Apache 2.4.x < 2.4.10 Multiple Vulnerabilities
medium Web Application Scanning Plugin ID 98906
Synopsis
Apache 2.4.x < 2.4.10 Multiple VulnerabilitiesDescription
According to its banner, the version of Apache 2.4.x running on the remote host is prior to 2.4.10. It is, therefore, affected by the following vulnerabilities :- A flaw exists in the 'mod_proxy' module that may allow an attacker to send a specially crafted request to a server configured as a reverse proxy that may cause the child process to crash. This could potentially lead to a denial of service attack. (CVE-2014-0117)
- A flaw exists in the 'mod_deflate' module when request body decompression is configured. This could allow a remote attacker to cause the server to consume significant resources. (CVE-2014-0118)
- A flaw exists in the 'mod_status' module when a publicly accessible server status page is in place. This could allow an attacker to send a specially crafted request designed to cause a heap buffer overflow. (CVE-2014-0226)
- A flaw exists in the 'mod_cgid' module in which CGI scripts that did not consume standard input may be manipulated in order to cause child processes to hang. A remote attacker may be able to abuse this in order to cause a denial of service. (CVE-2014-0231)
- A flaw exists in WinNT MPM versions 2.4.1 to 2.4.9 when using the default AcceptFilter. An attacker may be able to specially craft requests that create a memory leak in the application and may eventually lead to a denial of service attack. (CVE-2014-3523)
Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Apache version 2.4.10 or later. Alternatively, ensure that the affected modules are not in use.See Also
https://archive.apache.org/dist/httpd/CHANGES_2.4.10
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.10
Plugin Details
Severity: Medium
ID: 98906
Type: remote
Family: Component Vulnerability
Published: 1/9/2019
Updated: 4/10/2019
Scan Template: api, scan, pci
Risk Information
Risk Factor: Medium
CVSS v2.0
Base Score: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS v3.0
Base Score: 7.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Vulnerability Information
CPE: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
Exploit Available: true
Patch Publication Date: 7/21/2014
Vulnerability Publication Date: 7/15/2014
Reference Information
CVE: CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, CVE-2014-3523