Oracle Solaris Third-Party Patch Update : apache (cve_2013_1896_denial_of)

medium Nessus Plugin ID 80585

Synopsis

The remote Solaris system is missing a security patch for third-party software.

Description

The remote Solaris system is missing necessary patches to address security updates :

- Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules.
(CVE-2012-3499)

- mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator. (CVE-2013-1862)

- mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI. (CVE-2013-1896)

Solution

Upgrade to Solaris 11.1.11.4.0.

See Also

http://www.nessus.org/u?4a913f44

https://blogs.oracle.com/sunsecurity/cve-2013-1896-denial-of-service-dos-vulnerability-in-apache-http-server

http://www.nessus.org/u?158e3c7f

Plugin Details

Severity: Medium

ID: 80585

File Name: solaris11_apache_20131015.nasl

Version: 1.4

Type: local

Published: 1/19/2015

Updated: 1/14/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/o:oracle:solaris:11.1, p-cpe:/a:oracle:solaris:apache

Required KB Items: Host/local_checks_enabled, Host/Solaris11/release, Host/Solaris11/pkg-list

Patch Publication Date: 10/15/2013

Reference Information

CVE: CVE-2012-3499, CVE-2013-1862, CVE-2013-1896