Oracle Solaris Third-Party Patch Update : apache (cve_2013_1896_denial_of)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote Solaris system is missing a security patch for third-party
software.

Description :

The remote Solaris system is missing necessary patches that address
the following security issues :

- Multiple cross-site scripting (XSS) vulnerabilities in
the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x
before 2.4.4 allow remote attackers to inject arbitrary
web script or HTML via vectors involving hostnames and
URIs in the (1) mod_imagemap, (2) mod_info, (3)
mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules.
(CVE-2012-3499)

- mod_rewrite.c in the mod_rewrite module in the Apache
HTTP Server 2.2.x before 2.2.25 writes data to a log
file without sanitizing non-printable characters, which
might allow remote attackers to execute arbitrary
commands via an HTTP request containing an escape
sequence for a terminal emulator. (CVE-2013-1862)

- mod_dav.c in the Apache HTTP Server before 2.2.25 does
not properly determine whether DAV is enabled for a URI,
which allows remote attackers to cause a denial of
service (segmentation fault) via a MERGE request in
which the URI is configured for handling by the
mod_dav_svn module, but a certain href attribute in XML
data refers to a non-DAV URI. (CVE-2013-1896)

See also :

http://www.nessus.org/u?b5f8def1
https://blogs.oracle.com/sunsecurity/entry/cve_2013_1896_denial_of
http://www.nessus.org/u?411a1e47

Solution :

Upgrade to Solaris 11.1.11.4.0.

Risk factor :

Medium / CVSS Base Score : 5.1
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

Family: Solaris Local Security Checks

Nessus Plugin ID: 80585

Bugtraq ID:

CVE ID: CVE-2012-3499
CVE-2013-1862
CVE-2013-1896
