Apache 2.2.x < 2.2.12 Multiple Vulnerabilities

high Nessus Plugin ID 40467

Synopsis

The remote web server may be affected by several issues.

Description

According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.12. It is, therefore, affected by the following vulnerabilities:

- A heap-based buffer underwrite flaw exists in the function 'apr_strmatch_precompile()' in the bundled copy of the APR-util library, which could be triggered when parsing configuration data to crash the daemon. (CVE-2009-0023)

- A flaw in the mod_proxy_ajp module in version 2.2.11 only may allow a remote attacker to obtain sensitive response data intended for a client that sent an earlier POST request with no request body. (CVE-2009-1191)

- The server does not limit the use of directives in a .htaccess file as expected based on directives such as 'AllowOverride' and 'Options' in the configuration file, which could enable a local user to bypass security restrictions. (CVE-2009-1195)

- Failure to properly handle an amount of streamed data that exceeds the Content-Length value allows a remote attacker to force a proxy process to consume CPU time indefinitely when mod_proxy is used in a reverse proxy configuration. (CVE-2009-1890)

- Failure of mod_deflate to stop compressing a file when the associated network connection is closed may allow a remote attacker to consume large amounts of CPU if there is a large (>10 MB) file available that has mod_deflate enabled. (CVE-2009-1891)

- Using a specially crafted XML document with a large number of nested entities, a remote attacker may be able to consume an excessive amount of memory due to a flaw in the bundled expat XML parser used by the mod_dav and mod_dav_svn modules. (CVE-2009-1955)

- There is an off-by-one overflow in the function 'apr_brigade_vprintf()' in the bundled copy of the APR-util library in the way it handles a variable list of arguments, which could be leveraged on big-endian platforms to perform information disclosure or denial of service attacks. (CVE-2009-1956)

Note that Nessus has relied solely on the version string in the Server response header; it has not attempted to verify the issues themselves, nor whether the affected modules are in use.
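The banner-only check described above, and the 2.2.12 fix threshold from the Solution, can be reproduced in a few lines. The following is an added example, not Nessus plugin code: it extracts the Server header from a raw HTTP response, parses an Apache 2.2.x version, compares it against 2.2.12, and lists which of the page's CVEs apply (CVE-2009-1191 only for 2.2.11). The sample banners and the sample response are constructed for illustration; a banner with no version (ServerTokens Prod) or a non-Apache banner yields "unknown", which is exactly the blind spot the note above describes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version at which all seven issues on this page are fixed (from the plugin text).
FIXED_VERSION = (2, 2, 12)

# CVEs listed on this page; CVE-2009-1191 (mod_proxy_ajp) affects 2.2.11 only.
ALL_CVES = [
    "CVE-2009-0023", "CVE-2009-1191", "CVE-2009-1195", "CVE-2009-1890",
    "CVE-2009-1891", "CVE-2009-1955", "CVE-2009-1956",
]
ONLY_2_2_11 = {"CVE-2009-1191"}

# Constructed sample Server header values (not captured from any real host).
SAMPLE_BANNERS: Dict[str, str] = {
    "old":     "Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k",
    "older":   "Apache/2.2.9 (Debian)",
    "fixed":   "Apache/2.2.12 (Ubuntu)",
    "newer":   "Apache/2.4.57 (Debian)",
    "minimal": "Apache",          # ServerTokens Prod: no version disclosed
    "other":   "nginx/1.24.0",    # not Apache at all
}

# Constructed raw HTTP response, headers only matter here.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 03 Aug 2009 10:00:00 GMT\r\n"
    "Server: Apache/2.2.11 (Unix)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

_APACHE_RE = re.compile(r"^Apache/(\d+)\.(\d+)\.(\d+)")


def extract_server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def parse_apache_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'Apache/X.Y.Z ...' into (X, Y, Z); None if no version is disclosed."""
    m = _APACHE_RE.match(banner.strip())
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess_banner(banner: str) -> str:
    """Classify a banner: 'vulnerable', 'patched', 'not_2.2' or 'unknown'."""
    ver = parse_apache_version(banner)
    if ver is None:
        return "unknown"          # banner check cannot decide; needs local verification
    if ver[:2] != (2, 2):
        return "not_2.2"          # outside this plugin's scope
    return "vulnerable" if ver < FIXED_VERSION else "patched"


def applicable_cves(banner: str) -> List[str]:
    """CVEs from this page that the banner version falls under."""
    if assess_banner(banner) != "vulnerable":
        return []
    if parse_apache_version(banner) == (2, 2, 11):
        return list(ALL_CVES)
    return [c for c in ALL_CVES if c not in ONLY_2_2_11]


if __name__ == "__main__":
    print("Server header in sample response:", extract_server_header(SAMPLE_RESPONSE))
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:8} {banner!r:55} -> {assess_banner(banner)} {applicable_cves(banner)}")
```

Treat an "unknown" result as a gap to close by checking the installed package version on the host rather than as a clean bill of health; hiding the version string does not remove the flaws.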

Solution

Upgrade to Apache version 2.2.12 or later. Alternatively, ensure that the affected modules / directives are not in use.

See Also

http://httpd.apache.org/security/vulnerabilities_22.html

Plugin Details

Severity: High

ID: 40467

File Name: apache_2_2_12.nasl

Version: 1.28

Type: remote

Family: Web Servers

Published: 8/2/2009

Updated: 4/27/2020

Dependencies: apache_http_version.nasl

Risk Information

CVSS Score Source: CVE-2009-1955

VPR

Risk Factor: Medium

Score: 6.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Required KB Items: installed_sw/Apache

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/27/2009

Vulnerability Publication Date: 4/22/2009

Reference Information

CVE: CVE-2009-1195, CVE-2009-0023, CVE-2009-1955, CVE-2009-1956, CVE-2009-1890, CVE-2009-1891, CVE-2009-1191

BID: 35221, 35251, 35253, 35565, 35623, 34663, 35115

CWE: 119, 20, 189, 399, 16