Apache 2.4 < 2.4.5 Multiple Vulnerabilities

High Log Correlation Engine Plugin ID 801401

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

The remote host is running an Apache HTTP server. Versions earlier than 2.4.5 are affected by the following vulnerabilities:

- A denial of service vulnerability exists in the 'mod_dav' module in its handling of MERGE requests. (CVE-2013-1896)

- An error exists in the 'mod_session_dbd' module related to flags and session saving, with an unspecified impact. (CVE-2013-2249)

Solution

Either ensure that the affected modules are not in use or upgrade to Apache version 2.4.6 or later.

See Also

http://www.apache.org/dist/httpd/CHANGES_2.4.6

http://httpd.apache.org/security/vulnerabilities_24.html

Plugin Details

Severity: High

ID: 801401

File Name: 801401.prm

Family: Web Servers

Published: 2013/07/23

Nessus ID: 69014

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

Patch Publication Date: 2013/07/22

Vulnerability Publication Date: 2013/05/23

Reference Information

CVE: CVE-2013-1896, CVE-2013-2249

BID: 61129, 61379