Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31).

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - httpd: mod_mime buffer overread (CVE-2017-7679)

  - httpd: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)

  - Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD allows remote attackers to obtain sensitive     information via (1) the ETag header, which reveals the inode number, or (2) multipart MIME boundary, which     reveals child process IDs (PID). (CVE-2003-1418)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - firefox: Possible integer overflow to fix inside XML_Parse in Expat (CVE-2016-9063)

  - httpd: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)

  - Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD allows remote attackers to obtain sensitive     information via (1) the ETag header, which reveals the inode number, or (2) multipart MIME boundary, which     reveals child process IDs (PID). (CVE-2003-1418)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

According to the versions of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Possible CRLF injection allowing HTTP response     splitting attacks for sites which use mod_userdir. This     issue was mitigated by changes made in 2.4.25 and     2.2.32 which prohibit CR or LF injection into the     'Location' or other outbound header key or value. Fixed     in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23).
    Fixed in Apache HTTP Server 2.2.32 (Affected     2.2.0-2.2.31).(CVE-2016-4975)

  - A specially crafted request could have crashed the     Apache HTTP Server prior to version 2.4.30, due to an     out of bound access after a size limit is reached by     reading the HTTP header. This vulnerability is     considered very hard if not impossible to trigger in     non-debug mode (both log and build level), so it is     classified as low risk for common server     usage.(CVE-2018-1301)

  - In Apache httpd 2.4.0 to 2.4.29, when mod_session is     configured to forward its session data to CGI     applications (SessionEnv on, not the default), a remote     user may influence their content by using a 'Session'     header. This comes from the 'HTTP_SESSION' variable     name used by mod_session to forward its data to CGIs,     since the prefix 'HTTP_' is also used by the Apache     HTTP Server to pass HTTP header fields, per CGI     specifications.(CVE-2018-1283)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.25. It is, therefore, affected by the following vulnerabilities :

 - A flaw exists in the mod_session_crypto module due to encryption for data and cookies using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default). An unauthenticated, remote attacker can exploit this, via a padding oracle attack, to decrypt information without knowledge of the encryption key, resulting in the disclosure of potentially sensitive information. (CVE-2016-0736)

 - A denial of service vulnerability exists in the mod_auth_digest module during client entry allocation. An unauthenticated, remote attacker can exploit this, via specially crafted input, to exhaust shared memory resources, resulting in a server crash. (CVE-2016-2161)

 - The Apache HTTP Server is affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5387)

 - A denial of service vulnerability exists in the mod_http2 module due to improper handling of the LimitRequestFields directive. An unauthenticated, remote attacker can exploit this, via specially crafted CONTINUATION frames in an HTTP/2 request, to inject unlimited request headers into the server, resulting in the exhaustion of memory resources. (CVE-2016-8740)

 - A flaw exists due to improper handling of whitespace patterns in user-agent headers. An unauthenticated, remote attacker can exploit this, via a specially crafted user-agent header, to cause the program to incorrectly process sequences of requests, resulting in interpreting responses incorrectly, polluting the cache, or disclosing the content from one request to a second downstream user-agent. (CVE-2016-8743)

 - A CRLF vulnerability exists in the mod_userdir module. An unauthenticated, remote attacker can exploit this, allowing HTTP response splitting attacks. (CVE-2016-4975)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for apache2 fixes the following issues :

Security issues fixed :

CVE-2016-8743: Fixed liberal whitespace interpretation accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. (bsc#1016715)

CVE-2016-4975: Fixed possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes which prohibit CR or LF injection into the 'Location' or other outbound header key or value. (bsc#1104826)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for apache2 fixes the following issues :

Security issues fixed :

  - CVE-2016-8743: Fixed liberal whitespace interpretation     accepted from requests and sent in response lines and     headers. Accepting these different behaviors represented     a security concern when httpd participates in any chain     of proxies or interacts with back-end application     servers, either through mod_proxy or using conventional     CGI mechanisms, and may result in request smuggling,     response splitting and cache pollution. (bsc#1016715)

  - CVE-2016-4975: Fixed possible CRLF injection allowing     HTTP response splitting attacks for sites which use     mod_userdir. This issue was mitigated by changes which     prohibit CR or LF injection into the 'Location' or other     outbound header key or value. (bsc#1104826) This update     was imported from the SUSE:SLE-12-SP2:Update update     project.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2186 advisory.

    This release adds the new Apache HTTP Server 2.4.29 packages that are part     of the JBoss Core Services offering.

    This release serves as a replacement for Red Hat JBoss Core Services     Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Refer to the Release Notes for     information on the most significant bug fixes,     enhancements and component upgrades included in this release.

    This release upgrades OpenSSL to version 1.0.2.n

    Security Fix(es):

    *  openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() (CVE-2016-2182)

    *  openssl: Insufficient TLS session ticket HMAC length checks (CVE-2016-6302)

    *  openssl: certificate message OOB reads (CVE-2016-6306)

    *  openssl: Carry propagating bug in Montgomery multiplication (CVE-2016-7055)

    *  openssl: Truncated packet could crash via OOB read (CVE-2017-3731)

    *  openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)

    *  openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)

    *  openssl: Read/write after SSL object in error state (CVE-2017-3737)

    *  openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)

    Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6306     and CVE-2016-7055. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of     CVE-2016-6306.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2185 advisory.

  - openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() (CVE-2016-2182)

  - httpd: CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir     (CVE-2016-4975)

  - openssl: Insufficient TLS session ticket HMAC length checks (CVE-2016-6302)

  - openssl: certificate message OOB reads (CVE-2016-6306)

  - openssl: Carry propagating bug in Montgomery multiplication (CVE-2016-7055)

  - openssl: Truncated packet could crash via OOB read (CVE-2017-3731)

  - openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)

  - openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)

  - openssl: Read/write after SSL object in error state (CVE-2017-3737)

  - openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update for httpd is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es) :

* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack.
(CVE-2016-0736)

* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)

* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)

Note: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue.

Bug Fix(es) :

* When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs.
(BZ#1420002)

* Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. (BZ#1429947)

* In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails.
(BZ#1420047)

Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for httpd is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es) :

* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack.
(CVE-2016-0736)

* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)

* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)

Note: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad Request' error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive 'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue.

Bug Fix(es) :

* When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs.
(BZ#1420002)

* Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. (BZ#1429947)

* In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails.
(BZ#1420047)

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.25. It is, therefore, affected by the following vulnerabilities :

  - A flaw exists in the mod_session_crypto module due to     encryption for data and cookies using the configured     ciphers with possibly either CBC or ECB modes of     operation (AES256-CBC by default). An unauthenticated,     remote attacker can exploit this, via a padding oracle     attack, to decrypt information without knowledge of the     encryption key, resulting in the disclosure of     potentially sensitive information. (CVE-2016-0736)

  - A denial of service vulnerability exists in the     mod_auth_digest module during client entry allocation.
    An unauthenticated, remote attacker can exploit this,     via specially crafted input, to exhaust shared memory     resources, resulting in a server crash. (CVE-2016-2161)

  - The Apache HTTP Server is affected by a     man-in-the-middle vulnerability known as 'httpoxy' due     to a failure to properly resolve namespace conflicts in     accordance with RFC 3875 section 4.1.18. The HTTP_PROXY     environment variable is set based on untrusted user data     in the 'Proxy' header of HTTP requests. The HTTP_PROXY     environment variable is used by some web client     libraries to specify a remote proxy server. An     unauthenticated, remote attacker can exploit this, via a     crafted 'Proxy' header in an HTTP request, to redirect     an application's internal HTTP traffic to an arbitrary     proxy server where it may be observed or manipulated.
    (CVE-2016-5387)

  - A denial of service vulnerability exists in the     mod_http2 module due to improper handling of the     LimitRequestFields directive. An unauthenticated, remote     attacker can exploit this, via specially crafted     CONTINUATION frames in an HTTP/2 request, to inject     unlimited request headers into the server, resulting in     the exhaustion of memory resources. (CVE-2016-8740)

  - A flaw exists due to improper handling of whitespace     patterns in user-agent headers. An unauthenticated,     remote attacker can exploit this, via a specially     crafted user-agent header, to cause the program to     incorrectly process sequences of requests, resulting in     interpreting responses incorrectly, polluting the cache,     or disclosing the content from one request to a second     downstream user-agent. (CVE-2016-8743)

  - A CRLF injection allowing HTTP response splitting attacks for     sites which use mod_userdir (CVE-2016-4975)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of Apache running on the remote host is 2.2.x prior to 2.2.32. It is, therefore, affected by the following vulnerabilities :

  - The Apache HTTP Server is affected by a     man-in-the-middle vulnerability known as 'httpoxy' due     to a failure to properly resolve namespace conflicts in     accordance with RFC 3875 section 4.1.18. The HTTP_PROXY     environment variable is set based on untrusted user data     in the 'Proxy' header of HTTP requests. The HTTP_PROXY     environment variable is used by some web client     libraries to specify a remote proxy server. An     unauthenticated, remote attacker can exploit this, via a     crafted 'Proxy' header in an HTTP request, to redirect     an application's internal HTTP traffic to an arbitrary     proxy server where it may be observed or manipulated.
    (CVE-2016-5387)

  - A flaw exists due to improper handling of whitespace     patterns in user-agent headers. An unauthenticated,     remote attacker can exploit this, via a specially     crafted user-agent header, to cause the program to     incorrectly process sequences of requests, resulting in     interpreting responses incorrectly, polluting the cache,     or disclosing the content from one request to a second     downstream user-agent. (CVE-2016-8743)

  - A CRLF injection allowing HTTP response splitting attacks for     sites which use mod_userdir (CVE-2016-4975)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
198611	RHEL 5 : httpd (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
198583	RHEL 6 : httpd (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
131894	EulerOS 2.0 SP2 : httpd (EulerOS-SA-2019-2402)	Nessus	Huawei Local Security Checks	medium
98910	Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (httpoxy)	Web App Scanning	Component Vulnerability	high
118291	SUSE SLES12 Security Update : apache2 (SUSE-SU-2018:2815-2)	Nessus	SuSE Local Security Checks	high
117789	openSUSE Security Update : apache2 (openSUSE-2018-1046)	Nessus	SuSE Local Security Checks	high
117695	SUSE SLES12 Security Update : apache2 (SUSE-SU-2018:2815-1)	Nessus	SuSE Local Security Checks	high
112199	SUSE SLES12 Security Update : apache2 (SUSE-SU-2018:2554-1)	Nessus	SuSE Local Security Checks	high
111147	RHEL 6 : Red Hat JBoss Core Services Apache HTTP Server 2.4.29 RHEL 6 (RHSA-2018:2186)	Nessus	Red Hat Local Security Checks	critical
111146	RHEL 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.29 RHEL 7 (RHSA-2018:2185)	Nessus	Red Hat Local Security Checks	critical
101445	Virtuozzo 7 : httpd / httpd-devel / httpd-manual / httpd-tools / etc (VZLSA-2017-0906)	Nessus	Virtuozzo Local Security Checks	high
99379	CentOS 7 : httpd (CESA-2017:0906)	Nessus	CentOS Local Security Checks	high
99340	RHEL 7 : httpd (RHSA-2017:0906)	Nessus	Red Hat Local Security Checks	high
96451	Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (httpoxy)	Nessus	Web Servers	high
96450	Apache 2.2.x < 2.2.32 Multiple Vulnerabilities (httpoxy)	Nessus	Web Servers	high

Detections

Analytics

CVE-2016-4975

medium

Tenable Plugins

critical

critical

medium

high

high

high

high

high

critical

critical

high

high

high

high

high