The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection of a long request-processing time, which allows remote attackers to cause a denial of service (worker consumption) via an expensive request.

The remote Redhat Enterprise Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2011:0897 advisory.

  - tomcat: information disclosure in authentication headers (CVE-2010-1157)

  - httpd mod_cache, mod_dav: DoS (httpd child process crash) by parsing URI structure with missing path     segments (CVE-2010-1452)

  - apr-util: high memory consumption in apr_brigade_split_line() (CVE-2010-1623)

  - tomcat: file permission bypass flaw (CVE-2010-3718)

  - tomcat: cross-site-scripting vulnerability in the manager application (CVE-2010-4172)

  - tomcat: XSS vulnerability in HTML Manager interface (CVE-2011-0013)

  - apr: unconstrained recursion in apr_fnmatch (CVE-2011-0419)

  - httpd: mod_proxy_ajp worker moved to error state when timeout exceeded (CVE-2012-4557)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This Apache2 LTSS roll-up update for SUSE Linux Enterprise 10 SP3 LTSS fixes the following security issues and bugs :

  - CVE-2012-4557: Denial of Service via special requests in     mod_proxy_ajp

  - CVE-2012-0883: improper LD_LIBRARY_PATH handling

  - CVE-2012-2687: filename escaping problem

  - CVE-2012-0031: Fixed a scoreboard corruption (shared mem     segment) by child causes crash of privileged parent     (invalid free()) during shutdown.

  - CVE-2012-0053: Fixed an issue in error responses that     could expose 'httpOnly' cookies when no custom     ErrorDocument is specified for status code 400'.

  - The SSL configuration template has been adjusted not to     suggested weak ciphers CVE-2007-6750: The     'mod_reqtimeout' module was backported from Apache     2.2.21 to help mitigate the 'Slowloris' Denial of     Service attack.

    You need to enable the 'mod_reqtimeout' module in your     existing apache configuration to make it effective, e.g.
    in the APACHE_MODULES line in /etc/sysconfig/apache2.

  - CVE-2011-3639, CVE-2011-3368, CVE-2011-4317: This update     also includes several fixes for a mod_proxy reverse     exposure via RewriteRule or ProxyPassMatch directives.

  - CVE-2011-1473: Fixed the SSL renegotiation DoS by     disabling renegotiation by default.

  - CVE-2011-3607: Integer overflow in ap_pregsub function     resulting in a heap-based buffer overflow could     potentially allow local attackers to gain privileges

Additionally, some non-security bugs have been fixed which are listed in the changelog file.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- ignore case when checking against SNI server names.
    [bnc#798733] httpd-2.2.x-bnc798733-SNI_ignorecase.diff

  - better cleanup of busy count after recovering from     failure [bnc#789828]     httpd-2.2.x-bnc789828-mod_balancer.diff

- httpd-2.2.x-bnc788121-CVE-2012-4557-mod_proxy_ajp_timeout.diff:
backend timeouts should not affect the entire worker. [bnc#788121]

- httpd-2.2.x-envvars.diff obsoletes httpd-2.0.54-envvars.dif:
Fix for low profile bug CVE-2012-0883 about improper LD_LIBRARY_PATH handling. [bnc#757710]

- httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename_xss.diff Escape filename for the case that uploads are allowed with untrusted user's control over filenames and mod_negotiation enabled on the same directory. CVE-2012-2687 [bnc#777260]

- httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff reworked to reflect the upstream changes. This will prevent the 'Invalid URI in request OPTIONS *' messages in the error log. [bnc#722545]

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2013-0512 advisory.

    - add security fix for CVE-2012-2687 (#850794)
    - add security fixes for CVE-2011-4317, CVE-2012-0053, CVE-2012-0031,       CVE-2011-3607 (#787599)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Niels Heinen discovered that multiple modules incorrectly sanitized certain strings, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain.
(CVE-2012-3499, CVE-2012-4558)

It was discovered that the mod_proxy_ajp module incorrectly handled error states. A remote attacker could use this issue to cause the server to stop responding, resulting in a denial of service. This issue only applied to Ubuntu 8.04 LTS, Ubuntu 10.04 LTS and Ubuntu 11.10. (CVE-2012-4557)

It was discovered that the apache2ctl script shipped in Ubuntu packages incorrectly created the lock directory. A local attacker could possibly use this issue to gain privileges. The symlink protections in Ubuntu 11.10 and later should reduce this vulnerability to a denial of service. (CVE-2013-1048).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated httpd packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation.

An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site. (CVE-2008-0455, CVE-2012-2687)

It was discovered that mod_proxy_ajp, when used in configurations with mod_proxy in load balancer mode, would mark a back-end server as failed when request processing timed out, even when a previous AJP (Apache JServ Protocol) CPing request was responded to by the back-end. A remote attacker able to make a back-end use an excessive amount of time to process a request could cause mod_proxy to not send requests to back-end AJP servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2012-4557)

These updated httpd packages include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes.

All users of httpd are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. After installing the updated packages, the httpd daemon will be restarted automatically.

This update fixes the following issues :

  - Denial of Service via special requests in mod_proxy_ajp.
    (CVE-2012-4557)

  - improper LD_LIBRARY_PATH handling. (CVE-2012-0883)

  - filename escaping problem Additionally, some     non-security bugs have been fixed:. (CVE-2012-2687)

  - ignore case when checking against SNI server names.
    [bnc#798733]

  - httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff     reworked to reflect the upstream changes. This will     prevent the 'Invalid URI in request OPTIONS *' messages     in the error log. [bnc#722545]

  - new sysconfig variable APACHE_DISABLE_SSL_COMPRESSION;
    if set to on, OPENSSL_NO_DEFAULT_ZLIB will be inherited     to the apache process; openssl will then transparently     disable compression. This change affects start script     and sysconfig fillup template. Default is on, SSL     compression disabled. Please see mod_deflate for     compressed transfer at http layer. [bnc#782956]

An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use this flaw to conduct cross-site scripting attacks against users visiting the site. (CVE-2008-0455, CVE-2012-2687)

It was discovered that mod_proxy_ajp, when used in configurations with mod_proxy in load balancer mode, would mark a back-end server as failed when request processing timed out, even when a previous AJP (Apache JServ Protocol) CPing request was responded to by the back-end. A remote attacker able to make a back-end use an excessive amount of time to process a request could cause mod_proxy to not send requests to back-end AJP servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2012-4557)

After installing the updated packages, the httpd daemon will be restarted automatically.

A vulnerability has been found in the Apache HTTPD Server :

  - CVE-2012-4557     A flaw was found when mod_proxy_ajp connects to a     backend server that takes too long to respond. Given a     specific configuration, a remote attacker could send     certain requests, putting a backend server into an error     state until the retry timeout expired. This could lead     to a temporary denial of service.

In addition, this update also adds a server side mitigation for the following issue :

  - CVE-2012-4929     If using SSL/TLS data compression with HTTPS in an     connection to a web browser, man-in-the-middle attackers     may obtain plaintext HTTP headers. This issue is known     as the 'CRIME' attack. This update of apache2 disables     SSL compression by default. A new SSLCompression     directive has been backported that may be used to     re-enable SSL data compression in environments where the     'CRIME' attack is not an issue. For more information,     please refer to the SSLCompression Directive     documentation.

Versions of Apache 2.2 earlier than 2.2.22 are potentially affected by the following vulnerabilities :

  - When configured as a reverse proxy, improper use of the RewriteRule and ProxyPasssMatch directives could cause the web server to proxy requests to arbitrary hosts.  This could allow a remote attacker to indirectly send request to intranet servers. (CVE-2011-3368, CVE-2011-4317)

  - A heap-based buffer overflow exists when mod_setenvif module is enabled and both a maliciously crafted 'SetEnvIf' directive and a maliciously crafted HTTP request header are used. (CVE-2011-3607)

  - A format string handling error can allow the server to be crashed via maliciously crafted cookies. (CVE-2012-0021)

  - An error exists in 'scoreboard.c' that can allow local attackers to crash the server during shutdown. (CVE-2012-0031)

  - An error exists in 'protocol.c' that can allow 'HTTPOnly' cookies to be exposed to attackers through the malicious use of either long or malformed HTTP headers. (CVE-2012-0053)

  - An error in the mod_proxy_ajp module when used to connect to a backend server that takes an overly long time to respond could lead to a temporary denial of service. (CVE-2012-4557)

According to its banner, the version of Apache 2.2.x installed on the remote host is prior to 2.2.22. It is, therefore, potentially affected by the following vulnerabilities :

  - When configured as a reverse proxy, improper use of the     RewriteRule and ProxyPassMatch directives could cause     the web server to proxy requests to arbitrary hosts.
    This could allow a remote attacker to indirectly send     requests to intranet servers.
    (CVE-2011-3368, CVE-2011-4317)

  - A heap-based buffer overflow exists when mod_setenvif     module is enabled and both a maliciously crafted     'SetEnvIf' directive and a maliciously crafted HTTP     request header are used. (CVE-2011-3607)

  - A format string handling error can allow the server to     be crashed via maliciously crafted cookies.
    (CVE-2012-0021)

  - An error exists in 'scoreboard.c' that can allow local     attackers to crash the server during shutdown.
    (CVE-2012-0031)

  - An error exists in 'protocol.c' that can allow     'HTTPOnly' cookies to be exposed to attackers through     the malicious use of either long or malformed HTTP     headers. (CVE-2012-0053)

  - An error in the mod_proxy_ajp module when used to     connect to a backend server that takes an overly long     time to respond could lead to a temporary denial of     service. (CVE-2012-4557)

Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.

ID	Name	Product	Family	Severity
193971	RHEL 5 / 6 : JBoss Enterprise Web Server 1.0.2 update (Moderate) (RHSA-2011:0897)	Nessus	Red Hat Local Security Checks	medium
83578	SUSE SLES10 Security Update : apache2 (SUSE-SU-2013:0469-1)	Nessus	SuSE Local Security Checks	medium
75181	openSUSE Security Update : apache2 (openSUSE-SU-2013:0243-1)	Nessus	SuSE Local Security Checks	medium
68750	Oracle Linux 6 : httpd (ELSA-2013-0512)	Nessus	Oracle Linux Local Security Checks	medium
65607	Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : apache2 vulnerabilities (USN-1765-1)	Nessus	Ubuntu Local Security Checks	medium
65145	CentOS 6 : httpd (CESA-2013:0512)	Nessus	CentOS Local Security Checks	medium
65023	SuSE 11.2 Security Update : Apache (SAT Patch Number 7409)	Nessus	SuSE Local Security Checks	medium
64952	Scientific Linux Security Update : httpd on SL6.x i386/x86_64 (20130221)	Nessus	Scientific Linux Local Security Checks	medium
64761	RHEL 6 : httpd (RHSA-2013:0512)	Nessus	Red Hat Local Security Checks	medium
63114	Debian DSA-2579-1 : apache2 - Multiple issues	Nessus	Debian Local Security Checks	medium
800552	Apache 2.2 < 2.2.22 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	high
6302	Apache 2.2 < 2.2.22 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
57791	Apache 2.2.x < 2.2.22 Multiple Vulnerabilities	Nessus	Web Servers	medium

Detections

Analytics

CVE-2012-4557

high

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

high

medium

medium