Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (January 2015 CPU)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote web server is affected by multiple vulnerabilities.

Description :

The version of Oracle HTTP Server installed on the remote host is
affected by multiple vulnerabilities in the Web Listener
subcomponent :

- An integer overflow condition exists in libxml2 within
file xpath.c, related to XPath expressions when adding a
new namespace note. An unauthenticated, remote attacker
can exploit this, via a crafted XML file, to cause a
denial of service condition or the execution of arbitary
code. (CVE-2011-1944)

- An integer overflow condition exists in the HTTP server,
specifically in the ap_pregsub() function within file
server/util.c, when the mod_setenvif module is enabled.
A local attacker can exploit this to gain elevated
privileges by using an .htaccess file with a crafted
combination of SetEnvIf directives and HTTP request
headers. (CVE-2011-3607)

- A flaw exists in libxml2, known as the 'internal entity
expansion' with linear complexity issue, that allows
specially crafted XML files to consume excessive CPU and
memory resources. An unauthenticated, remote attacker
can exploit this to cause a denial of service condition
by using a specially crafted XML file containing an
entity declaration with long replacement text and many
references to this entity. (CVE-2013-0338)

- An out-of-bounds read error exists in libxml2 within
file parser.c due to a failure to check for the
XML_PARSER_EOF state. An unauthenticated, remote
attacker can exploit this, via a specially crafted
document that ends abruptly, to cause a denial of
service condition. (CVE-2013-2877)

- A flaw exists within the mod_headers module in the
HTTP server which allows bypassing the 'RequestHeader
unset' directives. An unauthenticated, remote attacker
can exploit this to inject arbitrary headers. This is
done by placing a header in the trailer portion of data
being sent using chunked transfer encoding.
(CVE-2013-5704)

- A flaw exists in the dav_xml_get_cdata() function in
file main/util.c within the HTTP server mod_dav module
due to incorrect stripping of whitespace characters from
the CDATA sections. An unauthenticated, remote attacker
via a specially crafted DAV WRITE request, can exploit
this to cause a denial of service condition.
(CVE-2013-6438)

- A flaw exists in the log_cookie() function in file
mod_log_config.c within the HTTP server mod_log_config
module due to improper handling of specially crafted
cookies during truncation. An unauthenticated, remote
attacker can exploit this to cause a denial of service
condition via a segmentation fault. (CVE-2014-0098)

- A flaw exists in libxml2, specifically in the
xmlParserHandlePEReference() function in file parser.c,
due to loading external parameter entities even when
entity substitution is disabled. An unauthenticated,
remote attacker can exploit this issue, via a specially
crafted XML file, to conduct XML External Entity (XXE)
attacks that exhaust CPU and memory resources, resulting
in a denial of service condition. (CVE-2014-0191)

- A race condition exists in the HTTP server within the
mod_status module when using a threaded Multi-Processing
Module (MPM). If an unauthenticated, remote attacker is
able to access status pages served by mod_status, the
attacker can exploit this issue, by sending specially
crafted requests, to cause the httpd child process to
crash or possibly execute arbitrary code with the
privileges of the user running the web server.
(CVE-2014-0226)

- An unspecified flaw exists in the Web Listener
subcomponent that allows an unauthenticated, remote
attacker to impact confidentiality, integrity, and
availability. (CVE-2014-6571)

- An unspecified flaw exists in the J2EE subcomponent that
allows an unauthenticated, remote attacker to disclose
potentially sensitive information. (CVE-2015-0372)

- An unspecified flaw exists in the Web Listener
subcomponent that allows an unauthenticated, remote
attacker to cause a denial of service condition.
(CVE-2015-0386)

See also :

http://www.nessus.org/u?c02f1515

Solution :

Apply the appropriate patch according to the January 2015 Oracle
Critical Patch Update advisory.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now