According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.27. It is, therefore, affected by the following vulnerabilities :

 - A denial of service vulnerability exists in httpd due to a failure to initialize or reset the value placeholder in [Proxy-]Authorization headers of type 'Digest' before or between successive key=value assignments by mod_auth_digest. An unauthenticated, remote attacker can exploit this, by providing an initial key with no '=' assignment, to disclose sensitive information or cause a denial of service condition. (CVE-2017-9788)

 - A read-after-free error exists in httpd that is triggered when closing a large number of connections. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2017-9789)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is running a version of Mac OS X that is prior to 10.10.5, 10.11.x prior to 10.11.6, 10.12.x prior to 10.12.6, or is not macOS 10.13. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache
  - AppSandbox
  - AppleScript
  - Application Firewall
  - ATS
  - Audio
  - CFNetwork
  - CFNetwork Proxies
  - CFString
  - Captive Network Assistant
  - CoreAudio
  - CoreText
  - DesktopServices
  - Directory Utility
  - file
  - Fonts
  - fsck_msdos
  - HFS
  - Heimdal
  - HelpViewer
  - IOFireWireFamily
  - ImageIO
  - Installer
  - Kernel
  - kext tools
  - libarchive
  - libc
  - libexpat
  - Mail
  - Mail Drafts
  - ntp
  - Open Scripting Architecture
  - PCRE
  - Postfix
  - Quick Look
  - QuickTime
  - Remote Management
  - SQLite
  - Sandbox
  - Screen Lock
  - Security
  - Spotlight
  - WebKit
  - zlib

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The remote host is running Mac OS X 10.11.6 or Mac OS X 10.12.6 and is missing a security update. It is therefore, affected by multiple vulnerabilities affecting the following components :

  - 802.1X
  - apache
  - AppleScript
  - ATS
  - Audio
  - CFString
  - CoreText
  - curl
  - Dictionary Widget
  - file
  - Fonts
  - fsck_msdos
  - HFS
  - Heimdal
  - HelpViewer
  - ImageIO
  - Kernel
  - libarchive
  - Open Scripting Architecture
  - PCRE
  - Postfix
  - Quick Look
  - QuickTime
  - Remote Management
  - Sandbox
  - StreamingZip
  - tcpdump
  - Wi-Fi

The Apache httpd project reports :

important: Read after free in mod_http2 (CVE-2017-9789) When under stress, closing many connections, the HTTP/2 handling code would sometimes access memory after it has been freed, resulting in potentially erratic behaviour.

important: Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788)The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments. by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault.

The remote host is affected by the vulnerability described in GLSA-201710-32 (Apache: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache. Please review       the referenced CVE identifiers for details.
  Impact :

    The Optionsbleed vulnerability can leak arbitrary memory from the server       process that may contain secrets.  Additionally attackers may cause a       Denial of Service condition, bypass authentication, or cause information       loss.
  Workaround :

    There is no known workaround at this time.

This update for apache2 fixes several issues. These security issues were fixed :

  - CVE-2017-9789: When under stress (closing many     connections) the HTTP/2 handling code would sometimes     access memory after it has been freed, resulting in     potentially erratic behaviour (bsc#1048575).

  - CVE-2017-7659: A maliciously constructed HTTP/2 request     could cause mod_http2 to dereference a NULL pointer and     crash the server process (bsc#1045160).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.27. It is, therefore, affected by the following vulnerabilities :

  - A denial of service vulnerability exists in httpd due to     a failure to initialize or reset the value placeholder     in [Proxy-]Authorization headers of type 'Digest' before     or between successive key=value assignments by     mod_auth_digest. An unauthenticated, remote attacker can     exploit this, by providing an initial key with no '='     assignment, to disclose sensitive information or cause a     denial of service condition. (CVE-2017-9788)

  - A read-after-free error exists in httpd that is     triggered when closing a large number of connections. An     unauthenticated, remote attacker can exploit this to     have an unspecified impact. (CVE-2017-9789)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for apache2 fixes several issues.

These security issues were fixed :

  - CVE-2017-9789: When under stress (closing many     connections) the HTTP/2 handling code would sometimes     access memory after it has been freed, resulting in     potentially erratic behaviour (bsc#1048575).

  - CVE-2017-7659: A maliciously constructed HTTP/2 request     could cause mod_http2 to dereference a NULL pointer and     crash the server process (bsc#1045160).

These non-security issues were fixed :

  - Use the full path to a2enmod and a2dismod in the     apache-22-24-upgrade script (bsc#1042037)

  - Fall back to 'localhost' as hostname in gensslcert     (bsc#1057406)

This update was imported from the SUSE:SLE-12-SP2:Update update project.

The remote host is running a version of macOS that is prior to 10.13. It is, therefore, affected by multiple vulnerabilities in the following components :

 - Apache
 - AppSandbox
 - AppleScript
 - Application Firewall
 - ATS
 - Audio
 - CFNetwork
 - CFNetwork Proxies
 - CFString
 - Captive Network Assistant
 - CoreAudio
 - CoreText
 - DesktopServices
 - Directory Utility
 - file
 - Fonts
 - fsck_msdos
 - HFS
 - Heimdal
 - HelpViewer
 - IOFireWireFamily
 - ImageIO
 - Installer
 - Kernel
 - kext tools
 - libarchive
 - libc
 - libexpat
 - Mail
 - Mail Drafts
 - ntp
 - Open Scripting Architecture
 - PCRE
 - Postfix
 - Quick Look
 - QuickTime
 - Remote Management
 - SQLite
 - Sandbox
 - Screen Lock
 - Security
 - Spotlight
 - WebKit
 - zlib

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

ID	Name	Product	Family	Published	Updated	Severity
98912	Apache 2.4.x < 2.4.27 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	1/9/2019	3/14/2023	critical
103598	macOS < 10.13 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	10/3/2017	7/14/2018	critical
104379	macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-001 and 2017-004)	Nessus	MacOS X Local Security Checks	11/3/2017	5/28/2024	critical
101540	FreeBSD : Apache httpd -- multiple vulnerabilities (457ce015-67fa-11e7-867f-b499baebfeaf)	Nessus	FreeBSD Local Security Checks	7/14/2017	1/4/2021	critical
104233	GLSA-201710-32 : Apache: Multiple vulnerabilities (Optionsbleed)	Nessus	Gentoo Local Security Checks	10/30/2017	1/11/2021	critical
106471	SUSE SLES12 Security Update : Recommended update for apache2 (SUSE-SU-2018:0261-1)	Nessus	SuSE Local Security Checks	1/30/2018	10/30/2025	high
101532	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : httpd (SSA:2017-194-01)	Nessus	Slackware Local Security Checks	7/14/2017	1/14/2021	critical
101788	Apache 2.4.x < 2.4.27 Multiple Vulnerabilities	Nessus	Web Servers	7/18/2017	4/11/2022	critical
106523	openSUSE Security Update : apache2 (openSUSE-2018-104)	Nessus	SuSE Local Security Checks	1/31/2018	10/30/2025	high
700511	macOS < 10.13 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	4/10/2019	4/10/2019	critical

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

high

critical

critical

high

critical