Several vulnerabilities have been found in the Apache HTTPD server.
CVE-2017-15710
Alex Nichols and Jakob Hirsch reported that mod_authnz_ldap, if
configured with AuthLDAPCharsetConfig, could cause an out of bound write
if supplied with a crafted Accept-Language header. This could
potentially be used for a Denial of Service attack.
CVE-2017-15715
Elar Lang discovered that the expression specified in <FilesMatch> could
match '$' to a newline character in a malicious filename, rather
than matching only the end of the filename. This could be exploited
in environments where uploads of some files are externally
blocked, but only by matching the trailing portion of the filename.
CVE-2018-1283
When mod_session is configured to forward its session data to CGI
applications (SessionEnv on, not the default), a remote user could
influence their content by using a "Session" header.
CVE-2018-1301
Robert Swiecki reported that a specially crafted request could have
crashed the Apache HTTP Server, due to an out of bound access after
a size limit is reached by reading the HTTP header.
CVE-2018-1303
Robert Swiecki reported that a specially crafted HTTP request header
could have crashed the Apache HTTP Server if using
mod_cache_socache, due to an out of bound read while preparing data
to be cached in shared memory.
CVE-2018-1312
Nicolas Daniels discovered that when generating an HTTP Digest
authentication challenge, the nonce sent by mod_auth_digest to
prevent replay attacks was not correctly generated using a
pseudo-random seed. In a cluster of servers using a common Digest
authentication configuration, HTTP requests could be replayed across
servers by an attacker without detection.
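The '$' anchoring behaviour described under CVE-2017-15715, shown as an added example that is not part of the advisory or of Apache's code. Python's re module stands in for the server's regex engine because its '$' has the same "end of string, or just before a final newline" meaning; the function names, patterns and filenames are constructed for illustration.

```python
import re


def harden(pattern: str) -> str:
    """Swap a trailing, unescaped '$' for '\\Z', which matches only at the
    true end of the string. Only a '$' at the very end of the pattern is
    handled; anchors inside groups or alternations need manual review."""
    if pattern.endswith("$"):
        body = pattern[:-1]
        backslashes = len(body) - len(body.rstrip("\\"))
        if backslashes % 2 == 0:  # an odd count means the '$' is a literal
            return body + r"\Z"
    return pattern


def is_newline_tolerant(pattern: str, probe: str) -> bool:
    """True if the pattern matches `probe` and still matches the same name
    with one newline appended, i.e. '$' accepted a position that is not
    the real end of the filename."""
    return (re.search(pattern, probe) is not None
            and re.search(pattern, probe + "\n") is not None)


def safe_upload_name(name: str) -> bool:
    """Upload-side check that does not depend on regex anchoring at all:
    reject empty names, dot entries, path separators and control bytes."""
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\\" in name:
        return False
    return not any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name)


def audit(patterns, probes):
    """For each pattern, list the probe names for which a trailing newline
    goes unnoticed, and give the pattern with a strict end anchor."""
    report = {}
    for pattern in patterns:
        hits = [name for name in probes if is_newline_tolerant(pattern, name)]
        report[pattern] = {"newline_tolerant_for": hits,
                           "hardened": harden(pattern)}
    return report


# Constructed sample data, not taken from any real configuration.
PATTERNS = [r"\.php$", r"\.(cgi|pl)$", r"\.php\Z"]
PROBES = ["shell.php", "run.cgi", "report.pdf"]

if __name__ == "__main__":
    for pattern, row in audit(PATTERNS, PROBES).items():
        print(f"{pattern!r}: tolerant for {row['newline_tolerant_for']}, "
              f"strict form {row['hardened']!r}")
    for name in ["report.pdf", "shell.php\n"]:
        print(f"{name!r} accepted by upload check: {safe_upload_name(name)}")
```

A filter that compares only the literal trailing characters and a matcher that uses '$' can disagree about the same name, which is why the upload check above rejects control characters outright.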
For the oldstable distribution (jessie), these problems have been fixed
in version 2.4.10-10+deb8u12.
For the stable distribution (stretch), these problems have been fixed in
version 2.4.25-3+deb9u4.
We recommend that you upgrade your apache2 packages.
For the detailed security status of apache2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/apache2
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Debian Security Advisory DSA-4164-1, Stefan Fritsch, April 03, 2018
Package: apache2
CVE ID: CVE-2017-15710 CVE-2017-15715 CVE-2018-1283 CVE-2018-1301 CVE-2018-1303 CVE-2018-1312
Mailing list: debian-security-announce@lists.debian.org
Original announcement: https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00090.html
(report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:22:04", "description": "This update :\n\n - fixes the **mod_md** default store directory\n\n - fixes a startup failure in certain **mod_ssl** vhost\n configurations\n\n----\n\nThis update includes the latest upstream release of the Apache HTTP\nServer, version 2.4.33. A number of security vulnerabilities are fixed\nin this release :\n\n - *Low*: Possible out of bound read in mod_cache_socache\n (CVE-2018-1303)\n\n - *Low*: Possible out of bound access after failure in\n reading the HTTP request (CVE-2018-1301)\n\n - *Low*: Weak Digest auth nonce generation in\n mod_auth_digest (CVE-2018-1312)\n\n - *Low*: <FilesMatch> bypass with a trailing newline in\n the file name (CVE-2017-15715)\n\n - *Low*: Out of bound write in mod_authnz_ldap when using\n too small Accept-Language values (CVE-2017-15710)\n\n - *Moderate*: Tampering of mod_session data for CGI\n applications (CVE-2018-1283)\n\nFor more information about changes in this release, see:\nhttps://www.apache.org/dist/httpd/CHANGES_2.4.33\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 19, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-05-14T00:00:00", "title": "Fedora 26 : httpd (2018-e6d9251471)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1301", "CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303", "CVE-2018-1283"], "modified": "2018-05-14T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:httpd", "cpe:/o:fedoraproject:fedora:26"], "id": 
"FEDORA_2018-E6D9251471.NASL", "href": "https://www.tenable.com/plugins/nessus/109745", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-e6d9251471.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(109745);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-15710\", \"CVE-2017-15715\", \"CVE-2018-1283\", \"CVE-2018-1301\", \"CVE-2018-1303\", \"CVE-2018-1312\");\n script_xref(name:\"FEDORA\", value:\"2018-e6d9251471\");\n\n script_name(english:\"Fedora 26 : httpd (2018-e6d9251471)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update :\n\n - fixes the **mod_md** default store directory\n\n - fixes a startup failure in certain **mod_ssl** vhost\n configurations\n\n----\n\nThis update includes the latest upstream release of the Apache HTTP\nServer, version 2.4.33. 
A number of security vulnerabilities are fixed\nin this release :\n\n - *Low*: Possible out of bound read in mod_cache_socache\n (CVE-2018-1303)\n\n - *Low*: Possible out of bound access after failure in\n reading the HTTP request (CVE-2018-1301)\n\n - *Low*: Weak Digest auth nonce generation in\n mod_auth_digest (CVE-2018-1312)\n\n - *Low*: <FilesMatch> bypass with a trailing newline in\n the file name (CVE-2017-15715)\n\n - *Low*: Out of bound write in mod_authnz_ldap when using\n too small Accept-Language values (CVE-2017-15710)\n\n - *Moderate*: Tampering of mod_session data for CGI\n applications (CVE-2018-1283)\n\nFor more information about changes in this release, see:\nhttps://www.apache.org/dist/httpd/CHANGES_2.4.33\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-e6d9251471\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected httpd package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"httpd-2.4.33-4.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-18T10:54:37", "description": "Alex Nichols and Jakob Hirsch discovered that the Apache HTTP Server\nmod_authnz_ldap module incorrectly handled missing charset encoding\nheaders. 
A remote attacker could possibly use this issue to cause the\nserver to crash, resulting in a denial of service. (CVE-2017-15710)\n\nElar Lang discovered that the Apache HTTP Server incorrectly handled\ncertain characters specified in <FilesMatch>. A remote attacker could\npossibly use this issue to upload certain files, contrary to\nexpectations. (CVE-2017-15715)\n\nIt was discovered that the Apache HTTP Server mod_session module\nincorrectly handled certain headers. A remote attacker could possibly\nuse this issue to influence session data. (CVE-2018-1283)\n\nRobert Swiecki discovered that the Apache HTTP Server incorrectly\nhandled certain requests. A remote attacker could possibly use this\nissue to cause the server to crash, leading to a denial of service.\n(CVE-2018-1301)\n\nRobert Swiecki discovered that the Apache HTTP Server\nmod_cache_socache module incorrectly handled certain headers. A remote\nattacker could possibly use this issue to cause the server to crash,\nleading to a denial of service. (CVE-2018-1303)\n\nNicolas Daniels discovered that the Apache HTTP Server incorrectly\ngenerated the nonce when creating HTTP Digest authentication\nchallenges. A remote attacker could possibly use this issue to replay\nHTTP requests across a cluster of servers. (CVE-2018-1312).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 22, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-04-20T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : Apache HTTP Server vulnerabilities (USN-3627-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1301", "CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303", "CVE-2018-1283"], "modified": "2018-04-20T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:apache2-bin", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3627-1.NASL", "href": "https://www.tenable.com/plugins/nessus/109199", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3627-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109199);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2017-15710\", \"CVE-2017-15715\", \"CVE-2018-1283\", \"CVE-2018-1301\", \"CVE-2018-1303\", \"CVE-2018-1312\");\n script_xref(name:\"USN\", value:\"3627-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : Apache HTTP Server vulnerabilities (USN-3627-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Alex Nichols and Jakob Hirsch discovered that the Apache HTTP Server\nmod_authnz_ldap module incorrectly handled missing charset encoding\nheaders. A remote attacker could possibly use this issue to cause the\nserver to crash, resulting in a denial of service. (CVE-2017-15710)\n\nElar Lang discovered that the Apache HTTP Server incorrectly handled\ncertain characters specified in <FilesMatch>. A remote attacker could\npossibly use this issue to upload certain files, contrary to\nexpectations. (CVE-2017-15715)\n\nIt was discovered that the Apache HTTP Server mod_session module\nincorrectly handled certain headers. A remote attacker could possibly\nuse this issue to influence session data. (CVE-2018-1283)\n\nRobert Swiecki discovered that the Apache HTTP Server incorrectly\nhandled certain requests. A remote attacker could possibly use this\nissue to cause the server to crash, leading to a denial of service.\n(CVE-2018-1301)\n\nRobert Swiecki discovered that the Apache HTTP Server\nmod_cache_socache module incorrectly handled certain headers. A remote\nattacker could possibly use this issue to cause the server to crash,\nleading to a denial of service. 
(CVE-2018-1303)\n\nNicolas Daniels discovered that the Apache HTTP Server incorrectly\ngenerated the nonce when creating HTTP Digest authentication\nchallenges. A remote attacker could possibly use this issue to replay\nHTTP requests across a cluster of servers. (CVE-2018-1312).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3627-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected apache2-bin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|17\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 17.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"apache2-bin\", pkgver:\"2.4.7-1ubuntu4.20\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"apache2-bin\", pkgver:\"2.4.18-2ubuntu3.8\")) flag++;\nif (ubuntu_check(osver:\"17.10\", pkgname:\"apache2-bin\", pkgver:\"2.4.27-2ubuntu4.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2-bin\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:18:37", "description": "This update includes the latest upstream release of the Apache HTTP\nServer, version 2.4.33. 
A number of security vulnerabilities are fixed\nin this release :\n\n - *Low*: Possible out of bound read in mod_cache_socache\n (CVE-2018-1303)\n\n - *Low*: Possible out of bound access after failure in\n reading the HTTP request (CVE-2018-1301)\n\n - *Low*: Weak Digest auth nonce generation in\n mod_auth_digest (CVE-2018-1312)\n\n - *Low*: <FilesMatch> bypass with a trailing newline in\n the file name (CVE-2017-15715)\n\n - *Low*: Out of bound write in mod_authnz_ldap when using\n too small Accept-Language values (CVE-2017-15710)\n\n - *Moderate*: Tampering of mod_session data for CGI\n applications (CVE-2018-1283)\n\nFor more information about changes in this release, see:\nhttps://www.apache.org/dist/httpd/CHANGES_2.4.33\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 11, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-01-03T00:00:00", "title": "Fedora 28 : httpd (2018-6744ca470d)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1301", "CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303", "CVE-2018-1283"], "modified": "2019-01-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:httpd", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-6744CA470D.NASL", "href": "https://www.tenable.com/plugins/nessus/120484", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-6744ca470d.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120484);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n 
script_cve_id(\"CVE-2017-15710\", \"CVE-2017-15715\", \"CVE-2018-1283\", \"CVE-2018-1301\", \"CVE-2018-1303\", \"CVE-2018-1312\");\n script_xref(name:\"FEDORA\", value:\"2018-6744ca470d\");\n\n script_name(english:\"Fedora 28 : httpd (2018-6744ca470d)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update includes the latest upstream release of the Apache HTTP\nServer, version 2.4.33. A number of security vulnerabilities are fixed\nin this release :\n\n - *Low*: Possible out of bound read in mod_cache_socache\n (CVE-2018-1303)\n\n - *Low*: Possible out of bound access after failure in\n reading the HTTP request (CVE-2018-1301)\n\n - *Low*: Weak Digest auth nonce generation in\n mod_auth_digest (CVE-2018-1312)\n\n - *Low*: <FilesMatch> bypass with a trailing newline in\n the file name (CVE-2017-15715)\n\n - *Low*: Out of bound write in mod_authnz_ldap when using\n too small Accept-Language values (CVE-2017-15710)\n\n - *Moderate*: Tampering of mod_session data for CGI\n applications (CVE-2018-1283)\n\nFor more information about changes in this release, see:\nhttps://www.apache.org/dist/httpd/CHANGES_2.4.33\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-6744ca470d\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected httpd package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"httpd-2.4.33-2.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T06:10:13", "description": "This update for apache2 fixes the following issues :\n\n - CVE-2018-1283: when mod_session is configured to forward\n its session data to CGI applications (SessionEnv on, not\n the default), a remote user may influence their content\n by using a \\'Session\\' header leading to unexpected\n behavior [bsc#1086814].\n\n - CVE-2018-1301: due to an out of bound access after a\n size limit being reached by reading the HTTP header, a\n specially crafted request could lead to remote denial of\n service. [bsc#1086817]\n\n - CVE-2018-1303: a specially crafted HTTP request header\n could lead to crash due to an out of bound read while\n preparing data to be cached in shared\n memory.[bsc#1086813]\n\n - CVE-2017-15715: a regular expression could match '$' to\n a newline character in a malicious filename, rather than\n matching only the end of the filename. leading to\n corruption of uploaded files.[bsc#1086774]\n\n - CVE-2018-1312: when generating an HTTP Digest\n authentication challenge, the nonce sent to prevent\n replay attacks was not correctly generated using a\n pseudo-random seed.
In a cluster of servers using a\n common Digest authentication configuration, HTTP\n requests could be replayed across servers by an attacker\n without detection. [bsc#1086775]\n\n - CVE-2017-15710: mod_authnz_ldap, if configured with\n AuthLDAPCharsetConfig, uses the Accept-Language header\n value to lookup the right charset encoding when\n verifying the user's credentials. If the header value is\n not present in the charset conversion table, a fallback\n mechanism is used to truncate it to a two characters\n value to allow a quick retry (for example, 'en-US' is\n truncated to 'en'). A header value of less than two\n characters forces an out of bound write of one NUL byte\n to a memory location that is not part of the string. In\n the worst case, quite unlikely, the process would crash\n which could be used as a Denial of Service attack. In\n the more likely case, this memory is already reserved\n for future use and the issue has no effect at all.\n [bsc#1086820]\n\n - gensslcert: fall back to 'localhost' as hostname\n [bsc#1057406]\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 30, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-04-10T00:00:00", "title": "SUSE SLES12 Security Update : apache2 (SUSE-SU-2018:0901-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1301", "CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303", "CVE-2018-1283"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:apache2-worker", "p-cpe:/a:novell:suse_linux:apache2-prefork", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:apache2-worker-debuginfo", "p-cpe:/a:novell:suse_linux:apache2-prefork-debuginfo", "p-cpe:/a:novell:suse_linux:apache2-debuginfo", "p-cpe:/a:novell:suse_linux:apache2-example-pages", "p-cpe:/a:novell:suse_linux:apache2-utils-debuginfo", "p-cpe:/a:novell:suse_linux:apache2-utils", "p-cpe:/a:novell:suse_linux:apache2-debugsource", "p-cpe:/a:novell:suse_linux:apache2"], "id": "SUSE_SU-2018-0901-1.NASL", "href": "https://www.tenable.com/plugins/nessus/108945", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:0901-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108945);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/09/10 13:51:47\");\n\n script_cve_id(\"CVE-2017-15710\", \"CVE-2017-15715\", \"CVE-2018-1283\", \"CVE-2018-1301\", \"CVE-2018-1303\", \"CVE-2018-1312\");\n\n script_name(english:\"SUSE SLES12 Security Update : apache2 (SUSE-SU-2018:0901-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n 
value:\n\"This update for apache2 fixes the following issues :\n\n - CVE-2018-1283: when mod_session is configured to forward\n its session data to CGI applications (SessionEnv on, not\n the default), a remote user may influence their content\n by using a \\'Session\\' header leading to unexpected\n behavior [bsc#1086814].\n\n - CVE-2018-1301: due to an out of bound access after a\n size limit being reached by reading the HTTP header, a\n specially crafted request could lead to remote denial of\n service. [bsc#1086817]\n\n - CVE-2018-1303: a specially crafted HTTP request header\n could lead to crash due to an out of bound read while\n preparing data to be cached in shared\n memory.[bsc#1086813]\n\n - CVE-2017-15715: a regular expression could match '$' to\n a newline character in a malicious filename, rather than\n matching only the end of the filename. leading to\n corruption of uploaded files.[bsc#1086774]\n\n - CVE-2018-1312: when generating an HTTP Digest\n authentication challenge, the nonce sent to prevent\n replay attacks was not correctly generated using a\n pseudo-random seed. In a cluster of servers using a\n common Digest authentication configuration, HTTP\n requests could be replayed across servers by an attacker\n without detection. [bsc#1086775]\n\n - CVE-2017-15710: mod_authnz_ldap, if configured with\n AuthLDAPCharsetConfig, uses the Accept-Language header\n value to lookup the right charset encoding when\n verifying the user's credentials. If the header value is\n not present in the charset conversion table, a fallback\n mechanism is used to truncate it to a two characters\n value to allow a quick retry (for example, 'en-US' is\n truncated to 'en'). A header value of less than two\n characters forces an out of bound write of one NUL byte\n to a memory location that is not part of the string. In\n the worst case, quite unlikely, the process would crash\n which could be used as a Denial of Service attack.
In\n the more likely case, this memory is already reserved\n for future use and the issue has no effect at all.\n [bsc#1086820]\n\n - gensslcert: fall back to 'localhost' as hostname\n [bsc#1057406]\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1057406\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1086774\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1086775\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1086813\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1086814\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1086817\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1086820\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-15710/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-15715/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1283/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1301/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1303/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1312/\"\n );\n # 
https://www.suse.com/support/update/announcement/2018/suse-su-20180901-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?57783496\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2018-602=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-example-pages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-prefork-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-worker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/08\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"apache2-2.4.10-14.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"apache2-debuginfo-2.4.10-14.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"apache2-debugsource-2.4.10-14.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"apache2-example-pages-2.4.10-14.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"apache2-prefork-2.4.10-14.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"apache2-prefork-debuginfo-2.4.10-14.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"apache2-utils-2.4.10-14.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"apache2-utils-debuginfo-2.4.10-14.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"apache2-worker-2.4.10-14.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"apache2-worker-debuginfo-2.4.10-14.31.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:16:51", "description": "This update includes the latest upstream release of the Apache HTTP\nServer, version 2.4.33. 
A number of security vulnerabilities are fixed\nin this release :\n\n - *Low*: Possible out of bound read in mod_cache_socache\n (CVE-2018-1303)\n\n - *Low*: Possible out of bound access after failure in\n reading the HTTP request (CVE-2018-1301)\n\n - *Low*: Weak Digest auth nonce generation in\n mod_auth_digest (CVE-2018-1312)\n\n - *Low*: <FilesMatch> bypass with a trailing newline in\n the file name (CVE-2017-15715)\n\n - *Low*: Out of bound write in mod_authnz_ldap when using\n too small Accept-Language values (CVE-2017-15710)\n\n - *Moderate*: Tampering of mod_session data for CGI\n applications (CVE-2018-1283)\n\nFor more information about changes in this release, see:\nhttps://www.apache.org/dist/httpd/CHANGES_2.4.33\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 23, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-04-06T00:00:00", "title": "Fedora 27 : httpd (2018-375e3244b6)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1301", "CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303", "CVE-2018-1283"], "modified": "2018-04-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:httpd", "cpe:/o:fedoraproject:fedora:27"], "id": "FEDORA_2018-375E3244B6.NASL", "href": "https://www.tenable.com/plugins/nessus/108856", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-375e3244b6.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(108856);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n 
script_cve_id(\"CVE-2017-15710\", \"CVE-2017-15715\", \"CVE-2018-1283\", \"CVE-2018-1301\", \"CVE-2018-1303\", \"CVE-2018-1312\");\n script_xref(name:\"FEDORA\", value:\"2018-375e3244b6\");\n\n script_name(english:\"Fedora 27 : httpd (2018-375e3244b6)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update includes the latest upstream release of the Apache HTTP\nServer, version 2.4.33. A number of security vulnerabilities are fixed\nin this release :\n\n - *Low*: Possible out of bound read in mod_cache_socache\n (CVE-2018-1303)\n\n - *Low*: Possible out of bound access after failure in\n reading the HTTP request (CVE-2018-1301)\n\n - *Low*: Weak Digest auth nonce generation in\n mod_auth_digest (CVE-2018-1312)\n\n - *Low*: <FilesMatch> bypass with a trailing newline in\n the file name (CVE-2017-15715)\n\n - *Low*: Out of bound write in mod_authnz_ldap when using\n too small Accept-Language values (CVE-2017-15710)\n\n - *Moderate*: Tampering of mod_session data for CGI\n applications (CVE-2018-1283)\n\nFor more information about changes in this release, see:\nhttps://www.apache.org/dist/httpd/CHANGES_2.4.33\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-375e3244b6\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected httpd package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"httpd-2.4.33-2.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-18T10:54:38", "description": "USN-3627-1 fixed vulnerabilities in Apache HTTP Server. This update\nprovides the corresponding updates for Ubuntu 18.04 LTS.\n\nAlex Nichols and Jakob Hirsch discovered that the Apache HTTP Server\nmod_authnz_ldap module incorrectly handled missing charset encoding\nheaders. A remote attacker could possibly use this issue to cause the\nserver to crash, resulting in a denial of service. (CVE-2017-15710)\n\nElar Lang discovered that the Apache HTTP Server incorrectly handled\ncertain characters specified in <FilesMatch>. A remote attacker could\npossibly use this issue to upload certain files, contrary to\nexpectations. (CVE-2017-15715)\n\nIt was discovered that the Apache HTTP Server mod_session module\nincorrectly handled certain headers. A remote attacker could possibly\nuse this issue to influence session data. (CVE-2018-1283)\n\nRobert Swiecki discovered that the Apache HTTP Server incorrectly\nhandled certain requests. 
A remote attacker could possibly use this\nissue to cause the server to crash, leading to a denial of service.\n(CVE-2018-1301)\n\nRobert Swiecki discovered that the Apache HTTP Server\nmod_cache_socache module incorrectly handled certain headers. A remote\nattacker could possibly use this issue to cause the server to crash,\nleading to a denial of service. (CVE-2018-1303)\n\nNicolas Daniels discovered that the Apache HTTP Server incorrectly\ngenerated the nonce when creating HTTP Digest authentication\nchallenges. A remote attacker could possibly use this issue to replay\nHTTP requests across a cluster of servers. (CVE-2018-1312).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 20, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-05-01T00:00:00", "title": "Ubuntu 18.04 LTS : Apache HTTP Server vulnerabilities (USN-3627-2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1301", "CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303", "CVE-2018-1283"], "modified": "2018-05-01T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:apache2-bin", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts"], "id": "UBUNTU_USN-3627-2.NASL", "href": "https://www.tenable.com/plugins/nessus/109466", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3627-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109466);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2017-15710\", \"CVE-2017-15715\", \"CVE-2018-1283\", \"CVE-2018-1301\", \"CVE-2018-1303\", \"CVE-2018-1312\");\n script_xref(name:\"USN\", value:\"3627-2\");\n\n script_name(english:\"Ubuntu 18.04 LTS : Apache HTTP Server vulnerabilities (USN-3627-2)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"USN-3627-1 fixed vulnerabilities in Apache HTTP Server. This update\nprovides the corresponding updates for Ubuntu 18.04 LTS.\n\nAlex Nichols and Jakob Hirsch discovered that the Apache HTTP Server\nmod_authnz_ldap module incorrectly handled missing charset encoding\nheaders. A remote attacker could possibly use this issue to cause the\nserver to crash, resulting in a denial of service. (CVE-2017-15710)\n\nElar Lang discovered that the Apache HTTP Server incorrectly handled\ncertain characters specified in <FilesMatch>. A remote attacker could\npossibly use this issue to upload certain files, contrary to\nexpectations. (CVE-2017-15715)\n\nIt was discovered that the Apache HTTP Server mod_session module\nincorrectly handled certain headers. A remote attacker could possibly\nuse this issue to influence session data. (CVE-2018-1283)\n\nRobert Swiecki discovered that the Apache HTTP Server incorrectly\nhandled certain requests. A remote attacker could possibly use this\nissue to cause the server to crash, leading to a denial of service.\n(CVE-2018-1301)\n\nRobert Swiecki discovered that the Apache HTTP Server\nmod_cache_socache module incorrectly handled certain headers. 
A remote\nattacker could possibly use this issue to cause the server to crash,\nleading to a denial of service. (CVE-2018-1303)\n\nNicolas Daniels discovered that the Apache HTTP Server incorrectly\ngenerated the nonce when creating HTTP Digest authentication\nchallenges. A remote attacker could possibly use this issue to replay\nHTTP requests across a cluster of servers. (CVE-2018-1312).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3627-2/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected apache2-bin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 18.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"18.04\", pkgname:\"apache2-bin\", pkgver:\"2.4.29-1ubuntu4.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2-bin\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T06:10:13", "description": "This update for apache2 fixes the following issues :\n\n - CVE-2018-1283: when mod_session is configured to forward\n its session data to CGI applications (SessionEnv on, not\n the default), a remote user may influence their content\n by using a \\'Session\\' header leading to unexpected\n behavior [bsc#1086814].\n\n - CVE-2018-1301: due to an out of bound access after a\n size limit being reached by reading the HTTP header, a\n specially crafted request could lead to remote denial of\n service. 
[bsc#1086817]\n\n - CVE-2018-1303: a specially crafted HTTP request header\n could lead to crash due to an out of bound read while\n preparing data to be cached in shared\n memory.[bsc#1086813]\n\n - CVE-2017-15715: a regular expression could match '$' to\n a newline character in a malicious filename, rather than\n matching only the end of the filename. leading to\n corruption of uploaded files.[bsc#1086774]\n\n - CVE-2018-1312: when generating an HTTP Digest\n authentication challenge, the nonce sent to prevent\n reply attacks was not correctly generated using a\n pseudo-random seed. In a cluster of servers using a\n common Digest authentication configuration, HTTP\n requests could be replayed across servers by an attacker\n without detection. [bsc#1086775]\n\n - CVE-2017-15710: mod_authnz_ldap, if configured with\n AuthLDAPCharsetConfig, uses the Accept-Language header\n value to lookup the right charset encoding when\n verifying the user's credentials. If the header value is\n not present in the charset conversion table, a fallback\n mechanism is used to truncate it to a two characters\n value to allow a quick retry (for example, 'en-US' is\n truncated to 'en'). A header value of less than two\n characters forces an out of bound write of one NUL byte\n to a memory location that is not part of the string. In\n the worst case, quite unlikely, the process would crash\n which could be used as a Denial of Service attack. In\n the more likely case, this memory is already reserved\n for future use and the issue has no effect at all.\n [bsc#1086820]\n\n - gensslcert: fall back to 'localhost' as hostname\n [bsc#1057406]\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 30, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-04-06T00:00:00", "title": "SUSE SLES12 Security Update : apache2 (SUSE-SU-2018:0879-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1301", "CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303", "CVE-2018-1283"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:apache2-worker", "p-cpe:/a:novell:suse_linux:apache2-prefork", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:apache2-worker-debuginfo", "p-cpe:/a:novell:suse_linux:apache2-prefork-debuginfo", "p-cpe:/a:novell:suse_linux:apache2-debuginfo", "p-cpe:/a:novell:suse_linux:apache2-example-pages", "p-cpe:/a:novell:suse_linux:apache2-utils-debuginfo", "p-cpe:/a:novell:suse_linux:apache2-utils", "p-cpe:/a:novell:suse_linux:apache2-debugsource", "p-cpe:/a:novell:suse_linux:apache2"], "id": "SUSE_SU-2018-0879-1.NASL", "href": "https://www.tenable.com/plugins/nessus/108876", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:0879-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108876);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/09/10 13:51:47\");\n\n script_cve_id(\"CVE-2017-15710\", \"CVE-2017-15715\", \"CVE-2018-1283\", \"CVE-2018-1301\", \"CVE-2018-1303\", \"CVE-2018-1312\");\n\n script_name(english:\"SUSE SLES12 Security Update : apache2 (SUSE-SU-2018:0879-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n 
value:\n\"This update for apache2 fixes the following issues :\n\n - CVE-2018-1283: when mod_session is configured to forward\n its session data to CGI applications (SessionEnv on, not\n the default), a remote user may influence their content\n by using a \\'Session\\' header leading to unexpected\n behavior [bsc#1086814].\n\n - CVE-2018-1301: due to an out of bound access after a\n size limit being reached by reading the HTTP header, a\n specially crafted request could lead to remote denial of\n service. [bsc#1086817]\n\n - CVE-2018-1303: a specially crafted HTTP request header\n could lead to crash due to an out of bound read while\n preparing data to be cached in shared\n memory.[bsc#1086813]\n\n - CVE-2017-15715: a regular expression could match '$' to\n a newline character in a malicious filename, rather than\n matching only the end of the filename. leading to\n corruption of uploaded files.[bsc#1086774]\n\n - CVE-2018-1312: when generating an HTTP Digest\n authentication challenge, the nonce sent to prevent\n reply attacks was not correctly generated using a\n pseudo-random seed. In a cluster of servers using a\n common Digest authentication configuration, HTTP\n requests could be replayed across servers by an attacker\n without detection. [bsc#1086775]\n\n - CVE-2017-15710: mod_authnz_ldap, if configured with\n AuthLDAPCharsetConfig, uses the Accept-Language header\n value to lookup the right charset encoding when\n verifying the user's credentials. If the header value is\n not present in the charset conversion table, a fallback\n mechanism is used to truncate it to a two characters\n value to allow a quick retry (for example, 'en-US' is\n truncated to 'en'). A header value of less than two\n characters forces an out of bound write of one NUL byte\n to a memory location that is not part of the string. In\n the worst case, quite unlikely, the process would crash\n which could be used as a Denial of Service attack. 
In\n the more likely case, this memory is already reserved\n for future use and the issue has no effect at all.\n [bsc#1086820]\n\n - gensslcert: fall back to 'localhost' as hostname\n [bsc#1057406]\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1057406\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1086774\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1086775\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1086813\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1086814\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1086817\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1086820\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-15710/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-15715/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1283/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1301/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1303/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1312/\"\n );\n # 
https://www.suse.com/support/update/announcement/2018/suse-su-20180879-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5d1a9069\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 6:zypper in -t patch\nSUSE-OpenStack-Cloud-6-2018-593=1\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2018-593=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2018-593=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-example-pages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-prefork-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-worker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-2.4.16-20.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-debuginfo-2.4.16-20.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-debugsource-2.4.16-20.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-example-pages-2.4.16-20.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-prefork-2.4.16-20.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-prefork-debuginfo-2.4.16-20.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-utils-2.4.16-20.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-utils-debuginfo-2.4.16-20.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-worker-2.4.16-20.16.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-worker-debuginfo-2.4.16-20.16.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-26T09:19:57", "description": "According to its banner, the version of Apache running on the remote\nhost is 2.4.x prior to 2.4.33. It is, therefore, affected by \nmultiple vulnerabilities:\n\n - An out of bounds write vulnerability exists in mod_authnz_ldap\n with AuthLDAPCharsetConfig enabled. An unauthenticated, remote \n attacker can exploit this, via the Accept-Language header value, \n to cause the application to stop responding. 
(CVE-2017-15710)\n \n - An arbitrary file upload vulnerability exists in the FilesMatch\n component where a malicious filename can be crafted to match the\n expression check for a newline character. An unauthenticated, \n remote attacker can exploit this, via newline character, to \n upload arbitrary files on the remote host subject to the \n privileges of the user. (CVE-2017-15715)\n\n - A session management vulnerability exists in the \n mod_session component due to SessionEnv being enabled and \n forwarding its session data to the CGI Application. An \n unauthenticated, remote attacker can exploit this, via \n tampering the HTTP_SESSION and using a session header, to \n influence content. (CVE-2018-1283)\n\n - An out of bounds access vulnerability exists when the size limit\n is reached. An unauthenticated, remote attacker can exploit this,\n to cause the Apache HTTP Server to crash. (CVE-2018-1301)\n\n - A write after free vulnerability exists in HTTP/2 stream due to \n a NULL pointer being written to an area of freed memory. An \n unauthenticated, remote attacker can exploit this to execute \n arbitrary code. (CVE-2018-1302)\n \n - An out of bounds read vulnerability exists in mod_cache_socache.\n An unauthenticated, remote attacker can exploit this, via a \n specially crafted HTTP request header to cause the application \n to stop responding. (CVE-2018-1303)\n\n - A weak digest vulnerability exists in the HTTP digest \n authentication challenge. An unauthenticated, remote attacker \n can exploit this in a cluster of servers configured to use a \n common digest authentication, to replay HTTP requests across \n servers without being detected. 
(CVE-2018-1312)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 19, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-02-08T00:00:00", "title": "Apache 2.4.x < 2.4.33 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1301", "CVE-2018-1302", "CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303", "CVE-2018-1283"], "modified": "2019-02-08T00:00:00", "cpe": ["cpe:/a:apache:httpd", "cpe:/a:apache:http_server"], "id": "APACHE_2_4_33.NASL", "href": "https://www.tenable.com/plugins/nessus/122060", "sourceData": "\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122060);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/25\");\n\n script_cve_id(\n \"CVE-2017-15710\",\n \"CVE-2017-15715\",\n \"CVE-2018-1283\",\n \"CVE-2018-1301\",\n \"CVE-2018-1302\",\n \"CVE-2018-1303\",\n \"CVE-2018-1312\"\n );\n script_bugtraq_id(\n 103512,\n 103515,\n 103524,\n 103525,\n 103528,\n 104584,\n 106158\n );\n\n script_name(english:\"Apache 2.4.x < 2.4.33 Multiple Vulnerabilities\");\n script_summary(english:\"Checks version in Server response header.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Apache running on the remote\nhost is 2.4.x prior to 2.4.33. It is, therefore, affected by \nmultiple vulnerabilities:\n\n - An out of bounds write vulnerability exists in mod_authnz_ldap\n with AuthLDAPCharsetConfig enabled. An unauthenticated, remote \n attacker can exploit this, via the Accept-Language header value, \n to cause the application to stop responding. 
(CVE-2017-15710)\n \n - An arbitrary file upload vulnerability exists in the FilesMatch\n component where a malicious filename can be crafted to match the\n expression check for a newline character. An unauthenticated, \n remote attacker can exploit this, via newline character, to \n upload arbitrary files on the remote host subject to the \n privileges of the user. (CVE-2017-15715)\n\n - A session management vulnerability exists in the \n mod_session component due to SessionEnv being enabled and \n forwarding its session data to the CGI Application. An \n unauthenticated, remote attacker can exploit this, via \n tampering the HTTP_SESSION and using a session header, to \n influence content. (CVE-2018-1283)\n\n - An out of bounds access vulnerability exists when the size limit\n is reached. An unauthenticated, remote attacker can exploit this,\n to cause the Apache HTTP Server to crash. (CVE-2018-1301)\n\n - A write after free vulnerability exists in HTTP/2 stream due to \n a NULL pointer being written to an area of freed memory. An \n unauthenticated, remote attacker can exploit this to execute \n arbitrary code. (CVE-2018-1302)\n \n - An out of bounds read vulnerability exists in mod_cache_socache.\n An unauthenticated, remote attacker can exploit this, via a \n specially crafted HTTP request header to cause the application \n to stop responding. (CVE-2018-1303)\n\n - A weak digest vulnerability exists in the HTTP digest \n authentication challenge. An unauthenticated, remote attacker \n can exploit this in a cluster of servers configured to use a \n common digest authentication, to replay HTTP requests across \n servers without being detected. 
(CVE-2018-1312)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://archive.apache.org/dist/httpd/CHANGES_2.4.33\");\n script_set_attribute(attribute:\"see_also\", value:\"https://httpd.apache.org/security/vulnerabilities_24.html#2.4.33\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache version 2.4.33 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1312\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:http_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:httpd\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"apache_http_version.nasl\", \"apache_http_server_nix_installed.nbin\", \"apache_httpd_win_installed.nbin\");\n script_require_keys(\"installed_sw/Apache\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\ninclude('vcf_extras.inc');\n\nport = get_http_port(default:80);\n\napp_info = vcf::apache_http_server::combined_get_app_info(app:'Apache', port:port);\n\nconstraints = [\n { \"min_version\" : \"2.4.0\", \"fixed_version\" : \"2.4.33\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:19:44", "description": "Use-after-free on HTTP/2 stream shutdown\n\nWhen an HTTP/2 stream was destroyed after being handled, the Apache\nHTTP Server prior to version 2.4.30 could have written a NULL pointer\npotentially to an already freed memory. The memory pools maintained by\nthe server make this vulnerability hard to trigger in usual\nconfigurations, the reporter and the team could not reproduce it\noutside debug builds, so it is classified as low risk. (CVE-2018-1302)\n\nBypass with a trailing newline in the file name\n\nIn Apache httpd 2.4.0 to 2.4.29, the expression specified in\n<FilesMatch> could match '$' to a newline character in a malicious\nfilename, rather than matching only the end of the filename. This\ncould be exploited in environments where uploads of some files are are\nexternally blocked, but only by matching the trailing portion of the\nfilename. (CVE-2017-15715)\n\nOut of bounds read in mod_cache_socache can allow a remote attacker to\ncause a denial of service\n\nA specially crafted HTTP request header could have crashed the Apache\nHTTP Server prior to version 2.4.30 due to an out of bound read while\npreparing data to be cached in shared memory. 
It could be used as a\nDenial of Service attack against users of mod_cache_socache. The\nvulnerability is considered as low risk since mod_cache_socache is not\nwidely used, mod_cache_disk is not concerned by this vulnerability.\n(CVE-2018-1303)\n\nImproper handling of headers in mod_session can allow a remote user to\nmodify session data for CGI applications\n\nIt has been discovered that the mod_session module of Apache HTTP\nServer (httpd), through version 2.4.29, has an improper input\nvalidation flaw in the way it handles HTTP session headers in some\nconfigurations. A remote attacker may influence their content by using\na 'Session' header. (CVE-2018-1283)\n\nOut of bound write in mod_authnz_ldap when using too small\nAccept-Language values\n\nIn Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to\n2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig,\nuses the Accept-Language header value to lookup the right charset\nencoding when verifying the user's credentials. If the header value is\nnot present in the charset conversion table, a fallback mechanism is\nused to truncate it to a two characters value to allow a quick retry\n(for example, 'en-US' is truncated to 'en'). A header value of less\nthan two characters forces an out of bound write of one NUL byte to a\nmemory location that is not part of the string. In the worst case,\nquite unlikely, the process would crash which could be used as a\nDenial of Service attack. In the more likely case, this memory is\nalready reserved for future use and the issue has no effect at all.\n(CVE-2017-15710)\n\nOut of bound access after failure in reading the HTTP request\n\nA specially crafted request could have crashed the Apache HTTP Server\nprior to version 2.4.30, due to an out of bound access after a size\nlimit is reached by reading the HTTP header. 
This vulnerability is\nconsidered very hard if not impossible to trigger in non-debug mode\n(both log and build level), so it is classified as low risk for common\nserver usage. (CVE-2018-1301)\n\nWeak Digest auth nonce generation in mod_auth_digest\n\nIn Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest\nauthentication challenge, the nonce sent to prevent reply attacks was\nnot correctly generated using a pseudo-random seed. In a cluster of\nservers using a common Digest authentication configuration, HTTP\nrequests could be replayed across servers by an attacker without\ndetection. (CVE-2018-1312)", "edition": 24, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-05-04T00:00:00", "title": "Amazon Linux AMI : httpd24 (ALAS-2018-1004)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1301", "CVE-2018-1302", "CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303", "CVE-2018-1283"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:mod24_ssl", "p-cpe:/a:amazon:linux:httpd24-manual", "p-cpe:/a:amazon:linux:mod24_ldap", "p-cpe:/a:amazon:linux:mod24_proxy_html", "p-cpe:/a:amazon:linux:httpd24-tools", "p-cpe:/a:amazon:linux:httpd24-debuginfo", "p-cpe:/a:amazon:linux:mod24_md", "p-cpe:/a:amazon:linux:mod24_session", "p-cpe:/a:amazon:linux:httpd24-devel", "p-cpe:/a:amazon:linux:httpd24", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2018-1004.NASL", "href": "https://www.tenable.com/plugins/nessus/109555", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2018-1004.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109555);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/07/10 16:04:12\");\n\n script_cve_id(\"CVE-2017-15710\", \"CVE-2017-15715\", \"CVE-2018-1283\", \"CVE-2018-1301\", \"CVE-2018-1302\", \"CVE-2018-1303\", 
\"CVE-2018-1312\");\n script_xref(name:\"ALAS\", value:\"2018-1004\");\n\n script_name(english:\"Amazon Linux AMI : httpd24 (ALAS-2018-1004)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Use-after-free on HTTP/2 stream shutdown\n\nWhen an HTTP/2 stream was destroyed after being handled, the Apache\nHTTP Server prior to version 2.4.30 could have written a NULL pointer\npotentially to an already freed memory. The memory pools maintained by\nthe server make this vulnerability hard to trigger in usual\nconfigurations, the reporter and the team could not reproduce it\noutside debug builds, so it is classified as low risk. (CVE-2018-1302)\n\nBypass with a trailing newline in the file name\n\nIn Apache httpd 2.4.0 to 2.4.29, the expression specified in\n<FilesMatch> could match '$' to a newline character in a malicious\nfilename, rather than matching only the end of the filename. This\ncould be exploited in environments where uploads of some files are are\nexternally blocked, but only by matching the trailing portion of the\nfilename. (CVE-2017-15715)\n\nOut of bounds read in mod_cache_socache can allow a remote attacker to\ncause a denial of service\n\nA specially crafted HTTP request header could have crashed the Apache\nHTTP Server prior to version 2.4.30 due to an out of bound read while\npreparing data to be cached in shared memory. It could be used as a\nDenial of Service attack against users of mod_cache_socache. 
The\nvulnerability is considered as low risk since mod_cache_socache is not\nwidely used, mod_cache_disk is not concerned by this vulnerability.\n(CVE-2018-1303)\n\nImproper handling of headers in mod_session can allow a remote user to\nmodify session data for CGI applications\n\nIt has been discovered that the mod_session module of Apache HTTP\nServer (httpd), through version 2.4.29, has an improper input\nvalidation flaw in the way it handles HTTP session headers in some\nconfigurations. A remote attacker may influence their content by using\na 'Session' header. (CVE-2018-1283)\n\nOut of bound write in mod_authnz_ldap when using too small\nAccept-Language values\n\nIn Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to\n2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig,\nuses the Accept-Language header value to lookup the right charset\nencoding when verifying the user's credentials. If the header value is\nnot present in the charset conversion table, a fallback mechanism is\nused to truncate it to a two characters value to allow a quick retry\n(for example, 'en-US' is truncated to 'en'). A header value of less\nthan two characters forces an out of bound write of one NUL byte to a\nmemory location that is not part of the string. In the worst case,\nquite unlikely, the process would crash which could be used as a\nDenial of Service attack. In the more likely case, this memory is\nalready reserved for future use and the issue has no effect at all.\n(CVE-2017-15710)\n\nOut of bound access after failure in reading the HTTP request\n\nA specially crafted request could have crashed the Apache HTTP Server\nprior to version 2.4.30, due to an out of bound access after a size\nlimit is reached by reading the HTTP header. This vulnerability is\nconsidered very hard if not impossible to trigger in non-debug mode\n(both log and build level), so it is classified as low risk for common\nserver usage. 
(CVE-2018-1301)\n\nWeak Digest auth nonce generation in mod_auth_digest\n\nIn Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest\nauthentication challenge, the nonce sent to prevent reply attacks was\nnot correctly generated using a pseudo-random seed. In a cluster of\nservers using a common Digest authentication configuration, HTTP\nrequests could be replayed across servers by an attacker without\ndetection. (CVE-2018-1312)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2018-1004.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update httpd24' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_md\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/26\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-2.4.33-2.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-debuginfo-2.4.33-2.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-devel-2.4.33-2.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-manual-2.4.33-2.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-tools-2.4.33-2.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_ldap-2.4.33-2.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_md-2.4.33-2.78.amzn1\")) flag++;\nif 
(rpm_check(release:\"ALA\", reference:\"mod24_proxy_html-2.4.33-2.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_session-2.4.33-2.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_ssl-2.4.33-2.78.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd24 / httpd24-debuginfo / httpd24-devel / httpd24-manual / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-07-04T18:55:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1301", "CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303", "CVE-2018-1283"], "description": "Several vulnerabilities have been found in the Apache HTTPD server.\n\nCVE-2017-15710\nAlex Nichols and Jakob Hirsch reported that mod_authnz_ldap, if\nconfigured with AuthLDAPCharsetConfig, could cause an of bound write\nif supplied with a crafted Accept-Language header. 
This could\npotentially be used for a Denial of Service attack.\n\nCVE-2017-15715\nElar Lang discovered that expression specified in could\nmatch ", "modified": "2019-07-04T00:00:00", "published": "2018-04-03T00:00:00", "id": "OPENVAS:1361412562310704164", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704164", "type": "openvas", "title": "Debian Security Advisory DSA 4164-1 (apache2 - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4164-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704164\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2017-15710\", \"CVE-2017-15715\", \"CVE-2018-1283\", \"CVE-2018-1301\", \"CVE-2018-1303\", \"CVE-2018-1312\");\n script_name(\"Debian Security Advisory DSA 4164-1 (apache2 - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-04-03 00:00:00 +0200 (Tue, 03 Apr 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4164.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB[89]\");\n script_tag(name:\"affected\", value:\"apache2 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), these problems have been fixed\nin version 2.4.10-10+deb8u12.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 2.4.25-3+deb9u4.\n\nWe recommend that you upgrade your apache2 packages.\");\n\n script_xref(name:\"URL\", 
value:\"https://security-tracker.debian.org/tracker/apache2\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities have been found in the Apache HTTPD server.\n\nCVE-2017-15710\nAlex Nichols and Jakob Hirsch reported that mod_authnz_ldap, if\nconfigured with AuthLDAPCharsetConfig, could cause an out of bound write\nif supplied with a crafted Accept-Language header. This could\npotentially be used for a Denial of Service attack.\n\nCVE-2017-15715\nElar Lang discovered that expression specified in <FilesMatch> could\nmatch '$' to a newline character in a malicious filename, rather\nthan matching only the end of the filename. This could be exploited\nin environments where uploads of some files are externally\nblocked, but only by matching the trailing portion of the filename.\n\nCVE-2018-1283\nWhen mod_session is configured to forward its session data to CGI\napplications (SessionEnv on, not the default), a remote user could\ninfluence their content by using a Session header.\n\nCVE-2018-1301\nRobert Swiecki reported that a specially crafted request could have\ncrashed the Apache HTTP Server, due to an out of bound access after\na size limit is reached by reading the HTTP header.\n\nCVE-2018-1303\nRobert Swiecki reported that a specially crafted HTTP request header\ncould have crashed the Apache HTTP Server if using\nmod_cache_socache, due to an out of bound read while preparing data\nto be cached in shared memory.\n\nCVE-2018-1312\nNicolas Daniels discovered that when generating an HTTP Digest\nauthentication challenge, the nonce sent by mod_auth_digest to\nprevent replay attacks was not correctly generated using a\npseudo-random seed. 
In a cluster of servers using a common Digest\nauthentication configuration, HTTP requests could be replayed across\nservers by an attacker without detection.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"apache2\", ver:\"2.4.25-3+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.25-3+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-data\", ver:\"2.4.25-3+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.4.25-3+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-dev\", ver:\"2.4.25-3+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.4.25-3+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-ssl-dev\", ver:\"2.4.25-3+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.4.25-3+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-suexec-pristine\", ver:\"2.4.25-3+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.4.25-3+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-data\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n 
report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-dev\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-mpm-itk\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-suexec\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-suexec-pristine\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libapache2-mod-macro\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libapache2-mod-proxy-html\", ver:\"2.4.10-10+deb8u12\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1301", "CVE-2018-1312", 
"CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303", "CVE-2018-1283"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2018-04-20T00:00:00", "id": "OPENVAS:1361412562310843505", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843505", "type": "openvas", "title": "Ubuntu Update for apache2 USN-3627-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3627_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for apache2 USN-3627-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843505\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-20 09:13:25 +0200 (Fri, 20 Apr 2018)\");\n script_cve_id(\"CVE-2017-15710\", \"CVE-2017-15715\", \"CVE-2018-1283\", \"CVE-2018-1301\",\n \"CVE-2018-1303\", \"CVE-2018-1312\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for apache2 USN-3627-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apache2'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Alex Nichols and Jakob Hirsch discovered\n that the Apache HTTP Server mod_authnz_ldap module incorrectly handled missing\n charset encoding headers. A remote attacker could possibly use this issue to\n cause the server to crash, resulting in a denial of service. (CVE-2017-15710)\n Elar Lang discovered that the Apache HTTP Server incorrectly handled certain\n characters specified in FilesMatch . A remote attacker could possibly use this\n issue to upload certain files, contrary to expectations. (CVE-2017-15715) It was\n discovered that the Apache HTTP Server mod_session module incorrectly handled\n certain headers. 
A remote attacker could possibly use this issue to influence\n session data. (CVE-2018-1283) Robert Swiecki discovered that the Apache HTTP\n Server incorrectly handled certain requests. A remote attacker could possibly\n use this issue to cause the server to crash, leading to a denial of service.\n (CVE-2018-1301) Robert Swiecki discovered that the Apache HTTP Server\n mod_cache_socache module incorrectly handled certain headers. A remote attacker\n could possibly use this issue to cause the server to crash, leading to a denial\n of service. (CVE-2018-1303) Nicolas Daniels discovered that the Apache HTTP\n Server incorrectly generated the nonce when creating HTTP Digest authentication\n challenges. A remote attacker could possibly use this issue to replay HTTP\n requests across a cluster of servers. (CVE-2018-1312)\");\n script_tag(name:\"affected\", value:\"apache2 on Ubuntu 17.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3627-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3627-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|17\\.10|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.7-1ubuntu4.20\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == 
\"UBUNTU17.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.27-2ubuntu4.1\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.18-2ubuntu3.8\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1301", "CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303", "CVE-2018-1283"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310874332", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874332", "type": "openvas", "title": "Fedora Update for httpd FEDORA-2018-375e3244b6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_375e3244b6_httpd_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for httpd FEDORA-2018-375e3244b6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874332\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-06 10:09:42 +0200 (Fri, 06 Apr 2018)\");\n script_cve_id(\"CVE-2018-1303\", \"CVE-2018-1301\", \"CVE-2018-1312\", \"CVE-2017-15715\",\n \"CVE-2017-15710\", \"CVE-2018-1283\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for httpd FEDORA-2018-375e3244b6\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'httpd'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"httpd on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-375e3244b6\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZI6EGGXO5YNXZUSMCPLOXKNPWQPCNTP\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", 
\"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.4.33~2.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1301", "CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303", "CVE-2018-1283"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2018-05-08T00:00:00", "id": "OPENVAS:1361412562310843516", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843516", "type": "openvas", "title": "Ubuntu Update for apache2 USN-3627-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3627_2.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for apache2 USN-3627-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843516\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-08 09:25:09 +0200 (Tue, 08 May 2018)\");\n script_cve_id(\"CVE-2017-15710\", \"CVE-2017-15715\", \"CVE-2018-1283\", \"CVE-2018-1301\",\n \"CVE-2018-1303\", \"CVE-2018-1312\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for apache2 USN-3627-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apache2'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3627-1 fixed vulnerabilities in Apache HTTP Server. This update\nprovides the corresponding updates for Ubuntu 18.04 LTS.\n\nOriginal advisory details:\n\nAlex Nichols and Jakob Hirsch discovered that the Apache HTTP Server\nmod_authnz_ldap module incorrectly handled missing charset encoding\nheaders. A remote attacker could possibly use this issue to cause the\nserver to crash, resulting in a denial of service. (CVE-2017-15710)\nElar Lang discovered that the Apache HTTP Server incorrectly handled\ncertain characters specified in FilesMatch . 
A remote attacker could\npossibly use this issue to upload certain files, contrary to expectations.\n(CVE-2017-15715)\nIt was discovered that the Apache HTTP Server mod_session module\nincorrectly handled certain headers. A remote attacker could possibly use\nthis issue to influence session data. (CVE-2018-1283)\nRobert Swiecki discovered that the Apache HTTP Server incorrectly handled\ncertain requests. A remote attacker could possibly use this issue to cause\nthe server to crash, leading to a denial of service. (CVE-2018-1301)\nRobert Swiecki discovered that the Apache HTTP Server mod_cache_socache\nmodule incorrectly handled certain headers. A remote attacker could\npossibly use this issue to cause the server to crash, leading to a denial\nof service. (CVE-2018-1303)\nNicolas Daniels discovered that the Apache HTTP Server incorrectly\ngenerated the nonce when creating HTTP Digest authentication challenges.\nA remote attacker could possibly use this issue to replay HTTP requests\nacross a cluster of servers. 
(CVE-2018-1312)\");\n script_tag(name:\"affected\", value:\"apache2 on Ubuntu 18.04 LTS\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"USN\", value:\"3627-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3627-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU18\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU18.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.29-1ubuntu4.1\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1301", "CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1283"], "description": "The host is installed with Apache HTTP server\n and is prone to multiple vulnerabilities.", "modified": "2019-05-03T00:00:00", "published": "2018-04-04T00:00:00", "id": "OPENVAS:1361412562310812844", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812844", "type": "openvas", "title": "Apache HTTP Server Multiple Vulnerabilities Apr18 (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache HTTP Server Multiple Vulnerabilities Apr18 (Linux)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks 
GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:http_server\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812844\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-1312\", \"CVE-2018-1283\", \"CVE-2017-15715\", \"CVE-2017-15710\",\n \"CVE-2018-1301\");\n script_bugtraq_id(103524, 103520, 103525, 103512, 103515);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-04-04 15:09:39 +0530 (Wed, 04 Apr 2018)\");\n script_name(\"Apache HTTP Server Multiple Vulnerabilities Apr18 (Linux)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Apache HTTP server\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Apache HTTP Server fails to correctly generate the nonce sent to prevent\n reply attacks.\n\n - Misconfigured 
mod_session variable, HTTP_SESSION.\n\n - Apache HTTP Server fails to sanitize the expression specified in '<FilesMatch>'.\n\n - An error in Apache HTTP Server 'mod_authnz_ldap' when configured with\n AuthLDAPCharsetConfig.\n\n - Apache HTTP Server fails to sanitize against a specially crafted request.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to replay HTTP requests across servers without detection, influence the user\n content, upload a malicious file, crash the Apache HTTP Server and perform\n denial of service attack.\");\n\n script_tag(name:\"affected\", value:\"Apache HTTP server versions from 2.4.1 to\n 2.4.4, 2.4.6, 2.4.7, 2.4.9, 2.4.10, 2.4.12, 2.4.16 to 2.4.18, 2.4.20, 2.4.23,\n 2.4.25 to 2.4.29 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 2.4.30 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_xref(name:\"URL\", value:\"https://httpd.apache.org/download.cgi\");\n script_xref(name:\"URL\", value:\"https://httpd.apache.org/security/vulnerabilities_24.html\");\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web Servers\");\n script_dependencies(\"secpod_apache_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"Host/runs_unixoide\", \"apache/installed\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!hport = get_app_port(cpe: CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:hport, exit_no_version:TRUE)) exit(0);\nvers = infos['version'];\npath = infos['location'];\n\nnot_affected = make_list(\"2.4.5\", \"2.4.8\", \"2.4.11\", \"2.4.13\", \"2.4.14\", \"2.4.15\", \"2.4.19\", \"2.4.21\", \"2.4.22\", 
\"2.4.24\");\n\nif(version_in_range(version:vers, test_version:\"2.4.1\", test_version2:\"2.4.29\"))\n{\n foreach version (not_affected){\n if(vers == version){\n exit(0);\n }\n }\n report = report_fixed_ver(installed_version:vers, fixed_version:\"2.4.30\" , install_path:path);\n security_message(port:hport, data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1301", "CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1283"], "description": "The host is installed with Apache HTTP server\n and is prone to multiple vulnerabilities.", "modified": "2019-05-03T00:00:00", "published": "2018-04-04T00:00:00", "id": "OPENVAS:1361412562310812846", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812846", "type": "openvas", "title": "Apache HTTP Server Multiple Vulnerabilities Apr18 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache HTTP Server Multiple Vulnerabilities Apr18 (Windows)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:http_server\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812846\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-1312\", \"CVE-2018-1283\", \"CVE-2017-15715\", \"CVE-2017-15710\",\n \"CVE-2018-1301\");\n script_bugtraq_id(103524, 103520, 103525, 103512, 103515);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-04-04 15:09:39 +0530 (Wed, 04 Apr 2018)\");\n script_name(\"Apache HTTP Server Multiple Vulnerabilities Apr18 (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Apache HTTP server\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Apache HTTP Server fails to correctly generate the nonce sent to prevent\n reply attacks.\n\n - Misconfigured mod_session variable, HTTP_SESSION.\n\n - Apache HTTP Server fails to sanitize the expression specified in '<FilesMatch>'.\n\n - An error in Apache HTTP Server 'mod_authnz_ldap' when configured with\n AuthLDAPCharsetConfig.\n\n - Apache HTTP Server fails to sanitize against a specially crafted request.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to replay HTTP requests across servers without detection, influence the user\n 
content, upload a malicious file, crash the Apache HTTP Server and perform\n denial of service attack.\");\n\n script_tag(name:\"affected\", value:\"Apache HTTP server versions from 2.4.1 to\n 2.4.4, 2.4.6, 2.4.7, 2.4.9, 2.4.10, 2.4.12, 2.4.16 to 2.4.18, 2.4.20, 2.4.23,\n 2.4.25 to 2.4.29 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 2.4.30 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_xref(name:\"URL\", value:\"https://httpd.apache.org/download.cgi\");\n script_xref(name:\"URL\", value:\"https://httpd.apache.org/security/vulnerabilities_24.html\");\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web Servers\");\n script_dependencies(\"secpod_apache_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"Host/runs_windows\", \"apache/installed\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!hport = get_app_port(cpe: CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:hport, exit_no_version:TRUE)) exit(0);\nvers = infos['version'];\npath = infos['location'];\n\nnot_affected = make_list(\"2.4.5\", \"2.4.8\", \"2.4.11\", \"2.4.13\", \"2.4.14\", \"2.4.15\", \"2.4.19\", \"2.4.21\", \"2.4.22\", \"2.4.24\");\nif(version_in_range(version:vers, test_version:\"2.4.1\", test_version2:\"2.4.29\"))\n{\n foreach version (not_affected){\n if(vers == version){\n exit(0);\n }\n }\n report = report_fixed_ver(installed_version:vers, fixed_version:\"2.4.30\" , install_path:path);\n security_message(port:hport, data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9798", 
"CVE-2018-1301", "CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303", "CVE-2018-1283"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-05-13T00:00:00", "id": "OPENVAS:1361412562310874436", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874436", "type": "openvas", "title": "Fedora Update for httpd FEDORA-2018-e6d9251471", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_e6d9251471_httpd_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for httpd FEDORA-2018-e6d9251471\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874436\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-13 05:47:20 +0200 (Sun, 13 May 2018)\");\n script_cve_id(\"CVE-2018-1303\", \"CVE-2018-1301\", \"CVE-2018-1312\", \"CVE-2017-15715\",\n \"CVE-2017-15710\", \"CVE-2018-1283\", \"CVE-2017-9798\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for httpd FEDORA-2018-e6d9251471\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'httpd'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"httpd on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-e6d9251471\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7YAANMOCNKDAROWX2LFUGFMRSDIRUENO\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.4.33~4.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:33:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191015", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191015", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for httpd (EulerOS-SA-2019-1015)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1015\");\n script_version(\"2020-01-23T11:27:19+0000\");\n script_cve_id(\"CVE-2017-15710\", \"CVE-2017-15715\", \"CVE-2018-1303\", \"CVE-2018-1312\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:27:19 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:27:19 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for httpd (EulerOS-SA-2019-1015)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-2\\.5\\.1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1015\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1015\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'httpd' package(s) announced via the EulerOS-SA-2019-1015 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. 
It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.(CVE-2018-1303)\n\nIn Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.(CVE-2017-15710)\n\n\nIn Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.(CVE-2017-15715)\n\nIn Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed.
In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.(CVE-2018-1312)\");\n\n script_tag(name:\"affected\", value:\"'httpd' package(s) on Huawei EulerOS Virtualization 2.5.1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-2.5.1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.4.6~40.4.h6\", rls:\"EULEROSVIRT-2.5.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.4.6~40.4.h6\", rls:\"EULEROSVIRT-2.5.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:35:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220181213", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181213", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for httpd (EulerOS-SA-2018-1213)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of 
the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1213\");\n script_version(\"2020-01-23T11:17:43+0000\");\n script_cve_id(\"CVE-2017-15710\", \"CVE-2017-15715\", \"CVE-2018-1303\", \"CVE-2018-1312\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:17:43 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:17:43 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for httpd (EulerOS-SA-2018-1213)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1213\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1213\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'httpd' package(s) announced via the EulerOS-SA-2018-1213 advisory.\");\n\n script_tag(name:\"vuldetect\", 
value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.(CVE-2017-15710)\n\nIn Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.(CVE-2017-15715)\n\nIn Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.(CVE-2018-1312)\n\nA specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache.
The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.(CVE-2018-1303)\");\n\n script_tag(name:\"affected\", value:\"'httpd' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.4.6~45.0.1.4.h10\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.4.6~45.0.1.4.h10\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.4.6~45.0.1.4.h10\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.4.6~45.0.1.4.h10\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.4.6~45.0.1.4.h10\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:34:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220181151", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181151", "type": "openvas", "title": "Huawei EulerOS: Security 
Advisory for httpd (EulerOS-SA-2018-1151)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1151\");\n script_version(\"2020-01-23T11:15:19+0000\");\n script_cve_id(\"CVE-2017-15710\", \"CVE-2017-15715\", \"CVE-2018-1312\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:15:19 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:15:19 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for httpd (EulerOS-SA-2018-1151)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1151\");\n 
script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1151\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'httpd' package(s) announced via the EulerOS-SA-2018-1151 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.(CVE-2017-15710)\n\nIn Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.(CVE-2017-15715)\n\nIn Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed.
In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.(CVE-2018-1312)\");\n\n script_tag(name:\"affected\", value:\"'httpd' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.4.6~45.0.1.4.h11\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.4.6~45.0.1.4.h11\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.4.6~45.0.1.4.h11\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.4.6~45.0.1.4.h11\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.4.6~45.0.1.4.h11\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2020-12-09T20:13:25", "description": "In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. 
This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.", "edition": 9, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-26T15:29:00", "title": "CVE-2017-15715", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15715"], "modified": "2019-08-15T09:15:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/a:apache:http_server:2.4.29", "cpe:/a:netapp:santricity_cloud_connector:-", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7.0", "cpe:/a:netapp:storage_automation_store:-", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:6.0", "cpe:/a:netapp:storagegrid:-", "cpe:/o:netapp:clustered_data_ontap:-", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-15715", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15715", 
"cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:apache:http_server:2.4.29:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2020-10-03T13:07:37", "description": "In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. 
In the more likely case, this memory is already reserved for future use and the issue has no effect at all.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-03-26T15:29:00", "title": "CVE-2017-15710", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15710"], "modified": "2019-08-15T09:15:00", "cpe": ["cpe:/a:apache:http_server:2.4.28", "cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/a:apache:http_server:2.4.12", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/a:apache:http_server:2.4.29", "cpe:/a:apache:http_server:2.4.1", "cpe:/a:netapp:santricity_cloud_connector:-", "cpe:/a:apache:http_server:2.4.17", "cpe:/a:apache:http_server:2.4.20", "cpe:/a:apache:http_server:2.4.18", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/a:apache:http_server:2.4.10", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:apache:http_server:2.4.2", "cpe:/a:apache:http_server:2.4.3", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/a:apache:http_server:2.4.26", "cpe:/a:apache:http_server:2.4.9", "cpe:/a:apache:http_server:2.4.6", 
"cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7.0", "cpe:/a:apache:http_server:2.4.16", "cpe:/a:apache:http_server:2.4.27", "cpe:/a:apache:http_server:2.4.23", "cpe:/a:apache:http_server:2.4.7", "cpe:/a:apache:http_server:2.4.4", "cpe:/a:apache:http_server:2.4.25", "cpe:/a:netapp:storage_automation_store:-", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:6.0", "cpe:/a:netapp:storagegrid:-", "cpe:/o:netapp:clustered_data_ontap:-", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-15710", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15710", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:apache:http_server:2.4.29:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.28:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.26:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.27:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*", 
"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.25:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2020-12-09T20:25:34", "description": "In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.", "edition": 11, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-26T15:29:00", "title": "CVE-2018-1312", "type": "cve", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1312"], "modified": "2019-07-29T19:15:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/a:apache:http_server:2.4.29", "cpe:/a:netapp:santricity_cloud_connector:-", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/a:apache:http_server:2.2.34", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7.0", "cpe:/a:netapp:storage_automation_store:-", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:6.0", "cpe:/a:netapp:storagegrid:-", "cpe:/o:netapp:clustered_data_ontap:-", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-1312", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1312", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.34:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:apache:http_server:2.4.29:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", 
"cpe:2.3:o:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2020-12-09T20:25:34", "description": "A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage.", "edition": 8, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-03-26T15:29:00", "title": "CVE-2018-1301", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1301"], "modified": "2019-08-15T09:15:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/a:apache:http_server:2.4.29", "cpe:/a:netapp:santricity_cloud_connector:-", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:debian:debian_linux:8.0", 
"cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7.0", "cpe:/a:netapp:storage_automation_store:-", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:6.0", "cpe:/a:netapp:storagegrid:-", "cpe:/o:netapp:clustered_data_ontap:-", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-1301", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1301", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:apache:http_server:2.4.29:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2020-12-09T20:25:33", "description": "In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a \"Session\" header. 
This comes from the \"HTTP_SESSION\" variable name used by mod_session to forward its data to CGIs, since the prefix \"HTTP_\" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.", "edition": 9, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 5.3, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-03-26T15:29:00", "title": "CVE-2018-1283", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1283"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/a:apache:http_server:2.4.29", "cpe:/a:netapp:santricity_cloud_connector:-", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7.0", "cpe:/a:netapp:storage_automation_store:-", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:6.0", "cpe:/a:netapp:storagegrid:-", "cpe:/o:netapp:clustered_data_ontap:-", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-1283", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1283", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:apache:http_server:2.4.29:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2020-12-09T20:25:34", "description": "A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. 
The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-03-26T15:29:00", "title": "CVE-2018-1303", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1303"], "modified": "2019-08-15T09:15:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/a:apache:http_server:2.4.29", "cpe:/a:netapp:santricity_cloud_connector:-", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/a:netapp:storage_automation_store:-", "cpe:/a:netapp:storagegrid:-", "cpe:/o:netapp:clustered_data_ontap:-", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-1303", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1303", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", 
"cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:apache:http_server:2.4.29:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}], "amazon": [{"lastseen": "2020-11-10T12:36:48", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1301", "CVE-2018-1302", "CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303", "CVE-2018-1283"], "description": "**Issue Overview:**\n\nUse-after-free on HTTP/2 stream shutdown \nWhen an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk. ([CVE-2018-1302 __](<https://access.redhat.com/security/cve/CVE-2018-1302>))\n\nBypass with a trailing newline in the file name \nIn Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename. 
([CVE-2017-15715 __](<https://access.redhat.com/security/cve/CVE-2017-15715>))\n\nOut of bounds read in mod_cache_socache can allow a remote attacker to cause a denial of service \nA specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability. ([CVE-2018-1303 __](<https://access.redhat.com/security/cve/CVE-2018-1303>))\n\nImproper handling of headers in mod_session can allow a remote user to modify session data for CGI applications \nIt has been discovered that the mod_session module of Apache HTTP Server (httpd), through version 2.4.29, has an improper input validation flaw in the way it handles HTTP session headers in some configurations. A remote attacker may influence their content by using a "Session" header. ([CVE-2018-1283 __](<https://access.redhat.com/security/cve/CVE-2018-1283>))\n\nOut of bound write in mod_authnz_ldap when using too small Accept-Language values \nIn Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. 
In the more likely case, this memory is already reserved for future use and the issue has no effect at all. ([CVE-2017-15710 __](<https://access.redhat.com/security/cve/CVE-2017-15710>))\n\nOut of bound access after failure in reading the HTTP request \nA specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage. ([CVE-2018-1301 __](<https://access.redhat.com/security/cve/CVE-2018-1301>))\n\nWeak Digest auth nonce generation in mod_auth_digest \nIn Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection. ([CVE-2018-1312 __](<https://access.redhat.com/security/cve/CVE-2018-1312>))\n\n \n**Affected Packages:** \n\n\nhttpd24\n\n \n**Issue Correction:** \nRun _yum update httpd24_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n httpd24-debuginfo-2.4.33-2.78.amzn1.i686 \n httpd24-2.4.33-2.78.amzn1.i686 \n mod24_session-2.4.33-2.78.amzn1.i686 \n mod24_md-2.4.33-2.78.amzn1.i686 \n mod24_ssl-2.4.33-2.78.amzn1.i686 \n httpd24-devel-2.4.33-2.78.amzn1.i686 \n httpd24-tools-2.4.33-2.78.amzn1.i686 \n mod24_proxy_html-2.4.33-2.78.amzn1.i686 \n mod24_ldap-2.4.33-2.78.amzn1.i686 \n \n noarch: \n httpd24-manual-2.4.33-2.78.amzn1.noarch \n \n src: \n httpd24-2.4.33-2.78.amzn1.src \n \n x86_64: \n httpd24-devel-2.4.33-2.78.amzn1.x86_64 \n httpd24-2.4.33-2.78.amzn1.x86_64 \n mod24_ssl-2.4.33-2.78.amzn1.x86_64 \n httpd24-debuginfo-2.4.33-2.78.amzn1.x86_64 \n mod24_ldap-2.4.33-2.78.amzn1.x86_64 \n mod24_proxy_html-2.4.33-2.78.amzn1.x86_64 \n mod24_session-2.4.33-2.78.amzn1.x86_64 \n mod24_md-2.4.33-2.78.amzn1.x86_64 \n httpd24-tools-2.4.33-2.78.amzn1.x86_64 \n \n \n", "edition": 5, "modified": "2018-05-03T16:29:00", "published": "2018-05-03T16:29:00", "id": "ALAS-2018-1004", "href": "https://alas.aws.amazon.com/ALAS-2018-1004.html", "title": "Medium: httpd24", "type": "amazon", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:31:57", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1301", "CVE-2018-1302", "CVE-2018-1312", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1303", "CVE-2018-1283"], "description": "\nThe Apache httpd reports:\n\nOut of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig\n\t enabled (CVE-2017-15710)\nmod_session: CGI-like applications that intend to read from\n\t mod_session's 'SessionEnv ON' could be fooled into reading\n\t user-supplied data instead. (CVE-2018-1283)\nmod_cache_socache: Fix request headers parsing to avoid a possible\n\t crash with specially crafted input data. (CVE-2018-1303)\ncore: Possible crash with excessively long HTTP request headers.\n\t Impractical to exploit with a production build and production\n\t LogLevel. 
(CVE-2018-1301)\ncore: Configure the regular expression engine to match '$' to the\n\t end of the input string only, excluding matching the end of any\n\t embedded newline characters. Behavior can be changed with new\n\t directive 'RegexDefaultOptions'. (CVE-2017-15715)\nmod_auth_digest: Fix generation of nonce values to prevent replay\n\t attacks across servers using a common Digest domain. This change\n\t may cause problems if used with round robin load balancers.\n\t (CVE-2018-1312)\nmod_http2: Potential crash w/ mod_http2. (CVE-2018-1302)\n\n", "edition": 7, "modified": "2018-03-27T00:00:00", "published": "2018-03-23T00:00:00", "id": "F38187E7-2F6E-11E8-8F07-B499BAEBFEAF", "href": "https://vuxml.freebsd.org/freebsd/f38187e7-2f6e-11e8-8f07-b499baebfeaf.html", "title": "apache -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:41", "bulletinFamily": "unix", "cvelist": ["CVE-2017-15710", "CVE-2017-15715", "CVE-2018-1283", "CVE-2018-1301", "CVE-2018-1302", "CVE-2018-1303", "CVE-2018-1312"], "description": "Arch Linux Security Advisory ASA-201804-4\n=========================================\n\nSeverity: Medium\nDate : 2018-04-04\nCVE-ID : CVE-2017-15710 CVE-2017-15715 CVE-2018-1283 CVE-2018-1301\nCVE-2018-1302 CVE-2018-1303 CVE-2018-1312\nPackage : apache\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-664\n\nSummary\n=======\n\nThe package apache before version 2.4.33-1 is vulnerable to multiple\nissues including session hijacking, access restriction bypass, content\nspoofing and denial of service.\n\nResolution\n==========\n\nUpgrade to 2.4.33-1.\n\n# pacman -Syu \"apache>=2.4.33-1\"\n\nThe problems have been fixed upstream in version 2.4.33.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2017-15710 (denial of service)\n\nIn Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 
2.4.29,\nmod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the\nAccept-Language header value to lookup the right charset encoding when\nverifying the user's credentials. If the header value is not present in\nthe charset conversion table, a fallback mechanism is used to truncate\nit to a two characters value to allow a quick retry (for example, 'en-\nUS' is truncated to 'en'). A header value of less than two characters\nforces an out of bound write of one NUL byte to a memory location that\nis not part of the string. In the worst case, quite unlikely, the\nprocess would crash which could be used as a Denial of Service attack.\nIn the more likely case, this memory is already reserved for future use\nand the issue has no effect at all.\n\n- CVE-2017-15715 (access restriction bypass)\n\nIn Apache httpd 2.4.0 before 2.4.30, the expression specified in\n<FilesMatch> could match '$' to a newline character in a malicious\nfilename, rather than matching only the end of the filename. This could\nbe exploited in environments where uploads of some files are externally\nblocked, but only by matching the trailing portion of the filename.\n\n- CVE-2018-1283 (session hijacking)\n\nIn Apache httpd 2.2.0 before 2.4.30, when mod_session is configured to\nforward its session data to CGI applications (SessionEnv on, not the\ndefault), a remote user may influence their content by using a\n\"Session\" header. This comes from the \"HTTP_SESSION\" variable name used\nby mod_session to forward its data to CGIs, since the prefix \"HTTP_\" is\nalso used by the Apache HTTP Server to pass HTTP header fields, per CGI\nspecifications.\n\n- CVE-2018-1301 (denial of service)\n\nA specially crafted request could have crashed the Apache HTTP Server\nprior to version 2.4.30, due to an out of bound access after a size\nlimit is reached by reading the HTTP header. 
This vulnerability is\nconsidered very hard if not impossible to trigger in non-debug mode\n(both log and build level), so it is classified as low risk for common\nserver usage.\n\n- CVE-2018-1302 (denial of service)\n\nWhen an HTTP/2 stream was destroyed after being handled, the Apache\nHTTP Server prior to version 2.4.30 could have written a NULL pointer\npotentially to an already freed memory. The memory pools maintained by\nthe server make this vulnerability hard to trigger in usual\nconfigurations, the reporter and the team could not reproduce it\noutside debug builds, so it is classified as low risk.\n\n- CVE-2018-1303 (denial of service)\n\nA specially crafted HTTP request header could have crashed the Apache\nHTTP Server prior to version 2.4.30 due to an out of bound read while\npreparing data to be cached in shared memory. It could be used as a\nDenial of Service attack against users of mod_cache_socache.\n\n- CVE-2018-1312 (content spoofing)\n\nIn Apache httpd 2.2.0 before 2.4.30, when generating an HTTP Digest\nauthentication challenge, the nonce sent to prevent reply attacks was\nnot correctly generated using a pseudo-random seed. 
In a cluster of\nservers using a common Digest authentication configuration, HTTP\nrequests could be replayed across servers by an attacker without\ndetection.\n\nImpact\n======\n\nA remote attacker is able to crash a server, hijack a user session,\nupload arbitrary files or spoof requests by providing a crafted\nrequest.\n\nReferences\n==========\n\nhttps://httpd.apache.org/security/vulnerabilities_24.html\nhttps://security.archlinux.org/CVE-2017-15710\nhttps://security.archlinux.org/CVE-2017-15715\nhttps://security.archlinux.org/CVE-2018-1283\nhttps://security.archlinux.org/CVE-2018-1301\nhttps://security.archlinux.org/CVE-2018-1302\nhttps://security.archlinux.org/CVE-2018-1303\nhttps://security.archlinux.org/CVE-2018-1312", "modified": "2018-04-04T00:00:00", "published": "2018-04-04T00:00:00", "id": "ASA-201804-4", "href": "https://security.archlinux.org/ASA-201804-4", "type": "archlinux", "title": "[ASA-201804-4] apache: multiple issues", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2019-10-03T16:28:09", "bulletinFamily": "software", "cvelist": ["CVE-2017-15710"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-03-30T23:12:00", "published": "2018-03-30T22:51:00", "id": "F5:K14027805", "href": 
"https://support.f5.com/csp/article/K14027805", "title": "Apache vulnerability CVE-2017-15710", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-10-09T00:29:38", "bulletinFamily": "software", "cvelist": ["CVE-2017-15715"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-04-05T23:34:00", "published": "2018-04-05T23:34:00", "id": "F5:K27757011", "href": "https://support.f5.com/csp/article/K27757011", "title": "Apache HTTPD vulnerability CVE-2017-15715", "type": "f5", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-06T22:40:07", "bulletinFamily": "software", "cvelist": ["CVE-2018-1301"], "description": "\nF5 Product Development has assigned ID 714238 (BIG-IP), ID 714373 (Enterprise Manager), and ID 431234 (ARX) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H78131906 on the **Diagnostics** > **Identified** > **Low** page.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. 
To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator, WebSafe) | 14.x | 14.0.0 - 14.1.2 | None | Low | [3.7](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L>) | httpd \n13.x | 13.0.0 - 13.1.0 | None \n12.x | 12.1.0 - 12.1.3 | None \n11.x | 11.2.1 - 11.6.3 | None \nARX | 6.x | 6.2.0 - 6.4.0 | None | Low | [3.7](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L>) | httpd \nEnterprise Manager | 3.x | 3.1.1 | None | Low | [3.7](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L>) | httpd \nBIG-IQ Centralized Management | 5.x | None | Not applicable | Not vulnerable | None | None \n4.x | None | Not applicable \nBIG-IQ Cloud and Orchestration | 1.x | None | Not applicable | Not vulnerable | None | None \nF5 iWorkflow | 2.x | None | Not applicable | Not vulnerable | None | None \nLineRate | 2.x | None | Not applicable | Not vulnerable | None | None \nTraffix SDC | 5.x | 5.0.0 - 5.1.0 | None | Low | [3.7](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L>) | httpd \n4.x | 4.0.5 - 4.4.0 | None \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Fixes introduced in** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nThere is no mitigation. However, this vulnerability is considered very hard if not impossible to trigger in non-debug mode. If debug log level is required for **httpd**, F5 recommends that you enable it only during active troubleshooting and do not leave debug logging enabled in production on a normal basis.\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2020-02-10T10:10:00", "published": "2018-04-11T23:33:00", "id": "F5:K78131906", "href": "https://support.f5.com/csp/article/K78131906", "title": "Apache HTTPD vulnerability CVE-2018-1301", "type": "f5", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-10-10T20:29:51", "bulletinFamily": "software", "cvelist": ["CVE-2018-1312"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found 
to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-04-09T20:54:00", "published": "2018-04-09T20:54:00", "id": "F5:K22902581", "href": "https://support.f5.com/csp/article/K22902581", "title": "Apache mod_auth_digest vulnerability CVE-2018-1312", "type": "f5", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-10T02:30:08", "bulletinFamily": "software", "cvelist": ["CVE-2018-1283"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-04-06T08:40:00", "published": "2018-04-06T08:40:00", "id": "F5:K94597539", "href": "https://support.f5.com/csp/article/K94597539", "title": "Apache httpd vulnerability CVE-2018-1283", "type": "f5", "cvss": {"score": 3.5, 
"vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2019-10-03T20:28:47", "bulletinFamily": "software", "cvelist": ["CVE-2018-1303"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-04-02T19:06:00", "published": "2018-04-02T19:06:00", "id": "F5:K20623215", "href": "https://support.f5.com/csp/article/K20623215", "title": "Apache mod_cache_socache vulnerability CVE-2018-1303", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "debian": [{"lastseen": "2019-05-30T02:22:02", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1301", "CVE-2018-1312", "CVE-2017-15710"], "description": "Package : apache2\nVersion : 2.2.22-13+deb7u13\nCVE ID : CVE-2017-15710 CVE-2018-1301 CVE-2018-1312\nDebian Bug : \n\n\nSeveral vulnerabilities have been found in the Apache HTTPD server.\n\nCVE-2017-15710\n\n Alex Nichols and Jakob Hirsch reported that mod_authnz_ldap, if\n configured with AuthLDAPCharsetConfig, could cause an out of bound write\n if supplied with a crafted Accept-Language header. 
This could\n potentially be used for a Denial of Service attack.\n\nCVE-2018-1301\n\n Robert Swiecki reported that a specially crafted request could have\n crashed the Apache HTTP Server, due to an out of bound access after\n a size limit is reached by reading the HTTP header.\nCVE-2018-1312\n\n Nicolas Daniels discovered that when generating an HTTP Digest\n authentication challenge, the nonce sent by mod_auth_digest to\n prevent reply attacks was not correctly generated using a\n pseudo-random seed. In a cluster of servers using a common Digest\n authentication configuration, HTTP requests could be replayed across\n servers by an attacker without detection.\n\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n2.2.22-13+deb7u13.\n\nWe recommend that you upgrade your apache2 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2018-05-30T13:25:03", "published": "2018-05-30T13:25:03", "id": "DEBIAN:DLA-1389-1:75ED8", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201805/msg00020.html", "title": "[SECURITY] [DLA 1389-1] apache2 security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:44:35", "bulletinFamily": "unix", "cvelist": ["CVE-2017-15710", "CVE-2017-15715", "CVE-2018-0739", "CVE-2018-1000168", "CVE-2018-11759", "CVE-2018-11763", "CVE-2018-1283", "CVE-2018-1301", "CVE-2018-1302", "CVE-2018-1303", "CVE-2018-1312", "CVE-2018-1333"], "description": "Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. 
This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.\n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.29 Service Pack 1 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.29, and includes bug fixes for CVEs which are linked to in the References section.\n\nSecurity Fixes:\n\n* httpd: DoS for HTTP/2 connections by continuous SETTINGS (CVE-2018-11763)\n\n* httpd: Weak Digest auth nonce generation in mod_auth_digest\n(CVE-2018-1312)\n\n* httpd: Out of bound access after failure in reading the HTTP request\n(CVE-2018-1301)\n\n* httpd: Use-after-free on HTTP/2 stream shutdown (CVE-2018-1302)\n\n* httpd: <FilesMatch> bypass with a trailing newline in the file name\n(CVE-2017-15715)\n\n* httpd: Out of bound write in mod_authnz_ldap when using too small\nAccept-Language values (CVE-2017-15710)\n\n* httpd: Out of bounds read in mod_cache_socache can allow a remote\nattacker to cause a denial of service (CVE-2018-1303)\n\n* httpd: Improper handling of headers in mod_session can allow a remote\nuser to modify session data for CGI applications (CVE-2018-1283)\n\n* httpd: mod_http2: too much time allocated to workers, possibly leading to\nDoS (CVE-2018-1333)\n\n* mod_jk: connector path traversal due to mishandled HTTP requests in httpd\n(CVE-2018-11759)\n\n* nghttp2: Null pointer dereference when too large ALTSVC frame is received\n(CVE-2018-1000168)\n\n* openssl: Handling of crafted recursive ASN.1 structures can cause a stack\noverflow and resulting denial of service (CVE-2018-0739)\n\nDetails around each issue, including information about the CVE, severity of\nthe issue, and the CVSS score, can be found on the CVE pages listed in the\nReference section below.", "modified": "2019-02-18T21:49:34", "published": "2019-02-18T21:47:10", "id": "RHSA-2019:0367", 
"href": "https://access.redhat.com/errata/RHSA-2019:0367", "type": "redhat", "title": "(RHSA-2019:0367) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T14:35:37", "bulletinFamily": "unix", "cvelist": ["CVE-2017-10140", "CVE-2017-15710", "CVE-2017-15715", "CVE-2018-0739", "CVE-2018-1000168", "CVE-2018-11759", "CVE-2018-11763", "CVE-2018-1283", "CVE-2018-1301", "CVE-2018-1302", "CVE-2018-1303", "CVE-2018-1312", "CVE-2018-1333"], "description": "This release adds the new Apache HTTP Server 2.4.29 Service Pack 1 packages that are part\nof the JBoss Core Services offering.\n\nThis release serves as a replacement for Red Hat JBoss Core Services\nApache HTTP Server 2.4.29, and includes bug fixes and enhancements. Refer\nto the Release Notes for information on the most significant bug fixes,\nenhancements and component upgrades included in this release.\n\nSecurity Fix(es):\n\n* db4: libdb: Reads DB_CONFIG from the current working directory (CVE-2017-10140)\n* httpd: DoS for HTTP/2 connections by continuous SETTINGS (CVE-2018-11763)\n* httpd: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)\n* httpd: Out of bound access after failure in reading the HTTP request (CVE-2018-1301)\n* httpd: Use-after-free on HTTP/2 stream shutdown (CVE-2018-1302)\n* httpd: <FilesMatch> bypass with a trailing newline in the file name (CVE-2017-15715)\n* httpd: Out of bound write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)\n* httpd: Out of bounds read in mod_cache_socache can allow a remote attacker to cause a denial of service (CVE-2018-1303)\n* httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications (CVE-2018-1283)\n* httpd: mod_http2: too much time allocated to workers, possibly leading to DoS (CVE-2018-1333)\n* mod_jk: connector path traversal due to 
mishandled HTTP requests in httpd (CVE-2018-11759)\n* nghttp2: Null pointer dereference when too large ALTSVC frame is received (CVE-2018-1000168)\n* openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service (CVE-2018-0739)\n\nDetails around this issue, including information about the CVE, severity of\nthe issue, and the CVSS score can be found on the CVE page listed in the\nReference section below.\n\nThe CVE-2018-1000168 issue was discovered by The Nghttp2 Project.", "modified": "2019-02-18T21:45:48", "published": "2019-02-18T21:45:31", "id": "RHSA-2019:0366", "href": "https://access.redhat.com/errata/RHSA-2019:0366", "type": "redhat", "title": "(RHSA-2019:0366) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 SP1 security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-07T18:05:07", "bulletinFamily": "unix", "cvelist": ["CVE-2017-15715", "CVE-2018-1283", "CVE-2018-1303", "CVE-2019-10098", "CVE-2020-1927", "CVE-2020-1934"], "description": "The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es):\n\n* httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications (CVE-2018-1283)\n\n* httpd: Out of bounds read in mod_cache_socache can allow a remote attacker to cause DoS (CVE-2018-1303)\n\n* httpd: mod_rewrite configurations vulnerable to open redirect (CVE-2020-1927)\n\n* httpd: <FilesMatch> bypass with a trailing newline in the file name (CVE-2017-15715)\n\n* httpd: mod_rewrite potential open redirect (CVE-2019-10098)\n\n* httpd: mod_proxy_ftp use of uninitialized value (CVE-2020-1934)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information 
on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.", "modified": "2020-09-29T13:41:44", "published": "2020-09-29T11:46:42", "id": "RHSA-2020:3958", "href": "https://access.redhat.com/errata/RHSA-2020:3958", "type": "redhat", "title": "(RHSA-2020:3958) Moderate: httpd security, bug fix, and enhancement update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-02T17:39:15", "bulletinFamily": "unix", "cvelist": ["CVE-2017-15710", "CVE-2018-1301", "CVE-2018-17199"], "description": "The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es):\n\n* httpd: mod_session_cookie does not respect expiry time (CVE-2018-17199)\n\n* httpd: Out of bounds write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)\n\n* httpd: Out of bounds access after failure in reading the HTTP request (CVE-2018-1301)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.", "modified": "2020-03-31T14:09:22", "published": "2020-03-31T13:21:40", "id": "RHSA-2020:1121", "href": "https://access.redhat.com/errata/RHSA-2020:1121", "type": "redhat", "title": "(RHSA-2020:1121) Moderate: httpd security, bug fix, and enhancement update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "symantec": [{"lastseen": "2020-12-24T10:40:20", "bulletinFamily": "software", "cvelist": ["CVE-2017-12171", "CVE-2017-15710", "CVE-2017-15715", "CVE-2017-9788", "CVE-2017-9789", "CVE-2017-9798", "CVE-2018-11763", "CVE-2018-1283", "CVE-2018-1301", "CVE-2018-1302", "CVE-2018-1303", "CVE-2018-1312", "CVE-2018-1333", 
"CVE-2018-8011"], "description": "### SUMMARY \n\nSymantec Network Protection products using affected versions of Apache httpd are susceptible to multiple security vulnerabilities. A remote attacker can obtain sensitive information, bypass intended security restrictions, modify session information in CGI applications, replay authenticated HTTP requests, and cause denial of service.\n\n \n\n### AFFECTED PRODUCTS \n\n**Content Analysis (CA)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2017-9788 | 1.3, 2.1 | Not vulnerable \n2.2 | Upgrade to later version with fixes. \n2.3 and later | Not vulnerable, fixed in 2.3.1.1 \nCVE-2018-1301, CVE-2018-1303 | 1.3, 2.1 | Not vulnerable \n2.2 | Upgrade to later version with fixes. \n2.3, 2.4, 3.0, 3.1 | Not available at this time \n \n \n\nDirector \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2017-9788, CVE-2017-9798, \nCVE-2017-15710, CVE-2018-1301, \nCVE-2018-1302, CVE-2018-1303, \nCVE-2018-1312 | 6.1 | Upgrade to a version of MC with the fixes. \n \n \n\n**Malware Analysis (MA)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2018-1301 | 4.2 | Upgrade to 4.2.12. \n \n \n\nSecurity Analytics (SA) \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2018-1301 | 7.1, 7.3, 8.0 | Upgrade to later version with fixes. \n7.2 | Not available at this time \n8.1 | Not vulnerable, fixed in 8.1.1 \nCVE-2018-1303 | 7.1, 7.2 | Not vulnerable \n7.3, 8.0 | Upgrade to later version with fixes. 
\n8.1 | Not vulnerable, fixed in 8.1.1 \n \n \n\n### ADDITIONAL PRODUCT INFORMATION \n\nThe following products are not vulnerable: \n**Advanced Secure Gateway \nAuthConnector \nBCAAA \nCacheFlow \nCloud Data Protection for ServiceNow \nCloud Data Protection for Oracle CRM On Demand \nCloud Data Protection Integration Server \nCloud Data Protection Communication Server \nGeneral Auth Connector Login Application \nHSM Agent for the Luna SP \nIntelligenceCenter \nIntelligenceCenter Data Collector \nMail Threat Defense \nManagement Center \nNorman Shark Industrial Control System Protection \nPacketShaper \nPacketShaper S-Series \nPolicyCenter \nPolicyCenter S-Series \nProxyAV \nProxyAV ConLog and ConLogXP \nProxySG \nReporter \nSSL Visibility \nUnified Agent \nWeb Isolation \nWSS Mobile Agent \nX-Series XOS**\n\n \n\n### ISSUES\n\nCVE-2017-9788 \n--- \n**Severity / CVSSv3** | Critical / 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) \n**References** | SecurityFocus: [BID 99569](<https://www.securityfocus.com/bid/99569>) / NVD: [CVE-2017-9788](<https://nvd.nist.gov/vuln/detail/CVE-2017-9788>) \n**Impact** | Denial of service \n**Description** | A flaw in authorization header handling allows a remote attacker to send HTTP requests with crafted authorization headers and obtain sensitive information from server memory or cause denial of service. \n \n \n\nCVE-2017-9789 \n--- \n**Severity / CVSSv3** | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n**References** | SecurityFocus: [BID 99568](<https://www.securityfocus.com/bid/99568>) / NVD: [CVE-2017-9789](<https://nvd.nist.gov/vuln/detail/CVE-2017-9789>) \n**Impact** | Unspecified \n**Description** | A flaw in HTTP/2 handling allows a remote attacker to cause the server, while closing many connections under stress, to behave erratically and have unspecified impact. 
\n \n \n\nCVE-2017-9798 \n--- \n**Severity / CVSSv3** | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n**References** | SecurityFocus: [BID 100872](<https://www.securityfocus.com/bid/100872>) / NVD: [CVE-2017-9798](<https://nvd.nist.gov/vuln/detail/CVE-2017-9798>) \n**Impact** | Denial of service \n**Description** | A flaw in HTTP method handling allows a remote attacker to send OPTIONS requests and obtain sensitive information from server memory or cause denial of service. \n \n \n\nCVE-2017-12171 \n--- \n**Severity / CVSSv3** | Medium / 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) \n**References** | SecurityFocus: [BID 101516](<https://www.securityfocus.com/bid/101516>) / NVD: [CVE-2017-12171](<https://nvd.nist.gov/vuln/detail/CVE-2017-12171>) \n**Impact** | Information disclosure \n**Description** | A flaw in configuration parsing allows a web administrator to unintentionally grant access to a restricted HTTP resource to any client. \n \n \n\nCVE-2017-15710 \n--- \n**Severity / CVSSv3** | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n**References** | SecurityFocus: [BID 103512](<https://www.securityfocus.com/bid/103512>) / NVD: [CVE-2017-15710](<https://nvd.nist.gov/vuln/detail/CVE-2017-15710>) \n**Impact** | Denial of service \n**Description** | A flaw in request handling allows a remote attacker to send HTTP requests with crafted Accept-Language headers and cause denial-of-service. \n \n \n\nCVE-2017-15715 \n--- \n**Severity / CVSSv3** | High / 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n**References** | SecurityFocus: [BID 103525](<https://www.securityfocus.com/bid/103525>) / NVD: [CVE-2017-15715](<https://nvd.nist.gov/vuln/detail/CVE-2017-15715>) \n**Impact** | Security control bypass \n**Description** | A flaw in filename matching allows a remote attacker to upload files with crafted filenames and bypass intended security restrictions. 
\n \n \n\nCVE-2018-1283 \n--- \n**Severity / CVSSv3** | Medium / 5.3 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N) \n**References** | SecurityFocus: [BID 103520](<https://www.securityfocus.com/bid/103520>) / NVD: [CVE-2018-1283](<https://nvd.nist.gov/vuln/detail/CVE-2018-1283>) \n**Impact** | Unauthorized modification of information \n**Description** | A flaw in request header handling allows a remote attacker to modify session information shared from mod_session to CGI applications. \n \n \n\nCVE-2018-1301 \n--- \n**Severity / CVSSv3** | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n**References** | SecurityFocus: [BID 103515](<https://www.securityfocus.com/bid/103515>) / NVD: [CVE-2018-1301](<https://nvd.nist.gov/vuln/detail/CVE-2018-1301>) \n**Impact** | Denial of service \n**Description** | A flaw in request header handling allows a remote attacker to send crafted HTTP requests and cause an application crash, resulting in denial of service. \n \n \n\nCVE-2018-1302 \n--- \n**Severity / CVSSv3** | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n**References** | SecurityFocus: [BID 103528](<https://www.securityfocus.com/bid/103528>) / NVD: [CVE-2018-1302](<https://nvd.nist.gov/vuln/detail/CVE-2018-1302>) \n**Impact** | Denial of service \n**Description** | A flaw in HTTP/2 connection handling allows a remote attacker to send HTTP/2 requests and cause an application crash, resulting in denial of service. \n \n \n\nCVE-2018-1303 \n--- \n**Severity / CVSSv3** | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n**References** | SecurityFocus: [BID 103522](<https://www.securityfocus.com/bid/103522>) / NVD: [CVE-2018-1303](<https://nvd.nist.gov/vuln/detail/CVE-2018-1303>) \n**Impact** | Denial of service \n**Description** | A flaw in HTTP request handling allows a remote attacker to send crafted HTTP requests and cause an application crash, resulting in denial of service. 
\n \n \n\nCVE-2018-1312 \n--- \n**Severity / CVSSv3** | Critical / 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n**References** | SecurityFocus: [BID 103524](<https://www.securityfocus.com/bid/103524>) / NVD: [CVE-2018-1312](<https://nvd.nist.gov/vuln/detail/CVE-2018-1312>) \n**Impact** | Authentication bypass \n**Description** | A flaw in nonce generation for HTTP Digest authentication challenges allows a remote attacker to replay HTTP requests between servers in the same cluster. \n \n \n\nCVE-2018-1333 \n--- \n**Severity / CVSSv3** | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n**References** | NVD: [CVE-2018-1333](<https://nvd.nist.gov/vuln/detail/CVE-2018-1333>) \n**Impact** | Denial of service \n**Description** | A flaw in worker allocation allows a remote attacker to send crafted HTTP/2 requests and cause worker exhaustion, resulting in denial of service. \n \n \n\nCVE-2018-8011 \n--- \n**Severity / CVSSv3** | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n**References** | NVD: [CVE-2018-8011](<https://nvd.nist.gov/vuln/detail/CVE-2018-8011>) \n**Impact** | Denial of service \n**Description** | A flaw in request handling allows a remote attacker to send crafted HTTP requests and cause denial-of-service. \n \n \n\nCVE-2018-11763 \n--- \n**Severity / CVSSv3** | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n**References** | SecurityFocus: [BID 105414](<https://www.securityfocus.com/bid/105414>) / NVD: [CVE-2018-11763](<https://nvd.nist.gov/vuln/detail/CVE-2018-11763>) \n**Impact** | Denial of service \n**Description** | A flaw in HTTP/2 connection handling allows a remote attacker to send continuous large SETTINGS frames and cause denial-of-service. 
\n \n \n\n### REFERENCES\n\nApache HTTP Server 2.2 vulnerabilities - <https://httpd.apache.org/security/vulnerabilities_22.html> \nApache HTTP Server 2.4 vulnerabilities - <https://httpd.apache.org/security/vulnerabilities_24.html>\n\n \n\n### REVISION \n\n2020-11-18 A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes. \n2020-11-12 Content Analysis 3.1 is vulnerable to CVE-2018-1301 and CVE-2018-1303. \n2020-04-08 Content Analysis 2.4 and 3.0 are vulnerable to CVE-2018-1301 and CVE-2018-1303. Security Analytics 8.1 is not vulnerable because a fix is available in 8.1.1. \n2020-01-19 A fix for MA 4.2 is available in 4.2.12. \n2019-10-03 Web Isolation is not vulnerable. \n2019-09-04 Security Analytics 7.3 and 8.0 are vulnerable to CVE-2018-1303. IntelligenceCenter and IntelligenceCenter Data Collector are not vulnerable. \n2019-02-04 A fix for CA 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. Added remaining CVSS v3 base scores from NVD. \n2019-01-21 Security Analytics 8.0 is vulnerable to CVE-2018-1301. \n2018-11-14 Security Analytics 7.1, 7.2, and 7.3 are vulnerable to CVE-2018-1301. 
\n2018-11-07 initial public release\n", "modified": "2020-12-22T02:17:34", "published": "2018-11-07T08:01:01", "id": "SMNTC-1457", "href": "", "type": "symantec", "title": "Apache HTTP Server Vulnerabilities Jul 2017 - Sep 2018", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2020-10-20T23:11:33", "bulletinFamily": "unix", "cvelist": ["CVE-2020-1927", "CVE-2019-10098", "CVE-2017-15715", "CVE-2018-1303", "CVE-2020-1934", "CVE-2018-1283"], "description": "**CentOS Errata and Security Advisory** CESA-2020:3958\n\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es):\n\n* httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications (CVE-2018-1283)\n\n* httpd: Out of bounds read in mod_cache_socache can allow a remote attacker to cause DoS (CVE-2018-1303)\n\n* httpd: mod_rewrite configurations vulnerable to open redirect (CVE-2020-1927)\n\n* httpd: <FilesMatch> bypass with a trailing newline in the file name (CVE-2017-15715)\n\n* httpd: mod_rewrite potential open redirect (CVE-2019-10098)\n\n* httpd: mod_proxy_ftp use of uninitialized value (CVE-2020-1934)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-October/012727.html\n\n**Affected packages:**\nhttpd\nhttpd-devel\nhttpd-manual\nhttpd-tools\nmod_ldap\nmod_proxy_html\nmod_session\nmod_ssl\n\n**Upstream details at:**\n", "edition": 1, "modified": "2020-10-20T18:13:33", "published": "2020-10-20T18:13:33", "id": "CESA-2020:3958", "href": 
"http://lists.centos.org/pipermail/centos-cr-announce/2020-October/012727.html", "title": "httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-08T22:42:03", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1301", "CVE-2017-15710", "CVE-2018-17199"], "description": "**CentOS Errata and Security Advisory** CESA-2020:1121\n\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es):\n\n* httpd: mod_session_cookie does not respect expiry time (CVE-2018-17199)\n\n* httpd: Out of bounds write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)\n\n* httpd: Out of bounds access after failure in reading the HTTP request (CVE-2018-1301)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2020-April/012463.html\n\n**Affected packages:**\nhttpd\nhttpd-devel\nhttpd-manual\nhttpd-tools\nmod_ldap\nmod_proxy_html\nmod_session\nmod_ssl\n\n**Upstream details at:**\n", "edition": 1, "modified": "2020-04-08T18:07:48", "published": "2020-04-08T18:07:48", "id": "CESA-2020:1121", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2020-April/012463.html", "title": "httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "oraclelinux": [{"lastseen": "2020-10-07T06:47:29", "bulletinFamily": "unix", "cvelist": ["CVE-2020-1927", "CVE-2019-10098", "CVE-2017-15715", 
"CVE-2018-1303", "CVE-2020-1934", "CVE-2018-1283"], "description": "[2.4.6-95.0.1]\n- replace index.html with Oracles index page oracle_index.html\n[2.4.6-95]\n- Resolves: #1823262 - CVE-2020-1934 httpd: mod_proxy_ftp use of uninitialized\n value\n[2.4.6-94]\n- Resolves: #1565491 - CVE-2017-15715 httpd: <FilesMatch>\n bypass with a trailing\n newline in the file name\n- Resolves: #1747283 - CVE-2019-10098 httpd: mod_rewrite potential open redirect\n- Resolves: #1724879 - httpd terminates all SSL connections using an abortive\n shutdown\n- Resolves: #1715981 - Backport of SessionExpiryUpdateInterval directive\n- Resolves: #1565457 - CVE-2018-1303 httpd: Out of bounds read in\n mod_cache_socache can allow a remote attacker to cause a denial of service\n- Resolves: #1566531 - CVE-2018-1283 httpd: Improper handling of headers in\n mod_session can allow a remote user to modify session data for CGI applications", "edition": 1, "modified": "2020-10-06T00:00:00", "published": "2020-10-06T00:00:00", "id": "ELSA-2020-3958", "href": "http://linux.oracle.com/errata/ELSA-2020-3958.html", "title": "httpd security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-09T02:44:25", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1301", "CVE-2017-15710", "CVE-2018-17199"], "description": "[2.4.6-93.0.1]\n- replace index.html with Oracles index page oracle_index.html\n[2.4.6-93]\n- Resolves: #1677496 - CVE-2018-17199 httpd: mod_session_cookie does not respect\n expiry time\n[2.4.6-92]\n- htpasswd: add SHA-2 crypt() support (#1486889)\n[2.4.6-91]\n- Resolves: #1630886 - scriptlet can fail if hostname is not installed\n- Resolves: #1565465 - CVE-2017-15710 httpd: Out of bound write in\n mod_authnz_ldap when using too small Accept-Language values\n- Resolves: #1568298 - CVE-2018-1301 httpd: Out of bounds access after\n failure in reading the HTTP request\n- Resolves: #1673457 - Apache child process crashes 
because ScriptAliasMatch\n directive\n- Resolves: #1633152 - mod_session missing apr-util-openssl\n- Resolves: #1649470 - httpd response contains garbage in Content-Type header\n- Resolves: #1724034 - Unexpected OCSP in proxy SSL connection", "edition": 1, "modified": "2020-04-06T00:00:00", "published": "2020-04-06T00:00:00", "id": "ELSA-2020-1121", "href": "http://linux.oracle.com/errata/ELSA-2020-1121.html", "title": "httpd security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "httpd": [{"lastseen": "2020-12-24T14:26:49", "bulletinFamily": "software", "cvelist": ["CVE-2017-15715"], "description": "\nThe expression specified in <FilesMatch> could match '$' to a newline character\nin a malicious filename, rather than matching only the end of the filename.\nThis could be exploited in environments where uploads of some files are\nexternally blocked, but only by matching the trailing portion of the filename.\n", "edition": 6, "modified": "2018-03-21T00:00:00", "published": "2017-11-24T00:00:00", "id": "HTTPD:13B5FCC9676077F8FD08063C83511140", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: <FilesMatch> bypass with a trailing newline in the file name", "type": "httpd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-03-26T01:36:27", "bulletinFamily": "software", "cvelist": ["CVE-2017-15715"], "description": "\nThe expression specified in <FilesMatch> could match '$' to a newline character\nin a malicious filename, rather than matching only the end of the filename.\nThis could be exploited in environments where uploads of some files are\nexternally blocked, but only by matching the trailing portion of the filename.\n", "edition": 1, "modified": "2018-03-21T00:00:00", "published": "2017-11-24T00:00:00", "href": "https://httpd.apache.org/security_report.html", "id": "HTTPD:94C27BCF50CA81A222019B9F06735AA1", 
"type": "httpd", "title": "Apache Httpd < 2.4.30: <FilesMatch> bypass with a trailing newline in the file name", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-03-26T01:36:27", "bulletinFamily": "software", "cvelist": ["CVE-2017-15710"], "description": "\nmod_authnz_ldap, if configured with AuthLDAPCharsetConfig,\nuses the Accept-Language header value to look up the right charset encoding\nwhen verifying the user's credentials.\nIf the header value is not present in the charset conversion\ntable, a fallback mechanism is used to truncate it to a two\ncharacters value to allow a quick retry (for example, 'en-US' is truncated\nto 'en'). A header value of less than two characters forces an out of bound\nwrite of one NUL byte to a memory location that is not part of the string.\nIn the worst case, quite unlikely, the process would crash which could\nbe used as a Denial of Service attack. In the more likely case, this memory is\nalready reserved for future use and the issue has no effect at all.\n", "edition": 1, "modified": "2018-03-21T00:00:00", "published": "2017-12-07T00:00:00", "href": "https://httpd.apache.org/security_report.html", "id": "HTTPD:55F8C86BB4FE80544B301C6F772E1F21", "type": "httpd", "title": "Apache Httpd < 2.4.30: Out of bound write in mod_authnz_ldap when using too small Accept-Language values", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-12-24T14:26:49", "bulletinFamily": "software", "cvelist": ["CVE-2017-15710"], "description": "\nmod_authnz_ldap, if configured with AuthLDAPCharsetConfig,\nuses the Accept-Language header value to look up the right charset encoding\nwhen verifying the user's credentials.\nIf the header value is not present in the charset conversion\ntable, a fallback mechanism is used to truncate it to a two\ncharacters value to allow a quick retry (for example, 'en-US' is truncated\nto 'en'). 
A header value of less than two characters forces an out of bound\nwrite of one NUL byte to a memory location that is not part of the string.\nIn the worst case, quite unlikely, the process would crash which could\nbe used as a Denial of Service attack. In the more likely case, this memory is\nalready reserved for future use and the issue has no effect at all.\n", "edition": 6, "modified": "2018-03-21T00:00:00", "published": "2017-12-07T00:00:00", "id": "HTTPD:E05CACB9D575871BA1E3088D02930266", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: Out of bound write in mod_authnz_ldap when using too small Accept-Language values", "type": "httpd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-24T14:26:49", "bulletinFamily": "software", "cvelist": ["CVE-2018-1301"], "description": "\nA specially crafted request could have crashed the Apache HTTP Server prior to\nversion 2.4.33, due to an out of bound access after a size limit is reached by\nreading the HTTP header. This vulnerability is considered very hard if not\nimpossible to trigger in non-debug mode (both log and build level), so it is\nclassified as low risk for common server usage.\n", "edition": 7, "modified": "2018-03-21T00:00:00", "published": "2018-01-23T00:00:00", "id": "HTTPD:D26FFC4C8AA598C5F130A0223836644E", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: Possible out of bound access after failure in reading the HTTP request", "type": "httpd", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2018-03-26T01:36:27", "bulletinFamily": "software", "cvelist": ["CVE-2018-1301"], "description": "\nA specially crafted request could have crashed the Apache HTTP Server prior to\nversion 2.4.30, due to an out of bound access after a size limit is reached by\nreading the HTTP header. 
This vulnerability is considered very hard if not\nimpossible to trigger in non-debug mode (both log and build level), so it is\nclassified as low risk for common server usage.\n", "edition": 1, "modified": "2018-03-21T00:00:00", "published": "2018-01-23T00:00:00", "href": "https://httpd.apache.org/security_report.html", "id": "HTTPD:B6CF5630624F83951A477D36DC8FD634", "type": "httpd", "title": "Apache Httpd < 2.4.30: Possible out of bound access after failure in reading the HTTP request", "cvss": {"score": 0.0, "vector": "NONE"}}]}