ID CVE-2015-3185
Summary The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.
References
Vulnerable Configurations
  • Canonical Ubuntu Linux 12.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:lts
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 15.04
    cpe:2.3:o:canonical:ubuntu_linux:15.04
  • Apache Software Foundation Apache HTTP Server 2.4.0
    cpe:2.3:a:apache:http_server:2.4.0
  • Apache Software Foundation Apache HTTP Server 2.4.1
    cpe:2.3:a:apache:http_server:2.4.1
  • Apache Software Foundation Apache HTTP Server 2.4.2
    cpe:2.3:a:apache:http_server:2.4.2
  • Apache Software Foundation Apache HTTP Server 2.4.3
    cpe:2.3:a:apache:http_server:2.4.3
  • Apache Software Foundation Apache HTTP Server 2.4.4
    cpe:2.3:a:apache:http_server:2.4.4
  • Apache Software Foundation Apache HTTP Server 2.4.6
    cpe:2.3:a:apache:http_server:2.4.6
  • Apache Software Foundation Apache HTTP Server 2.4.7
    cpe:2.3:a:apache:http_server:2.4.7
  • Apache Software Foundation Apache HTTP Server 2.4.8
    cpe:2.3:a:apache:http_server:2.4.8
  • Apache Software Foundation Apache HTTP Server 2.4.9
    cpe:2.3:a:apache:http_server:2.4.9
  • Apache Software Foundation Apache HTTP Server 2.4.10
    cpe:2.3:a:apache:http_server:2.4.10
  • Apache Software Foundation Apache HTTP Server 2.4.12
    cpe:2.3:a:apache:http_server:2.4.12
  • cpe:2.3:a:apache:http_server:2.4.13
    cpe:2.3:a:apache:http_server:2.4.13
  • Apple Xcode 7.0
    cpe:2.3:a:apple:xcode:7.0
  • Apple Mac OS X 10.10.4
    cpe:2.3:o:apple:mac_os_x:10.10.4
  • Apple Mac OS X Server 5.0.3
    cpe:2.3:o:apple:mac_os_x_server:5.0.3
CVSS
Base: 4.3 (as of 08-07-2016 - 12:38)
Impact:
Exploitability:
CWE CWE-264
CAPEC
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-11792.NASL
    description Update to new version 2.4.16. This update fixed various bugs as well as few security issues. For full changelog, see http://www.apache.org/dist/httpd/CHANGES_2.4.16 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2016-07-18
    plugin id 85092
    published 2015-07-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85092
    title Fedora 21 : httpd-2.4.16-1.fc21 (2015-11792)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2710.NASL
    description An update is now available for JBoss Core Services on Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2 serves as an update for Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788) * It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185) * A flaw was found in the way the DES/3DES cipher was used as part of the TLS /SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) Red Hat would like to thank OpenVPN for reporting CVE-2016-2183. Upstream acknowledges Karthikeyan Bhargavan (Inria) and Gaetan Leurent (Inria) as the original reporters of CVE-2016-2183.
    last seen 2018-09-01
    modified 2018-07-30
    plugin id 103241
    published 2017-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103241
    title RHEL 6 : JBoss Core Services (RHSA-2017:2710)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2686-1.NASL
    description It was discovered that the Apache HTTP Server incorrectly parsed chunk headers. A remote attacker could possibly use this issue to perform HTTP request smuggling attacks. (CVE-2015-3183) It was discovered that the Apache HTTP Server incorrectly handled the ap_some_auth_required API. A remote attacker could possibly use this issue to bypass intended access restrictions. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-3185). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-03
    plugin id 85042
    published 2015-07-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85042
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : apache2 vulnerabilities (USN-2686-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_A12494C12AF411E586FF14DAE9D210B8.NASL
    description Jim Jagielski reports : CVE-2015-3183 (cve.mitre.org) core: Fix chunk header parsing defect. Remove apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters. CVE-2015-3185 (cve.mitre.org) Replacement of ap_some_auth_required (unusable in Apache httpd 2.4) with new ap_some_authn_required and ap_force_authn hook. CVE-2015-0253 (cve.mitre.org) core: Fix a crash with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. PR 57531. CVE-2015-0228 (cve.mitre.org) mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash.
    last seen 2018-09-01
    modified 2016-07-18
    plugin id 84781
    published 2015-07-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84781
    title FreeBSD : apache24 -- multiple vulnerabilities (a12494c1-2af4-11e5-86ff-14dae9d210b8)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-579.NASL
    description It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185) Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183) A NULL pointer dereference flaw was found in the way httpd generated certain error responses. A remote attacker could possibly use this flaw crash the httpd child process using a request that triggers a certain HTTP error. (CVE-2015-0253) A denial of service flaw was found in the way the mod_lua httpd module processed certain WebSocket Ping requests. A remote attacker could send a specially crafted WebSocket Ping packet that would cause the httpd child process to crash. (CVE-2015-0228)
    last seen 2018-09-02
    modified 2018-04-18
    plugin id 85452
    published 2015-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85452
    title Amazon Linux AMI : httpd24 (ALAS-2015-579)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20150824_HTTPD_ON_SL7_X.NASL
    description Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183) It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185) After installing the updated packages, the httpd service will be restarted automatically.
    last seen 2018-09-01
    modified 2016-07-18
    plugin id 85621
    published 2015-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85621
    title Scientific Linux Security Update : httpd on SL7.x x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-11689.NASL
    description Update to new version 2.4.16. This update fixed various bugs as well as few security issues. For full changelog, see http://www.apache.org/dist/httpd/CHANGES_2.4.16 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2016-07-18
    plugin id 84906
    published 2015-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84906
    title Fedora 22 : httpd-2.4.16-1.fc22 (2015-11689)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SERVER_5_0_3.NASL
    description The remote Mac OS X host has a version of OS X Server installed that is prior to 5.0.3. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the mod_headers module that allows HTTP trailers to replace HTTP headers late during request processing. A remote attacker can exploit this to inject arbitrary headers. This can also cause some modules to function incorrectly or appear to function incorrectly. (CVE-2013-5704) - A privilege escalation vulnerability exists due to the 'make check' command not properly invoking initdb to specify authentication requirements for a database cluster to be used for tests. A local attacker can exploit this issue to gain temporary server access and elevated privileges. (CVE-2014-0067) - A NULL pointer dereference flaw exists in module mod_cache. A remote attacker, using an empty HTTP Content-Type header, can exploit this vulnerability to crash a caching forward proxy configuration, resulting in a denial of service if using a threaded MPM. (CVE-2014-3581) - A out-of-bounds memory read flaw exists in module mod_proxy_fcgi. An attacker, using a remote FastCGI server to send long response headers, can exploit this vulnerability to cause a denial of service by causing a buffer over-read. (CVE-2014-3583) - A flaw exists in module mod_lua when handling a LuaAuthzProvider used in multiple Require directives with different arguments. An attacker can exploit this vulnerability to bypass intended access restrictions. (CVE-2014-8109) - An information disclosure vulnerability exists due to improper handling of restricted column values in constraint-violation error messages. An authenticated, remote attacker can exploit this to gain access to sensitive information. (CVE-2014-8161) - A flaw exists within the Domain Name Service due to an error in the code used to follow delegations. A remote attacker, with a maliciously-constructed zone or query, can cause the service to issue unlimited queries, resulting in resource exhaustion. (CVE-2014-8500) - A flaw exists in the lua_websocket_read() function in the 'mod_lua' module due to incorrect handling of WebSocket PING frames. A remote attacker can exploit this, by sending a crafted WebSocket PING frame after a Lua script has called the wsupgrade() function, to crash a child process, resulting in a denial of service condition. (CVE-2015-0228) - Multiple vulnerabilities exist due to several buffer overflow errors related to the 'to_char' functions. An authenticated, remote attacker can exploit these issues to cause a denial of service or arbitrary code execution. (CVE-2015-0241) - Multiple vulnerabilities exist due to several stack-based buffer overflow errors in various *printf() functions. The overflows are due to improper validation of user-supplied input when formatting a floating point number where the requested precision is greater than approximately 500. An authenticated, remote attacker can exploit these issues to cause a denial of service or arbitrary code execution. (CVE-2015-0242) - Multiple vulnerabilities exist due to an overflow condition in multiple functions in the 'pgcrypto' extension. The overflows are due to improper validation of user-supplied input when tracking memory sizes. An authenticated, remote attacker can exploit these issues to cause a denial of service or arbitrary code execution. (CVE-2015-0243) - A SQL injection vulnerability exists due to improper sanitization of user-supplied input when handling crafted binary data within a command parameter. An authenticated, remote attacker can exploit this issue to inject or manipulate SQL queries, allowing the manipulation or disclosure of arbitrary data. (CVE-2015-0244) - A NULL pointer dereference flaw exists in the read_request_line() function due to a failure to initialize the protocol structure member. A remote attacker can exploit this flaw, on installations that enable the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI, by sending a request that lacks a method, to cause a denial of service condition. (CVE-2015-0253) - A denial of service vulnerability exists due to an error relating to DNSSEC validation and the managed-keys feature. A remote attacker can trigger an incorrect trust-anchor management scenario in which no key is ready for use, resulting in an assertion failure and daemon crash. (CVE-2015-1349) - A flaw exists in PostgreSQL client disconnect timeout expiration that is triggered when a timeout interrupt is fired partway through the session shutdown sequence. (CVE-2015-3165) - A flaw exists in the printf() functions due to a failure to check for errors. A remote attacker can use this to gain access to sensitive information. (CVE-2015-3166) - The pgcrypto component in PostgreSQL has multiple error messages for decryption with an incorrect key. A remote attacker can use this to recover keys from other systems. (CVE-2015-3167) - A flaw exists in the chunked transfer coding implementation due to a failure to properly parse chunk headers. A remote attacker can exploit this to conduct HTTP request smuggling attacks. (CVE-2015-3183) - A flaw exists in the ap_some_auth_required() function due to a failure to consider that a Require directive may be associated with an authorization setting rather than an authentication setting. A remote attacker can exploit this, if a module that relies on the 2.2 API behavior exists, to bypass intended access restrictions. (CVE-2015-3185) - Multiple unspecified XML flaws exist in the Wiki Server based on Twisted. (CVE-2015-5911)
    last seen 2018-09-02
    modified 2018-07-14
    plugin id 86066
    published 2015-09-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86066
    title Mac OS X : OS X Server < 5.0.3 Multiple Vulnerabilities
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2015-006.NASL
    description The remote host is running a version of Mac OS X 10.8.5 or 10.9.5 that is missing Security Update 2015-006. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - CoreText - FontParser - Libinfo - libxml2 - OpenSSL - perl - PostgreSQL - QL Office - Quartz Composer Framework - QuickTime 7 - SceneKit Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2018-09-01
    modified 2018-07-14
    plugin id 85409
    published 2015-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85409
    title Mac OS X Multiple Vulnerabilities (Security Update 2015-006)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3325.NASL
    description Several vulnerabilities have been found in the Apache HTTPD server. - CVE-2015-3183 An HTTP request smuggling attack was possible due to a bug in parsing of chunked requests. A malicious client could force the server to misinterpret the request length, allowing cache poisoning or credential hijacking if an intermediary proxy is in use. - CVE-2015-3185 A design error in the 'ap_some_auth_required' function renders the API unusuable in apache2 2.4.x. This could lead to modules using this API to allow access when they should otherwise not do so. The fix backports the new 'ap_some_authn_required' API from 2.4.16. This issue does not affect the oldstable distribution (wheezy). In addition, the updated package for the oldstable distribution (wheezy) removes a limitation of the Diffie-Hellman (DH) parameters to 1024 bits. This limitation may potentially allow an attacker with very large computing resources, like a nation-state, to break DH key exchange by precomputation. The updated apache2 package also allows to configure custom DH parameters. More information is contained in the changelog.Debian.gz file. These improvements were already present in the stable, testing, and unstable distributions.
    last seen 2018-09-01
    modified 2018-07-10
    plugin id 85164
    published 2015-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85164
    title Debian DSA-3325-1 : apache2 - security update
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-635.NASL
    description Apache2 was updated to fix security issues. - CVE-2015-3185: The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x did not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior. [bnc#938723] - CVE-2015-3183: The chunked transfer coding implementation in the Apache HTTP Server did not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c. [bnc#938728] On openSUSE 13.1 : - CVE-2015-4000: Fix Logjam vulnerability: change the default SSLCipherSuite cipherstring to disable export cipher suites and deploy Ephemeral Elliptic-Curve Diffie-Hellman (ECDHE) ciphers. Adjust 'gensslcert' script to generate a strong and unique Diffie Hellman Group and append it to the server certificate file [bnc#931723].
    last seen 2018-09-01
    modified 2016-10-13
    plugin id 86285
    published 2015-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86285
    title openSUSE Security Update : apache2 (openSUSE-2015-635) (Logjam)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1851-1.NASL
    description The Apache2 webserver was updated to fix several issues : Security issues fixed : - The chunked transfer coding implementation in the Apache HTTP Server did not properly parse chunk headers, which allowed remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c. [bsc#938728, CVE-2015-3183] - The LOGJAM security issue was addressed by: [bnc#931723 CVE-2015-4000] - changing the SSLCipherSuite cipherstring to disable export cipher suites and deploy Ephemeral Elliptic-Curve Diffie-Hellman (ECDHE) ciphers. - Adjust 'gensslcert' script to generate a strong and unique Diffie Hellman Group and append it to the server certificate file. - The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x did not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allowed remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior. [bnc#938723 bnc#939516 CVE-2015-3185] - Tomcat mod_jk information leak due to incorrect JkMount/JkUnmount directives processing [bnc#927845 CVE-2014-8111] Other bugs fixed : - Now provides a suse_maintenance_mmn_# [bnc#915666]. - Hard-coded modules in the %files [bnc#444878]. - Fixed the IfModule directive around SSLSessionCache [bnc#911159]. - allow only TCP ports in Yast2 firewall files [bnc#931002] - fixed a regression when some LDAP searches or comparisons might be done with the wrong credentials when a backend connection is reused [bnc#930228] - Fixed split-logfile2 script [bnc#869790] - remove the changed MODULE_MAGIC_NUMBER_MINOR from which confuses modules the way that they expect functionality that our apache does not provide [bnc#915666] - gensslcert: CN now defaults to `hostname -f` [bnc#949766], fix help [bnc#949771] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-07-31
    plugin id 86703
    published 2015-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86703
    title SUSE SLES12 Security Update : apache2 (SUSE-SU-2015:1851-1) (Logjam)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2015-198-01.NASL
    description New httpd packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
    last seen 2018-09-01
    modified 2016-07-18
    plugin id 84829
    published 2015-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84829
    title Slackware 14.0 / 14.1 / current : httpd (SSA:2015-198-01)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2709.NASL
    description An update is now available for JBoss Core Services on Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2 serves as an update for Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788) * It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185) * A flaw was found in the way the DES/3DES cipher was used as part of the TLS /SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) Red Hat would like to thank OpenVPN for reporting CVE-2016-2183. Upstream acknowledges Karthikeyan Bhargavan (Inria) and Gaetan Leurent (Inria) as the original reporters of CVE-2016-2183.
    last seen 2018-09-01
    modified 2018-07-30
    plugin id 103240
    published 2017-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103240
    title RHEL 7 : JBoss Core Services (RHSA-2017:2709)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_XCODE_7_0.NASL
    description The version of Apple Xcode installed on the remote Mac OS X host is prior to 7.0. It is, therefore, affected by the multiple vulnerabilities : - A memory leak issue exists in file d1_srtp.c related to the DTLS SRTP extension handling and specially crafted handshake messages. An attacker can exploit this to cause denial of service condition. (CVE-2014-3513) - A man-in-the-middle (MitM) information disclosure vulnerability, known as POODLE, exists due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. A MitM attacker can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) - A memory leak issue exists in file t1_lib.c related to session ticket handling. An attacker can exploit this to cause denial of service condition. (CVE-2014-3567) - An error exists related to the build configuration process and the 'no-ssl3' build option that allows servers and clients to process insecure SSL 3.0 handshake messages. (CVE-2014-3568) - A directory traversal vulnerability exists in send.js due to improper sanitization of user-supplied input. A remote, unauthenticated attacker can exploit this, via a specially crafted request, to access arbitrary files outside of the restricted path. (CVE-2014-6394) - A denial of service vulnerability exists in the mod_dav_svn and svnserve servers of Apache Subversion. A remote, unauthenticated attacker can exploit this, via a crafted combination of parameters, to cause the current process to abort through a failed assertion. (CVE-2015-0248) - A flaw exists in the mod_dav_svn server of Apache Subversion. A remote, authenticated attacker can exploit this, via a crafted HTTP request sequence, to spoof an 'svn:author' property value. (CVE-2015-0251) - A flaw exists in the Apache HTTP Server due to the ap_some_auth_required() function in file request.c not properly handling Require directive associations. A remote, unauthenticated attacker can exploit this to bypass access restrictions, by leveraging a module that relies on the 2.2 API behavior. (CVE-2015-3185) - A flaw exists in the IDE Xcode server due to improper restriction of access to the repository email lists. A remote, unauthenticated attacker can exploit this to access sensitive build information, by leveraging incorrect notification delivery. (CVE-2015-5909) - A flaw exists in the IDE Xcode server due to the transmission of server information in cleartext. A remote, man-in-the-middle attacker can exploit this to access sensitive information. (CVE-2015-5910)
    last seen 2018-09-01
    modified 2018-07-14
    plugin id 86245
    published 2015-10-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86245
    title Apple Xcode < 7.0 (Mac OS X) (POODLE)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-1667.NASL
    description Updated httpd packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183) It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185) All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd service will be restarted automatically.
    last seen 2018-09-02
    modified 2018-07-02
    plugin id 85636
    published 2015-08-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85636
    title CentOS 7 : httpd (CESA-2015:1667)
  • NASL family Web Servers
    NASL id SECURITYCENTER_APACHE_2_4_16.NASL
    description The Tenable SecurityCenter application installed on the remote host contains a bundled version of Apache HTTP Server prior to 2.4.16. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the chunked transfer coding implementation in http_filters.c. due to a failure to properly parse chunk headers when handling large chunk-size values and invalid chunk-extension characters. A remote attacker can exploit this, via a crafted request, to carry out HTTP request smuggling, potentially resulting in cache poisoning or the hijacking of credentials. (CVE-2015-3183) - A security bypass vulnerability exists due to a failure in the ap_some_auth_required() function in request.c to consider that a Require directive may be associated with an authorization setting instead of an authentication setting. A remote attacker can exploit this, by leveraging the presence of a module that relies on the 2.2 API behavior, to bypass intended access restrictions under certain circumstances. (CVE-2015-3185) Note that the 4.x version of SecurityCenter is impacted only by CVE-2015-3183. The 5.x version is impacted by both CVE-2015-3183 and CVE-2015-3185
    last seen 2018-09-01
    modified 2018-08-13
    plugin id 85628
    published 2015-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85628
    title Tenable SecurityCenter Multiple Apache Vulnerabilities (TNS-2015-11)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-1667.NASL
    description From Red Hat Security Advisory 2015:1667 : Updated httpd packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183) It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185) All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd service will be restarted automatically.
    last seen 2018-09-01
    modified 2018-07-18
    plugin id 85613
    published 2015-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85613
    title Oracle Linux 7 : httpd (ELSA-2015-1667)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_10_5.NASL
    description The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.5. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - Apple ID OD Plug-in - AppleGraphicsControl - Bluetooth - bootp - CloudKit - CoreMedia Playback - CoreText - curl - Data Detectors Engine - Date & Time pref pane - Dictionary Application - DiskImages - dyld - FontParser - groff - ImageIO - Install Framework Legacy - IOFireWireFamily - IOGraphics - IOHIDFamily - Kernel - Libc - Libinfo - libpthread - libxml2 - libxpc - mail_cmds - Notification Center OSX - ntfs - OpenSSH - OpenSSL - perl - PostgreSQL - python - QL Office - Quartz Composer Framework - Quick Look - QuickTime 7 - SceneKit - Security - SMBClient - Speech UI - sudo - tcpdump - Text Formats - udf Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2018-09-02
    modified 2018-07-16
    plugin id 85408
    published 2015-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85408
    title Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities
  • NASL family Web Servers
    NASL id APACHE_2_4_16.NASL
    description According to its banner, the version of Apache 2.4.x installed on the remote host is prior to 2.4.16. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the lua_websocket_read() function in the 'mod_lua' module due to incorrect handling of WebSocket PING frames. A remote attacker can exploit this, by sending a crafted WebSocket PING frame after a Lua script has called the wsupgrade() function, to crash a child process, resulting in a denial of service condition. (CVE-2015-0228) - A NULL pointer dereference flaw exists in the read_request_line() function due to a failure to initialize the protocol structure member. A remote attacker can exploit this flaw, on installations that enable the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI, by sending a request that lacks a method, to cause a denial of service condition. (CVE-2015-0253) - A flaw exists in the chunked transfer coding implementation due to a failure to properly parse chunk headers. A remote attacker can exploit this to conduct HTTP request smuggling attacks. (CVE-2015-3183) - A flaw exists in the ap_some_auth_required() function due to a failure to consider that a Require directive may be associated with an authorization setting rather than an authentication setting. A remote attacker can exploit this, if a module that relies on the 2.2 API behavior exists, to bypass intended access restrictions. (CVE-2015-3185) - A flaw exists in the RC4 algorithm due to an initial double-byte bias in the keystream generation. An attacker can exploit this, via Bayesian analysis that combines an a priori plaintext distribution with keystream distribution statistics, to conduct a plaintext recovery of the ciphertext. Note that RC4 cipher suites are prohibited per RFC 7465. This issue was fixed in Apache version 2.4.13; however, 2.4.13, 2.4.14, and 2.4.15 were never publicly released. (VulnDB 128186) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2018-09-02
    modified 2018-06-29
    plugin id 84959
    published 2015-07-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84959
    title Apache 2.4.x < 2.4.16 Multiple Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-1667.NASL
    description Updated httpd packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183) It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185) All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd service will be restarted automatically.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 85617
    published 2015-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85617
    title RHEL 7 : httpd (RHSA-2015:1667)
redhat via4
advisories
  • bugzilla
    id 1243888
    title CVE-2015-3185 httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment httpd is earlier than 0:2.4.6-31.el7_1.1
          oval oval:com.redhat.rhsa:tst:20151667007
        • comment httpd is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111245026
      • AND
        • comment httpd-devel is earlier than 0:2.4.6-31.el7_1.1
          oval oval:com.redhat.rhsa:tst:20151667005
        • comment httpd-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111245028
      • AND
        • comment httpd-manual is earlier than 0:2.4.6-31.el7_1.1
          oval oval:com.redhat.rhsa:tst:20151667019
        • comment httpd-manual is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111245034
      • AND
        • comment httpd-tools is earlier than 0:2.4.6-31.el7_1.1
          oval oval:com.redhat.rhsa:tst:20151667017
        • comment httpd-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111245032
      • AND
        • comment mod_ldap is earlier than 0:2.4.6-31.el7_1.1
          oval oval:com.redhat.rhsa:tst:20151667011
        • comment mod_ldap is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140921010
      • AND
        • comment mod_proxy_html is earlier than 1:2.4.6-31.el7_1.1
          oval oval:com.redhat.rhsa:tst:20151667015
        • comment mod_proxy_html is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140921008
      • AND
        • comment mod_session is earlier than 0:2.4.6-31.el7_1.1
          oval oval:com.redhat.rhsa:tst:20151667013
        • comment mod_session is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140921016
      • AND
        • comment mod_ssl is earlier than 1:2.4.6-31.el7_1.1
          oval oval:com.redhat.rhsa:tst:20151667009
        • comment mod_ssl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111245030
    rhsa
    id RHSA-2015:1667
    released 2015-08-24
    severity Moderate
    title RHSA-2015:1667: httpd security update (Moderate)
  • rhsa
    id RHSA-2015:1666
  • rhsa
    id RHSA-2016:2957
  • rhsa
    id RHSA-2017:2708
  • rhsa
    id RHSA-2017:2709
  • rhsa
    id RHSA-2017:2710
rpms
  • httpd-0:2.4.6-31.el7_1.1
  • httpd-devel-0:2.4.6-31.el7_1.1
  • httpd-manual-0:2.4.6-31.el7_1.1
  • httpd-tools-0:2.4.6-31.el7_1.1
  • mod_ldap-0:2.4.6-31.el7_1.1
  • mod_proxy_html-1:2.4.6-31.el7_1.1
  • mod_session-0:2.4.6-31.el7_1.1
  • mod_ssl-1:2.4.6-31.el7_1.1
refmap via4
apple
  • APPLE-SA-2015-08-13-2
  • APPLE-SA-2015-09-16-2
  • APPLE-SA-2015-09-16-4
bid 75965
confirm
debian DSA-3325
sectrack 1032967
suse openSUSE-SU-2015:1684
ubuntu USN-2686-1
Last major update 23-12-2016 - 21:59
Published 20-07-2015 - 19:59
Last modified 04-01-2018 - 21:30
Back to Top