envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl.

According to its banner, the version of Apache 2.4.x running on the remote host is prior to 2.4.2. It is, therefore, potentially affected by an insecure library loading issue.

The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars' file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO), leading to arbitrary code execution.

Note that the scanner did not actually test for this flaw, but instead has relied on the version in the server's banner.

This Apache2 LTSS roll-up update for SUSE Linux Enterprise 10 SP3 LTSS fixes the following security issues and bugs :

  - CVE-2012-4557: Denial of Service via special requests in     mod_proxy_ajp

  - CVE-2012-0883: improper LD_LIBRARY_PATH handling

  - CVE-2012-2687: filename escaping problem

  - CVE-2012-0031: Fixed a scoreboard corruption (shared mem     segment) by child causes crash of privileged parent     (invalid free()) during shutdown.

  - CVE-2012-0053: Fixed an issue in error responses that     could expose 'httpOnly' cookies when no custom     ErrorDocument is specified for status code 400'.

  - The SSL configuration template has been adjusted not to     suggested weak ciphers CVE-2007-6750: The     'mod_reqtimeout' module was backported from Apache     2.2.21 to help mitigate the 'Slowloris' Denial of     Service attack.

    You need to enable the 'mod_reqtimeout' module in your     existing apache configuration to make it effective, e.g.
    in the APACHE_MODULES line in /etc/sysconfig/apache2.

  - CVE-2011-3639, CVE-2011-3368, CVE-2011-4317: This update     also includes several fixes for a mod_proxy reverse     exposure via RewriteRule or ProxyPassMatch directives.

  - CVE-2011-1473: Fixed the SSL renegotiation DoS by     disabling renegotiation by default.

  - CVE-2011-3607: Integer overflow in ap_pregsub function     resulting in a heap-based buffer overflow could     potentially allow local attackers to gain privileges

Additionally, some non-security bugs have been fixed which are listed in the changelog file.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes the following security issues with apache2 httpd :

  - Improper LD_LIBRARY_PATH handling (CVE-2012-0883 )

  - Filename escaping problem (CVE-2012-2687 )

Additionally, some non-security bugs have been fixed as enumerated in the changelog of the RPM.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Solaris system is missing necessary patches to address security updates :

  - envvars (aka envvars-std) in the Apache HTTP Server     before 2.4.2 places a zero-length directory name in the     LD_LIBRARY_PATH, which allows local users to gain     privileges via a Trojan horse DSO in the current working     directory during execution of apachectl. (CVE-2012-0883)

  - Multiple cross-site scripting (XSS) vulnerabilities in     the make_variant_list function in mod_negotiation.c in     the mod_negotiation module in the Apache HTTP Server     2.4.x before 2.4.3, when the MultiViews option is     enabled, allow remote attackers to inject arbitrary web     script or HTML via a crafted filename that is not     properly handled during construction of a variant list.
    (CVE-2012-2687)

- ignore case when checking against SNI server names.
    [bnc#798733] httpd-2.2.x-bnc798733-SNI_ignorecase.diff

  - better cleanup of busy count after recovering from     failure [bnc#789828]     httpd-2.2.x-bnc789828-mod_balancer.diff

- httpd-2.2.x-bnc788121-CVE-2012-4557-mod_proxy_ajp_timeout.diff:
backend timeouts should not affect the entire worker. [bnc#788121]

- httpd-2.2.x-envvars.diff obsoletes httpd-2.0.54-envvars.dif:
Fix for low profile bug CVE-2012-0883 about improper LD_LIBRARY_PATH handling. [bnc#757710]

- httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename_xss.diff Escape filename for the case that uploads are allowed with untrusted user's control over filenames and mod_negotiation enabled on the same directory. CVE-2012-2687 [bnc#777260]

- httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff reworked to reflect the upstream changes. This will prevent the 'Invalid URI in request OPTIONS *' messages in the error log. [bnc#722545]

The remote host is missing Mac OS X security update 2013-004 that fixes multiple security issues. 

The remote host is running a version of Mac OS X 10.8 that is older than 10.8.5. The newer version contains numerous security-related fixes for the following components :

  - Apache
  - Bind
  - Certificate Trust Policy
  - CoreGraphics
  - ImageIO
  - Installer
  - IPSec
  - Kernel
  - Mobile Device Management
  - OpenSSL
  - PHP
  - PostgreSQL
  - Power Management
  - QuickTime
  - Screen Lock
  - sudo

 This update also addresses an issue in which certain Unicode strings could cause applications to unexpectedly quit.

 Note that successful exploitation of the most serious issues could result in arbitrary code execution.

The remote host is running a version of Mac OS X 10.6 or 10.7 that does not have Security Update 2013-004 applied.  This update contains several security-related fixes for the following component :

  - Apache
  - Bind
  - Certificate Trust Policy
  - ClamAV
  - Installer
  - IPSec
  - Mobile Device Management
  - OpenSSL
  - PHP
  - PostgreSQL
  - QuickTime
  - sudo

Note that successful exploitation of the most serious issues could result in arbitrary code execution.

The remote host is running a version of Mac OS X 10.8.x that is prior to 10.8.5. The newer version contains multiple security-related fixes for the following components :

  - Apache
  - Bind
  - Certificate Trust Policy
  - CoreGraphics
  - ImageIO
  - Installer
  - IPSec
  - Kernel
  - Mobile Device Management
  - OpenSSL
  - PHP
  - PostgreSQL
  - Power Management
  - QuickTime
  - Screen Lock
  - sudo

This update also addresses an issue in which certain Unicode strings could cause applications to unexpectedly quit.

Note that successful exploitation of the most serious issues could result in arbitrary code execution.

According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote web server is a version prior to 7.2.1.0. It is, therefore, affected by the following vulnerabilities :

  - An information disclosure vulnerability, known as BEAST,     exists in the SSL 3.0 and TLS 1.0 protocols due to a     flaw in the way the initialization vector (IV) is     selected when operating in cipher-block chaining (CBC)     modes. A man-in-the-middle attacker can exploit this     to obtain plaintext HTTP header data, by using a     blockwise chosen-boundary attack (BCBA) on an HTTPS     session, in conjunction with JavaScript code that uses     the HTML5 WebSocket API, the Java URLConnection API,     or the Silverlight WebClient API. (CVE-2011-3389)

  - The utility 'apachectl' can receive a zero-length     directory name in the LD_LIBRARY_PATH via the 'envvars'     file. A local attacker with access to that utility     could exploit this to load a malicious Dynamic Shared     Object (DSO), leading to arbitrary code execution.
    (CVE-2012-0883)

  - Numerous, unspecified errors could allow remote denial     of service attacks. (CVE-2012-2110, CVE-2012-2329,     CVE-2012-2336, CVE-2013-2357, CVE-2013-2358,     CVE-2013-2359, CVE-2013-2360)

  - The fix for CVE-2012-1823 does not completely correct     the CGI query parameter vulnerability. Disclosure of     PHP source code and code execution are still possible.
    Note that this vulnerability is exploitable only when     PHP is used in CGI-based configurations.  Apache with     'mod_php' is not an exploitable configuration.
    (CVE-2012-2311, CVE-2012-2335)

  - Unspecified errors exist that could allow unauthorized     access. (CVE-2012-5217, CVE-2013-2355)

  - Unspecified errors exist that could allow disclosure of     sensitive information. (CVE-2013-2356, CVE-2013-2363)

  - An unspecified error exists that could allow cross-site     scripting attacks. (CVE-2013-2361)

  - Unspecified errors exist that could allow a local     attacker to cause denial of service conditions.
    (CVE-2013-2362, CVE-2013-2364)

  - An as-yet unspecified vulnerability exists that could     cause a denial of service condition. (CVE-2013-4821)

This update fixes the following security issues with apache2 httpd :

  - Improper LD_LIBRARY_PATH handling. (CVE-2012-0883)

  - Filename escaping problem (CVE-2012-2687) Additionally,     some non-security bugs have been fixed as enumerated in     the changelog of the RPM.

This update fixes the following issues :

  - Denial of Service via special requests in mod_proxy_ajp.
    (CVE-2012-4557)

  - improper LD_LIBRARY_PATH handling. (CVE-2012-0883)

  - filename escaping problem Additionally, some     non-security bugs have been fixed:. (CVE-2012-2687)

  - ignore case when checking against SNI server names.
    [bnc#798733]

  - httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff     reworked to reflect the upstream changes. This will     prevent the 'Invalid URI in request OPTIONS *' messages     in the error log. [bnc#722545]

  - new sysconfig variable APACHE_DISABLE_SSL_COMPRESSION;
    if set to on, OPENSSL_NO_DEFAULT_ZLIB will be inherited     to the apache process; openssl will then transparently     disable compression. This change affects start script     and sysconfig fillup template. Default is on, SSL     compression disabled. Please see mod_deflate for     compressed transfer at http layer. [bnc#782956]

This update contains the 2.2.23 release of the Apache HTTP Server.

http://www.eu.apache.org/dist/httpd/CHANGES_2.2.23

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities has been found and corrected in apache (ASF HTTPD) :

Insecure handling of LD_LIBRARY_PATH was found that could lead to the current working directory to be searched for DSOs. This could allow a local user to execute code as root if an administrator runs apachectl from an untrusted directory (CVE-2012-0883).

Possible XSS for sites which use mod_negotiation and allow untrusted uploads to locations which have MultiViews enabled (CVE-2012-2687).

The updated packages have been upgraded to the latest 2.2.23 version which is not vulnerable to these issues.

Update :

Packages for Mandriva Linux 2011 is also being provided.

Apache versions earlier than 2.2.23 are affected by the following vulnerabilities.

  - The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars' file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO), leading to arbitrary code execution. (CVE-2012-0883)

  - An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-site scripting attacks. (CVE-2012-2687)

According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.23. It is, therefore, potentially affected by the following vulnerabilities :

  - The utility 'apachectl' can receive a zero-length     directory name in the LD_LIBRARY_PATH via the 'envvars'     file. A local attacker with access to that utility     could exploit this to load a malicious Dynamic Shared     Object (DSO), leading to arbitrary code execution.
    (CVE-2012-0883)

  - An input validation error exists related to     'mod_negotiation', 'Multiviews' and untrusted uploads     that can allow cross-site scripting attacks.
    (CVE-2012-2687)

Note that Nessus has not tested for these flaws but has instead relied on the version in the server's banner.

Apache reports :

Insecure handling of LD_LIBRARY_PATH was found that could lead to the current working directory to be searched for DSOs. This could allow a local user to execute code as root if an administrator runs apachectl from an untrusted directory.

The remote host is affected by the vulnerability described in GLSA-201206-25 (Apache HTTP Server: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache HTTP Server.
      Please review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker might obtain sensitive information, gain privileges,       send requests to unintended servers behind proxies, bypass certain       security restrictions, obtain the values of HTTPOnly cookies, or cause a       Denial of Service in various ways.
    A local attacker could gain escalated privileges.
  Workaround :

    There is no known workaround at this time.

According to its banner, the version of Apache 2.4.x running on the remote host is prior to 2.4.2. It is, therefore, potentially affected by an insecure library loading issue. 

The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars' file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO), leading to arbitrary code execution. 

Note that Nessus did not actually test for this flaw, but instead has relied on the version in the server's banner.

ID	Name	Product	Family	Severity
98900	Apache 2.4.x < 2.4.2 'LD_LIBRARY_PATH' Insecure Library Loading	Web App Scanning	Component Vulnerability	high
83578	SUSE SLES10 Security Update : apache2 (SUSE-SU-2013:0469-1)	Nessus	SuSE Local Security Checks	medium
83577	SUSE SLES10 Security Update : apache2 (SUSE-SU-2013:0387-1)	Nessus	SuSE Local Security Checks	medium
80583	Oracle Solaris Third-Party Patch Update : apache (multiple_vulnerabilities_in_apache_http2)	Nessus	Solaris Local Security Checks	medium
75181	openSUSE Security Update : apache2 (openSUSE-SU-2013:0243-1)	Nessus	SuSE Local Security Checks	medium
8008	Mac OS X 10.8 < 10.8.5 Multiple Vulnerabilities (Security Update 2013-004)	Nessus Network Monitor	Web Clients	critical
69878	Mac OS X Multiple Vulnerabilities (Security Update 2013-004)	Nessus	MacOS X Local Security Checks	critical
69877	Mac OS X 10.8.x < 10.8.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
69020	HP System Management Homepage < 7.2.1.0 Multiple Vulnerabilities (BEAST)	Nessus	Web Servers	high
65025	SuSE 10 Security Update : apache2 (ZYPP Patch Number 8443)	Nessus	SuSE Local Security Checks	medium
65023	SuSE 11.2 Security Update : Apache (SAT Patch Number 7409)	Nessus	SuSE Local Security Checks	medium
64595	Fedora 17 : httpd-2.2.23-1.fc17 (2013-1661)	Nessus	Fedora Local Security Checks	medium
62386	Mandriva Linux Security Advisory : apache (MDVSA-2012:154-1)	Nessus	Mandriva Local Security Checks	medium
6576	Apache 2.2 < 2.2.23 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
62101	Apache 2.2.x < 2.2.23 Multiple Vulnerabilities	Nessus	Web Servers	high
61388	FreeBSD : Apache -- Insecure LD_LIBRARY_PATH handling (de2bc01f-dc44-11e1-9f4d-002354ed89bc)	Nessus	FreeBSD Local Security Checks	medium
59678	GLSA-201206-25 : Apache HTTP Server: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
58795	Apache 2.4.x < 2.4.2 'LD_LIBRARY_PATH' Insecure Library Loading	Nessus	Web Servers	high

Detections

Analytics

CVE-2012-0883

high

Tenable Plugins

high

medium

medium

medium

medium

critical

critical

critical

high

medium

medium

medium

medium

high

high

medium

high

high