Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (January 2015 CPU)

high Nessus Plugin ID 81002

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

The version of Oracle HTTP Server installed on the remote host is affected by multiple vulnerabilities in the Web Listener subcomponent :

- An integer overflow condition exists in libxml2 within file xpath.c, related to XPath expressions when adding a new namespace note. An unauthenticated, remote attacker can exploit this, via a crafted XML file, to cause a denial of service condition or the execution of arbitary code. (CVE-2011-1944)

- An integer overflow condition exists in the HTTP server, specifically in the ap_pregsub() function within file server/util.c, when the mod_setenvif module is enabled.
A local attacker can exploit this to gain elevated privileges by using an .htaccess file with a crafted combination of SetEnvIf directives and HTTP request headers. (CVE-2011-3607)

- A flaw exists in libxml2, known as the 'internal entity expansion' with linear complexity issue, that allows specially crafted XML files to consume excessive CPU and memory resources. An unauthenticated, remote attacker can exploit this to cause a denial of service condition by using a specially crafted XML file containing an entity declaration with long replacement text and many references to this entity. (CVE-2013-0338)

- An out-of-bounds read error exists in libxml2 within file parser.c due to a failure to check for the XML_PARSER_EOF state. An unauthenticated, remote attacker can exploit this, via a specially crafted document that ends abruptly, to cause a denial of service condition. (CVE-2013-2877)

- A flaw exists within the mod_headers module in the HTTP server which allows bypassing the 'RequestHeader unset' directives. An unauthenticated, remote attacker can exploit this to inject arbitrary headers. This is done by placing a header in the trailer portion of data being sent using chunked transfer encoding.
(CVE-2013-5704)

- A flaw exists in the dav_xml_get_cdata() function in file main/util.c within the HTTP server mod_dav module due to incorrect stripping of whitespace characters from the CDATA sections. An unauthenticated, remote attacker via a specially crafted DAV WRITE request, can exploit this to cause a denial of service condition.
(CVE-2013-6438)

- A flaw exists in the log_cookie() function in file mod_log_config.c within the HTTP server mod_log_config module due to improper handling of specially crafted cookies during truncation. An unauthenticated, remote attacker can exploit this to cause a denial of service condition via a segmentation fault. (CVE-2014-0098)

- A flaw exists in libxml2, specifically in the xmlParserHandlePEReference() function in file parser.c, due to loading external parameter entities even when entity substitution is disabled. An unauthenticated, remote attacker can exploit this issue, via a specially crafted XML file, to conduct XML External Entity (XXE) attacks that exhaust CPU and memory resources, resulting in a denial of service condition. (CVE-2014-0191)

- A race condition exists in the HTTP server within the mod_status module when using a threaded Multi-Processing Module (MPM). If an unauthenticated, remote attacker is able to access status pages served by mod_status, the attacker can exploit this issue, by sending specially crafted requests, to cause the httpd child process to crash or possibly execute arbitrary code with the privileges of the user running the web server.
(CVE-2014-0226)

- An unspecified flaw exists in the Web Listener subcomponent that allows an unauthenticated, remote attacker to impact confidentiality, integrity, and availability. (CVE-2014-6571)

- An unspecified flaw exists in the J2EE subcomponent that allows an unauthenticated, remote attacker to disclose potentially sensitive information. (CVE-2015-0372)

- An unspecified flaw exists in the Web Listener subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition.
(CVE-2015-0386)

Solution

Apply the appropriate patch according to the January 2015 Oracle Critical Patch Update advisory.

See Also

http://www.nessus.org/u?75c6cafb

Plugin Details

Severity: High

ID: 81002

File Name: oracle_http_server_cpu_jan_2015.nasl

Version: 1.27

Type: local

Agent: windows, macosx, unix

Family: Web Servers

Published: 1/27/2015

Updated: 6/19/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2013-5704

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:fusion_middleware, cpe:/a:oracle:http_server

Required KB Items: Oracle/OHS/Installed

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/20/2015

Vulnerability Publication Date: 3/23/2011

Reference Information

CVE: CVE-2003-1418, CVE-2011-1944, CVE-2011-3607, CVE-2013-0338, CVE-2013-2877, CVE-2013-5704, CVE-2013-6438, CVE-2014-0098, CVE-2014-0191, CVE-2014-0226, CVE-2014-6571, CVE-2015-0372, CVE-2015-0386, CVE-2015-2808, CVE-2016-2183

BID: 48056, 50494, 58180, 61050, 66303, 66550, 67233, 68678, 72143, 72183, 72193, 73684, 92630

CWE: 200