Apache 2.4.x < 2.4.16 Multiple Vulnerabilities
Medium Nessus Plugin ID 84959
SynopsisThe remote web server is affected by multiple vulnerabilities.
DescriptionAccording to its banner, the version of Apache 2.4.x installed on the remote host is prior to 2.4.16. It is, therefore, affected by the following vulnerabilities :
- A flaw exists in the lua_websocket_read() function in the 'mod_lua' module due to incorrect handling of WebSocket PING frames. A remote attacker can exploit this, by sending a crafted WebSocket PING frame after a Lua script has called the wsupgrade() function, to crash a child process, resulting in a denial of service condition. (CVE-2015-0228)
- A NULL pointer dereference flaw exists in the read_request_line() function due to a failure to initialize the protocol structure member. A remote attacker can exploit this flaw, on installations that enable the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI, by sending a request that lacks a method, to cause a denial of service condition. (CVE-2015-0253)
- A flaw exists in the chunked transfer coding implementation due to a failure to properly parse chunk headers. A remote attacker can exploit this to conduct HTTP request smuggling attacks. (CVE-2015-3183)
- A flaw exists in the ap_some_auth_required() function due to a failure to consider that a Require directive may be associated with an authorization setting rather than an authentication setting. A remote attacker can exploit this, if a module that relies on the 2.2 API behavior exists, to bypass intended access restrictions.
- A flaw exists in the RC4 algorithm due to an initial double-byte bias in the keystream generation. An attacker can exploit this, via Bayesian analysis that combines an a priori plaintext distribution with keystream distribution statistics, to conduct a plaintext recovery of the ciphertext. Note that RC4 cipher suites are prohibited per RFC 7465. This issue was fixed in Apache version 2.4.13; however, 2.4.13, 2.4.14, and 2.4.15 were never publicly released.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
SolutionUpgrade to Apache version 2.4.16 or later. Alternatively, ensure that the affected modules are not in use.