#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Alibaba Cloud Linux Security Advisory ALINUX3-SA-2022:0017.
##
include('compat.inc');
if (description)
{
script_id(236421);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2025/05/15");
script_cve_id(
"CVE-2019-0190",
"CVE-2019-0196",
"CVE-2019-0197",
"CVE-2019-0211",
"CVE-2019-0215",
"CVE-2019-0217",
"CVE-2019-0220",
"CVE-2019-9511",
"CVE-2019-9516",
"CVE-2019-9517",
"CVE-2019-10082",
"CVE-2019-10092",
"CVE-2019-10097",
"CVE-2019-10098",
"CVE-2020-1927",
"CVE-2020-1934",
"CVE-2020-9490",
"CVE-2020-11984",
"CVE-2020-11993",
"CVE-2021-26690",
"CVE-2021-30641",
"CVE-2021-34798",
"CVE-2021-39275",
"CVE-2021-44790"
);
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");
script_xref(name:"CEA-ID", value:"CEA-2021-0025");
script_xref(name:"CEA-ID", value:"CEA-2019-0203");
script_xref(name:"CEA-ID", value:"CEA-2021-0004");
script_xref(name:"CEA-ID", value:"CEA-2019-0643");
script_name(english:"Alibaba Cloud Linux 3 : 0017: httpd:2.4 (ALINUX3-SA-2022:0017)");
script_set_attribute(attribute:"synopsis", value:
"The remote Alibaba Cloud Linux host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced
in the ALINUX3-SA-2022:0017 advisory.
Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:
CVE-2019-0190:
A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully
crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be
only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an
interaction in changes to handling of renegotiation attempts.
CVE-2019-0196:
A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2
request handling could be made to access freed memory in string comparison when determining the method of
a request and thus process the request incorrectly.
CVE-2019-0197:
A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host
or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not
the first request on a connection could lead to a misconfiguration and crash. Server that never enabled
the h2 protocol or that only enabled it for https: and did not set H2Upgrade on are unaffected by this
issue.
CVE-2019-0211:
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in
less-privileged child processes or threads (including scripts executed by an in-process scripting
interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by
manipulating the scoreboard. Non-Unix systems are not affected.
CVE-2019-0215:
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client
certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.
CVE-2019-0217:
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a
threaded server could allow a user with valid credentials to authenticate using another username,
bypassing configured access control restrictions.
CVE-2019-0220:
A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL
contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account
for duplicates in regular expressions while other aspects of the servers processing will implicitly
collapse them.
CVE-2019-10082:
In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made
to read memory after being freed, during connection shutdown.
CVE-2019-10092:
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the
mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point
to a page of their choice. This would only be exploitable where a server was set up with proxying enabled
but was misconfigured in such a way that the Proxy Error page was displayed.
CVE-2019-10097:
In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy
server using the PROXY protocol, a specially crafted PROXY header could trigger a stack buffer overflow
or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by
untrusted HTTP clients.
CVE-2019-10098:
In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be
self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the
request URL.
CVE-2019-9511:
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization
manipulation, potentially leading to a denial of service. The attacker requests a large amount of data
from a specified resource over multiple streams. They manipulate window size and stream priority to force
the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can
consume excess CPU, memory, or both.
CVE-2019-9516:
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service.
The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally
Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and
keep the allocation alive until the session dies. This can consume excess memory.
CVE-2019-9517:
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to
a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint;
however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the
wire. The attacker then sends a stream of requests for a large response object. Depending on how the
servers queue the responses, this can consume excess memory, CPU, or both.
CVE-2020-11984:
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
CVE-2020-11993:
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on
certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent
use of memory pools. Configuring the LogLevel of mod_http2 above info will mitigate this vulnerability
for unpatched servers.
CVE-2020-1927:
In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be
self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within
the request URL.
CVE-2020-1934:
In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a
malicious FTP server.
CVE-2020-9490:
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a
HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource
afterwards. Configuring the HTTP/2 feature via H2Push off will mitigate this vulnerability for unpatched
servers.
CVE-2021-26690:
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can
cause a NULL pointer dereference and crash, leading to a possible Denial Of Service
CVE-2021-30641:
Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'
CVE-2021-34798:
Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP
Server 2.4.48 and earlier.
CVE-2021-39275:
ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules
pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache
HTTP Server 2.4.48 and earlier.
CVE-2021-44790:
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser
(r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the
vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and
earlier.
Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"http://mirrors.aliyun.com/alinux/3/cve/alinux3-sa-20220017.xml");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-44790");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/22");
script_set_attribute(attribute:"patch_publication_date", value:"2022/03/18");
script_set_attribute(attribute:"plugin_publication_date", value:"2025/05/14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:httpd");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:httpd-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:httpd-debugsource");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:httpd-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:httpd-filesystem");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:httpd-manual");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:httpd-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:httpd-tools-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:mod_http2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:mod_http2-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:mod_http2-debugsource");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:mod_ldap");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:mod_ldap-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:mod_proxy_html");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:mod_proxy_html-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:mod_session");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:mod_session-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:mod_ssl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:mod_ssl-debuginfo");
script_set_attribute(attribute:"cpe", value:"cpe:/o:alibabacloud:alibaba_cloud_linux_3");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Alibaba Cloud Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Alibaba/release", "Host/Alibaba/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Alibaba/release');
if (isnull(os_release) || 'Alibaba Cloud Linux' >!< os_release) audit(AUDIT_OS_NOT, 'Alibaba Cloud Linux');
var os_ver = pregmatch(pattern: "Alibaba Cloud Linux release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Alibaba Cloud Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Alibaba Cloud Linux 3.x', 'Alibaba Cloud Linux ' + os_ver);
if (!get_kb_item('Host/Alibaba/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Alibaba Cloud Linux', cpu);
var pkgs = [
{'reference':'httpd-2.4.37-43.0.1.al8.2', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'httpd-2.4.37-43.0.1.al8.2', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'httpd-debuginfo-2.4.37-43.0.1.al8.2', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'httpd-debuginfo-2.4.37-43.0.1.al8.2', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'httpd-debugsource-2.4.37-43.0.1.al8.2', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'httpd-debugsource-2.4.37-43.0.1.al8.2', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'httpd-devel-2.4.37-43.0.1.al8.2', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'httpd-devel-2.4.37-43.0.1.al8.2', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'httpd-filesystem-2.4.37-43.0.1.al8.2', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'httpd-manual-2.4.37-43.0.1.al8.2', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'httpd-tools-2.4.37-43.0.1.al8.2', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'httpd-tools-2.4.37-43.0.1.al8.2', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'httpd-tools-debuginfo-2.4.37-43.0.1.al8.2', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'httpd-tools-debuginfo-2.4.37-43.0.1.al8.2', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_http2-1.15.7-3.1.al8', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_http2-1.15.7-3.1.al8', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_http2-debuginfo-1.15.7-3.1.al8', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_http2-debuginfo-1.15.7-3.1.al8', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_http2-debugsource-1.15.7-3.1.al8', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_http2-debugsource-1.15.7-3.1.al8', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_ldap-2.4.37-43.0.1.al8.2', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_ldap-2.4.37-43.0.1.al8.2', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_ldap-debuginfo-2.4.37-43.0.1.al8.2', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_ldap-debuginfo-2.4.37-43.0.1.al8.2', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_proxy_html-2.4.37-43.0.1.al8.2', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_proxy_html-2.4.37-43.0.1.al8.2', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_proxy_html-debuginfo-2.4.37-43.0.1.al8.2', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_proxy_html-debuginfo-2.4.37-43.0.1.al8.2', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_session-2.4.37-43.0.1.al8.2', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_session-2.4.37-43.0.1.al8.2', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_session-debuginfo-2.4.37-43.0.1.al8.2', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_session-debuginfo-2.4.37-43.0.1.al8.2', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_ssl-2.4.37-43.0.1.al8.2', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_ssl-2.4.37-43.0.1.al8.2', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_ssl-debuginfo-2.4.37-43.0.1.al8.2', 'cpu':'aarch64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'mod_ssl-debuginfo-2.4.37-43.0.1.al8.2', 'cpu':'x86_64', 'release':'3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = 'Alibaba Linux ' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'httpd / httpd-debuginfo / httpd-debugsource / httpd-devel / etc');
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation