mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - firefox: Possible integer overflow to fix inside XML_Parse in Expat (CVE-2016-9063)

  - mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support     an httpd configuration in which the same Lua authorization provider is used with different arguments     within different contexts, which allows remote attackers to bypass intended access restrictions in     opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration     that specifies authorization for one group to access a certain directory, and authorization for a second     group to access a second directory. (CVE-2014-8109)

  - Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail to validate the integrity of SDBM database     files used by apr_sdbm*() functions, resulting in a possible out of bound read access. A local user with     write access to the database can make a program or process using these functions crash, and cause a denial     of service. (CVE-2017-12618)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

According to the versions of the httpd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in Apache HTTP Server 2.4.0     to 2.4.38. When the path component of a request URL     contains multiple consecutive slashes ('/'), directives     such as LocationMatch and RewriteRule must account for     duplicates in regular expressions while other aspects     of the servers processing will implicitly collapse     them.(CVE-2019-0220)

  - A specially crafted request could have crashed the     Apache HTTP Server prior to version 2.4.30, due to an     out of bound access after a size limit is reached by     reading the HTTP header. This vulnerability is     considered very hard if not impossible to trigger in     non-debug mode (both log and build level), so it is     classified as low risk for common server     usage.(CVE-2018-1301)

  - In Apache httpd 2.4.0 to 2.4.29, when mod_session is     configured to forward its session data to CGI     applications (SessionEnv on, not the default), a remote     user may influence their content by using a 'Session'     header. This comes from the 'HTTP_SESSION' variable     name used by mod_session to forward its data to CGIs,     since the prefix 'HTTP_' is also used by the Apache     HTTP Server to pass HTTP header fields, per CGI     specifications.(CVE-2018-1283)

  - mod_lua.c in the mod_lua module in the Apache HTTP     Server 2.3.x and 2.4.x through 2.4.10 does not support     an httpd configuration in which the same Lua     authorization provider is used with different arguments     within different contexts, which allows remote     attackers to bypass intended access restrictions in     opportunistic circumstances by leveraging multiple     Require directives, as demonstrated by a configuration     that specifies authorization for one group to access a     certain directory, and authorization for a second group     to access a second directory.(CVE-2014-8109)

  - In Apache HTTP server 2.4.0 to 2.4.39, Redirects     configured with mod_rewrite that were intended to be     self-referential might be fooled by encoded newlines     and redirect instead to an unexpected URL within the     request URL.(CVE-2019-10098)

  - In Apache HTTP Server 2.4.0-2.4.39, a limited     cross-site scripting issue was reported affecting the     mod_proxy error page. An attacker could cause the link     on the error page to be malformed and instead point to     a page of their choice. This would only be exploitable     where a server was set up with proxying enabled but was     misconfigured in such a way that the Proxy Error page     was displayed.(CVE-2019-10092)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the httpd packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in Apache HTTP Server 2.4.0     to 2.4.38. When the path component of a request URL     contains multiple consecutive slashes ('/'), directives     such as LocationMatch and RewriteRule must account for     duplicates in regular expressions while other aspects     of the servers processing will implicitly collapse     them.(CVE-2019-0220)

  - A specially crafted request could have crashed the     Apache HTTP Server prior to version 2.4.30, due to an     out of bound access after a size limit is reached by     reading the HTTP header. This vulnerability is     considered very hard if not impossible to trigger in     non-debug mode (both log and build level), so it is     classified as low risk for common server     usage.(CVE-2018-1301)

  - In Apache httpd 2.4.0 to 2.4.29, when mod_session is     configured to forward its session data to CGI     applications (SessionEnv on, not the default), a remote     user may influence their content by using a 'Session'     header. This comes from the 'HTTP_SESSION' variable     name used by mod_session to forward its data to CGIs,     since the prefix 'HTTP_' is also used by the Apache     HTTP Server to pass HTTP header fields, per CGI     specifications.(CVE-2018-1283)

  - mod_lua.c in the mod_lua module in the Apache HTTP     Server 2.3.x and 2.4.x through 2.4.10 does not support     an httpd configuration in which the same Lua     authorization provider is used with different arguments     within different contexts, which allows remote     attackers to bypass intended access restrictions in     opportunistic circumstances by leveraging multiple     Require directives, as demonstrated by a configuration     that specifies authorization for one group to access a     certain directory, and authorization for a second group     to access a second directory.(CVE-2014-8109)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in Apache HTTP Server 2.4.0     to 2.4.38. When the path component of a request URL     contains multiple consecutive slashes ('/'), directives     such as LocationMatch and RewriteRule must account for     duplicates in regular expressions while other aspects     of the servers processing will implicitly collapse     them.(CVE-2019-0220)

  - A specially crafted request could have crashed the     Apache HTTP Server prior to version 2.4.30, due to an     out of bound access after a size limit is reached by     reading the HTTP header. This vulnerability is     considered very hard if not impossible to trigger in     non-debug mode (both log and build level), so it is     classified as low risk for common server     usage.(CVE-2018-1301)

  - In Apache httpd 2.4.0 to 2.4.29, when mod_session is     configured to forward its session data to CGI     applications (SessionEnv on, not the default), a remote     user may influence their content by using a 'Session'     header. This comes from the 'HTTP_SESSION' variable     name used by mod_session to forward its data to CGIs,     since the prefix 'HTTP_' is also used by the Apache     HTTP Server to pass HTTP header fields, per CGI     specifications.(CVE-2018-1283)

  - mod_lua.c in the mod_lua module in the Apache HTTP     Server 2.3.x and 2.4.x through 2.4.10 does not support     an httpd configuration in which the same Lua     authorization provider is used with different arguments     within different contexts, which allows remote     attackers to bypass intended access restrictions in     opportunistic circumstances by leveraging multiple     Require directives, as demonstrated by a configuration     that specifies authorization for one group to access a     certain directory, and authorization for a second group     to access a second directory.(CVE-2014-8109)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of Apache 2.4.x running on the remote host is prior to 2.4.12. It is, therefore, affected by the following vulnerabilities :

 - A flaw exists in module mod_headers that can allow HTTP trailers to replace HTTP headers late during request processing, which a remote attacker can exploit to inject arbitrary headers. This can also cause some modules to function incorrectly or appear to function incorrectly. (CVE-2013-5704)

 - A NULL pointer dereference flaw exists in module mod_cache. A remote attacker, using an empty HTTP Content-Type header, can exploit this vulnerability to crash a caching forward proxy configuration, resulting in a denial of service if using a threaded MPM. (CVE-2014-3581)

 - A out-of-bounds memory read flaw exists in module mod_proxy_fcgi. An attacker, using a remote FastCGI server to send long response headers, can exploit this vulnerability to cause a denial of service by causing a buffer over-read. (CVE-2014-3583)

 - A flaw exists in module mod_lua when handling a LuaAuthzProvider used in multiple Require directives with different arguments. An attacker can exploit this vulnerability to bypass intended access restrictions. (CVE-2014-8109)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the version of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - mod_lua.c in the mod_lua module in the Apache HTTP     Server 2.3.x and 2.4.x through 2.4.10 does not support     an httpd configuration in which the same Lua     authorization provider is used with different arguments     within different contexts, which allows remote     attackers to bypass intended access restrictions in     opportunistic circumstances by leveraging multiple     Require directives, as demonstrated by a configuration     that specifies authorization for one group to access a     certain directory, and authorization for a second group     to access a second directory. (CVE-2014-8109)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running a version of Mac OS X 10.10.x that is prior to version 10.10.5. The installed version is affected by multiple vulnerabilities in the following components :

 - apache (CVE-2014-3581, CVE-2014-3583, CVE-2014-8109, CVE-2015-0228, CVE-2015-0253, CVE-2015-3183, CVE-2015-3185)
 - apache_mod_php (CVE-2015-2783, CVE-2015-2787, CVE-2015-3307, CVE-2015-3329, CVE-2015-3330, CVE-2015-4021, CVE-2015-4022, CVE-2015-4024, CVE-2015-4025, CVE-2015-4026, CVE-2015-4147, CVE-2015-4148)
 - Apple ID OD Plug-in (CVE-2015-3799)
 - AppleGraphicsControl (CVE-2015-5768)
 - Bluetooth (CVE-2015-3777, CVE-2015-3779, CVE-2015-3780, CVE-2015-3786, CVE-2015-3787)
 - bootp (CVE-2015-3778)
 - CloudKit (CVE-2015-3782)
 - CoreMedia Playback (CVE-2015-5777, CVE-2015-5778)
 - CoreText (CVE-2015-5761, CVE-2015-5755)
 - curl (CVE-2014-3613, CVE-2014-3620, CVE-2014-3707, CVE-2014-8150, CVE-2014-8151, CVE-2015-3143, CVE-2015-3144, CVE-2015-3145, CVE-2015-3148, CVE-2015-3153)
 - Data Detectors Engine (CVE-2015-5750)
 - Date & Time pref pane (CVE-2015-3757)
 - Dictionary Application (CVE-2015-3774)
 - DiskImages (CVE-2015-3800)
 - dyld (CVE-2015-3760)
 - FontParser (CVE-2015-3804, CVE-2015-5775, CVE-2015-5756)
 - groff (CVE-2009-5044, CVE-2009-5078)
 - ImageIO (CVE-2015-5758, CVE-2015-5781, CVE-2015-5782)
 - Install Framework Legacy (CVE-2015-5784, CVE-2015-5754)
 - IOFireWireFamily (CVE-2015-3769, CVE-2015-3771, CVE-2015-3772)
 - IOGraphics (CVE-2015-3770, CVE-2015-5783)
 - IOHIDFamily (CVE-2015-5774)
 - Kernel (CVE-2015-3766, CVE-2015-3768, CVE-2015-5747, CVE-2015-5748, CVE-2015-3806, CVE-2015-3803, CVE-2015-3802, CVE-2015-3805, CVE-2015-3776, CVE-2015-3761)
 - Libc (CVE-2015-3796, CVE-2015-3797, CVE-2015-3798)
 - Libinfo (CVE-2015-5776)
 - libpthread (CVE-2015-5757)
 - libxml2 (CVE-2014-0191, CVE-2014-3660, CVE-2015-3807)
 - libxpc (CVE-2015-3795)
 - mail_cmds (CVE-2014-7844)
 - Notification Center OSX (CVE-2015-3764)
 - ntfs (CVE-2015-5763)
 - OpenSSH (CVE-2015-5600)
 - OpenSSL (CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792)
 - perl (CVE-2013-7422)
 - PostgreSQL (CVE-2014-0067, CVE-2014-8161, CVE-2015-0241, CVE-2015-0242, CVE-2015-0243, CVE-2015-0244)
 - python (CVE-2013-7040, CVE-2013-7338, CVE-2014-1912, CVE-2014-7185, CVE-2014-9365)
 - QL Office (CVE-2015-5773, CVE-2015-3784)
 - Quartz Composer Framework (CVE-2015-5771)
 - Quick Look (CVE-2015-3781)
 - QuickTime 7 (CVE-2015-3779, CVE-2015-5753, CVE-2015-5779, CVE-2015-3765, CVE-2015-3788, CVE-2015-3789, CVE-2015-3790, CVE-2015-3791, CVE-2015-3792, CVE-2015-5751)
 - SceneKit (CVE-2015-5772, CVE-2015-3783)
 - Security (CVE-2015-3775)
 - SMBClient (CVE-2015-3773)
 - Speech UI (CVE-2015-3794)
 - sudo (CVE-2013-1775, CVE-2013-1776, CVE-2013-2776, CVE-2013-2777, CVE-2014-0106, CVE-2014-9680)
 - tcpdump (CVE-2014-8767, CVE-2014-8769, CVE-2014-9140)
 - Text Formats (CVE-2015-3762)
 - udf (CVE-2015-3767)

 Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The remote Mac OS X host has a version of OS X Server installed that is prior to 5.0.3. It is, therefore, affected by the following vulnerabilities :

  - A flaw exists in the mod_headers module that allows HTTP     trailers to replace HTTP headers late during request     processing. A remote attacker can exploit this to inject     arbitrary headers. This can also cause some modules to     function incorrectly or appear to function incorrectly.
    (CVE-2013-5704)

  - A privilege escalation vulnerability exists due to the     'make check' command not properly invoking initdb to     specify authentication requirements for a database     cluster to be used for tests. A local attacker can     exploit this issue to gain temporary server access and     elevated privileges. (CVE-2014-0067)

  - A NULL pointer dereference flaw exists in module     mod_cache. A remote attacker, using an empty HTTP     Content-Type header, can exploit this vulnerability to     crash a caching forward proxy configuration, resulting     in a denial of service if using a threaded MPM.
    (CVE-2014-3581)

  - A out-of-bounds memory read flaw exists in module     mod_proxy_fcgi. An attacker, using a remote FastCGI     server to send long response headers, can exploit this     vulnerability to cause a denial of service by causing     a buffer over-read. (CVE-2014-3583)

  - A flaw exists in module mod_lua when handling a     LuaAuthzProvider used in multiple Require directives     with different arguments. An attacker can exploit this     vulnerability to bypass intended access restrictions.
    (CVE-2014-8109)

  - An information disclosure vulnerability exists due to     improper handling of restricted column values in     constraint-violation error messages. An authenticated,     remote attacker can exploit this to gain access to     sensitive information. (CVE-2014-8161)

  - A flaw exists within the Domain Name Service due to an     error in the code used to follow delegations. A remote     attacker, with a maliciously-constructed zone or query,     can cause the service to issue unlimited queries,     resulting in resource exhaustion. (CVE-2014-8500)

  - A flaw exists in the lua_websocket_read() function in     the 'mod_lua' module due to incorrect handling of     WebSocket PING frames. A remote attacker can exploit     this, by sending a crafted WebSocket PING frame after a     Lua script has called the wsupgrade() function, to crash     a child process, resulting in a denial of service     condition. (CVE-2015-0228)

  - Multiple vulnerabilities exist due to several buffer     overflow errors related to the 'to_char' functions. An     authenticated, remote attacker can exploit these issues     to cause a denial of service or arbitrary code     execution. (CVE-2015-0241)

  - Multiple vulnerabilities exist due to several     stack-based buffer overflow errors in various *printf()     functions. The overflows are due to improper validation     of user-supplied input when formatting a floating point     number where the requested precision is greater than     approximately 500. An authenticated, remote attacker     can exploit these issues to cause a denial of service or     arbitrary code execution. (CVE-2015-0242)

  - Multiple vulnerabilities exist due to an overflow     condition in multiple functions in the 'pgcrypto'     extension. The overflows are due to improper validation     of user-supplied input when tracking memory sizes. An     authenticated, remote attacker can exploit these issues     to cause a denial of service or arbitrary code     execution. (CVE-2015-0243)

  - A SQL injection vulnerability exists due to improper     sanitization of user-supplied input when handling     crafted binary data within a command parameter. An     authenticated, remote attacker can exploit this issue     to inject or manipulate SQL queries, allowing the     manipulation or disclosure of arbitrary data.
    (CVE-2015-0244)

  - A NULL pointer dereference flaw exists in the     read_request_line() function due to a failure to     initialize the protocol structure member. A remote     attacker can exploit this flaw, on installations that     enable the INCLUDES filter and has an ErrorDocument 400     directive specifying a local URI, by sending a request     that lacks a method, to cause a denial of service     condition. (CVE-2015-0253)

  - A denial of service vulnerability exists due to an error     relating to DNSSEC validation and the managed-keys     feature. A remote attacker can trigger an incorrect     trust-anchor management scenario in which no key is     ready for use, resulting in an assertion failure and     daemon crash. (CVE-2015-1349)

  - A flaw exists in PostgreSQL client disconnect timeout     expiration that is triggered when a timeout interrupt     is fired partway through the session shutdown sequence.     (CVE-2015-3165)

  - A flaw exists in the printf() functions due to a failure     to check for errors. A remote attacker can use this to     gain access to sensitive information. (CVE-2015-3166)

  - The pgcrypto component in PostgreSQL has multiple error     messages for decryption with an incorrect key. A remote     attacker can use this to recover keys from other     systems. (CVE-2015-3167)

  - A flaw exists in the chunked transfer coding     implementation due to a failure to properly parse chunk     headers. A remote attacker can exploit this to conduct     HTTP request smuggling attacks. (CVE-2015-3183)

  - A flaw exists in the ap_some_auth_required() function     due to a failure to consider that a Require directive     may be associated with an authorization setting rather     than an authentication setting. A remote attacker can     exploit this, if a module that relies on the 2.2 API     behavior exists, to bypass intended access restrictions.
    (CVE-2015-3185)

  - Multiple unspecified XML flaws exist in the Wiki Server     based on Twisted. (CVE-2015-5911)

The remote host is running a version of Mac OS X 10.8.5 or 10.9.5 that is missing Security Update 2015-006. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache
  - apache_mod_php
  - CoreText
  - FontParser
  - Libinfo
  - libxml2
  - OpenSSL
  - perl
  - PostgreSQL
  - QL Office
  - Quartz Composer Framework
  - QuickTime 7
  - SceneKit

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.5. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache
  - apache_mod_php
  - Apple ID OD Plug-in
  - AppleGraphicsControl
  - Bluetooth
  - bootp
  - CloudKit
  - CoreMedia Playback
  - CoreText
  - curl
  - Data Detectors Engine
  - Date & Time pref pane
  - Dictionary Application
  - DiskImages
  - dyld
  - FontParser
  - groff
  - ImageIO
  - Install Framework Legacy
  - IOFireWireFamily
  - IOGraphics
  - IOHIDFamily
  - Kernel
  - Libc
  - Libinfo
  - libpthread
  - libxml2
  - libxpc
  - mail_cmds
  - Notification Center OSX
  - ntfs
  - OpenSSH
  - OpenSSL
  - perl
  - PostgreSQL
  - python
  - QL Office
  - Quartz Composer Framework
  - Quick Look
  - QuickTime 7
  - SceneKit
  - Security
  - SMBClient
  - Speech UI
  - sudo
  - tcpdump
  - Text Formats
  - udf 

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

Update to new version 2.4.12.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Apache2 updated to fix four security issues and one non-security bug.

The following vulnerabilities have been fixed :

  - mod_headers rules could be bypassed via chunked     requests. Adds 'MergeTrailers' directive to restore     legacy behavior. (bsc#871310, CVE-2013-5704)

  - An empty value in Content-Type could lead to a crash     through a null pointer dereference and a denial of     service. (bsc#899836, CVE-2014-3581)

  - Remote attackers could bypass intended access     restrictions in mod_lua LuaAuthzProvider when multiple     Require directives with different arguments are used.
    (bsc#909715, CVE-2014-8109)

  - Remote attackers could cause a denial of service     (child-process crash) by sending a crafted WebSocket     Ping frame after a Lua script has called the wsupgrade     function. (bsc#918352, CVE-2015-0228)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Updated apache packages fix security vulnerabilities :

Apache HTTPD before 2.4.9 was vulnerable to a denial of service in mod_dav when handling DAV_WRITE requests (CVE-2013-6438).

Apache HTTPD before 2.4.9 was vulnerable to a denial of service when logging cookies (CVE-2014-0098).

A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the apache user (CVE-2014-0226).

A denial of service flaw was found in the mod_proxy httpd module. A remote attacker could send a specially crafted request to a server configured as a reverse proxy using a threaded Multi-Processing Modules (MPM) that would cause the httpd child process to crash (CVE-2014-0117).

A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the DEFLATE input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system (CVE-2014-0118).

A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely (CVE-2014-0231).

A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled (CVE-2014-3581).

mod_lua.c in the mod_lua module in the Apache HTTP Server through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory (CVE-2014-8109).

In the mod_lua module in the Apache HTTP Server through 2.4.10, a maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash (CVE-2015-0228).

A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers (CVE-2013-5704).

Note: With this update, httpd has been modified to not merge HTTP Trailer headers with other HTTP request headers. A newly introduced configuration directive MergeTrailers can be used to re-enable the old method of processing Trailer headers, which also re-introduces the aforementioned flaw.

This update also fixes the following bug :

Prior to this update, the mod_proxy_wstunnel module failed to set up an SSL connection when configured to use a back end server using the wss: URL scheme, causing proxied connections to fail. In these updated packages, SSL is used when proxying to wss: back end servers (rhbz#1141950).

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2523-1 advisory.

    Martin Holst Swende discovered that the mod_headers module allowed HTTP trailers to replace HTTP headers     during request processing. A remote attacker could possibly use this issue to bypass RequestHeaders     directives. (CVE-2013-5704)

    Mark Montague discovered that the mod_cache module incorrectly handled empty HTTP Content-Type headers. A     remote attacker could use this issue to cause the server to stop responding, leading to a denial of     service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-3581)

    Teguh P. Alko discovered that the mod_proxy_fcgi module incorrectly handled long response headers. A     remote attacker could use this issue to cause the server to stop responding, leading to a denial of     service. This issue only affected Ubuntu 14.10. (CVE-2014-3583)

    It was discovered that the mod_lua module incorrectly handled different arguments within different     contexts. A remote attacker could possibly use this issue to bypass intended access restrictions. This     issue only affected Ubuntu 14.10. (CVE-2014-8109)

    Guido Vranken discovered that the mod_lua module incorrectly handled a specially crafted websocket PING in     certain circumstances. A remote attacker could possibly use this issue to cause the server to stop     responding, leading to a denial of service. This issue only affected Ubuntu 14.10. (CVE-2015-0228)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory. (CVE-2014-8109)

A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.
(CVE-2013-5704)

A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled.
(CVE-2014-3581)

The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers. (CVE-2014-3583)

Versions of Apache HTTP Server 2.3.x / 2.4.x prior to 2.4.12 are affected by an authorization bypass vulnerability because of insufficient authorization enforcement in LuaAuthzProvider. Specifically, this issue affects the 'mod_lua.c' module when LuaAuthzProvider is used in multiple Require directives with different arguments. Attackers can exploit this issue using readily available tools to obtain sensitive information that may aid in further attacks.

According to its banner, the version of Apache 2.4.x running on the remote host is prior to 2.4.12. It is, therefore, affected by the following vulnerabilities :

  - A flaw exists in module mod_headers that can allow HTTP     trailers to replace HTTP headers late during request     processing, which a remote attacker can exploit to     inject arbitrary headers. This can also cause some     modules to function incorrectly or appear to function     incorrectly. (CVE-2013-5704)

  - A NULL pointer dereference flaw exists in module     mod_cache. A remote attacker, using an empty HTTP     Content-Type header, can exploit this vulnerability to     crash a caching forward proxy configuration, resulting     in a denial of service if using a threaded MPM.
    (CVE-2014-3581)

  - A out-of-bounds memory read flaw exists in module     mod_proxy_fcgi. An attacker, using a remote FastCGI     server to send long response headers, can exploit this     vulnerability to cause a denial of service by causing     a buffer over-read. (CVE-2014-3583)

  - A flaw exists in module mod_lua when handling a     LuaAuthzProvider used in multiple Require directives     with different arguments. An attacker can exploit this     vulnerability to bypass intended access restrictions.
    (CVE-2014-8109)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Apache HTTP SERVER PROJECT reports : mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with response headers' size above 8K.

mod_cache: Avoid a crash when Content-Type has an empty value. PR 56924.

mod_lua: Fix handling of the Require line when a LuaAuthzProvider is used in multiple Require directives with different arguments. PR57204.

core: HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. Adds 'MergeTrailers' directive to restore legacy behavior.

Apache2 was updated to fix bugs and security issues.

Security issues fixed: CVE-2013-5704: Added a change to fix a flaw in the way mod_headers handled chunked requests. Adds 'MergeTrailers' directive to restore legacy behavior [bnc#871310],

CVE-2014-8109: Fixes handling of the Require line when a LuaAuthzProvider is used in multiple Require directives with different arguments.

Bugfixes :

  - changed apache2.service file to fix situation where     apache won't start at boot when using an encrypted     certificate because user isn't prompted for password     during boot [bnc#792309].

  - added <IfModule> around SSLSessionCache to avoid failing     to start [bnc#842377], [bnc#849445] and [bnc#864166].

ID	Name	Product	Family	Severity
198675	RHEL 7 : httpd (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
135617	EulerOS Virtualization 3.0.2.2 : httpd (EulerOS-SA-2020-1455)	Nessus	Huawei Local Security Checks	medium
134539	EulerOS Virtualization for ARM 64 3.0.2.0 : httpd (EulerOS-SA-2020-1250)	Nessus	Huawei Local Security Checks	medium
130866	EulerOS 2.0 SP5 : httpd (EulerOS-SA-2019-2157)	Nessus	Huawei Local Security Checks	medium
98907	Apache 2.4.x < 2.4.12 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
99802	EulerOS 2.0 SP1 : httpd (EulerOS-SA-2016-1039)	Nessus	Huawei Local Security Checks	medium
8981	Mac OS X < 10.10.5 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	high
86066	Mac OS X : OS X Server < 5.0.3 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
85409	Mac OS X Multiple Vulnerabilities (Security Update 2015-006)	Nessus	MacOS X Local Security Checks	high
85408	Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
83963	Fedora 21 : httpd-2.4.12-1.fc21 (2015-9216)	Nessus	Fedora Local Security Checks	medium
83945	SUSE SLES12 Security Update : apache2 (SUSE-SU-2015:0974-1)	Nessus	SuSE Local Security Checks	medium
82916	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : httpd (SSA:2015-111-03)	Nessus	Slackware Local Security Checks	medium
82346	Mandriva Linux Security Advisory : apache (MDVSA-2015:093)	Nessus	Mandriva Local Security Checks	medium
81755	Ubuntu 14.04 LTS : Apache HTTP Server vulnerabilities (USN-2523-1)	Nessus	Ubuntu Local Security Checks	high
81329	Amazon Linux AMI : httpd24 (ALAS-2015-483)	Nessus	Amazon Linux Local Security Checks	medium
8587	Apache HTTP Server 2.3.x / 2.4.x < 2.4.12 Authorization Bypass	Nessus Network Monitor	Web Servers	low
81126	Apache 2.4.x < 2.4.12 Multiple Vulnerabilities	Nessus	Web Servers	medium
81116	FreeBSD : apache24 -- several vulnerabilities (5804b9d4-a959-11e4-9363-20cf30e32f6d)	Nessus	FreeBSD Local Security Checks	medium
80300	openSUSE Security Update : apache2 (openSUSE-SU-2014:1726-1)	Nessus	SuSE Local Security Checks	medium

Detections

Analytics

CVE-2014-8109

high

Tenable Plugins

critical

medium

medium

medium

high

medium

high

critical

high

high

medium

medium

medium

medium

high

medium

low

medium

medium

medium