The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2010-0168 advisory.

    [2.2.3-31.0.1.el5_4.4]
    - Replace index.html with Oracle's index page oracle_index.html
    - Update vstring and distro in specfile

    [2.2.3-31.4]
    - require and BR a version of OpenSSL with the secure reneg API (#567980)

    [2.2.3-31.3]
    - mod_ssl: add SSLInsecureRenegotiation (#567980)
    - add security fixes for CVE-2010-0408, CVE-2010-0434 (#570440)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

CVE-2010-0408 httpd: mod_proxy_ajp remote temporary DoS

CVE-2010-0434 httpd: request header information leak

It was discovered that mod_proxy_ajp incorrectly returned an 'Internal Server Error' response when processing certain malformed requests, which caused the back-end server to be marked as failed in configurations where mod_proxy is used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period (60 seconds by default) by sending specially crafted requests.
(CVE-2010-0408)

A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434)

This update also adds the following enhancement :

  - with the updated openssl packages from RHSA-2010:0162     installed, mod_ssl will refuse to renegotiate a TLS/SSL     connection with an unpatched client that does not     support RFC 5746. This update adds the     'SSLInsecureRenegotiation' configuration directive. If     this directive is enabled, mod_ssl will renegotiate     insecurely with unpatched clients. (BZ#567980)

Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior:
http://kbase.redhat.com/faq/docs/DOC-20491

After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

The remote host is affected by the vulnerability described in GLSA-201206-25 (Apache HTTP Server: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache HTTP Server.
      Please review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker might obtain sensitive information, gain privileges,       send requests to unintended servers behind proxies, bypass certain       security restrictions, obtain the values of HTTPOnly cookies, or cause a       Denial of Service in various ways.
    A local attacker could gain escalated privileges.
  Workaround :

    There is no known workaround at this time.

The following bugs have been fixed :

  - When using a multithreaded MPM Apache could leak memory     of requests handled by a different thread when     processing subrequests. (CVE-2010-0434)

  - Specially crafted requests could crash mod_proxy_ajp.
    (CVE-2010-0408)

Versions of Mac OS X 10.6 earlier than 10.6.5 are potentially affected by multiple vulnerabilities.  Mac OS X 10.6.5 contains security fixes for the following products :

  - AFP Server

  - Apache mod_perl

  - Apache

  - AppKit

  - ATS

  - CFNetwork

  - CoreGraphics

  - CoreText

  - CUPS

  - Directory Services

  - diskdev_cmds

Disk Images

  - Flash Player plug-in

  - gzip

  - Image Capture

  - ImageIO

  - Image RAW

  - Kernel

  - MySQL

  - neon

  - Networking

  - OpenLDAP

  - OpenSSL

  - Password Server

  - PHP

  - Printing

  - python

  - QuickLook

  - QuickTime

  - Safari RSS

  - Time Machine

  - Wiki Server

  - X11

  - xar

The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.5.

Mac OS X 10.6.5 contains security fixes for the following products :

  - AFP Server
  - Apache mod_perl
  - Apache
  - AppKit
  - ATS
  - CFNetwork
  - CoreGraphics
  - CoreText
  - CUPS
  - Directory Services
  - diskdev_cmds
  - Disk Images
  - Flash Player plug-in
  - gzip
  - Image Capture
  - ImageIO
  - Image RAW
  - Kernel
  - MySQL
  - neon
  - Networking
  - OpenLDAP
  - OpenSSL
  - Password Server
  - PHP
  - Printing
  - python
  - QuickLook
  - QuickTime
  - Safari RSS
  - Time Machine
  - Wiki Server
  - X11
  - xar

According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.15. It is, therefore, potentially affected by multiple vulnerabilities :

  - A TLS renegotiation prefix injection attack is possible.     (CVE-2009-3555)

  - The 'mod_proxy_ajp' module returns the wrong status code     if it encounters an error which causes the back-end     server to be put into an error state. (CVE-2010-0408)

  - The 'mod_isapi' attempts to unload the 'ISAPI.dll' when     it encounters various error states which could leave     call-backs in an undefined state. (CVE-2010-0425)

  - A flaw in the core sub-request process code can lead to     sensitive information from a request being handled by     the wrong thread if a multi-threaded environment is     used. (CVE-2010-0434)

  - Added 'mod_reqtimeout' module to mitigate Slowloris     attacks. (CVE-2007-6750)

The following bugs have been fixed :

When using a multi-threaded MPM apache could leak memory of requests handled by a different thread when processing subrequests (CVE-2010-0434). Specially crafted requests could crash mod_proxy_ajp.
(CVE-2010-0408)

The Apache HTTP Server Project is proud to announce the release of version 2.2.15 of the Apache HTTP Server ('httpd'). This version is principally a security and bugfix release. Notably, this release was updated to reflect the OpenSSL Project's release 0.9.8m of the openssl library, and addresses CVE-2009-3555 (cve.mitre.org), the TLS renegotiation prefix injection attack. This release further addresses the issues CVE-2010-0408 and CVE-2010-0434 within mod_proxy_ajp and mod_headers respectively. See the upstream changes file for further information: http://www.apache.org/dist/httpd/CHANGES_2.2.15

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Apache HTTP Server Project is proud to announce the release of version 2.2.15 of the Apache HTTP Server ('httpd'). This version is principally a security and bugfix release. This release fixes two minor security issues and includes a number of bug fixes. See the upstream changes file for further information:
http://www.apache.org/dist/httpd/CHANGES_2.2.15

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2010:0168 advisory.

  - httpd: mod_proxy_ajp remote temporary DoS (CVE-2010-0408)

  - httpd: request header information leak (CVE-2010-0434)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

When using a multithreaded MPM apache could leak memory of requests handled by a different thread when processing subrequests (CVE-2010-0434).

Specially crafted requests could crash mod_proxy_ajp (CVE-2010-0408).

Two issues have been found in the Apache HTTPD web server :

  - CVE-2010-0408     mod_proxy_ajp would return the wrong status code if it     encountered an error, causing a backend server to be put     into an error state until the retry timeout expired. A     remote attacker could send malicious requests to trigger     this issue, resulting in denial of service.

  - CVE-2010-0434     A flaw in the core subrequest process code was found,     which could lead to a daemon crash (segfault) or     disclosure of sensitive information if the headers of a     subrequest were modified by modules such as mod_headers.

Updated httpd packages that fix two security issues and add an enhancement are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The Apache HTTP Server is a popular web server.

It was discovered that mod_proxy_ajp incorrectly returned an 'Internal Server Error' response when processing certain malformed requests, which caused the back-end server to be marked as failed in configurations where mod_proxy is used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period (60 seconds by default) by sending specially crafted requests.
(CVE-2010-0408)

A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434)

This update also adds the following enhancement :

* with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the 'SSLInsecureRenegotiation' configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#567980)

Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior:
http://kbase.redhat.com/faq/docs/DOC-20491

All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

It was discovered that mod_proxy_ajp did not properly handle errors when a client doesn't send a request body. A remote attacker could exploit this with a crafted request and cause a denial of service.
This issue affected Ubuntu 8.04 LTS, 8.10, 9.04 and 9.10.
(CVE-2010-0408)

It was discovered that Apache did not properly handle headers in subrequests under certain conditions. A remote attacker could exploit this with a crafted request and possibly obtain sensitive information from previous requests. (CVE-2010-0434).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New httpd packages are available for Slackware 12.0, 12.1, 12.2, 13.0, and -current to fix security issues. mod_ssl: A partial fix for the TLS renegotiation prefix injection attack by rejecting any client-initiated renegotiations. mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent when request headers indicate a request body is incoming; not a case of HTTP_INTERNAL_SERVER_ERROR. mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. [This is the most serious flaw, but does not affect Linux systems]

According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.15.  Such versions are potentially affected by multiple vulnerabilities : 

  - A TLS renegotiation prefix attack is possible. (CVE-2009-3555)

  - The 'mod_proxy_ajp' module returns the wrong status code if it encounters an error which causes the back-end server to be put into an error state. (CVE-2010-0408)

  - The 'mod_isapi' module attempts to unload the 'ISAPI.DLL' when it encounters various error states which could leave call-backs in an undefined state. (CVE-2010-0425)

  - A flaw in the core sub-request process code can lead to sensitive information from a request being handled by the wrong thread if a multi-threaded environment is used. (CVE-2010-0434)

A vulnerability has been found and corrected in apache :

mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent after request headers indicate a request body is incoming; this is not a case of HTTP_INTERNAL_SERVER_ERROR (CVE-2010-0408).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

The updated packages have been patched to correct this issue.

ID	Name	Product	Family	Severity
68022	Oracle Linux 5 : httpd (ELSA-2010-0168)	Nessus	Oracle Linux Local Security Checks	high
60754	Scientific Linux Security Update : httpd on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
59678	GLSA-201206-25 : Apache HTTP Server: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
50889	SuSE 11 Security Update : Apache 2 (SAT Patch Number 2293)	Nessus	SuSE Local Security Checks	medium
5705	Mac OS X 10.6 < 10.6.5 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
50548	Mac OS X 10.6.x < 10.6.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
45004	Apache 2.2.x < 2.2.15 Multiple Vulnerabilities	Nessus	Web Servers	critical
49827	SuSE 10 Security Update : Apache 2 (ZYPP Patch Number 6987)	Nessus	SuSE Local Security Checks	medium
47417	Fedora 11 : httpd-2.2.15-1.fc11.1 (2010-6131)	Nessus	Fedora Local Security Checks	medium
47412	Fedora 12 : httpd-2.2.15-1.fc12.2 (2010-6055)	Nessus	Fedora Local Security Checks	medium
47408	Fedora 13 : httpd-2.2.15-1.fc13 (2010-5942)	Nessus	Fedora Local Security Checks	medium
46279	RHEL 5 : httpd (RHSA-2010:0168)	Nessus	Red Hat Local Security Checks	high
46013	SuSE 10 Security Update : Apache 2 (ZYPP Patch Number 6984)	Nessus	SuSE Local Security Checks	medium
46011	openSUSE Security Update : apache2 (openSUSE-SU-2010:0165-1)	Nessus	SuSE Local Security Checks	medium
46009	openSUSE Security Update : apache2 (openSUSE-SU-2010:0165-1)	Nessus	SuSE Local Security Checks	medium
46006	openSUSE Security Update : apache2 (openSUSE-SU-2010:0165-1)	Nessus	SuSE Local Security Checks	medium
45557	Debian DSA-2035-1 : apache2 - multiple issues	Nessus	Debian Local Security Checks	medium
45367	CentOS 5 : httpd (CESA-2010:0168)	Nessus	CentOS Local Security Checks	medium
45037	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : apache2 vulnerabilities (USN-908-1)	Nessus	Ubuntu Local Security Checks	medium
45007	Slackware 12.0 / 12.1 / 12.2 / 13.0 / current : httpd (SSA:2010-067-01)	Nessus	Slackware Local Security Checks	critical
5356	Apache < 2.2.15 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	critical
44963	Mandriva Linux Security Advisory : apache (MDVSA-2010:053)	Nessus	Mandriva Local Security Checks	medium

Detections

Analytics

CVE-2010-0408

high

Tenable Plugins

high

medium

high

medium

critical

critical

critical

medium

medium

medium

medium

high

medium

medium

medium

medium

medium

medium

medium

critical

critical

medium