ID CVE-2016-0736
Summary In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.
References
Vulnerable Configurations
  • Apache Software Foundation Apache HTTP Server 2.4.0
    cpe:2.3:a:apache:http_server:2.4.0
  • Apache Software Foundation Apache HTTP Server 2.4.1
    cpe:2.3:a:apache:http_server:2.4.1
  • Apache Software Foundation Apache HTTP Server 2.4.2
    cpe:2.3:a:apache:http_server:2.4.2
  • Apache Software Foundation Apache HTTP Server 2.4.3
    cpe:2.3:a:apache:http_server:2.4.3
  • Apache Software Foundation Apache HTTP Server 2.4.6
    cpe:2.3:a:apache:http_server:2.4.6
  • Apache Software Foundation Apache HTTP Server 2.4.7
    cpe:2.3:a:apache:http_server:2.4.7
  • Apache Software Foundation Apache HTTP Server 2.4.8
    cpe:2.3:a:apache:http_server:2.4.8
  • Apache Software Foundation Apache HTTP Server 2.4.9
    cpe:2.3:a:apache:http_server:2.4.9
  • Apache Software Foundation Apache HTTP Server 2.4.10
    cpe:2.3:a:apache:http_server:2.4.10
  • Apache Software Foundation Apache HTTP Server 2.4.12
    cpe:2.3:a:apache:http_server:2.4.12
  • Apache Software Foundation Apache HTTP Server 2.4.14
    cpe:2.3:a:apache:http_server:2.4.14
  • Apache Software Foundation Apache HTTP Server 2.4.16
    cpe:2.3:a:apache:http_server:2.4.16
  • Apache Software Foundation HTTP Server 2.4.19
    cpe:2.3:a:apache:http_server:2.4.19
  • Apache Software Foundation HTTP Server 2.4.20
    cpe:2.3:a:apache:http_server:2.4.20
  • Apache Software Foundation Apache HTTP Server 2.4.21
    cpe:2.3:a:apache:http_server:2.4.21
  • Apache Software Foundation Apache HTTP Server 2.4.22
    cpe:2.3:a:apache:http_server:2.4.22
  • Apache Software Foundation HTTP Server 2.4.23
    cpe:2.3:a:apache:http_server:2.4.23
CVSS
Base: 5.0
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
exploit-db via4
description Apache mod_session_crypto - Padding Oracle. CVE-2016-0736. Webapps exploit for Multiple platform
file exploits/multiple/webapps/40961.py
id EDB-ID:40961
last seen 2016-12-23
modified 2016-12-23
platform multiple
port
published 2016-12-23
reporter Exploit-DB
source https://www.exploit-db.com/download/40961/
title Apache mod_session_crypto - Padding Oracle
type webapps
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOS_10_13.NASL
    description The remote host is running a version of Mac OS X that is prior to 10.10.5, 10.11.x prior to 10.11.6, 10.12.x prior to 10.12.6, or is not macOS 10.13. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - AppSandbox - AppleScript - Application Firewall - ATS - Audio - CFNetwork - CFNetwork Proxies - CFString - Captive Network Assistant - CoreAudio - CoreText - DesktopServices - Directory Utility - file - Fonts - fsck_msdos - HFS - Heimdal - HelpViewer - IOFireWireFamily - ImageIO - Installer - Kernel - kext tools - libarchive - libc - libexpat - Mail - Mail Drafts - ntp - Open Scripting Architecture - PCRE - Postfix - Quick Look - QuickTime - Remote Management - SQLite - Sandbox - Screen Lock - Security - Spotlight - WebKit - zlib Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 103598
    published 2017-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103598
    title macOS < 10.13 Multiple Vulnerabilities
  • NASL family Misc.
    NASL id SECURITYCENTER_5_4_3_TNS_2017_04.NASL
    description According to its version, the installation of Tenable SecurityCenter on the remote host is affected by multiple vulnerabilities : - A flaw exists in the mod_session_crypto module due to encryption for data and cookies using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default). An unauthenticated, remote attacker can exploit this, via a padding oracle attack, to decrypt information without knowledge of the encryption key, resulting in the disclosure of potentially sensitive information. (CVE-2016-0736) - A denial of service vulnerability exists in the mod_auth_digest module during client entry allocation. An unauthenticated, remote attacker can exploit this, via specially crafted input, to exhaust shared memory resources, resulting in a server crash. (CVE-2016-2161) - The Apache HTTP Server is affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5387, CVE-2016-1000102, CVE-2016-1000104) - A carry propagation error exists in the Broadwell-specific Montgomery multiplication procedure when handling input lengths divisible by but longer than 256 bits. This can result in transient authentication and key negotiation failures or reproducible erroneous outcomes of public-key operations with specially crafted input. A man-in-the-middle attacker can possibly exploit this issue to compromise ECDH key negotiations that utilize Brainpool P-512 curves. (CVE-2016-7055) - A denial of service vulnerability exists in the mod_http2 module due to improper handling of the LimitRequestFields directive. An unauthenticated, remote attacker can exploit this, via specially crafted CONTINUATION frames in an HTTP/2 request, to inject unlimited request headers into the server, resulting in the exhaustion of memory resources. (CVE-2016-8740) - A flaw exists due to improper handling of whitespace patterns in user-agent headers. An unauthenticated, remote attacker can exploit this, via a specially crafted user-agent header, to cause the program to incorrectly process sequences of requests, resulting in interpreting responses incorrectly, polluting the cache, or disclosing the content from one request to a second downstream user-agent. (CVE-2016-8743) - A flaw exits in libcurl in the randit() function within file lib/rand.c due to improper initialization of the 32-bit random value, which is used, for example, to generate Digest and NTLM authentication nonces, resulting in weaker cryptographic operations than expected. (CVE-2016-9594) - A floating pointer exception flaw exists in the exif_convert_any_to_int() function in exif.c that is triggered when handling TIFF and JPEG image tags. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10158) - An integer overflow condition exists in the phar_parse_pharfile() function in phar.c due to improper validation when handling phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10159) - An off-by-one overflow condition exists in the phar_parse_pharfile() function in phar.c due to improper parsing of phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10160) - An out-of-bounds read error exists in the finish_nested_data() function in var_unserializer.c due to improper validation of unserialized data. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition or the disclosure of memory contents. (CVE-2016-10161) - A denial of service vulnerability exists in the gdImageCreateFromGd2Ctx() function within file gd_gd2.c in the GD Graphics Library (LibGD) when handling images claiming to contain more image data than they actually do. An unauthenticated, remote attacker can exploit this to crash a process linked against the library. (CVE-2016-10167) - An out-of-bounds read error exists when handling packets using the CHACHA20/POLY1305 or RC4-MD5 ciphers. An unauthenticated, remote attacker can exploit this, via specially crafted truncated packets, to cause a denial of service condition. (CVE-2017-3731) - A carry propagating error exists in the x86_64 Montgomery squaring implementation that may cause the BN_mod_exp() function to produce incorrect results. An unauthenticated, remote attacker with sufficient resources can exploit this to obtain sensitive information regarding private keys. Note that this issue is very similar to CVE-2015-3193. Moreover, the attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example, this can occur by default in OpenSSL DHE based SSL/TLS cipher suites. (CVE-2017-3732) - An out-of-bounds read error exists in the phar_parse_pharfile() function in phar.c due to improper parsing of phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. - Multiple stored cross-site scripting (XSS) vulnerabilities exist in unspecified scripts due to a failure to validate input before returning it to users. An authenticated, remote authenticated attacker can exploit these, via a specially crafted request, to execute arbitrary script code in a user's browser session. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 97726
    published 2017-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97726
    title Tenable SecurityCenter 5.x < 5.4.3 Multiple Vulnerabilities (TNS-2017-04) (httpoxy)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-358-01.NASL
    description New httpd packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2018-09-02
    modified 2017-09-21
    plugin id 96090
    published 2016-12-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96090
    title Slackware 14.0 / 14.1 / 14.2 / current : httpd (SSA:2016-358-01) (httpoxy)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201701-36.NASL
    description The remote host is affected by the vulnerability described in GLSA-201701-36 (Apache: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Apache. Please review the CVE identifiers, upstream Apache Software Foundation documentation, and HTTPoxy website referenced below for details. Impact : A remote attacker could cause a Denial of Service condition via multiple vectors or response splitting and cache pollution. Additionally, an attacker could intercept unsecured (HTTP) transmissions via the HTTPoxy vulnerability. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2017-06-29
    plugin id 96516
    published 2017-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96516
    title GLSA-201701-36 : Apache: Multiple vulnerabilities (httpoxy)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-1413.NASL
    description An update is now available for Red Hat JBoss Core Services on RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304) * It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) * It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) * A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys. (CVE-2016-7056) * A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. (CVE-2016-8610) * It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) * A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. An attacker could send crafted requests with headers larger than the server's available memory, causing httpd to crash. (CVE-2016-8740) Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 117315
    published 2018-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117315
    title RHEL 7 : JBoss Core Services (RHSA-2017:1413)
  • NASL family Misc.
    NASL id SECURITYCENTER_APACHE_2_4_25.NASL
    description The Tenable SecurityCenter application installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities in the bundled version of Apache : - A flaw exists in the mod_session_crypto module due to encryption for data and cookies using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default). An unauthenticated, remote attacker can exploit this, via a padding oracle attack, to decrypt information without knowledge of the encryption key, resulting in the disclosure of potentially sensitive information. (CVE-2016-0736) - A denial of service vulnerability exists in the mod_auth_digest module during client entry allocation. An unauthenticated, remote attacker can exploit this, via specially crafted input, to exhaust shared memory resources, resulting in a server crash. (CVE-2016-2161) - The Apache HTTP Server is affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5387) - A denial of service vulnerability exists in the mod_http2 module due to improper handling of the LimitRequestFields directive. An unauthenticated, remote attacker can exploit this, via specially crafted CONTINUATION frames in an HTTP/2 request, to inject unlimited request headers into the server, resulting in the exhaustion of memory resources. (CVE-2016-8740) - A flaw exists due to improper handling of whitespace patterns in user-agent headers. An unauthenticated, remote attacker can exploit this, via a specially crafted user-agent header, to cause the program to incorrectly process sequences of requests, resulting in interpreting responses incorrectly, polluting the cache, or disclosing the content from one request to a second downstream user-agent. (CVE-2016-8743) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-12-14
    plugin id 101044
    published 2017-06-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101044
    title Tenable SecurityCenter Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (TNS-2017-04) (httpoxy)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_862D6AB3C75E11E69F9820CF30E32F6D.NASL
    description Apache Software Foundation reports : Please reference CVE/URL list for details
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 96037
    published 2016-12-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96037
    title FreeBSD : Apache httpd -- several vulnerabilities (862d6ab3-c75e-11e6-9f98-20cf30e32f6d) (httpoxy)
  • NASL family MacOS X Local Security Checks
    NASL id MACOS_10_12_4.NASL
    description The remote host is running a version of macOS that is 10.12.x prior to 10.12.4. It is, therefore, affected by multiple vulnerabilities in multiple components, some of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these remote code execution vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. The affected components are as follows : - apache - apache_mod_php - AppleGraphicsPowerManagement - AppleRAID - Audio - Bluetooth - Carbon - CoreGraphics - CoreMedia - CoreText - curl - EFI - FinderKit - FontParser - HTTPProtocol - Hypervisor - iBooks - ImageIO - Intel Graphics Driver - IOATAFamily - IOFireWireAVC - IOFireWireFamily - Kernel - Keyboards - libarchive - libc++abi - LibreSSL - MCX Client - Menus - Multi-Touch - OpenSSH - OpenSSL - Printing - python - QuickTime - Security - SecurityFoundation - sudo - System Integrity Protection - tcpdump - tiffutil - WebKit
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 99134
    published 2017-03-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99134
    title macOS 10.12.x < 10.12.4 Multiple Vulnerabilities (httpoxy)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZLSA-2017-0906.NASL
    description An update for httpd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) * It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) * It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue. Bug Fix(es) : * When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs. (BZ#1420002) * Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. (BZ#1429947) * In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails. (BZ#1420047) Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-19
    plugin id 101445
    published 2017-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101445
    title Virtuozzo 7 : httpd / httpd-devel / httpd-manual / httpd-tools / etc (VZLSA-2017-0906)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-8D9B62C784.NASL
    description Security fix for CVE-2016-8743, CVE-2016-2161, CVE-2016-0736 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 96111
    published 2016-12-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96111
    title Fedora 25 : httpd (2016-8d9b62c784)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-417.NASL
    description This update for apache2 provides the following fixes : Security issues fixed : - CVE-2016-0736: Protect mod_session_crypto data with a MAC to prevent padding oracle attacks (bsc#1016712). - CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714). - CVE-2016-8743: Added new directive 'HttpProtocolOptions Strict' to avoid proxy chain misinterpretation (bsc#1016715). Bugfixes : - Add NotifyAccess=all to systemd service files to prevent warnings in the log when using mod_systemd (bsc#980663). This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 99155
    published 2017-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99155
    title openSUSE Security Update : apache2 (openSUSE-2017-417)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1085.NASL
    description According to the versions of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) - It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) - It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-19
    plugin id 99951
    published 2017-05-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99951
    title EulerOS 2.0 SP1 : httpd (EulerOS-SA-2017-1085)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0801-1.NASL
    description This update for apache2 provides the following fixes: Security issues fixed : - CVE-2016-0736: Protect mod_session_crypto data with a MAC to prevent padding oracle attacks (bsc#1016712). - CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714). - CVE-2016-8743: Added new directive 'HttpProtocolOptions Strict' to avoid proxy chain misinterpretation (bsc#1016715). Bugfixes : - Add NotifyAccess=all to systemd service files to prevent warnings in the log when using mod_systemd (bsc#980663). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 97916
    published 2017-03-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97916
    title SUSE SLES12 Security Update : apache2 (SUSE-SU-2017:0801-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-0906.NASL
    description An update for httpd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) * It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) * It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue. Bug Fix(es) : * When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs. (BZ#1420002) * Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. (BZ#1429947) * In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails. (BZ#1420047)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 99340
    published 2017-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99340
    title RHEL 7 : httpd (RHSA-2017:0906)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-D22F50D985.NASL
    description Security fix for CVE-2016-8743, CVE-2016-2161, CVE-2016-0736 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 96114
    published 2016-12-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96114
    title Fedora 24 : httpd (2016-d22f50d985)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-0906.NASL
    description An update for httpd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) * It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) * It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue. Bug Fix(es) : * When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs. (BZ#1420002) * Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. (BZ#1429947) * In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails. (BZ#1420047)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 99379
    published 2017-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99379
    title CentOS 7 : httpd (CESA-2017:0906)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0797-1.NASL
    description This update for apache2 fixes the following security issues: Security issues fixed : - CVE-2016-0736: Protect mod_session_crypto data with a MAC to prevent padding oracle attacks (bsc#1016712). - CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714). - CVE-2016-8743: Added new directive 'HttpProtocolOptions Strict' to avoid proxy chain misinterpretation (bsc#1016715). Bugfixes : - Add missing copy of hcuri and hcexpr from the worker to the health check worker (bsc#1019380). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 97912
    published 2017-03-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97912
    title SUSE SLES12 Security Update : apache2 (SUSE-SU-2017:0797-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3796.NASL
    description Several vulnerabilities were discovered in the Apache2 HTTP server. - CVE-2016-0736 RedTeam Pentesting GmbH discovered that mod_session_crypto was vulnerable to padding oracle attacks, which could allow an attacker to guess the session cookie. - CVE-2016-2161 Maksim Malyutin discovered that malicious input to mod_auth_digest could cause the server to crash, causing a denial of service. - CVE-2016-8743 David Dennerline, of IBM Security's X-Force Researchers, and Regis Leroy discovered problems in the way Apache handled a broad pattern of unusual whitespace patterns in HTTP requests. In some configurations, this could lead to response splitting or cache pollution vulnerabilities. To fix these issues, this update makes Apache httpd be more strict in what HTTP requests it accepts. If this causes problems with non-conforming clients, some checks can be relaxed by adding the new directive 'HttpProtocolOptions unsafe' to the configuration. This update also fixes the issue where mod_reqtimeout was not enabled by default on new installations.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 97400
    published 2017-02-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97400
    title Debian DSA-3796-1 : apache2 - security update
  • NASL family Web Servers
    NASL id APACHE_2_4_25.NASL
    description According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.25. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the mod_session_crypto module due to encryption for data and cookies using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default). An unauthenticated, remote attacker can exploit this, via a padding oracle attack, to decrypt information without knowledge of the encryption key, resulting in the disclosure of potentially sensitive information. (CVE-2016-0736) - A denial of service vulnerability exists in the mod_auth_digest module during client entry allocation. An unauthenticated, remote attacker can exploit this, via specially crafted input, to exhaust shared memory resources, resulting in a server crash. (CVE-2016-2161) - The Apache HTTP Server is affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5387) - A denial of service vulnerability exists in the mod_http2 module due to improper handling of the LimitRequestFields directive. An unauthenticated, remote attacker can exploit this, via specially crafted CONTINUATION frames in an HTTP/2 request, to inject unlimited request headers into the server, resulting in the exhaustion of memory resources. (CVE-2016-8740) - A flaw exists due to improper handling of whitespace patterns in user-agent headers. An unauthenticated, remote attacker can exploit this, via a specially crafted user-agent header, to cause the program to incorrectly process sequences of requests, resulting in interpreting responses incorrectly, polluting the cache, or disclosing the content from one request to a second downstream user-agent. (CVE-2016-8743) - A CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir (CVE-2016-4975) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-02-08
    plugin id 96451
    published 2017-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96451
    title Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (httpoxy)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-416.NASL
    description This update for apache2 fixes the following security issues : Security issues fixed : - CVE-2016-0736: Protect mod_session_crypto data with a MAC to prevent padding oracle attacks (bsc#1016712). - CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714). - CVE-2016-8743: Added new directive 'HttpProtocolOptions Strict' to avoid proxy chain misinterpretation (bsc#1016715). Bugfixes : - Add missing copy of hcuri and hcexpr from the worker to the health check worker (bsc#1019380). This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 99154
    published 2017-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99154
    title openSUSE Security Update : apache2 (openSUSE-2017-416)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-0906.NASL
    description From Red Hat Security Advisory 2017:0906 : An update for httpd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) * It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) * It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue. Bug Fix(es) : * When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs. (BZ#1420002) * Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. (BZ#1429947) * In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails. (BZ#1420047)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 99329
    published 2017-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99329
    title Oracle Linux 7 : httpd (ELSA-2017-0906)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170412_HTTPD_ON_SL7_X.NASL
    description Security Fix(es) : - It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) - It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) - It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue. Bug Fix(es) : - When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs. - Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. - In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails.
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 99350
    published 2017-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99350
    title Scientific Linux Security Update : httpd on SL7.x x86_64
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-785.NASL
    description The following security-related issues were fixed : Padding oracle vulnerability in Apache mod_session_crypto (CVE-2016-0736) DoS vulnerability in mod_auth_digest (CVE-2016-2161) Apache HTTP request parsing whitespace defects (CVE-2016-8743)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 96631
    published 2017-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96631
    title Amazon Linux AMI : httpd24 (ALAS-2017-785)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3279-1.NASL
    description It was discovered that the Apache mod_session_crypto module was encrypting data and cookies using either CBC or ECB modes. A remote attacker could possibly use this issue to perform padding oracle attacks. (CVE-2016-0736) Maksim Malyutin discovered that the Apache mod_auth_digest module incorrectly handled malicious input. A remote attacker could possibly use this issue to cause Apache to crash, resulting in a denial of service. (CVE-2016-2161) David Dennerline and Regis Leroy discovered that the Apache HTTP Server incorrectly handled unusual whitespace when parsing requests, contrary to specifications. When being used in combination with a proxy or backend server, a remote attacker could possibly use this issue to perform an injection attack and pollute cache. This update may introduce compatibility issues with clients that do not strictly follow HTTP protocol specifications. A new configuration option 'HttpProtocolOptions Unsafe' can be used to revert to the previous unsafe behaviour in problematic environments. (CVE-2016-8743). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 100098
    published 2017-05-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100098
    title Ubuntu 14.04 LTS / 16.04 LTS / 16.10 : apache2 vulnerabilities (USN-3279-1)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1086.NASL
    description According to the versions of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) - It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) - It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-12
    plugin id 99952
    published 2017-05-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99952
    title EulerOS 2.0 SP2 : httpd (EulerOS-SA-2017-1086)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-1414.NASL
    description An update is now available for Red Hat JBoss Core Services on RHEL 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304) * It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) * It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) * A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys. (CVE-2016-7056) * A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. (CVE-2016-8610) * It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) * A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. An attacker could send crafted requests with headers larger than the server's available memory, causing httpd to crash. (CVE-2016-8740) Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 117316
    published 2018-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117316
    title RHEL 6 : JBoss Core Services (RHSA-2017:1414)
packetstorm via4
data source https://packetstormsecurity.com/files/download/140265/rt-sa-2016-001.txt
id PACKETSTORM:140265
last seen 2016-12-23
published 2016-12-23
reporter redteam-pentesting.de
source https://packetstormsecurity.com/files/140265/Apache-mod_session_crypt-2.5-Padding-Oracle.html
title Apache mod_session_crypt 2.5 Padding Oracle
redhat via4
advisories
  • rhsa
    id RHSA-2017:0906
  • rhsa
    id RHSA-2017:1161
  • rhsa
    id RHSA-2017:1413
  • rhsa
    id RHSA-2017:1414
  • rhsa
    id RHSA-2017:1415
rpms
  • httpd-0:2.4.6-45.el7_3.4
  • httpd-devel-0:2.4.6-45.el7_3.4
  • httpd-manual-0:2.4.6-45.el7_3.4
  • httpd-tools-0:2.4.6-45.el7_3.4
  • mod_ldap-0:2.4.6-45.el7_3.4
  • mod_proxy_html-1:2.4.6-45.el7_3.4
  • mod_session-0:2.4.6-45.el7_3.4
  • mod_ssl-1:2.4.6-45.el7_3.4
refmap via4
bid 95078
confirm
debian DSA-3796
exploit-db 40961
gentoo GLSA-201701-36
sectrack 1037508
Last major update 27-07-2017 - 17:29
Published 27-07-2017 - 17:29
Last modified 24-04-2018 - 21:29
Back to Top