ID CVE-2016-8743
Summary Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.
References
Vulnerable Configurations
  • Apache Software Foundation Apache HTTP Server 2.4.1
    cpe:2.3:a:apache:http_server:2.4.1
  • Apache Software Foundation Apache HTTP Server 2.4.2
    cpe:2.3:a:apache:http_server:2.4.2
  • Apache Software Foundation Apache HTTP Server 2.4.3
    cpe:2.3:a:apache:http_server:2.4.3
  • Apache Software Foundation Apache HTTP Server 2.4.4
    cpe:2.3:a:apache:http_server:2.4.4
  • Apache Software Foundation Apache HTTP Server 2.4.6
    cpe:2.3:a:apache:http_server:2.4.6
  • Apache Software Foundation Apache HTTP Server 2.4.7
    cpe:2.3:a:apache:http_server:2.4.7
  • Apache Software Foundation Apache HTTP Server 2.4.9
    cpe:2.3:a:apache:http_server:2.4.9
  • Apache Software Foundation Apache HTTP Server 2.4.10
    cpe:2.3:a:apache:http_server:2.4.10
  • Apache Software Foundation Apache HTTP Server 2.4.12
    cpe:2.3:a:apache:http_server:2.4.12
  • Apache Software Foundation Apache HTTP Server 2.4.16
    cpe:2.3:a:apache:http_server:2.4.16
  • Apache Software Foundation Apache HTTP Server 2.4.17
    cpe:2.3:a:apache:http_server:2.4.17
  • Apache Software Foundation Apache HTTP Server 2.4.18
    cpe:2.3:a:apache:http_server:2.4.18
  • Apache Software Foundation HTTP Server 2.4.20
    cpe:2.3:a:apache:http_server:2.4.20
  • Apache Software Foundation HTTP Server 2.4.23
    cpe:2.3:a:apache:http_server:2.4.23
CVSS
Base: 5.0
Impact:
Exploitability:
CWE CWE-19
CAPEC
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • XML Nested Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
  • XML Oversized Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
  • XML Client-Side Attack
    Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
  • XML Parser Attack
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOS_10_12_4.NASL
    description The remote host is running a version of macOS that is 10.12.x prior to 10.12.4. It is, therefore, affected by multiple vulnerabilities in multiple components, some of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these remote code execution vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. The affected components are as follows : - apache - apache_mod_php - AppleGraphicsPowerManagement - AppleRAID - Audio - Bluetooth - Carbon - CoreGraphics - CoreMedia - CoreText - curl - EFI - FinderKit - FontParser - HTTPProtocol - Hypervisor - iBooks - ImageIO - Intel Graphics Driver - IOATAFamily - IOFireWireAVC - IOFireWireFamily - Kernel - Keyboards - libarchive - libc++abi - LibreSSL - MCX Client - Menus - Multi-Touch - OpenSSH - OpenSSL - Printing - python - QuickTime - Security - SecurityFoundation - sudo - System Integrity Protection - tcpdump - tiffutil - WebKit
    last seen 2019-01-16
    modified 2018-07-14
    plugin id 99134
    published 2017-03-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99134
    title macOS 10.12.x < 10.12.4 Multiple Vulnerabilities (httpoxy)
  • NASL family Web Servers
    NASL id APACHE_2_2_32.NASL
    description According to its banner, the version of Apache running on the remote host is 2.2.x prior to 2.2.32. It is, therefore, affected by the following vulnerabilities : - The Apache HTTP Server is affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5387) - A flaw exists due to improper handling of whitespace patterns in user-agent headers. An unauthenticated, remote attacker can exploit this, via a specially crafted user-agent header, to cause the program to incorrectly process sequences of requests, resulting in interpreting responses incorrectly, polluting the cache, or disclosing the content from one request to a second downstream user-agent. (CVE-2016-8743) - A CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir (CVE-2016-4975) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-10
    modified 2019-02-08
    plugin id 96450
    published 2017-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96450
    title Apache 2.2.x < 2.2.32 Multiple Vulnerabilities (httpoxy)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-358-01.NASL
    description New httpd packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2018-09-02
    modified 2017-09-21
    plugin id 96090
    published 2016-12-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96090
    title Slackware 14.0 / 14.1 / 14.2 / current : httpd (SSA:2016-358-01) (httpoxy)
  • NASL family Web Servers
    NASL id HPSMH_7_6_1.NASL
    description According to its banner, the version of HP System Management Homepage (SMH) hosted on the remote web server is prior to 7.6.1. It is, therefore, affected by multiple vulnerabilities including multiple local and remote code execution vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-01-16
    modified 2018-11-15
    plugin id 103530
    published 2017-09-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103530
    title HP System Management Homepage < 7.6.1 Multiple Vulnerabilities (HPSBMU03753)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2017-004.NASL
    description The remote host is running Mac OS X 10.11.6 or Mac OS X 10.12.6 and is missing a security update. It is therefore, affected by multiple vulnerabilities affecting the following components : - 802.1X - apache - AppleScript - ATS - Audio - CFString - CoreText - curl - Dictionary Widget - file - Fonts - fsck_msdos - HFS - Heimdal - HelpViewer - ImageIO - Kernel - libarchive - Open Scripting Architecture - PCRE - Postfix - Quick Look - QuickTime - Remote Management - Sandbox - StreamingZip - tcpdump - Wi-Fi
    last seen 2019-01-16
    modified 2018-07-14
    plugin id 104379
    published 2017-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104379
    title macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-001 and 2017-004)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201701-36.NASL
    description The remote host is affected by the vulnerability described in GLSA-201701-36 (Apache: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Apache. Please review the CVE identifiers, upstream Apache Software Foundation documentation, and HTTPoxy website referenced below for details. Impact : A remote attacker could cause a Denial of Service condition via multiple vectors or response splitting and cache pollution. Additionally, an attacker could intercept unsecured (HTTP) transmissions via the HTTPoxy vulnerability. Workaround : There is no known workaround at this time.
    last seen 2019-01-16
    modified 2017-06-29
    plugin id 96516
    published 2017-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96516
    title GLSA-201701-36 : Apache: Multiple vulnerabilities (httpoxy)
  • NASL family Misc.
    NASL id SECURITYCENTER_5_4_3_TNS_2017_04.NASL
    description According to its version, the installation of Tenable SecurityCenter on the remote host is affected by multiple vulnerabilities : - A flaw exists in the mod_session_crypto module due to encryption for data and cookies using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default). An unauthenticated, remote attacker can exploit this, via a padding oracle attack, to decrypt information without knowledge of the encryption key, resulting in the disclosure of potentially sensitive information. (CVE-2016-0736) - A denial of service vulnerability exists in the mod_auth_digest module during client entry allocation. An unauthenticated, remote attacker can exploit this, via specially crafted input, to exhaust shared memory resources, resulting in a server crash. (CVE-2016-2161) - The Apache HTTP Server is affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5387, CVE-2016-1000102, CVE-2016-1000104) - A carry propagation error exists in the Broadwell-specific Montgomery multiplication procedure when handling input lengths divisible by but longer than 256 bits. This can result in transient authentication and key negotiation failures or reproducible erroneous outcomes of public-key operations with specially crafted input. A man-in-the-middle attacker can possibly exploit this issue to compromise ECDH key negotiations that utilize Brainpool P-512 curves. (CVE-2016-7055) - A denial of service vulnerability exists in the mod_http2 module due to improper handling of the LimitRequestFields directive. An unauthenticated, remote attacker can exploit this, via specially crafted CONTINUATION frames in an HTTP/2 request, to inject unlimited request headers into the server, resulting in the exhaustion of memory resources. (CVE-2016-8740) - A flaw exists due to improper handling of whitespace patterns in user-agent headers. An unauthenticated, remote attacker can exploit this, via a specially crafted user-agent header, to cause the program to incorrectly process sequences of requests, resulting in interpreting responses incorrectly, polluting the cache, or disclosing the content from one request to a second downstream user-agent. (CVE-2016-8743) - A flaw exits in libcurl in the randit() function within file lib/rand.c due to improper initialization of the 32-bit random value, which is used, for example, to generate Digest and NTLM authentication nonces, resulting in weaker cryptographic operations than expected. (CVE-2016-9594) - A floating pointer exception flaw exists in the exif_convert_any_to_int() function in exif.c that is triggered when handling TIFF and JPEG image tags. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10158) - An integer overflow condition exists in the phar_parse_pharfile() function in phar.c due to improper validation when handling phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10159) - An off-by-one overflow condition exists in the phar_parse_pharfile() function in phar.c due to improper parsing of phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10160) - An out-of-bounds read error exists in the finish_nested_data() function in var_unserializer.c due to improper validation of unserialized data. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition or the disclosure of memory contents. (CVE-2016-10161) - A denial of service vulnerability exists in the gdImageCreateFromGd2Ctx() function within file gd_gd2.c in the GD Graphics Library (LibGD) when handling images claiming to contain more image data than they actually do. An unauthenticated, remote attacker can exploit this to crash a process linked against the library. (CVE-2016-10167) - An out-of-bounds read error exists when handling packets using the CHACHA20/POLY1305 or RC4-MD5 ciphers. An unauthenticated, remote attacker can exploit this, via specially crafted truncated packets, to cause a denial of service condition. (CVE-2017-3731) - A carry propagating error exists in the x86_64 Montgomery squaring implementation that may cause the BN_mod_exp() function to produce incorrect results. An unauthenticated, remote attacker with sufficient resources can exploit this to obtain sensitive information regarding private keys. Note that this issue is very similar to CVE-2015-3193. Moreover, the attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example, this can occur by default in OpenSSL DHE based SSL/TLS cipher suites. (CVE-2017-3732) - An out-of-bounds read error exists in the phar_parse_pharfile() function in phar.c due to improper parsing of phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. - Multiple stored cross-site scripting (XSS) vulnerabilities exist in unspecified scripts due to a failure to validate input before returning it to users. An authenticated, remote authenticated attacker can exploit these, via a specially crafted request, to execute arbitrary script code in a user's browser session. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-01-16
    modified 2019-01-02
    plugin id 97726
    published 2017-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97726
    title Tenable SecurityCenter 5.x < 5.4.3 Multiple Vulnerabilities (TNS-2017-04) (httpoxy)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-863.NASL
    description ap_find_token() buffer overread : A buffer over-read flaw was found in the httpd's ap_find_token() function. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP request. (CVE-2017-7668 ) Apache HTTP Request Parsing Whitespace Defects : It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) ap_get_basic_auth_pw() authentication bypass : It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd. (CVE-2017-3167) mod_mime buffer overread : A buffer over-read flaw was found in the httpd's mod_mime module. A user permitted to modify httpd's MIME configuration could use this flaw to cause httpd child process to crash. (CVE-2017-7679) mod_http2 NULL pointer dereference : A NULL pointer dereference flaw was found in the mod_http2 module of httpd. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP/2 request. (CVE-2017-7659) mod_ssl NULL pointer dereference : A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A remote attacker could use this flaw to cause a httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request. (CVE-2017-3169)
    last seen 2019-01-16
    modified 2018-04-18
    plugin id 102178
    published 2017-08-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102178
    title Amazon Linux AMI : httpd24 (ALAS-2017-863)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-1413.NASL
    description An update is now available for Red Hat JBoss Core Services on RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304) * It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) * It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) * A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys. (CVE-2016-7056) * A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. (CVE-2016-8610) * It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) * A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. An attacker could send crafted requests with headers larger than the server's available memory, causing httpd to crash. (CVE-2016-8740) Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 117315
    published 2018-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117315
    title RHEL 7 : JBoss Core Services (RHSA-2017:1413)
  • NASL family MacOS X Local Security Checks
    NASL id MACOS_10_13.NASL
    description The remote host is running a version of Mac OS X that is prior to 10.10.5, 10.11.x prior to 10.11.6, 10.12.x prior to 10.12.6, or is not macOS 10.13. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - AppSandbox - AppleScript - Application Firewall - ATS - Audio - CFNetwork - CFNetwork Proxies - CFString - Captive Network Assistant - CoreAudio - CoreText - DesktopServices - Directory Utility - file - Fonts - fsck_msdos - HFS - Heimdal - HelpViewer - IOFireWireFamily - ImageIO - Installer - Kernel - kext tools - libarchive - libc - libexpat - Mail - Mail Drafts - ntp - Open Scripting Architecture - PCRE - Postfix - Quick Look - QuickTime - Remote Management - SQLite - Sandbox - Screen Lock - Security - Spotlight - WebKit - zlib Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2019-01-16
    modified 2018-07-14
    plugin id 103598
    published 2017-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103598
    title macOS < 10.13 Multiple Vulnerabilities
  • NASL family Misc.
    NASL id SECURITYCENTER_APACHE_2_4_25.NASL
    description The Tenable SecurityCenter application installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities in the bundled version of Apache : - A flaw exists in the mod_session_crypto module due to encryption for data and cookies using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default). An unauthenticated, remote attacker can exploit this, via a padding oracle attack, to decrypt information without knowledge of the encryption key, resulting in the disclosure of potentially sensitive information. (CVE-2016-0736) - A denial of service vulnerability exists in the mod_auth_digest module during client entry allocation. An unauthenticated, remote attacker can exploit this, via specially crafted input, to exhaust shared memory resources, resulting in a server crash. (CVE-2016-2161) - The Apache HTTP Server is affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5387) - A denial of service vulnerability exists in the mod_http2 module due to improper handling of the LimitRequestFields directive. An unauthenticated, remote attacker can exploit this, via specially crafted CONTINUATION frames in an HTTP/2 request, to inject unlimited request headers into the server, resulting in the exhaustion of memory resources. (CVE-2016-8740) - A flaw exists due to improper handling of whitespace patterns in user-agent headers. An unauthenticated, remote attacker can exploit this, via a specially crafted user-agent header, to cause the program to incorrectly process sequences of requests, resulting in interpreting responses incorrectly, polluting the cache, or disclosing the content from one request to a second downstream user-agent. (CVE-2016-8743) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-01-16
    modified 2018-12-14
    plugin id 101044
    published 2017-06-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101044
    title Tenable SecurityCenter Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (TNS-2017-04) (httpoxy)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-851.NASL
    description Apache HTTP Request Parsing Whitespace Defects It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning.(CVE-2016-8743)
    last seen 2019-01-16
    modified 2018-04-18
    plugin id 101004
    published 2017-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101004
    title Amazon Linux AMI : httpd (ALAS-2017-851)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0729-1.NASL
    description This update for apache2 fixes the following issues: Security issues fixed : - CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714). - CVE-2016-8743: Added new directive 'HttpProtocolOptions Strict' to avoid proxy chain misinterpretation (bsc#1016715). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-11-30
    plugin id 97831
    published 2017-03-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97831
    title SUSE SLES11 Security Update : apache2 (SUSE-SU-2017:0729-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2815-2.NASL
    description This update for apache2 fixes the following issues : Security issues fixed : CVE-2016-8743: Fixed liberal whitespace interpretation accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. (bsc#1016715) CVE-2016-4975: Fixed possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes which prohibit CR or LF injection into the 'Location' or other outbound header key or value. (bsc#1104826) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-01
    plugin id 118291
    published 2018-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118291
    title SUSE SLES12 Security Update : apache2 (SUSE-SU-2018:2815-2)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-1721.NASL
    description An update for httpd is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue. Note: Administrators of Red Hat Satellite 5 and Red Hat Satellite Proxy 5 systems should consult Red Hat Knowledgebase article 3013361 linked to in the Reference section before installing this update. Bug Fix(es) : * Previously, httpd was unable to correctly check a boundary of an array, and in rare cases it attempted to access an element of an array that was out of bounds. Consequently, httpd terminated unexpectedly with a segmentation fault at proxy_util.c. With this update, bounds checking has been fixed, and httpd no longer crashes. (BZ#1463354)
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 101385
    published 2017-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101385
    title RHEL 6 : httpd (RHSA-2017:1721)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2815-1.NASL
    description This update for apache2 fixes the following issues : Security issues fixed : CVE-2016-8743: Fixed liberal whitespace interpretation accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. (bsc#1016715) CVE-2016-4975: Fixed possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes which prohibit CR or LF injection into the 'Location' or other outbound header key or value. (bsc#1104826) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-01
    plugin id 117695
    published 2018-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117695
    title SUSE SLES12 Security Update : apache2 (SUSE-SU-2018:2815-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-1414.NASL
    description An update is now available for Red Hat JBoss Core Services on RHEL 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304) * It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) * It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) * A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys. (CVE-2016-7056) * A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. (CVE-2016-8610) * It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) * A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. An attacker could send crafted requests with headers larger than the server's available memory, causing httpd to crash. (CVE-2016-8740) Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 117316
    published 2018-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117316
    title RHEL 6 : JBoss Core Services (RHSA-2017:1414)
  • NASL family Misc.
    NASL id ORACLE_SECURE_GLOBAL_DESKTOP_APR_2017_CPU.NASL
    description The version of Oracle Secure Global Desktop installed on the remote host is 4.71, 5.2, or 5.3 and is missing a security patch from the April 2017 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities : - An integer overflow condition exists in the Window System (X11) subcomponent in multiple functions in X.Org libExt due to improper validation of user-supplied input when calculating the amount of memory required to handle return data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. Note that this issue only affects version 4.71. (CVE-2013-1982) - An integer overflow condition exists in X.Org libXfixes in the XFixesGetCursorImage() function when handling large cursor dimensions or name lengths due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2013-1983) - An integer overflow condition exists within multiple functions in X.Org libXi due to improper validation of user-supplied input when calculating the amount of memory needed to handle return data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2013-1984) - An integer overflow condition exists in X.Org libXinerama in the XineramaQueryScreens() function due to improper validation of user-supplied input when calculating the amount of memory needed to handle return data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2013-1985) - An integer overflow condition exists in multiple functions in X.Org libXrandr due to improper validation of user-supplied input when calculating the amount of memory needed to handle return data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2013-1986) - An integer overflow condition exists in multiple functions in X.Org libXrender due to improper validation of user-supplied input when calculating the amount of memory needed to handle return data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2013-1987) - An overflow condition exists in X.Org libXi in the XListInputDevices() function, related to an unexpected sign extension, due to improper checking of the amount of memory needed to handle returned data when converting smaller integer types to larger ones. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2013-1995) - An overflow condition exists within multiple functions in X.Org LibXi due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted length or index, to cause a denial of service condition or the execution of arbitrary code. (CVE-2013-1998) - An overflow condition exists in X.Org LibXt in the _XtResourceConfigurationEH() function due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted length or index, to cause a denial of service condition or the execution of arbitrary code. (CVE-2013-2002) - An integer overflow condition exists in X.Org libXcursor in the _XcursorFileHeaderCreate() function due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2013-2003) - An uninitialized pointer flaw exists within multiple functions in X.Org LibXt due to a failure to check for proper initialization of pointers. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in a denial of service condition or the possible execution of arbitrary code. (CVE-2013-2005) - A flaw exists in the Application Server subcomponent (Apache Tomcat) due to a failure to process passwords when they are paired with non-existent usernames. An authenticated, remote attacker can exploit this, via a timing attack, to enumerate user account names. (CVE-2016-0762) - Multiple integer overflow conditions exist in s3_srvr.c, ssl_sess.c, and t1_lib.c due to improper use of pointer arithmetic for heap-buffer boundary checks. An unauthenticated, remote attacker can exploit these to cause a denial of service. (CVE-2016-2177) - An information disclosure vulnerability exists in the dsa_sign_setup() function in dsa_ossl.c due to a failure to properly ensure the use of constant-time operations. An unauthenticated, remote attacker can exploit this, via a timing side-channel attack, to disclose DSA key information. (CVE-2016-2178) - A denial of service vulnerability exists in the DTLS implementation due to a failure to properly restrict the lifetime of queue entries associated with unused out-of-order messages. An unauthenticated, remote attacker can exploit this, by maintaining multiple crafted DTLS sessions simultaneously, to exhaust memory. (CVE-2016-2179) - An out-of-bounds read error exists in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation. An unauthenticated, remote attacker can exploit this, via a crafted time-stamp file that is mishandled by the 'openssl ts' command, to cause a denial of service or to disclose sensitive information. (CVE-2016-2180) - A denial of service vulnerability exists in the Anti-Replay feature in the DTLS implementation due to improper handling of epoch sequence numbers in records. An unauthenticated, remote attacker can exploit this, via spoofed DTLS records, to cause legitimate packets to be dropped. (CVE-2016-2181) - An overflow condition exists in the BN_bn2dec() function in bn_print.c due to improper validation of user-supplied input when handling BIGNUM values. An unauthenticated, remote attacker can exploit this to crash the process. (CVE-2016-2182) - A vulnerability exists, known as SWEET32, in the 3DES and Blowfish algorithms due to the use of weak 64-bit block ciphers by default. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a 'birthday' attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session. (CVE-2016-2183) - A flaw exists in the Core subcomponent, specifically in the libcurl library, due to improper validation of TLS certificates. An authenticated, remote attacker with the ability to intercept network traffic can exploit this issue to disclose or manipulate transmitted data by spoofing the TLS/SSL server using a certificate that appears valid. Note that this issue only affects versions 5.2 and 5.3. (CVE-2016-3739) - A flaw exists in cURL and libcurl when loading dynamic link library (DLL) files security.dll, secur32.dll, or ws2_32.dll due searching an insecure path which may not be trusted or under user control. A local attacker can exploit this, via a Trojan DLL file placed in the search path, to execute arbitrary code with the privileges of the user running the program. (CVE-2016-4802) - A security bypass vulnerability exists in Apache Tomcat due to an unspecified flaw related to web applications. A local attacker can exploit this, via a utility method that is available to web applications, to bypass a configured SecurityManager. (CVE-2016-5018) - An out-of-bounds access error exists in the Window System (X11) subcomponent, specifically in the XvQueryAdaptors() function in file Xv.c, when handling server responses. An authenticated, remote attacker can exploit this to impact confidentiality, integrity, and availability. (CVE-2016-5407) - A use-after-free error exists in cURL and libcurl within file lib/vtls/vtls.c due to the program attempting to resume TLS sessions even if the client certificate fails. An unauthenticated, remote attacker can exploit this to bypass validation mechanisms, allowing the attacker to possibly control which connection is used. (CVE-2016-5419) - A flaw exists in cURL and libcurl in the Curl_ssl_config_matches() function within file lib/vtls/vtls.c due to the program reusing TLS connections with different client certificates. An unauthenticated, remote attacker can exploit this to disclose sensitive cross-realm information. (CVE-2016-5420) - A use-after-free error exists in cURL and libcurl in in the close_all_connections() function within file lib/multi.c due to connection pointers not being properly cleared. An unauthenticated, remote attacker can exploit this to have an unspecified impact on confidentiality, integrity, and availability. (CVE-2016-5421) - A flaw exists in the tls_decrypt_ticket() function in t1_lib.c due to improper handling of ticket HMAC digests. An unauthenticated, remote attacker can exploit this, via a ticket that is too short, to crash the process, resulting in a denial of service. (CVE-2016-6302) - An integer overflow condition exists in the MDC2_Update() function in mdc2dgst.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or possibly the execution of arbitrary code. (CVE-2016-6303) - A flaw exists in the ssl_parse_clienthello_tlsext() function in t1_lib.c due to improper handling of overly large OCSP Status Request extensions from clients. An unauthenticated, remote attacker can exploit this, via large OCSP Status Request extensions, to exhaust memory resources, resulting in a denial of service condition. (CVE-2016-6304) - A flaw exists in the SSL_peek() function in rec_layer_s3.c due to improper handling of empty records. An unauthenticated, remote attacker can exploit this, by triggering a zero-length record in an SSL_peek call, to cause an infinite loop, resulting in a denial of service condition. (CVE-2016-6305) - An out-of-bounds read error exists in the certificate parser that allows an unauthenticated, remote attacker to cause a denial of service via crafted certificate operations. (CVE-2016-6306) - A denial of service vulnerability exists in the state-machine implementation due to a failure to check for an excessive length before allocating memory. An unauthenticated, remote attacker can exploit this, via a crafted TLS message, to exhaust memory resources. (CVE-2016-6307) - A denial of service vulnerability exists in the DTLS implementation due to improper handling of excessively long DTLS messages. An unauthenticated, remote attacker can exploit this, via a crafted DTLS message, to exhaust available memory resources. (CVE-2016-6308) - A flaw exists in Apache Tomcat within SecurityManager due to improper restriction of access to system properties by the configuration files system property replacement feature. A local attacker can exploit this, via a crafted web application, to bypass SecurityManager restrictions and disclose system properties. (CVE-2016-6794) - A flaw exists in Apache Tomcat that allows a local attacker to bypass a configured SecurityManager by changing the configuration parameters for the JSP Servlet. (CVE-2016-6796) - A flaw exists in Apache Tomcat due to a failure to limit web application access to global JNDI resources. A local attacker can exploit this to gain unauthorized access to resources. (CVE-2016-6797) - A flaw exists in Apache Tomcat when handling request lines containing certain invalid characters. An unauthenticated, remote attacker can exploit this to conduct HTTP response splitting attacks by injecting additional headers into responses. (CVE-2016-6816) - An infinite loop condition exists in Apache Tomcat in the HTTP/2 parser when handling overly large headers. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a denial of service condition. (CVE-2016-6817) - A carry propagation error exists in the Broadwell-specific Montgomery multiplication procedure when handling input lengths divisible by but longer than 256 bits. This can result in transient authentication and key negotiation failures or reproducible erroneous outcomes of public-key operations with specially crafted input. A man-in-the-middle attacker can possibly exploit this issue to compromise ECDH key negotiations that utilize Brainpool P-512 curves. (CVE-2016-7055) - A flaw exists in cURL in the Curl_cookie_init() function within file lib/cookie.c when handling cookies. An unauthenticated, remote attacker can exploit this to inject new cookies for arbitrary domains. (CVE-2016-8615) - A flaw exists in cURL in the ConnectionExists() function within file lib/url.c when checking credentials supplied for reused connections due to the comparison being case-insensitive. An unauthenticated, remote attacker can exploit this to authenticate without knowing the proper case of the username and password. (CVE-2016-8616) - An integer overflow condition exists in cURL in the base64_encode() function within file lib/base64.c due to improper validation of certain input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-8617) - A denial of service vulnerability exists in cURL in the alloc_addbyter() function within file lib/mprintf.c due to improper validation of overly long input when it is supplied to the curl_maprintf() API method. An unauthenticated, remote attacker can exploit this to free already freed memory and thereby crash the program. (CVE-2016-8618) - A double-free error exists in cURL in the read_data() function within file lib/security.c when handling Kerberos authentication. An unauthenticated, remote attacker can exploit this to free already freed memory, resulting in an unspecified impact on confidentiality, integrity, and availability. (CVE-2016-8619) - An out-of-bounds access error exists in cURL in file tool_urlglob.c within the globbing feature. An unauthenticated, remote attacker can exploit this to disclose memory contents or execute arbitrary code. (CVE-2016-8620) - An out-of-bounds error exists in cURL in the parsedate() function within file lib/parsedate.c when handling dates. An unauthenticated, remote attacker can exploit this to disclose memory contents or cause a denial of service condition. (CVE-2016-8621) - An integer truncation error exists in cURL in the curl_easy_unescape() function within file lib/escape.c when handling overly large URLs. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-8622) - A use-after-free error exists in cURL within file lib/cookie.c when handling shared cookies. An unauthenticated, remote attacker can exploit this to disclose memory contents. (CVE-2016-8623) - A flaw exists in cURL in the parseurlandfillconn() function within file lib/url.c when parsing the authority component of a URL with the host name part ending in a '#' character. An unauthenticated, remote attacker can exploit this to establish a connection to a different host than intended. (CVE-2016-8624) - A flaw exists in cURL within International Domain Names (IDNA) handling when translating domain names to puny code for DNS resolving due to using the outdated IDNA 2003 standard instead of the IDNA 2008 standard, which can result in incorrect translation of a domain name. An unauthenticated, remote attacker can exploit this to cause network traffic to be redirected to a different host than intended. (CVE-2016-8625) - A flaw exists in Apache Tomcat within the catalina/mbeans/JmxRemoteLifecycleListener.java class that is triggered during the deserialization of Java objects. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-8735) - A flaw exists in the Web Server component (Apache HTTP Server) when handling whitespace patterns in User-Agent headers. An authenticated, remote attacker can exploit this, via a specially crafted User-Agent header, to cause incorrect processing of sequences of requests, resulting in incorrectly interpreting responses, polluting the cache, or disclosing content from one request to a second downstream user-agent. (CVE-2016-8743) - A NULL pointer dereference flaw exists within file ssl/statem/statem_clnt.c when handling parameters for the DHE or ECDHE key exchanges. An unauthenticated, remote attacker can exploit this, via specially crafted parameters, to cause a denial of service condition. (CVE-2017-3730) - A out-of-bounds read error exists exists in the Core subcomponent, specifically in OpenSSL, when handling packets using the CHACHA20/POLY1305 or RC4-MD5 ciphers. An unauthenticated, remote attacker can exploit this, via specially crafted truncated packets, to cause a denial of service condition. (CVE-2017-3731) - A carry propagating error exists in the x86_64 Montgomery squaring implementation that may cause the BN_mod_exp() function to produce incorrect results. An unauthenticated, remote attacker with sufficient resources can exploit this to obtain sensitive information regarding private keys. Note that this issue is very similar to CVE-2015-3193. Moreover, the attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example, this can occur by default in OpenSSL DHE based SSL/TLS cipher suites. (CVE-2017-3732) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-01-16
    modified 2018-07-18
    plugin id 99930
    published 2017-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99930
    title Oracle Secure Global Desktop Multiple Vulnerabilities (April 2017 CPU) (SWEET32)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0801-1.NASL
    description This update for apache2 provides the following fixes: Security issues fixed : - CVE-2016-0736: Protect mod_session_crypto data with a MAC to prevent padding oracle attacks (bsc#1016712). - CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714). - CVE-2016-8743: Added new directive 'HttpProtocolOptions Strict' to avoid proxy chain misinterpretation (bsc#1016715). Bugfixes : - Add NotifyAccess=all to systemd service files to prevent warnings in the log when using mod_systemd (bsc#980663). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-11-30
    plugin id 97916
    published 2017-03-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97916
    title SUSE SLES12 Security Update : apache2 (SUSE-SU-2017:0801-1)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1086.NASL
    description According to the versions of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) - It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) - It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-13
    modified 2019-02-12
    plugin id 99952
    published 2017-05-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99952
    title EulerOS 2.0 SP2 : httpd (EulerOS-SA-2017-1086)
  • NASL family Web Servers
    NASL id APACHE_2_4_25.NASL
    description According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.25. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the mod_session_crypto module due to encryption for data and cookies using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default). An unauthenticated, remote attacker can exploit this, via a padding oracle attack, to decrypt information without knowledge of the encryption key, resulting in the disclosure of potentially sensitive information. (CVE-2016-0736) - A denial of service vulnerability exists in the mod_auth_digest module during client entry allocation. An unauthenticated, remote attacker can exploit this, via specially crafted input, to exhaust shared memory resources, resulting in a server crash. (CVE-2016-2161) - The Apache HTTP Server is affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5387) - A denial of service vulnerability exists in the mod_http2 module due to improper handling of the LimitRequestFields directive. An unauthenticated, remote attacker can exploit this, via specially crafted CONTINUATION frames in an HTTP/2 request, to inject unlimited request headers into the server, resulting in the exhaustion of memory resources. (CVE-2016-8740) - A flaw exists due to improper handling of whitespace patterns in user-agent headers. An unauthenticated, remote attacker can exploit this, via a specially crafted user-agent header, to cause the program to incorrectly process sequences of requests, resulting in interpreting responses incorrectly, polluting the cache, or disclosing the content from one request to a second downstream user-agent. (CVE-2016-8743) - A CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir (CVE-2016-4975) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-10
    modified 2019-02-08
    plugin id 96451
    published 2017-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96451
    title Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (httpoxy)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170711_HTTPD_ON_SL6_X.NASL
    description Security Fix(es) : - It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue. Note: Administrators of Red Hat Satellite 5 and Red Hat Satellite Proxy 5 systems should consult Red Hat Knowledgebase article 3013361 linked to in the Reference section before installing this update. Bug Fix(es) : - Previously, httpd was unable to correctly check a boundary of an array, and in rare cases it attempted to access an element of an array that was out of bounds. Consequently, httpd terminated unexpectedly with a segmentation fault at proxy_util.c. With this update, bounds checking has been fixed, and httpd no longer crashes.
    last seen 2019-01-16
    modified 2018-12-27
    plugin id 101387
    published 2017-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101387
    title Scientific Linux Security Update : httpd on SL6.x i386/x86_64
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZLSA-2017-1721.NASL
    description An update for httpd is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue. Note: Administrators of Red Hat Satellite 5 and Red Hat Satellite Proxy 5 systems should consult Red Hat Knowledgebase article 3013361 linked to in the Reference section before installing this update. Bug Fix(es) : * Previously, httpd was unable to correctly check a boundary of an array, and in rare cases it attempted to access an element of an array that was out of bounds. Consequently, httpd terminated unexpectedly with a segmentation fault at proxy_util.c. With this update, bounds checking has been fixed, and httpd no longer crashes. (BZ#1463354) Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-11-27
    plugin id 119218
    published 2018-11-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119218
    title Virtuozzo 6 : httpd / httpd-devel / httpd-manual / httpd-tools / etc (VZLSA-2017-1721)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-1721.NASL
    description An update for httpd is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue. Note: Administrators of Red Hat Satellite 5 and Red Hat Satellite Proxy 5 systems should consult Red Hat Knowledgebase article 3013361 linked to in the Reference section before installing this update. Bug Fix(es) : * Previously, httpd was unable to correctly check a boundary of an array, and in rare cases it attempted to access an element of an array that was out of bounds. Consequently, httpd terminated unexpectedly with a segmentation fault at proxy_util.c. With this update, bounds checking has been fixed, and httpd no longer crashes. (BZ#1463354)
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 101488
    published 2017-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101488
    title CentOS 6 : httpd (CESA-2017:1721)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-0906.NASL
    description An update for httpd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) * It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) * It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue. Bug Fix(es) : * When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs. (BZ#1420002) * Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. (BZ#1429947) * In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails. (BZ#1420047)
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 99379
    published 2017-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99379
    title CentOS 7 : httpd (CESA-2017:0906)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-0906.NASL
    description An update for httpd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) * It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) * It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue. Bug Fix(es) : * When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs. (BZ#1420002) * Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. (BZ#1429947) * In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails. (BZ#1420047)
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 99340
    published 2017-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99340
    title RHEL 7 : httpd (RHSA-2017:0906)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-D22F50D985.NASL
    description Security fix for CVE-2016-8743, CVE-2016-2161, CVE-2016-0736 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-02-01
    plugin id 96114
    published 2016-12-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96114
    title Fedora 24 : httpd (2016-d22f50d985)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0797-1.NASL
    description This update for apache2 fixes the following security issues: Security issues fixed : - CVE-2016-0736: Protect mod_session_crypto data with a MAC to prevent padding oracle attacks (bsc#1016712). - CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714). - CVE-2016-8743: Added new directive 'HttpProtocolOptions Strict' to avoid proxy chain misinterpretation (bsc#1016715). Bugfixes : - Add missing copy of hcuri and hcexpr from the worker to the health check worker (bsc#1019380). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-11-30
    plugin id 97912
    published 2017-03-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97912
    title SUSE SLES12 Security Update : apache2 (SUSE-SU-2017:0797-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3279-1.NASL
    description It was discovered that the Apache mod_session_crypto module was encrypting data and cookies using either CBC or ECB modes. A remote attacker could possibly use this issue to perform padding oracle attacks. (CVE-2016-0736) Maksim Malyutin discovered that the Apache mod_auth_digest module incorrectly handled malicious input. A remote attacker could possibly use this issue to cause Apache to crash, resulting in a denial of service. (CVE-2016-2161) David Dennerline and Regis Leroy discovered that the Apache HTTP Server incorrectly handled unusual whitespace when parsing requests, contrary to specifications. When being used in combination with a proxy or backend server, a remote attacker could possibly use this issue to perform an injection attack and pollute cache. This update may introduce compatibility issues with clients that do not strictly follow HTTP protocol specifications. A new configuration option 'HttpProtocolOptions Unsafe' can be used to revert to the previous unsafe behaviour in problematic environments. (CVE-2016-8743). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-01
    plugin id 100098
    published 2017-05-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100098
    title Ubuntu 14.04 LTS / 16.04 LTS / 16.10 : apache2 vulnerabilities (USN-3279-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-416.NASL
    description This update for apache2 fixes the following security issues : Security issues fixed : - CVE-2016-0736: Protect mod_session_crypto data with a MAC to prevent padding oracle attacks (bsc#1016712). - CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714). - CVE-2016-8743: Added new directive 'HttpProtocolOptions Strict' to avoid proxy chain misinterpretation (bsc#1016715). Bugfixes : - Add missing copy of hcuri and hcexpr from the worker to the health check worker (bsc#1019380). This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen 2019-01-16
    modified 2018-01-26
    plugin id 99154
    published 2017-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99154
    title openSUSE Security Update : apache2 (openSUSE-2017-416)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-785.NASL
    description The following security-related issues were fixed : Padding oracle vulnerability in Apache mod_session_crypto (CVE-2016-0736) DoS vulnerability in mod_auth_digest (CVE-2016-2161) Apache HTTP request parsing whitespace defects (CVE-2016-8743)
    last seen 2019-01-16
    modified 2018-04-18
    plugin id 96631
    published 2017-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96631
    title Amazon Linux AMI : httpd24 (ALAS-2017-785)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-0906.NASL
    description From Red Hat Security Advisory 2017:0906 : An update for httpd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) * It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) * It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue. Bug Fix(es) : * When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs. (BZ#1420002) * Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. (BZ#1429947) * In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails. (BZ#1420047)
    last seen 2019-01-16
    modified 2018-07-24
    plugin id 99329
    published 2017-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99329
    title Oracle Linux 7 : httpd (ELSA-2017-0906)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170412_HTTPD_ON_SL7_X.NASL
    description Security Fix(es) : - It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) - It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) - It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue. Bug Fix(es) : - When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs. - Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. - In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails.
    last seen 2019-01-16
    modified 2018-12-27
    plugin id 99350
    published 2017-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99350
    title Scientific Linux Security Update : httpd on SL7.x x86_64
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_862D6AB3C75E11E69F9820CF30E32F6D.NASL
    description Apache Software Foundation reports : Please reference CVE/URL list for details
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 96037
    published 2016-12-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96037
    title FreeBSD : Apache httpd -- several vulnerabilities (862d6ab3-c75e-11e6-9f98-20cf30e32f6d) (httpoxy)
  • NASL family Junos Local Security Checks
    NASL id JUNIPER_SPACE_JSA_10838.NASL
    description According to its self-reported version number, the remote Junos Space version is prior to 17.2R1. It is, therefore, affected by multiple vulnerabilities.
    last seen 2019-01-16
    modified 2018-08-03
    plugin id 108520
    published 2018-03-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108520
    title Juniper Junos Space < 17.2R1 Multiple Vulnerabilities (JSA10838)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-1046.NASL
    description This update for apache2 fixes the following issues : Security issues fixed : - CVE-2016-8743: Fixed liberal whitespace interpretation accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. (bsc#1016715) - CVE-2016-4975: Fixed possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes which prohibit CR or LF injection into the 'Location' or other outbound header key or value. (bsc#1104826) This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen 2019-01-16
    modified 2018-09-27
    plugin id 117789
    published 2018-09-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117789
    title openSUSE Security Update : apache2 (openSUSE-2018-1046)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-841.NASL
    description The fix for CVE-2016-8743 introduced a regression which would segfault apache workers under certain conditions (#858373), an issue similar to previously fixed CVE-2015-0253. The issue was introduced in DLA-841-1 and the associated 2.2.22-13+deb7u8 package version. For Debian 7 'Wheezy', these problems have been fixed in version 2.2.22-13+deb7u11. We recommend that you upgrade your apache2 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-07-09
    plugin id 97438
    published 2017-03-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97438
    title Debian DLA-841-2 : apache2 regression update
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL00373024.NASL
    description Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. (CVE-2016-8743) Impact An attacker may be able to perform HTTP request smuggling through specially crafted HTTP requests. For more information about HTTP request smuggling, refer to Section 9.5 Request Smuggling of Internet Engineering Task Force (RFC 7230). Note : This link takes you to a resource outside of AskF5. The third party could remove the document without our knowledge.
    last seen 2019-01-16
    modified 2019-01-04
    plugin id 110056
    published 2018-05-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110056
    title F5 Networks BIG-IP : Apache vulnerability (K00373024)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3796.NASL
    description Several vulnerabilities were discovered in the Apache2 HTTP server. - CVE-2016-0736 RedTeam Pentesting GmbH discovered that mod_session_crypto was vulnerable to padding oracle attacks, which could allow an attacker to guess the session cookie. - CVE-2016-2161 Maksim Malyutin discovered that malicious input to mod_auth_digest could cause the server to crash, causing a denial of service. - CVE-2016-8743 David Dennerline, of IBM Security's X-Force Researchers, and Regis Leroy discovered problems in the way Apache handled a broad pattern of unusual whitespace patterns in HTTP requests. In some configurations, this could lead to response splitting or cache pollution vulnerabilities. To fix these issues, this update makes Apache httpd be more strict in what HTTP requests it accepts. If this causes problems with non-conforming clients, some checks can be relaxed by adding the new directive 'HttpProtocolOptions unsafe' to the configuration. This update also fixes the issue where mod_reqtimeout was not enabled by default on new installations.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 97400
    published 2017-02-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97400
    title Debian DSA-3796-1 : apache2 - security update
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-1721.NASL
    description From Red Hat Security Advisory 2017:1721 : An update for httpd is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue. Note: Administrators of Red Hat Satellite 5 and Red Hat Satellite Proxy 5 systems should consult Red Hat Knowledgebase article 3013361 linked to in the Reference section before installing this update. Bug Fix(es) : * Previously, httpd was unable to correctly check a boundary of an array, and in rare cases it attempted to access an element of an array that was out of bounds. Consequently, httpd terminated unexpectedly with a segmentation fault at proxy_util.c. With this update, bounds checking has been fixed, and httpd no longer crashes. (BZ#1463354)
    last seen 2019-01-16
    modified 2018-07-24
    plugin id 101382
    published 2017-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101382
    title Oracle Linux 6 : httpd (ELSA-2017-1721)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2554-1.NASL
    description This update for apache2 fixes the following issues : Security issues fixed : CVE-2016-8743: Fixed liberal whitespace interpretation accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. (bsc#1016715) CVE-2016-4975: Fixed possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes which prohibit CR or LF injection into the 'Location' or other outbound header key or value. (bsc#1104826) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-01
    plugin id 112199
    published 2018-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112199
    title SUSE SLES12 Security Update : apache2 (SUSE-SU-2018:2554-1)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZLSA-2017-0906.NASL
    description An update for httpd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) * It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) * It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue. Bug Fix(es) : * When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs. (BZ#1420002) * Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. (BZ#1429947) * In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails. (BZ#1420047) Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-30
    modified 2019-01-29
    plugin id 101445
    published 2017-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101445
    title Virtuozzo 7 : httpd / httpd-devel / httpd-manual / httpd-tools / etc (VZLSA-2017-0906)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1085.NASL
    description According to the versions of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736) - It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161) - It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-23
    modified 2019-01-22
    plugin id 99951
    published 2017-05-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99951
    title EulerOS 2.0 SP1 : httpd (EulerOS-SA-2017-1085)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-8D9B62C784.NASL
    description Security fix for CVE-2016-8743, CVE-2016-2161, CVE-2016-0736 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-02-01
    plugin id 96111
    published 2016-12-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96111
    title Fedora 25 : httpd (2016-8d9b62c784)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-417.NASL
    description This update for apache2 provides the following fixes : Security issues fixed : - CVE-2016-0736: Protect mod_session_crypto data with a MAC to prevent padding oracle attacks (bsc#1016712). - CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714). - CVE-2016-8743: Added new directive 'HttpProtocolOptions Strict' to avoid proxy chain misinterpretation (bsc#1016715). Bugfixes : - Add NotifyAccess=all to systemd service files to prevent warnings in the log when using mod_systemd (bsc#980663). This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2019-01-16
    modified 2018-01-26
    plugin id 99155
    published 2017-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99155
    title openSUSE Security Update : apache2 (openSUSE-2017-417)
redhat via4
advisories
  • bugzilla
    id 1429947
    title Backport: mod_proxy_wstunnel - AH02447: err/hup on backconn
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment httpd is earlier than 0:2.4.6-45.el7_3.4
          oval oval:com.redhat.rhsa:tst:20170906007
        • comment httpd is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111245017
      • AND
        • comment httpd-devel is earlier than 0:2.4.6-45.el7_3.4
          oval oval:com.redhat.rhsa:tst:20170906005
        • comment httpd-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111245019
      • AND
        • comment httpd-manual is earlier than 0:2.4.6-45.el7_3.4
          oval oval:com.redhat.rhsa:tst:20170906019
        • comment httpd-manual is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111245025
      • AND
        • comment httpd-tools is earlier than 0:2.4.6-45.el7_3.4
          oval oval:com.redhat.rhsa:tst:20170906015
        • comment httpd-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111245023
      • AND
        • comment mod_ldap is earlier than 0:2.4.6-45.el7_3.4
          oval oval:com.redhat.rhsa:tst:20170906013
        • comment mod_ldap is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140921010
      • AND
        • comment mod_proxy_html is earlier than 1:2.4.6-45.el7_3.4
          oval oval:com.redhat.rhsa:tst:20170906011
        • comment mod_proxy_html is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140921008
      • AND
        • comment mod_session is earlier than 0:2.4.6-45.el7_3.4
          oval oval:com.redhat.rhsa:tst:20170906017
        • comment mod_session is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140921016
      • AND
        • comment mod_ssl is earlier than 1:2.4.6-45.el7_3.4
          oval oval:com.redhat.rhsa:tst:20170906009
        • comment mod_ssl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111245021
    rhsa
    id RHSA-2017:0906
    released 2017-04-12
    severity Moderate
    title RHSA-2017:0906: httpd security and bug fix update (Moderate)
  • bugzilla
    id 1463354
    title segfault in ap_proxy_set_scoreboard_lb
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment httpd is earlier than 0:2.2.15-60.el6_9.4
          oval oval:com.redhat.rhsa:tst:20171721005
        • comment httpd is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111245017
      • AND
        • comment httpd-devel is earlier than 0:2.2.15-60.el6_9.4
          oval oval:com.redhat.rhsa:tst:20171721007
        • comment httpd-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111245019
      • AND
        • comment httpd-manual is earlier than 0:2.2.15-60.el6_9.4
          oval oval:com.redhat.rhsa:tst:20171721013
        • comment httpd-manual is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111245025
      • AND
        • comment httpd-tools is earlier than 0:2.2.15-60.el6_9.4
          oval oval:com.redhat.rhsa:tst:20171721009
        • comment httpd-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111245023
      • AND
        • comment mod_ssl is earlier than 1:2.2.15-60.el6_9.4
          oval oval:com.redhat.rhsa:tst:20171721011
        • comment mod_ssl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111245021
    rhsa
    id RHSA-2017:1721
    released 2017-07-11
    severity Moderate
    title RHSA-2017:1721: httpd security and bug fix update (Moderate)
  • rhsa
    id RHSA-2017:1161
  • rhsa
    id RHSA-2017:1413
  • rhsa
    id RHSA-2017:1414
  • rhsa
    id RHSA-2017:1415
rpms
  • httpd-0:2.4.6-45.el7_3.4
  • httpd-devel-0:2.4.6-45.el7_3.4
  • httpd-manual-0:2.4.6-45.el7_3.4
  • httpd-tools-0:2.4.6-45.el7_3.4
  • mod_ldap-0:2.4.6-45.el7_3.4
  • mod_proxy_html-1:2.4.6-45.el7_3.4
  • mod_session-0:2.4.6-45.el7_3.4
  • mod_ssl-1:2.4.6-45.el7_3.4
  • httpd-0:2.2.15-60.el6_9.4
  • httpd-devel-0:2.2.15-60.el6_9.4
  • httpd-manual-0:2.2.15-60.el6_9.4
  • httpd-tools-0:2.2.15-60.el6_9.4
  • mod_ssl-1:2.2.15-60.el6_9.4
refmap via4
bid 95077
confirm
debian DSA-3796
gentoo GLSA-201701-36
sectrack 1037508
Last major update 27-07-2017 - 17:29
Published 27-07-2017 - 17:29
Last modified 24-04-2018 - 21:29
Back to Top