracle     Communications Cloud Native Core Policy. CVSS 3.1 Base     Score 9.1 (Confidentiality and Availability impacts).
    CVSS Vector:
    (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
    (CVE-2021-46848)

  - Vulnerability in the Oracle Text (LibExpat) component of     Oracle Database Server. Supported versions that are     affected are 19.3-19.19 and 21.3-21.10. Easily     exploitable vulnerability allows low privileged attacker     having Create Session, Create Index privilege with     network access via Oracle Net to compromise Oracle Text     (LibExpat). Successful attacks of this vulnerability can     result in unauthorized ability to cause a hang or     frequently repeatable crash (complete DOS) of Oracle     Text (LibExpat). CVSS 3.1 Base Score 6.5 (Availability     impacts). CVSS Vector:
    (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
    (CVE-2022-43680)

  - Vulnerability in the PeopleSoft Enterprise PeopleTools     product of Oracle PeopleSoft (component: Porting     (Python)). Supported versions that are affected are 8.59     and 8.60. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to     compromise PeopleSoft Enterprise PeopleTools. Successful     attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash     (complete DOS) of PeopleSoft Enterprise PeopleTools.
    CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS     Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
    (CVE-2022-45061)

  - Vulnerability in the Oracle Solaris product of Oracle     Systems (component: NSSwitch). Supported versions that     are affected are 10 and 11. Difficult to exploit     vulnerability allows high privileged attacker with     network access via multiple protocols to compromise     Oracle Solaris. Successful attacks require human     interaction from a person other than the attacker and     while the vulnerability is in Oracle Solaris, attacks     may significantly impact additional products (scope     change). Successful attacks of this vulnerability can     result in unauthorized update, insert or delete access     to some of Oracle Solaris accessible data and     unauthorized ability to cause a partial denial of     service (partial DOS) of Oracle Solaris. CVSS 3.1 Base     Score 4.0 (Integrity and Availability impacts). CVSS     Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:L).
    (CVE-2023-21900)

The remote host is affected by the vulnerability described in GLSA-202210-12 (Lighttpd: Denial of Service)

  - In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request     (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could     be used by an external attacker to cause denial of service condition. (CVE-2022-37797)

  - A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service     (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to     RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected.
    This is fixed in 1.4.67. (CVE-2022-41556)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3133 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-3133-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                        Helmut Grohne     October 03, 2022                              https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : lighttpd     Version        : 1.4.53-4+deb10u3     CVE ID         : CVE-2022-37797

    An invalid HTTP request (websocket handshake) may cause a NULL     pointer dereference in the wstunnel module.

    For Debian 10 buster, this problem has been fixed in version     1.4.53-4+deb10u3.

    We recommend that you upgrade your lighttpd packages.

    For the detailed security status of lighttpd please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/lighttpd

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2022:10132-1 advisory.

  - In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request     (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could     be used by an external attacker to cause denial of service condition. (CVE-2022-37797)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5243 advisory.

    Several vulnerabilities were discovered in lighttpd, a fast webserver with minimal memory footprint.
    CVE-2022-37797 An invalid HTTP request (websocket handshake) may cause a NULL pointer dereference in the     wstunnel module. CVE-2022-41556 A resource leak in mod_fastcgi and mod_scgi could lead to a denial of     service after a large number of bad HTTP requests. For the stable distribution (bullseye), these problems     have been fixed in version 1.4.59-1+deb11u2. We recommend that you upgrade your lighttpd packages. For the     detailed security status of lighttpd please refer to its security tracker page at: https://security-     tracker.debian.org/tracker/lighttpd

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
259364	Linux Distros Unpatched Vulnerability : CVE-2022-37797	Nessus	Misc.	high
173282	Amazon Linux AMI : lighttpd (ALAS-2023-1705)	Nessus	Amazon Linux Local Security Checks	high
170171	Oracle Solaris Critical Patch Update : jan2023_SRU11_4_53_132_2	Nessus	Solaris Local Security Checks	critical
166723	GLSA-202210-12 : Lighttpd: Denial of Service	Nessus	Gentoo Local Security Checks	high
165654	Debian dla-3133 : lighttpd - security update	Nessus	Debian Local Security Checks	high
165586	openSUSE 15 Security Update : lighttpd (openSUSE-SU-2022:10132-1)	Nessus	SuSE Local Security Checks	high
165548	Debian DSA-5243-1 : lighttpd - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2022-37797

high

Tenable Plugins

high

high

critical

high

high

high

high