Apache HTTP Server 2.4.x < 2.4.16 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 8970

Synopsis

The remote web server is missing an Apache HTTP Server patch update.

Description

The version of Apache HTTP Server 2.4 installed on the remote host is prior to 2.4.13. It is, therefore, affected by the following vulnerabilities :

- A flaw exists in the lua_websocket_read() function in the 'mod_lua' module due to incorrect handling of WebSocket PING frames. A remote attacker can exploit this, by sending a crafted WebSocket PING frame after a Lua script has called the wsupgrade() function, to crash a child process, resulting in a denial of service condition. (CVE-2015-0228)
- A NULL pointer dereference flaw exists in the read_request_line() function due to a failure to initialize the protocol structure member. A remote attacker can exploit this flaw, on installations that enable the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI, by sending a request that lacks a method, to cause a denial of service condition. (CVE-2015-0253)
- A flaw exists in the chunked transfer coding implementation due to a failure to properly parse chunk headers. A remote attacker can exploit this to conduct HTTP request smuggling attacks. (CVE-2015-3183)
- A security bypass flaw affects mod_authz_svn related to a failure to properly restrict anonymous access. This may allow anonymous access in scenarios where it is intended to be restricted to authenticated users. (CVE-2015-3184)
- A flaw exists in the ap_some_auth_required() function due to a failure to consider that a Require directive may be associated with an authorization setting rather than an authentication setting. A remote attacker can exploit this, if a module that relies on the 2.2 API behavior exists, to bypass intended access restrictions. (CVE-2015-3185)
- A flaw exists in the RC4 algorithm due to an initial double-byte bias in the keystream generation. An attacker can exploit this, via Bayesian analysis that combines a priori plaintext distribution with keystream distribution statistics, to conduct a plaintext recovery of the ciphertext. Note that RC4 cipher suites are now prohibited per RFC 7465. This issue was fixed in Apache version 2.4.13; however, 2.4.13, 2.4.14, and 2.4.15 were never publicly released. (CVE-2015-2808)

Solution

Upgrade to Apache HTTP Server version 2.4.16 or later.

See Also

http://www.apache.org/dist/httpd/CHANGES_2.4.16

http://httpd.apache.org/security/vulnerabilities_24.html

https://tools.ietf.org/html/rfc7465

http://www.nessus.org/u?e9892f49

Plugin Details

Severity: Medium

ID: 8970

Family: Web Servers

Published: 10/9/2015

Updated: 3/6/2019

Nessus ID: 84959

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 5.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:http_server

Patch Publication Date: 7/15/2015

Vulnerability Publication Date: 2/3/2015

Reference Information

CVE: CVE-2015-0228, CVE-2015-0253, CVE-2015-2808, CVE-2015-3183, CVE-2015-3184, CVE-2015-3185

BID: 73041, 75963, 75964, 75965