Apache HTTP Server 2.4.x < 2.4.16 Multiple Vulnerabilities
Severity: Medium | Nessus Network Monitor Plugin ID 8970
Synopsis
The remote web server is missing an Apache HTTP Server patch update.
Description
The version of Apache HTTP Server 2.4 installed on the remote host is prior to 2.4.13. It is, therefore, affected by the following vulnerabilities:
- A flaw exists in the lua_websocket_read() function in the 'mod_lua' module due to incorrect handling of WebSocket PING frames. A remote attacker can exploit this, by sending a crafted WebSocket PING frame after a Lua script has called the wsupgrade() function, to crash a child process, resulting in a denial of service condition. (CVE-2015-0228)
- A NULL pointer dereference flaw exists in the read_request_line() function due to a failure to initialize the protocol structure member. A remote attacker can exploit this flaw, on installations that enable the INCLUDES filter and have an ErrorDocument 400 directive specifying a local URI, by sending a request that lacks a method, to cause a denial of service condition. (CVE-2015-0253)
- A flaw exists in the chunked transfer coding implementation due to a failure to properly parse chunk headers. A remote attacker can exploit this to conduct HTTP request smuggling attacks. (CVE-2015-3183)
- A security bypass flaw affects mod_authz_svn related to a failure to properly restrict anonymous access. This may allow anonymous access in scenarios where it is intended to be restricted to authenticated users. (CVE-2015-3184)
- A flaw exists in the ap_some_auth_required() function due to a failure to consider that a Require directive may be associated with an authorization setting rather than an authentication setting. A remote attacker can exploit this, if a module that relies on the 2.2 API behavior exists, to bypass intended access restrictions. (CVE-2015-3185)
- A flaw exists in the RC4 algorithm due to an initial double-byte bias in the keystream generation. An attacker can exploit this, via Bayesian analysis that combines an a priori plaintext distribution with keystream distribution statistics, to recover plaintext from the ciphertext. Note that RC4 cipher suites are now prohibited per RFC 7465. This issue was fixed in Apache version 2.4.13; however, 2.4.13, 2.4.14, and 2.4.15 were never publicly released. (CVE-2015-2808)
Solution
Upgrade to Apache HTTP Server version 2.4.16 or later.
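The version test this plugin performs, written out as an added example (it is not the Nessus plugin's own code): it parses the Server banner an Apache instance sends, treats anything in the 2.4 branch below the 2.4.16 remediation threshold as affected (which covers the never-released 2.4.13 to 2.4.15 numbers), and reports "unknown" when ServerTokens hides the version. The banner formats and the constructed sample headers are assumptions.

```python
import re
from typing import Optional, Tuple

# Remediation threshold stated in the advisory's Solution.
FIXED_VERSION = (2, 4, 16)

# Matches banners such as "Apache/2.4.12 (Ubuntu)" or a bare "Apache"
# (the latter is what ServerTokens Prod emits; no version is disclosed).
_BANNER_RE = re.compile(r"^Apache(?:/(\d+)\.(\d+)(?:\.(\d+))?)?")


def parse_apache_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a Server header, or None when the
    banner is not Apache or does not disclose a version."""
    m = _BANNER_RE.match(server_header.strip())
    if not m or m.group(1) is None:
        return None
    # A banner like "Apache/2.4" has no patch level; treat it as .0 so it
    # is flagged for manual confirmation rather than silently passed.
    patch = m.group(3) or "0"
    return (int(m.group(1)), int(m.group(2)), int(patch))


def assess(server_header: str) -> str:
    """Classify a banner against the advisory's fixed version:
    'vulnerable'   - 2.4.x earlier than 2.4.16
    'patched'      - 2.4.16 or later
    'out_of_scope' - an Apache branch other than 2.4 (e.g. 2.2.x)
    'unknown'      - not Apache, or version not disclosed"""
    ver = parse_apache_version(server_header)
    if ver is None:
        return "unknown"
    if ver[:2] != (2, 4):
        return "out_of_scope"
    return "vulnerable" if ver < FIXED_VERSION else "patched"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for banner in ("Apache/2.4.12 (Ubuntu)", "Apache/2.4.14",
                   "Apache/2.4.16 (Unix)", "Apache", "Apache/2.2.31"):
        print(f"{banner!r:28} -> {assess(banner)}")
```

Banner matching alone produces false positives where a distribution backports the fixes without bumping the advertised version, so confirm a "vulnerable" result against the installed package's changelog before reporting it.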