Detections
Analytics

Amazon Linux AMI : httpd24 (ALAS-2015-483)

medium Nessus Plugin ID 81329

Language:

Synopsis

The remote Amazon Linux AMI host is missing a security update.

Description

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory. (CVE-2014-8109)

A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.
(CVE-2013-5704)

A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled.
(CVE-2014-3581)

The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers. (CVE-2014-3583)

Solution

Run 'yum update httpd24' to update your system.

See Also

https://alas.aws.amazon.com/ALAS-2015-483.html

Plugin Details

Severity: Medium

ID: 81329

File Name: ala_ALAS-2015-483.nasl

Version: 1.5

Type: local

Agent: unix

Published: 2/13/2015

Updated: 4/18/2018

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:httpd24-devel, p-cpe:/a:amazon:linux:httpd24-manual, p-cpe:/a:amazon:linux:httpd24-tools, p-cpe:/a:amazon:linux:mod24_ldap, p-cpe:/a:amazon:linux:mod24_proxy_html, p-cpe:/a:amazon:linux:mod24_session, p-cpe:/a:amazon:linux:mod24_ssl, cpe:/o:amazon:linux, p-cpe:/a:amazon:linux:httpd24, p-cpe:/a:amazon:linux:httpd24-debuginfo

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Patch Publication Date: 2/12/2015

Reference Information

CVE: CVE-2013-5704, CVE-2014-3581, CVE-2014-3583, CVE-2014-8109

ALAS: 2015-483