RHEL 6 : Red Hat JBoss Core Services Apache HTTP Server 2.4.29 RHEL 6 (RHSA-2018:2186)

critical Nessus Plugin ID 111147
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

Red Hat JBoss Core Services Pack Apache Server 2.4.29 packages are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this release as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This release adds the new Apache HTTP Server 2.4.29 packages that are part of the JBoss Core Services offering.

This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes and enhancements.
Refer to the Release Notes for information on the most significant bug fixes, enhancements and component upgrades included in this release.

This release upgrades OpenSSL to version 1.0.2.n

Security Fix(es) :

* openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() (CVE-2016-2182)

* openssl: Insufficient TLS session ticket HMAC length checks (CVE-2016-6302)

* openssl: certificate message OOB reads (CVE-2016-6306)

* openssl: Carry propagating bug in Montgomery multiplication (CVE-2016-7055)

* openssl: Truncated packet could crash via OOB read (CVE-2017-3731)

* openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)

* openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)

* openssl: Read/write after SSL object in error state (CVE-2017-3737)

* openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6306 and CVE-2016-7055. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6306.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?b2e43da2

https://access.redhat.com/errata/RHSA-2018:2186

https://access.redhat.com/security/cve/cve-2016-2182

https://access.redhat.com/security/cve/cve-2016-4975

https://access.redhat.com/security/cve/cve-2016-6302

https://access.redhat.com/security/cve/cve-2016-6306

https://access.redhat.com/security/cve/cve-2016-7055

https://access.redhat.com/security/cve/cve-2017-3731

https://access.redhat.com/security/cve/cve-2017-3732

https://access.redhat.com/security/cve/cve-2017-3736

https://access.redhat.com/security/cve/cve-2017-3737

https://access.redhat.com/security/cve/cve-2017-3738

Plugin Details

Severity: Critical

ID: 111147

File Name: redhat-RHSA-2018-2186.nasl

Version: 1.6

Type: local

Agent: unix

Published: 7/18/2018

Updated: 10/24/2019

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon-jsvc, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-ldap, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-mysql, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-nss, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-odbc, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-openssl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-pgsql, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-sqlite, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-manual, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-selinux, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-tools, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_auth_kerb, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_auth_kerb-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_bmx, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_bmx-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_cluster-native, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_cluster-native-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_jk-ap24, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_jk-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_jk-manual, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_ldap, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_proxy_html, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_rt, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_rt-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_security, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_security-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_session, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_ssl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-nghttp2, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-nghttp2-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-nghttp2-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-debuginfo, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-libs, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-perl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-static, cpe:/o:redhat:enterprise_linux:6

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Patch Publication Date: 7/12/2018

Vulnerability Publication Date: 9/16/2016

Reference Information

CVE: CVE-2016-2182, CVE-2016-4975, CVE-2016-6302, CVE-2016-6306, CVE-2016-7055, CVE-2017-3731, CVE-2017-3732, CVE-2017-3736, CVE-2017-3737, CVE-2017-3738

RHSA: 2018:2186