A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:1915 advisory.

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in     mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team     could create one, though some particular compiler and/or compilation option might make it possible, with     limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow     (CVE-2020-35452)

  - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead     to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
    (CVE-2021-33193)

  - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and     crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)

  - A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL     pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for     requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This     issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). (CVE-2021-44224)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3351 advisory.

  - A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool     (heap) memory location beyond the header value sent. This could cause the process to crash. This issue     affects Apache HTTP Server 2.4.54 and earlier. (CVE-2006-20001)

  - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead     to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
    (CVE-2021-33193)

  - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of     Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This     issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.
    (CVE-2022-36760)

  - Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated     early, resulting in some headers being incorporated into the response body. If the later headers have any     security purpose, they will not be interpreted by the client. (CVE-2022-37436)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:7143 advisory.

    Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This     software, such as Apache HTTP Server, is common to multiple JBoss middleware products and packaged under     Red Hat JBoss Core Services, to allow for faster distribution of updates and for a more consistent update     experience.

    This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51 serves as a replacement for Red Hat     JBoss Core Services Apache HTTP Server 2.4.37 Service Pack 10, and includes bug fixes and enhancements,     which are documented in the Release Notes linked to in the References section.

    Security Fix(es):

    * httpd: Request splitting via HTTP/2 method injection and mod_proxy (CVE-2021-33193)

    * httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path (CVE-2021-36160)

    * httpd: Out-of-bounds write in ap_escape_quotes() via malicious input (CVE-2021-39275)

    * httpd: NULL pointer dereference via crafted request during HTTP/2 request processing (CVE-2021-41524)

    * httpd: possible NULL dereference or SSRF in forward proxy configurations (CVE-2021-44224)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6753 advisory.

    The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

    Security Fix(es):

    * httpd: mod_sed: Read/write beyond bounds (CVE-2022-23943)

    * httpd: Request splitting via HTTP/2 method injection and mod_proxy (CVE-2021-33193)

    * httpd: NULL pointer dereference via malformed requests (CVE-2021-34798)

    * httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path (CVE-2021-36160)

    * httpd: Out-of-bounds write in ap_escape_quotes() via malicious input (CVE-2021-39275)

    * httpd: possible NULL dereference or SSRF in forward proxy configurations (CVE-2021-44224)

    * httpd: mod_lua: Use of uninitialized value of in r:parsebody (CVE-2022-22719)

    * httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (CVE-2022-22721)

    * httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)

    * httpd: mod_lua: DoS in r:parsebody (CVE-2022-29404)

    * httpd: mod_sed: DoS vulnerability (CVE-2022-30522)

    * httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism (CVE-2022-31813)

    * httpd: out-of-bounds read via ap_rwrite() (CVE-2022-28614)

    * httpd: out-of-bounds read in ap_strcmp_match() (CVE-2022-28615)

    * httpd: mod_lua: Information disclosure with websockets (CVE-2022-30556)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * proxy rewrite to unix socket fails with CVE-2021-40438 fix (BZ#2022319)

    Additional changes:

    * To fix CVE-2022-29404, the default value for the LimitRequestBody directive in the Apache HTTP Server     has been changed from 0 (unlimited) to 1 GiB.

    On systems where the value of LimitRequestBody is not explicitly specified in an httpd configuration     file, updating the httpd package sets LimitRequestBody to the default value of 1 GiB. As a consequence,     if the total size of the HTTP request body exceeds this 1 GiB default limit, httpd returns the 413 Request     Entity Too Large error code.

    If the new default allowed size of an HTTP request message body is insufficient for your use case, update     your httpd configuration files within the respective context (server, per-directory, per-file, or per-     location) and set your preferred limit in bytes. For example, to set a new 2 GiB limit, use:

    LimitRequestBody 2147483648

    Systems already configured to use any explicit value for the LimitRequestBody directive are unaffected     by this change.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202208-20 (Apache HTTPD: Multiple Vulnerabilities)

  - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead     to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
    (CVE-2021-33193)

  - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP     Server 2.4.48 and earlier. (CVE-2021-34798)

  - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and     crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)

  - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules     pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache     HTTP Server 2.4.48 and earlier. (CVE-2021-39275)

  - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the     remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)

  - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request     processing, allowing an external source to DoS the server. This requires a specially crafted request. The     vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.
    (CVE-2021-41524)

  - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could     use a path traversal attack to map URLs to files outside the directories configured by Alias-like     directives. If files outside of these directories are not protected by the usual default configuration     require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased     pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This     issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found     to be incomplete, see CVE-2021-42013. (CVE-2021-41773)

  - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker     could use a path traversal attack to map URLs to files outside the directories configured by Alias-like     directives. If files outside of these directories are not protected by the usual default configuration     require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased     pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache     2.4.50 and not earlier versions. (CVE-2021-42013)

  - A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL     pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for     requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This     issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). (CVE-2021-44224)

  - A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser     (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the     vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and     earlier. (CVE-2021-44790)

  - A carefully crafted request body can cause a read to a random memory area which could cause the process to     crash. This issue affects Apache HTTP Server 2.4.52 and earlier. (CVE-2022-22719)

  - Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered     discarding the request body, exposing the server to HTTP Request Smuggling (CVE-2022-22720)

  - If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems     an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server     2.4.52 and earlier. (CVE-2022-22721)

  - Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap     memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and     prior versions. (CVE-2022-23943)

  - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of     Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This     issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.
    (CVE-2022-26377)

  - The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an     attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with     mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use     the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against     current headers to resolve the issue. (CVE-2022-28614)

  - Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in     ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the     server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may     hypothetically be affected. (CVE-2022-28615)

  - In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0)     may cause a denial of service due to no default limit on possible input size. (CVE-2022-29404)

  - If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input     to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.
    (CVE-2022-30522)

  - Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point     past the end of the storage allocated for the buffer. (CVE-2022-30556)

  - Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on     client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on     the origin server/application. (CVE-2022-31813)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-1915 advisory.

    - Resolves: #2035030 - CVE-2021-44224 httpd:2.4/httpd: possible NULL dereference       or SSRF in forward proxy configurations

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:1915 advisory.

  - Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in     mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team     could create one, though some particular compiler and/or compilation option might make it possible, with     limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow     (CVE-2020-35452)

  - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead     to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
    (CVE-2021-33193)

  - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and     crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)

  - A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL     pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for     requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This     issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). (CVE-2021-44224)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:1915 advisory.

    The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

    Security Fix(es):

    * httpd: Request splitting via HTTP/2 method injection and mod_proxy (CVE-2021-33193)

    * httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path (CVE-2021-36160)

    * httpd: possible NULL dereference or SSRF in forward proxy configurations (CVE-2021-44224)

    * httpd: Single zero byte stack overflow in mod_auth_digest (CVE-2020-35452)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.6 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2022:1915 advisory.

  - httpd: Single zero byte stack overflow in mod_auth_digest (CVE-2020-35452)

  - httpd: Request splitting via HTTP/2 method injection and mod_proxy (CVE-2021-33193)

  - httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path (CVE-2021-36160)

  - httpd: possible NULL dereference or SSRF in forward proxy configurations (CVE-2021-44224)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2022-9276 advisory.

    [2.4.37-43.0.3.3]
    - Resolves: CVE-2021-33193 a crafted method sent through HTTP/2 will       bypass validation [Orabug: 33942809]

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is prior to 5.19.2 and is missing a security patch, SC-202110.1.  It is therefore, affected by multiple vulnerabilities in the Apache subcomponent of Security Center. 

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The version of httpd24 installed on the remote host is prior to 2.4.51-1.94. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2021-1543 advisory.

  - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead     to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
    (CVE-2021-33193)

  - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP     Server 2.4.48 and earlier. (CVE-2021-34798)

  - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and     crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)

  - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules     pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache     HTTP Server 2.4.48 and earlier. (CVE-2021-39275)

  - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the     remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)

  - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request     processing, allowing an external source to DoS the server. This requires a specially crafted request. The     vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.
    (CVE-2021-41524)

  - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could     use a path traversal attack to map URLs to files outside the directories configured by Alias-like     directives. If files outside of these directories are not protected by the usual default configuration     require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased     pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This     issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found     to be incomplete, see CVE-2021-42013. (CVE-2021-41773)

  - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker     could use a path traversal attack to map URLs to files outside the directories configured by Alias-like     directives. If files outside of these directories are not protected by the usual default configuration     require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased     pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache     2.4.50 and not earlier versions. (CVE-2021-42013)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of httpd installed on the remote host is prior to 2.4.51-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1716 advisory.

  - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead     to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
    (CVE-2021-33193)

  - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP     Server 2.4.48 and earlier. (CVE-2021-34798)

  - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and     crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)

  - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules     pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache     HTTP Server 2.4.48 and earlier. (CVE-2021-39275)

  - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the     remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)

  - While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request     processing, allowing an external source to DoS the server. This requires a specially crafted request. The     vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.
    (CVE-2021-41524)

  - A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could     use a path traversal attack to map URLs to files outside the directories configured by Alias-like     directives. If files outside of these directories are not protected by the usual default configuration     require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased     pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This     issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found     to be incomplete, see CVE-2021-42013. (CVE-2021-41773)

  - It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker     could use a path traversal attack to map URLs to files outside the directories configured by Alias-like     directives. If files outside of these directories are not protected by the usual default configuration     require all denied, these requests can succeed. If CGI scripts are also enabled for these aliased     pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache     2.4.50 and not earlier versions. (CVE-2021-42013)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3335-1 advisory.

  - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead     to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
    (CVE-2021-33193)

  - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP     Server 2.4.48 and earlier. (CVE-2021-34798)

  - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and     crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)

  - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules     pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache     HTTP Server 2.4.48 and earlier. (CVE-2021-39275)

  - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the     remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the httpd package has been released.

The Apache project reports :

- moderate: Request splitting via HTTP/2 method injection and mod_proxy (CVE-2021-33193)

- moderate: NULL pointer dereference in httpd core (CVE-2021-34798)

- moderate: mod_proxy_uwsgi out of bound read (CVE-2021-36160)

- low: ap_escape_quotes buffer overflow (CVE-2021-39275)

- high: mod_proxy SSRF (CVE-2021-40438)

The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5090-1 advisory.

    James Kettle discovered that the Apache HTTP Server HTTP/2 module incorrectly handled certain crafted     methods. A remote attacker could possibly use this issue to perform request splitting or cache poisoning     attacks. (CVE-2021-33193)

    It was discovered that the Apache HTTP Server incorrectly handled certain malformed requests. A remote     attacker could possibly use this issue to cause the server to crash, resulting in a denial of service.
    (CVE-2021-34798)

    Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly handled certain request uri-     paths. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial     of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04. (CVE-2021-36160)

    It was discovered that the Apache HTTP Server incorrectly handled escaping quotes. If the server was     configured with third-party modules, a remote attacker could use this issue to cause the server to crash,     resulting in a denial of service, or possibly execute arbitrary code. (CVE-2021-39275)

    It was discovered that the Apache mod_proxy module incorrectly handled certain request uri-paths. A remote     attacker could possibly use this issue to cause the server to forward requests to arbitrary origin     servers. (CVE-2021-40438)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache httpd installed on the remote host is greater than 2.4.17 and prior to 2.4.49. It is, therefore, affected by a vulnerability as referenced in the 2.4.49 changelog. A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of httpd installed on the remote host is prior to 2.4.49. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2021-259-01 advisory.

  - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead     to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
    (CVE-2021-33193)

  - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP     Server 2.4.48 and earlier. (CVE-2021-34798)

  - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and     crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)

  - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules     pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache     HTTP Server 2.4.48 and earlier. (CVE-2021-39275)

  - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the     remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.49. It is, therefore, affected by multiple vulnerabilities:

 - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. (CVE-2021-33193)

 - Malformed requests may cause the server to dereference a NULL pointer. (CVE-2021-34798)

 - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). (CVE-2021-36160)

 - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. (CVE-2021-39275)

 - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. (CVE-2021-40438)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:1234-1 advisory.

  - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead     to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
    (CVE-2021-33193)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED12 / SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2021:2918-1 advisory.

  - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead     to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
    (CVE-2021-33193)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:2954-1 advisory.

  - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead     to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
    (CVE-2021-33193)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2021:2954-1 advisory.

  - A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead     to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
    (CVE-2021-33193)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
184621	Rocky Linux 8 : httpd:2.4 (RLSA-2022:1915)	Nessus	Rocky Linux Local Security Checks	high
172449	Debian DLA-3351-1 : apache2 - LTS security update	Nessus	Debian Local Security Checks	critical
166564	RHEL 7 / 8 : Red Hat JBoss Core Services Apache HTTP Server 2.4.51 (RHSA-2022:7143)	Nessus	Red Hat Local Security Checks	critical
165553	RHEL 7 : httpd24-httpd (RHSA-2022:6753)	Nessus	Red Hat Local Security Checks	critical
164114	GLSA-202208-20 : Apache HTTPD: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
161278	Oracle Linux 8 : httpd:2.4 (ELSA-2022-1915)	Nessus	Oracle Linux Local Security Checks	high
161133	AlmaLinux 8 : httpd:2.4 (ALSA-2022:1915)	Nessus	Alma Linux Local Security Checks	high
161044	RHEL 8 : httpd:2.4 (RHSA-2022:1915)	Nessus	Red Hat Local Security Checks	high
160957	CentOS 8 : httpd:2.4 (CESA-2022:1915)	Nessus	CentOS Local Security Checks	high
159728	Oracle Linux 8 : httpd:2.4 (ELSA-2022-9276)	Nessus	Oracle Linux Local Security Checks	high
154240	Tenable SecurityCenter 5.16.0 < 5.19.2 Multiple Vulnerabilities (TNS-2021-17)	Nessus	Misc.	critical
154188	Amazon Linux AMI : httpd24 (ALAS-2021-1543)	Nessus	Amazon Linux Local Security Checks	critical
154179	Amazon Linux 2 : httpd (ALAS-2021-1716)	Nessus	Amazon Linux Local Security Checks	critical
154067	SUSE SLES15 Security Update : apache2 (SUSE-SU-2021:3335-1)	Nessus	SuSE Local Security Checks	critical
153939	Photon OS 3.0: Httpd PHSA-2021-3.0-0305	Nessus	PhotonOS Local Security Checks	high
153816	FreeBSD : Apache httpd -- multiple vulnerabilities (882a38f9-17dd-11ec-b335-d4c9ef517024)	Nessus	FreeBSD Local Security Checks	critical
153768	Ubuntu 18.04 LTS / 20.04 LTS : Apache HTTP Server vulnerabilities (USN-5090-1)	Nessus	Ubuntu Local Security Checks	critical
153743	Photon OS 2.0: Httpd PHSA-2021-2.0-0393	Nessus	PhotonOS Local Security Checks	high
153689	Photon OS 1.0: Httpd PHSA-2021-1.0-0435	Nessus	PhotonOS Local Security Checks	high
153585	Apache >= 2.4.17 < 2.4.49 mod_http2	Nessus	Web Servers	high
153456	Slackware Linux 14.0 / 14.1 / 14.2 / current httpd Multiple Vulnerabilities (SSA:2021-259-01)	Nessus	Slackware Local Security Checks	critical
112981	Apache 2.4.x < 2.4.49 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
153114	openSUSE 15 Security Update : apache2 (openSUSE-SU-2021:1234-1)	Nessus	SuSE Local Security Checks	high
153022	SUSE SLED12 / SLES12 Security Update : apache2 (SUSE-SU-2021:2918-1)	Nessus	SuSE Local Security Checks	high
152998	openSUSE 15 Security Update : apache2 (openSUSE-SU-2021:2954-1)	Nessus	SuSE Local Security Checks	high
152993	SUSE SLED15 / SLES15 Security Update : apache2 (SUSE-SU-2021:2954-1)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2021-33193

high

Tenable Plugins

high

critical

critical

critical

critical

high

high

high

high

high

critical

critical

critical

critical

high

critical

critical

high

high

high

critical

critical

high

high

high

high