Search...

F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)

2015-07-24T00:00:00

ID F5_BIGIP_SOL16907.NASL
Type nessus
Reporter Tenable
Modified 2019-01-04T00:00:00

Description

Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from F5 Networks BIG-IP Solution SOL16907.
#
# The text description of this plugin is (C) F5 Networks.
#

include("compat.inc");

if (description)
{
  script_id(84966);
  script_version("2.7");
  script_cvs_date("Date: 2019/01/04 10:03:40");

  script_cve_id("CVE-2011-3607");
  script_bugtraq_id(50494);

  script_name(english:"F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)");
  script_summary(english:"Checks the BIG-IP version.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote device is missing a vendor-supplied security patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Integer overflow in the ap_pregsub function in server/util.c in the
Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when
the mod_setenvif module is enabled, allows local users to gain
privileges via a .htaccess file with a crafted SetEnvIf directive, in
conjunction with a crafted HTTP request header, leading to a
heap-based buffer overflow."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://support.f5.com/csp/article/K16907"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade to one of the non-vulnerable versions listed in the F5
Solution SOL16907."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_wan_optimization_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_webaccelerator");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip_protocol_security_manager");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/07/23");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"F5 Networks Local Security Checks");

  script_dependencies("f5_bigip_detect.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version", "Settings/ParanoidReport");

  exit(0);
}


include("f5_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
version = get_kb_item("Host/BIG-IP/version");
if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");

sol = "SOL16907";
vmatrix = make_array();

if (report_paranoia &lt; 2) audit(AUDIT_PARANOID);

# APM
vmatrix["APM"] = make_array();
vmatrix["APM"]["affected"  ] = make_list("11.0.0-11.1.0","10.1.0-10.2.4");
vmatrix["APM"]["unaffected"] = make_list("11.2.0-11.6.0","10.2.4HF12");

# ASM
vmatrix["ASM"] = make_array();
vmatrix["ASM"]["affected"  ] = make_list("11.0.0-11.1.0","10.1.0-10.2.4");
vmatrix["ASM"]["unaffected"] = make_list("11.2.0-11.6.0","10.2.4HF12");

# AVR
vmatrix["AVR"] = make_array();
vmatrix["AVR"]["affected"  ] = make_list("11.0.0-11.1.0");
vmatrix["AVR"]["unaffected"] = make_list("11.2.0-11.6.0");

# GTM
vmatrix["GTM"] = make_array();
vmatrix["GTM"]["affected"  ] = make_list("11.0.0-11.1.0","10.1.0-10.2.4");
vmatrix["GTM"]["unaffected"] = make_list("11.2.0-11.6.0","10.2.4HF12");

# LC
vmatrix["LC"] = make_array();
vmatrix["LC"]["affected"  ] = make_list("11.0.0-11.1.0","10.1.0-10.2.4");
vmatrix["LC"]["unaffected"] = make_list("11.2.0-11.6.0","10.2.4HF12");

# LTM
vmatrix["LTM"] = make_array();
vmatrix["LTM"]["affected"  ] = make_list("11.0.0-11.1.0","10.1.0-10.2.4");
vmatrix["LTM"]["unaffected"] = make_list("11.2.0-11.6.0","10.2.4HF12");

# PSM
vmatrix["PSM"] = make_array();
vmatrix["PSM"]["affected"  ] = make_list("11.0.0-11.1.0","10.1.0-10.2.4");
vmatrix["PSM"]["unaffected"] = make_list("11.2.0-11.4.1","10.2.4HF12");

# WAM
vmatrix["WAM"] = make_array();
vmatrix["WAM"]["affected"  ] = make_list("11.0.0-11.1.0","10.1.0-10.2.4");
vmatrix["WAM"]["unaffected"] = make_list("11.2.0-11.3.0","10.2.4HF12");

# WOM
vmatrix["WOM"] = make_array();
vmatrix["WOM"]["affected"  ] = make_list("11.0.0-11.1.0","10.1.0-10.2.4");
vmatrix["WOM"]["unaffected"] = make_list("11.2.0-11.3.0","10.2.4HF12");


if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
{
  if (report_verbosity &gt; 0) security_warning(port:0, extra:bigip_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = bigip_get_tested_modules();
  audit_extra = "For BIG-IP module(s) " + tested + ",";
  if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
  else audit(AUDIT_HOST_NOT, "running any of the affected modules");
}

JSON Vulners Source

Initial Source

{"id": "F5_BIGIP_SOL16907.NASL", "bulletinFamily": "scanner", "title": "F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)", "description": "Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.", "published": "2015-07-24T00:00:00", "modified": "2019-01-04T00:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84966", "reporter": "Tenable", "references": ["https://support.f5.com/csp/article/K16907"], "cvelist": ["CVE-2011-3607"], "type": "nessus", "lastseen": "2019-02-21T01:24:41", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2011-3607"], "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.", "edition": 2, "enchantments": {}, "hash": "61b4263cc5b41c3ef2a8d520e4552dcc4bdcdc5fd0cdf3e7c81fe18080937d3c", "hashmap": [{"hash": "37224b82cfe3e55637ca5c1702ca9789", "key": "modified"}, {"hash": "b6bc4ef153cd2344eda269f1d571a6c8", "key": "href"}, {"hash": "eb6e116b552934e85c0ed568fa5cbf88", "key": "published"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "b5663802287f7a831112ee8dec0147a2", "key": "cvss"}, {"hash": "59f069b87e9781da056e1e509caee021", "key": "references"}, {"hash": "5551e3ba26cc1e1b90cdfbd531f2b84d", "key": "sourceData"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "c5cd9049085c70f9fd9d9e150333ab6f", "key": "pluginID"}, {"hash": "fb2005932145ec17d153900a05862b6d", "key": "naslFamily"}, {"hash": "2d3cfcd452f2a6b03e3338a148b3b9f4", "key": "description"}, {"hash": "4728cbda453a6df229fdc5942b30ab99", "key": "title"}, {"hash": "c1c7a2fc9b1372b3875c5bcf18007086", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=84966", "id": "F5_BIGIP_SOL16907.NASL", "lastseen": "2016-10-31T21:27:03", "modified": "2016-10-31T00:00:00", "naslFamily": "F5 Networks Local Security Checks", "objectVersion": "1.2", "pluginID": "84966", "published": "2015-07-24T00:00:00", "references": ["http://www.nessus.org/u?023df301"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL16907.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84966);\n script_version(\"$Revision: 2.5 $\");\n script_cvs_date(\"$Date: 2016/10/31 13:45:42 $\");\n\n script_cve_id(\"CVE-2011-3607\");\n script_bugtraq_id(50494);\n script_osvdb_id(76744);\n\n script_name(english:\"F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Integer overflow in the ap_pregsub function in server/util.c in the\nApache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when\nthe mod_setenvif module is enabled, allows local users to gain\nprivileges via a .htaccess file with a crafted SetEnvIf directive, in\nconjunction with a crafted HTTP request header, leading to a\nheap-based buffer overflow.\"\n );\n # http://support.f5.com/kb/en-us/solutions/public/16000/900/sol16907.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?023df301\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL16907.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL16907\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.2.0-11.4.1\",\"10.2.4HF12\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "title": "F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)", "type": "nessus", "viewCount": 4}, "differentElements": ["cpe"], "edition": 2, "lastseen": "2016-10-31T21:27:03"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/h:f5:big-ip_protocol_security_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/a:f5:big-ip_access_policy_manager"], "cvelist": ["CVE-2011-3607"], "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Integer overflow in the ap_pregsub function in server/util.c in the\nApache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when\nthe mod_setenvif module is enabled, allows local users to gain\nprivileges via a .htaccess file with a crafted SetEnvIf directive, in\nconjunction with a crafted HTTP request header, leading to a\nheap-based buffer overflow.", "edition": 8, "enchantments": {"dependencies": {"modified": "2019-01-16T20:22:04", "references": [{"idList": ["CESA-2012:0128"], "type": "centos"}, {"idList": ["ELSA-2012-0323", "ELSA-2012-0128", "ELSA-2013-0512"], "type": "oraclelinux"}, {"idList": ["ALAS-2012-046"], "type": "amazon"}, {"idList": ["OPENVAS:1361412562310840900", "OPENVAS:1361412562310123980", "OPENVAS:831523", "OPENVAS:1361412562310123992", "OPENVAS:1361412562310870571", "OPENVAS:1361412562310831523", "OPENVAS:881089", "OPENVAS:840900", "OPENVAS:1361412562310120253", "OPENVAS:870571"], "type": "openvas"}, {"idList": ["USN-1368-1"], "type": "ubuntu"}, {"idList": ["4B7DBFAB-4C6B-11E1-BC16-0023AE8E59F0"], "type": "freebsd"}, {"idList": ["HTTPD:19058D084C7C00E6FB6A3AD068C9416B", "HTTPD:560EB66BD0C9D4921E114954F57484F0", "HTTPD:CD3865BDB48B91719A525A87DFA73750"], "type": "httpd"}, {"idList": ["EDB-ID:41769"], "type": "exploitdb"}, {"idList": ["SECURITYVULNS:DOC:27611", "SECURITYVULNS:VULN:12166", "SECURITYVULNS:DOC:28577", "SECURITYVULNS:VULN:12139", "SECURITYVULNS:VULN:14233"], "type": "securityvulns"}, {"idList": ["REDHAT-RHSA-2012-0128.NASL", "CENTOS_RHSA-2012-0128.NASL", "SUSE_11_3_APACHE2-111205.NASL", "SUSE_APACHE2-7882.NASL", "UBUNTU_USN-1368-1.NASL", "SL_20120221_HTTPD_ON_SL5_X.NASL", "SUSE_11_4_APACHE2-111205.NASL", "OPENSUSE-2012-132.NASL", "MANDRIVA_MDVSA-2012-003.NASL", "ORACLELINUX_ELSA-2012-0128.NASL"], "type": "nessus"}, {"idList": ["F5:K16908", "SOL16908", "SOL16907", "F5:K16907"], "type": "f5"}, {"idList": ["SSV:23169"], "type": "seebug"}, {"idList": ["RHSA-2012:0323", "RHSA-2012:0542", "RHSA-2012:0128"], "type": "redhat"}, {"idList": ["CVE-2011-3607"], "type": "cve"}, {"idList": ["KLA10065"], "type": "kaspersky"}, {"idList": ["GLSA-201206-25"], "type": "gentoo"}, {"idList": ["1337DAY-ID-27473"], "type": "zdt"}, {"idList": ["SSA-2012-041-01"], "type": "slackware"}, {"idList": ["ORACLE:CPUJUL2012-392727", "ORACLE:CPUJAN2015-1972971"], "type": "oracle"}, {"idList": ["DEBIAN:DSA-2405-1:AE657"], "type": "debian"}]}, "score": {"value": 7.2, "vector": "NONE"}}, "hash": "7704a450c1ad0b7db71c2ed7502d09b8779fda15a9cfd3e6e85f2514210fb950", "hashmap": [{"hash": "25de582cb00cf3d674747ce27d84359e", "key": "references"}, {"hash": "b6bc4ef153cd2344eda269f1d571a6c8", "key": "href"}, {"hash": "eb6e116b552934e85c0ed568fa5cbf88", "key": "published"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "b5663802287f7a831112ee8dec0147a2", "key": "cvss"}, {"hash": "bcba1ab6c7fa7477df7d75b0930176f1", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "20b353d8ba2a98b2825be3dfb021c6d5", "key": "modified"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "c5cd9049085c70f9fd9d9e150333ab6f", "key": "pluginID"}, {"hash": "fb2005932145ec17d153900a05862b6d", "key": "naslFamily"}, {"hash": "4728cbda453a6df229fdc5942b30ab99", "key": "title"}, {"hash": "c1c7a2fc9b1372b3875c5bcf18007086", "key": "cvelist"}, {"hash": "a83e45d42f5b7c396d826a1a0e274a3d", "key": "cpe"}, {"hash": "46b19ce2f16b6fd05d923b4d4ddb4a7d", "key": "sourceData"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=84966", "id": "F5_BIGIP_SOL16907.NASL", "lastseen": "2019-01-16T20:22:04", "modified": "2019-01-04T00:00:00", "naslFamily": "F5 Networks Local Security Checks", "objectVersion": "1.3", "pluginID": "84966", "published": "2015-07-24T00:00:00", "references": ["https://support.f5.com/csp/article/K16907"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL16907.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84966);\n script_version(\"2.7\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2011-3607\");\n script_bugtraq_id(50494);\n\n script_name(english:\"F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Integer overflow in the ap_pregsub function in server/util.c in the\nApache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when\nthe mod_setenvif module is enabled, allows local users to gain\nprivileges via a .htaccess file with a crafted SetEnvIf directive, in\nconjunction with a crafted HTTP request header, leading to a\nheap-based buffer overflow.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K16907\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL16907.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL16907\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.2.0-11.4.1\",\"10.2.4HF12\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "title": "F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)", "type": "nessus", "viewCount": 4}, "differentElements": ["description"], "edition": 8, "lastseen": "2019-01-16T20:22:04"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/h:f5:big-ip_protocol_security_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/a:f5:big-ip_access_policy_manager"], "cvelist": ["CVE-2011-3607"], "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.", "edition": 3, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "hash": "1dab266157c09857a0b43ad7a90d7bd0846c2f52df2f8e534de1da194db7846a", "hashmap": [{"hash": "37224b82cfe3e55637ca5c1702ca9789", "key": "modified"}, {"hash": "b6bc4ef153cd2344eda269f1d571a6c8", "key": "href"}, {"hash": "eb6e116b552934e85c0ed568fa5cbf88", "key": "published"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "b5663802287f7a831112ee8dec0147a2", "key": "cvss"}, {"hash": "59f069b87e9781da056e1e509caee021", "key": "references"}, {"hash": "5551e3ba26cc1e1b90cdfbd531f2b84d", "key": "sourceData"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "c5cd9049085c70f9fd9d9e150333ab6f", "key": "pluginID"}, {"hash": "fb2005932145ec17d153900a05862b6d", "key": "naslFamily"}, {"hash": "2d3cfcd452f2a6b03e3338a148b3b9f4", "key": "description"}, {"hash": "4728cbda453a6df229fdc5942b30ab99", "key": "title"}, {"hash": "c1c7a2fc9b1372b3875c5bcf18007086", "key": "cvelist"}, {"hash": "a83e45d42f5b7c396d826a1a0e274a3d", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=84966", "id": "F5_BIGIP_SOL16907.NASL", "lastseen": "2017-10-29T13:45:00", "modified": "2016-10-31T00:00:00", "naslFamily": "F5 Networks Local Security Checks", "objectVersion": "1.3", "pluginID": "84966", "published": "2015-07-24T00:00:00", "references": ["http://www.nessus.org/u?023df301"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL16907.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84966);\n script_version(\"$Revision: 2.5 $\");\n script_cvs_date(\"$Date: 2016/10/31 13:45:42 $\");\n\n script_cve_id(\"CVE-2011-3607\");\n script_bugtraq_id(50494);\n script_osvdb_id(76744);\n\n script_name(english:\"F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Integer overflow in the ap_pregsub function in server/util.c in the\nApache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when\nthe mod_setenvif module is enabled, allows local users to gain\nprivileges via a .htaccess file with a crafted SetEnvIf directive, in\nconjunction with a crafted HTTP request header, leading to a\nheap-based buffer overflow.\"\n );\n # http://support.f5.com/kb/en-us/solutions/public/16000/900/sol16907.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?023df301\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL16907.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL16907\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.2.0-11.4.1\",\"10.2.4HF12\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "title": "F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)", "type": "nessus", "viewCount": 4}, "differentElements": ["modified", "sourceData"], "edition": 3, "lastseen": "2017-10-29T13:45:00"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/h:f5:big-ip_protocol_security_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/a:f5:big-ip_access_policy_manager"], "cvelist": ["CVE-2011-3607"], "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.", "edition": 7, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "hash": "d9803a90a01d61ff55d66c5fcf2992c96ad80e9de4ce414594a6c403bcfa7a48", "hashmap": [{"hash": "25de582cb00cf3d674747ce27d84359e", "key": "references"}, {"hash": "b6bc4ef153cd2344eda269f1d571a6c8", "key": "href"}, {"hash": "eb6e116b552934e85c0ed568fa5cbf88", "key": "published"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "b5663802287f7a831112ee8dec0147a2", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "20b353d8ba2a98b2825be3dfb021c6d5", "key": "modified"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "c5cd9049085c70f9fd9d9e150333ab6f", "key": "pluginID"}, {"hash": "fb2005932145ec17d153900a05862b6d", "key": "naslFamily"}, {"hash": "2d3cfcd452f2a6b03e3338a148b3b9f4", "key": "description"}, {"hash": "4728cbda453a6df229fdc5942b30ab99", "key": "title"}, {"hash": "c1c7a2fc9b1372b3875c5bcf18007086", "key": "cvelist"}, {"hash": "a83e45d42f5b7c396d826a1a0e274a3d", "key": "cpe"}, {"hash": "46b19ce2f16b6fd05d923b4d4ddb4a7d", "key": "sourceData"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=84966", "id": "F5_BIGIP_SOL16907.NASL", "lastseen": "2019-01-05T02:33:46", "modified": "2019-01-04T00:00:00", "naslFamily": "F5 Networks Local Security Checks", "objectVersion": "1.3", "pluginID": "84966", "published": "2015-07-24T00:00:00", "references": ["https://support.f5.com/csp/article/K16907"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL16907.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84966);\n script_version(\"2.7\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2011-3607\");\n script_bugtraq_id(50494);\n\n script_name(english:\"F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Integer overflow in the ap_pregsub function in server/util.c in the\nApache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when\nthe mod_setenvif module is enabled, allows local users to gain\nprivileges via a .htaccess file with a crafted SetEnvIf directive, in\nconjunction with a crafted HTTP request header, leading to a\nheap-based buffer overflow.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K16907\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL16907.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL16907\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.2.0-11.4.1\",\"10.2.4HF12\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "title": "F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)", "type": "nessus", "viewCount": 4}, "differentElements": ["description"], "edition": 7, "lastseen": "2019-01-05T02:33:46"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2011-3607"], "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.", "edition": 1, "hash": "11482f87ffd46ceae1b7d5a274219382b7b6dd350c46b8bc0f4b9fdf7362e334", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "b6bc4ef153cd2344eda269f1d571a6c8", "key": "href"}, {"hash": "3269de6f99022dda9cbd547c5339d80d", "key": "cvss"}, {"hash": "eb6e116b552934e85c0ed568fa5cbf88", "key": "published"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "2d5b44735d470318a5fbc22d7068d5ca", "key": "modified"}, {"hash": "337c980688184a8240d6c64aad622fb1", "key": "sourceData"}, {"hash": "59f069b87e9781da056e1e509caee021", "key": "references"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "c5cd9049085c70f9fd9d9e150333ab6f", "key": "pluginID"}, {"hash": "fb2005932145ec17d153900a05862b6d", "key": "naslFamily"}, {"hash": "2d3cfcd452f2a6b03e3338a148b3b9f4", "key": "description"}, {"hash": "4728cbda453a6df229fdc5942b30ab99", "key": "title"}, {"hash": "c1c7a2fc9b1372b3875c5bcf18007086", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=84966", "id": "F5_BIGIP_SOL16907.NASL", "lastseen": "2016-09-26T17:26:30", "modified": "2016-05-05T00:00:00", "naslFamily": "F5 Networks Local Security Checks", "objectVersion": "1.2", "pluginID": "84966", "published": "2015-07-24T00:00:00", "references": ["http://www.nessus.org/u?023df301"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL16907.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84966);\n script_version(\"$Revision: 2.4 $\");\n script_cvs_date(\"$Date: 2016/05/05 16:01:13 $\");\n\n script_cve_id(\"CVE-2011-3607\");\n script_bugtraq_id(50494);\n script_osvdb_id(76744);\n\n script_name(english:\"F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Integer overflow in the ap_pregsub function in server/util.c in the\nApache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when\nthe mod_setenvif module is enabled, allows local users to gain\nprivileges via a .htaccess file with a crafted SetEnvIf directive, in\nconjunction with a crafted HTTP request header, leading to a\nheap-based buffer overflow.\"\n );\n # http://support.f5.com/kb/en-us/solutions/public/16000/900/sol16907.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?023df301\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL16907.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:protocol_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:web_accelerator_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL16907\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.2.0-11.4.1\",\"10.2.4HF12\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "title": "F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2016-09-26T17:26:30"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/h:f5:big-ip_protocol_security_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/a:f5:big-ip_access_policy_manager"], "cvelist": ["CVE-2011-3607"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.", "edition": 5, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "hash": "d3ff0e9d7a94cf06affc0bb4d15c4833538a84f93d9f9754b53e69c28c0fb4da", "hashmap": [{"hash": "b6bc4ef153cd2344eda269f1d571a6c8", "key": "href"}, {"hash": "eb6e116b552934e85c0ed568fa5cbf88", "key": "published"}, {"hash": "126aa6199253ddc5259666d479153208", "key": "modified"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "59f069b87e9781da056e1e509caee021", "key": "references"}, {"hash": "3b2890b635e12e0db33c5674837cdbc6", "key": "sourceData"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "c5cd9049085c70f9fd9d9e150333ab6f", "key": "pluginID"}, {"hash": "fb2005932145ec17d153900a05862b6d", "key": "naslFamily"}, {"hash": "2d3cfcd452f2a6b03e3338a148b3b9f4", "key": "description"}, {"hash": "4728cbda453a6df229fdc5942b30ab99", "key": "title"}, {"hash": "c1c7a2fc9b1372b3875c5bcf18007086", "key": "cvelist"}, {"hash": "a83e45d42f5b7c396d826a1a0e274a3d", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=84966", "id": "F5_BIGIP_SOL16907.NASL", "lastseen": "2018-08-30T19:56:39", "modified": "2018-07-10T00:00:00", "naslFamily": "F5 Networks Local Security Checks", "objectVersion": "1.3", "pluginID": "84966", "published": "2015-07-24T00:00:00", "references": ["http://www.nessus.org/u?023df301"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL16907.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84966);\n script_version(\"2.6\");\n script_cvs_date(\"Date: 2018/07/10 14:27:32\");\n\n script_cve_id(\"CVE-2011-3607\");\n script_bugtraq_id(50494);\n\n script_name(english:\"F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Integer overflow in the ap_pregsub function in server/util.c in the\nApache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when\nthe mod_setenvif module is enabled, allows local users to gain\nprivileges via a .htaccess file with a crafted SetEnvIf directive, in\nconjunction with a crafted HTTP request header, leading to a\nheap-based buffer overflow.\"\n );\n # http://support.f5.com/kb/en-us/solutions/public/16000/900/sol16907.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?023df301\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL16907.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL16907\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.2.0-11.4.1\",\"10.2.4HF12\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "title": "F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)", "type": "nessus", "viewCount": 4}, "differentElements": ["cvss"], "edition": 5, "lastseen": "2018-08-30T19:56:39"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/h:f5:big-ip_protocol_security_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/a:f5:big-ip_access_policy_manager"], "cvelist": ["CVE-2011-3607"], "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.", "edition": 4, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "hash": "38590f6f61b9cc415d4f0a2f60b06538aa477b4b3865628ed8bde0644354e7ba", "hashmap": [{"hash": "b6bc4ef153cd2344eda269f1d571a6c8", "key": "href"}, {"hash": "eb6e116b552934e85c0ed568fa5cbf88", "key": "published"}, {"hash": "126aa6199253ddc5259666d479153208", "key": "modified"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "b5663802287f7a831112ee8dec0147a2", "key": "cvss"}, {"hash": "59f069b87e9781da056e1e509caee021", "key": "references"}, {"hash": "3b2890b635e12e0db33c5674837cdbc6", "key": "sourceData"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "c5cd9049085c70f9fd9d9e150333ab6f", "key": "pluginID"}, {"hash": "fb2005932145ec17d153900a05862b6d", "key": "naslFamily"}, {"hash": "2d3cfcd452f2a6b03e3338a148b3b9f4", "key": "description"}, {"hash": "4728cbda453a6df229fdc5942b30ab99", "key": "title"}, {"hash": "c1c7a2fc9b1372b3875c5bcf18007086", "key": "cvelist"}, {"hash": "a83e45d42f5b7c396d826a1a0e274a3d", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=84966", "id": "F5_BIGIP_SOL16907.NASL", "lastseen": "2018-07-12T18:22:30", "modified": "2018-07-10T00:00:00", "naslFamily": "F5 Networks Local Security Checks", "objectVersion": "1.3", "pluginID": "84966", "published": "2015-07-24T00:00:00", "references": ["http://www.nessus.org/u?023df301"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL16907.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84966);\n script_version(\"2.6\");\n script_cvs_date(\"Date: 2018/07/10 14:27:32\");\n\n script_cve_id(\"CVE-2011-3607\");\n script_bugtraq_id(50494);\n\n script_name(english:\"F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Integer overflow in the ap_pregsub function in server/util.c in the\nApache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when\nthe mod_setenvif module is enabled, allows local users to gain\nprivileges via a .htaccess file with a crafted SetEnvIf directive, in\nconjunction with a crafted HTTP request header, leading to a\nheap-based buffer overflow.\"\n );\n # http://support.f5.com/kb/en-us/solutions/public/16000/900/sol16907.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?023df301\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL16907.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL16907\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.2.0-11.4.1\",\"10.2.4HF12\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "title": "F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)", "type": "nessus", "viewCount": 4}, "differentElements": ["cvss"], "edition": 4, "lastseen": "2018-07-12T18:22:30"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/h:f5:big-ip_protocol_security_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/a:f5:big-ip_access_policy_manager"], "cvelist": ["CVE-2011-3607"], "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.", "edition": 6, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "hash": "38590f6f61b9cc415d4f0a2f60b06538aa477b4b3865628ed8bde0644354e7ba", "hashmap": [{"hash": "b6bc4ef153cd2344eda269f1d571a6c8", "key": "href"}, {"hash": "eb6e116b552934e85c0ed568fa5cbf88", "key": "published"}, {"hash": "126aa6199253ddc5259666d479153208", "key": "modified"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "b5663802287f7a831112ee8dec0147a2", "key": "cvss"}, {"hash": "59f069b87e9781da056e1e509caee021", "key": "references"}, {"hash": "3b2890b635e12e0db33c5674837cdbc6", "key": "sourceData"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "c5cd9049085c70f9fd9d9e150333ab6f", "key": "pluginID"}, {"hash": "fb2005932145ec17d153900a05862b6d", "key": "naslFamily"}, {"hash": "2d3cfcd452f2a6b03e3338a148b3b9f4", "key": "description"}, {"hash": "4728cbda453a6df229fdc5942b30ab99", "key": "title"}, {"hash": "c1c7a2fc9b1372b3875c5bcf18007086", "key": "cvelist"}, {"hash": "a83e45d42f5b7c396d826a1a0e274a3d", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=84966", "id": "F5_BIGIP_SOL16907.NASL", "lastseen": "2018-09-02T00:08:00", "modified": "2018-07-10T00:00:00", "naslFamily": "F5 Networks Local Security Checks", "objectVersion": "1.3", "pluginID": "84966", "published": "2015-07-24T00:00:00", "references": ["http://www.nessus.org/u?023df301"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL16907.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84966);\n script_version(\"2.6\");\n script_cvs_date(\"Date: 2018/07/10 14:27:32\");\n\n script_cve_id(\"CVE-2011-3607\");\n script_bugtraq_id(50494);\n\n script_name(english:\"F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Integer overflow in the ap_pregsub function in server/util.c in the\nApache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when\nthe mod_setenvif module is enabled, allows local users to gain\nprivileges via a .htaccess file with a crafted SetEnvIf directive, in\nconjunction with a crafted HTTP request header, leading to a\nheap-based buffer overflow.\"\n );\n # http://support.f5.com/kb/en-us/solutions/public/16000/900/sol16907.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?023df301\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL16907.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL16907\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.2.0-11.4.1\",\"10.2.4HF12\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "title": "F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)", "type": "nessus", "viewCount": 4}, "differentElements": ["references", "modified", "sourceData"], "edition": 6, "lastseen": "2018-09-02T00:08:00"}], "edition": 9, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "a83e45d42f5b7c396d826a1a0e274a3d"}, {"key": "cvelist", "hash": "c1c7a2fc9b1372b3875c5bcf18007086"}, {"key": "cvss", "hash": "b5663802287f7a831112ee8dec0147a2"}, {"key": "description", "hash": "2d3cfcd452f2a6b03e3338a148b3b9f4"}, {"key": "href", "hash": "b6bc4ef153cd2344eda269f1d571a6c8"}, {"key": "modified", "hash": "20b353d8ba2a98b2825be3dfb021c6d5"}, {"key": "naslFamily", "hash": "fb2005932145ec17d153900a05862b6d"}, {"key": "pluginID", "hash": "c5cd9049085c70f9fd9d9e150333ab6f"}, {"key": "published", "hash": "eb6e116b552934e85c0ed568fa5cbf88"}, {"key": "references", "hash": "25de582cb00cf3d674747ce27d84359e"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "46b19ce2f16b6fd05d923b4d4ddb4a7d"}, {"key": "title", "hash": "4728cbda453a6df229fdc5942b30ab99"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "d9803a90a01d61ff55d66c5fcf2992c96ad80e9de4ce414594a6c403bcfa7a48", "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-3607"]}, {"type": "f5", "idList": ["F5:K16907", "SOL16907", "F5:K16908", "SOL16908"]}, {"type": "httpd", "idList": ["HTTPD:560EB66BD0C9D4921E114954F57484F0", "HTTPD:CD3865BDB48B91719A525A87DFA73750", "HTTPD:19058D084C7C00E6FB6A3AD068C9416B"]}, {"type": "seebug", "idList": ["SSV:23169"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12139", "SECURITYVULNS:DOC:27611", "SECURITYVULNS:VULN:12166", "SECURITYVULNS:DOC:28577", "SECURITYVULNS:VULN:14233"]}, {"type": "zdt", "idList": ["1337DAY-ID-27473"]}, {"type": "exploitdb", "idList": ["EDB-ID:41769"]}, {"type": "nessus", "idList": ["MANDRIVA_MDVSA-2012-003.NASL", "SUSE_11_3_APACHE2-111205.NASL", "SUSE_11_4_APACHE2-111205.NASL", "FEDORA_2012-1598.NASL", "SL_20120221_HTTPD_ON_SL5_X.NASL", "ALA_ALAS-2012-46.NASL", "SOLARIS11_APACHE_20120420.NASL", "ORACLELINUX_ELSA-2012-0323.NASL", "SUSE_APACHE2-7882.NASL", "REDHAT-RHSA-2012-0128.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310831523", "OPENVAS:831523", "OPENVAS:870571", "OPENVAS:840900", "OPENVAS:1361412562310123992", "OPENVAS:1361412562310870571", "OPENVAS:1361412562310120253", "OPENVAS:1361412562310123980", "OPENVAS:1361412562310840900", "OPENVAS:1361412562310863759"]}, {"type": "redhat", "idList": ["RHSA-2012:0323", "RHSA-2012:0128", "RHSA-2012:0542", "RHSA-2012:0543"]}, {"type": "ubuntu", "idList": ["USN-1368-1"]}, {"type": "oraclelinux", "idList": ["ELSA-2012-0323", "ELSA-2012-0128", "ELSA-2013-0512"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2405-1:AE657"]}, {"type": "slackware", "idList": ["SSA-2012-041-01"]}, {"type": "centos", "idList": ["CESA-2012:0128"]}, {"type": "freebsd", "idList": ["4B7DBFAB-4C6B-11E1-BC16-0023AE8E59F0"]}, {"type": "amazon", "idList": ["ALAS-2012-046"]}, {"type": "kaspersky", "idList": ["KLA10065"]}, {"type": "gentoo", "idList": ["GLSA-201206-25"]}, {"type": "oracle", "idList": ["ORACLE:CPUJUL2012-392727", "ORACLE:CPUJAN2015-1972971"]}], "modified": "2019-02-21T01:24:41"}, "score": {"value": 6.5, "vector": "NONE", "modified": "2019-02-21T01:24:41"}, "vulnersScore": 6.5}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL16907.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84966);\n script_version(\"2.7\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2011-3607\");\n script_bugtraq_id(50494);\n\n script_name(english:\"F5 Networks BIG-IP : Apache HTTPD vulnerability (SOL16907)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Integer overflow in the ap_pregsub function in server/util.c in the\nApache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when\nthe mod_setenvif module is enabled, allows local users to gain\nprivileges via a .htaccess file with a crafted SetEnvIf directive, in\nconjunction with a crafted HTTP request header, leading to a\nheap-based buffer overflow.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K16907\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL16907.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL16907\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"11.2.0-11.6.0\",\"10.2.4HF12\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.2.0-11.4.1\",\"10.2.4HF12\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.0.0-11.1.0\",\"10.1.0-10.2.4\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.2.0-11.3.0\",\"10.2.4HF12\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "naslFamily": "F5 Networks Local Security Checks", "pluginID": "84966", "cpe": ["cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/h:f5:big-ip_protocol_security_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/a:f5:big-ip_access_policy_manager"], "scheme": null}

{"cve": [{"lastseen": "2019-05-29T18:11:21", "bulletinFamily": "NVD", "description": "Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.", "modified": "2018-01-09T02:29:00", "id": "CVE-2011-3607", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3607", "published": "2011-11-08T11:55:00", "title": "CVE-2011-3607", "type": "cve", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2017-10-12T02:11:05", "bulletinFamily": "software", "description": "Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow. ([CVE-2011-3607](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607>))\n\nImpact\n\nA local attacker may be able to gain privileges by way of an **a .htaccess** file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and restrict command line access for affected systems to the trusted users. For more information, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "modified": "2016-01-09T02:22:00", "published": "2015-07-23T22:22:00", "href": "https://support.f5.com/csp/article/K16907", "id": "F5:K16907", "title": "Apache HTTPD vulnerability CVE-2011-3607", "type": "f5", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:07", "bulletinFamily": "software", "description": "Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow. ([CVE-2011-3607](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607>))\n", "modified": "2015-12-22T00:00:00", "published": "2015-07-23T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/16000/900/sol16907.html", "id": "SOL16907", "title": "SOL16907 - Apache HTTPD vulnerability CVE-2011-3607", "type": "f5", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-10-12T02:11:06", "bulletinFamily": "software", "description": " \n\n\nThe ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory consumption or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, related to (1) the \"len +=\" statement and (2) the apr_pcalloc function call, a different vulnerability than CVE-2011-3607. ([CVE-2011-4415](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4415>)) \n\n\nImpact \n\n\nA local attacker may be able to cause a denial-of-service (DoS). \n\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nTo mitigate this vulnerability, you should permit access to F5 products only over a secure network, and limit login access to trusted users. For additional information, refer to [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2016-01-09T02:22:00", "published": "2015-07-23T22:59:00", "href": "https://support.f5.com/csp/article/K16908", "id": "F5:K16908", "title": "Apache HTTPD vulnerability CVE-2011-4415", "type": "f5", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:09:47", "bulletinFamily": "software", "description": "**Note**: As of February 17, 2015, AskF5 Security Advisory articles include the Severity value. Security Advisory articles published before this date do not list a Severity value.\n\nRecommended Action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nTo mitigate this vulnerability, you should permit access to F5 products only over a secure network, and limit login access to trusted users. For additional information, refer to SOL13092: Overview of securing access to the BIG-IP system.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "modified": "2015-07-23T00:00:00", "published": "2015-07-23T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/16000/900/sol16908.html", "id": "SOL16908", "title": "SOL16908 - Apache HTTPD vulnerability CVE-2011-4415", "type": "f5", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "httpd": [{"lastseen": "2019-05-29T19:19:11", "bulletinFamily": "software", "description": "\nAn integer overflow flaw was found which, when the mod_setenvif module\nis enabled, could allow local users to gain privileges via a .htaccess\nfile.\n\n", "modified": "2011-11-02T00:00:00", "published": "2011-10-04T00:00:00", "id": "HTTPD:560EB66BD0C9D4921E114954F57484F0", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: mod_setenvif .htaccess privilege escalation", "type": "httpd", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "description": "\nAn integer overflow flaw was found which, when the mod_setenvif module\nis enabled, could allow local users to gain privileges via a .htaccess\nfile.\n\n", "modified": "2013-07-22T00:00:00", "published": "2011-10-04T00:00:00", "id": "HTTPD:CD3865BDB48B91719A525A87DFA73750", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.0.65: mod_setenvif .htaccess privilege escalation", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "description": "\nAn integer overflow flaw was found which, when the mod_setenvif module\nis enabled, could allow local users to gain privileges via a .htaccess\nfile.\n\n", "modified": "2012-01-31T00:00:00", "published": "2011-10-04T00:00:00", "id": "HTTPD:19058D084C7C00E6FB6A3AD068C9416B", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.2.22: mod_setenvif .htaccess privilege escalation", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T17:58:42", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 50494\r\nCVE ID: CVE-2011-3607\r\n\r\nApache HTTP Server\u662fApache\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u5f00\u653e\u6e90\u4ee3\u7801\u7684\u7f51\u9875\u670d\u52a1\u5668\uff0c\u53ef\u4ee5\u5728\u5927\u591a\u6570\u7535\u8111\u64cd\u4f5c\u7cfb\u7edf\u4e2d\u8fd0\u884c\uff0c\u7531\u4e8e\u5176\u8de8\u5e73\u53f0\u548c\u5b89\u5168\u6027\u88ab\u5e7f\u6cdb\u4f7f\u7528\uff0c\u662f\u6700\u6d41\u884c\u7684Web\u670d\u52a1\u5668\u7aef\u8f6f\u4ef6\u4e4b\u4e00\u3002\r\n\r\nApache HTTP Server\u5728"ap_pregsub()"\u51fd\u6570\u7684\u5b9e\u73b0\u4e0a\u5b58\u5728\u672c\u5730\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff0c\u672c\u5730\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u4ee5\u63d0\u5347\u7684\u6743\u9650\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n\r\n\u8981\u89e6\u53d1\u6b64\u6f0f\u6d1e\uff0c\u9700\u8981\u542f\u7528mod_setenvif\uff0c\u5e76\u4e14\u653b\u51fb\u8005\u53ef\u4ee5\u5728\u53d7\u5f71\u54cd\u670d\u52a1\u5668\u4e2d\u653e\u7f6e\u6076\u610f\u7684.htaccess\u6587\u4ef6\u3002\u6b64\u6f0f\u6d1e\u6e90\u4e8e "ap_pregsub()" \u51fd\u6570 (server/utils.c) \u4e2d\u7684\u6574\u6570\u6ea2\u51fa\u9519\u8bef\uff0c\u901a\u8fc7\u7279\u5236\u7684.htaccess\u6587\u4ef6\u53ef\u9020\u6210\u5806\u7f13\u51b2\u533a\u6ea2\u51fa\u3002\r\n\n\nApache HTTP Server 2.2.x\r\nApache HTTP Server 2.0.x\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nApache Group\r\n------------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://httpd.apache.org/", "modified": "2011-11-04T00:00:00", "published": "2011-11-04T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-23169", "id": "SSV:23169", "title": "Apache HTTP Server "ap_pregsub()"\u51fd\u6570\u672c\u5730\u6743\u9650\u63d0\u5347\u6f0f\u6d1e", "type": "seebug", "sourceData": "", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "securityvulns": [{"lastseen": "2018-08-31T11:09:45", "bulletinFamily": "software", "description": "Privilege escalation with SetEnvIf in conjunction with crafted HTTP headers.", "modified": "2012-01-11T00:00:00", "published": "2012-01-11T00:00:00", "id": "SECURITYVULNS:VULN:12139", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12139", "title": "Apache privilege escalation", "type": "securityvulns", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:46", "bulletinFamily": "software", "description": "Information leakage, filtering bypass, privilege escalation, DoS.", "modified": "2012-02-03T00:00:00", "published": "2012-02-03T00:00:00", "id": "SECURITYVULNS:VULN:12166", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12166", "title": "Apache multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:43", "bulletinFamily": "software", "description": " Apache HTTP Server 2.2.22 Released\r\n\r\n The Apache Software Foundation and the Apache HTTP Server Project are\r\n pleased to announce the release of version 2.2.22 of the Apache HTTP\r\n Server ("Apache"). This version of Apache is principally a security\r\n and bug fix release, including the following significant security fixes:\r\n\r\n * SECURITY: CVE-2011-3368 (cve.mitre.org)\r\n Reject requests where the request-URI does not match the HTTP\r\n specification, preventing unexpected expansion of target URLs in\r\n some reverse proxy configurations.\r\n\r\n * SECURITY: CVE-2011-3607 (cve.mitre.org)\r\n Fix integer overflow in ap_pregsub() which, when the mod_setenvif module\r\n is enabled, could allow local users to gain privileges via a .htaccess\r\n file.\r\n\r\n * SECURITY: CVE-2011-4317 (cve.mitre.org)\r\n Resolve additional cases of URL rewriting with ProxyPassMatch or\r\n RewriteRule, where particular request-URIs could result in undesired\r\n backend network exposure in some configurations.\r\n\r\n * SECURITY: CVE-2012-0021 (cve.mitre.org)\r\n mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format\r\n string is in use and a client sends a nameless, valueless cookie, causing\r\n a denial of service. The issue existed since version 2.2.17.\r\n\r\n * SECURITY: CVE-2012-0031 (cve.mitre.org)\r\n Fix scoreboard issue which could allow an unprivileged child process\r\n could cause the parent to crash at shutdown rather than terminate\r\n cleanly.\r\n\r\n * SECURITY: CVE-2012-0053 (cve.mitre.org)\r\n Fixed an issue in error responses that could expose "httpOnly" cookies\r\n when no custom ErrorDocument is specified for status code 400.\r\n\r\n The Apache HTTP Project thanks halfdog, Context Information Security Ltd,\r\n Prutha Parikh of Qualys, and Norman Hippert for bringing these issues to\r\n the attention of the security team.\r\n\r\n We consider this release to be the best version of Apache available, and\r\n encourage users of all prior versions to upgrade.\r\n\r\n Apache HTTP Server 2.2.22 is available for download from:\r\n\r\n http://httpd.apache.org/download.cgi\r\n\r\n Please see the CHANGES_2.2 file, linked from the download page, for a\r\n full list of changes. A condensed list, CHANGES_2.2.22 includes only\r\n those changes introduced since the prior 2.2 release. A summary of all\r\n of the security vulnerabilities addressed in this and earlier releases\r\n is available:\r\n\r\n http://httpd.apache.org/security/vulnerabilities_22.html\r\n\r\n This release includes the Apache Portable Runtime (APR) version 1.4.5\r\n and APR Utility Library (APR-util) version 1.4.2, bundled with the tar\r\n and zip distributions. The APR libraries libapr and libaprutil (and\r\n on Win32, libapriconv version 1.2.1) must all be updated to ensure\r\n binary compatibility and address many known security and platform bugs.\r\n APR-util version 1.4 represents a minor version upgrade from earlier\r\n httpd source distributions, which previously included version 1.3.\r\n\r\n Apache 2.2 offers numerous enhancements, improvements, and performance\r\n boosts over the 2.0 codebase. For an overview of new features\r\n introduced since 2.0 please see:\r\n\r\n http://httpd.apache.org/docs/2.2/new_features_2_2.html\r\n\r\n This release builds on and extends the Apache 2.0 API. Modules written\r\n for Apache 2.0 will need to be recompiled in order to run with Apache\r\n 2.2, and require minimal or no source code changes.\r\n\r\n http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING\r\n\r\n When upgrading or installing this version of Apache, please bear in mind\r\n that if you intend to use Apache with one of the threaded MPMs (other\r\n than the Prefork MPM), you must ensure that any modules you will be\r\n using (and the libraries they depend on) are thread-safe.\r\n", "modified": "2012-02-03T00:00:00", "published": "2012-02-03T00:00:00", "id": "SECURITYVULNS:DOC:27611", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27611", "title": "[Announce] Apache HTTP Server 2.2.22 Released", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:46", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nAPPLE-SA-2012-09-19-2 OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and\r\nSecurity Update 2012-004\r\n\r\nOS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and Security Update\r\n2012-004 are now available and address the following:\r\n\r\nApache\r\nAvailable for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,\r\nOS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4\r\nImpact: Multiple vulnerabilities in Apache\r\nDescription: Apache is updated to version 2.2.22 to address several\r\nvulnerabilities, the most serious of which may lead to a denial of\r\nservice. Further information is available via the Apache web site at\r\nhttp://httpd.apache.org/. This issue does not affect OS X Mountain\r\nLion systems.\r\nCVE-ID\r\nCVE-2011-3368\r\nCVE-2011-3607\r\nCVE-2011-4317\r\nCVE-2012-0021\r\nCVE-2012-0031\r\nCVE-2012-0053\r\n\r\nBIND\r\nAvailable for: OS X Lion v10.7 to v10.7.4,\r\nOS X Lion Server v10.7 to v10.7.4\r\nImpact: A remote attacker may be able to cause a denial of service\r\nin systems configured to run BIND as a DNS nameserver\r\nDescription: A reachable assertion issue existed in the handling of\r\nDNS records. This issue was addressed by updating to BIND 9.7.6-P1.\r\nThis issue does not affect OS X Mountain Lion systems.\r\nCVE-ID\r\nCVE-2011-4313\r\n\r\nBIND\r\nAvailable for: OS X Lion v10.7 to v10.7.4,\r\nOS X Lion Server v10.7 to v10.7.4,\r\nOS X Mountain Lion v10.8 and v10.8.1\r\nImpact: A remote attacker may be able to cause a denial of service,\r\ndata corruption, or obtain sensitive information from process memory\r\nin systems configured to run BIND as a DNS nameserver\r\nDescription: A memory management issue existed in the handling of\r\nDNS records. This issue was addressed by updating to BIND 9.7.6-P1 on\r\nOS X Lion systems, and BIND 9.8.3-P1 on OS X Mountain Lion systems.\r\nCVE-ID\r\nCVE-2012-1667\r\n\r\nCoreText\r\nAvailable for: OS X Lion v10.7 to v10.7.4,\r\nOS X Lion Server v10.7 to v10.7.4\r\nImpact: Applications that use CoreText may be vulnerable to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A bounds checking issue existed in the handling of text\r\nglyphs, which may lead to out of bounds memory reads or writes. This\r\nissue was addressed through improved bounds checking. This issue does\r\nnot affect Mac OS X v10.6 or OS X Mountain Lion systems.\r\nCVE-ID\r\nCVE-2012-3716 : Jesse Ruderman of Mozilla Corporation\r\n\r\nData Security\r\nAvailable for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,\r\nOS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4,\r\nOS X Mountain Lion v10.8 and v10.8.1\r\nImpact: An attacker with a privileged network position may intercept\r\nuser credentials or other sensitive information\r\nDescription: TrustWave, a trusted root CA, has issued, and\r\nsubsequently revoked, a sub-CA certificate from one of its trusted\r\nanchors. This sub-CA facilitated the interception of communications\r\nsecured by Transport Layer Security (TLS). This update adds the\r\ninvolved sub-CA certificate to OS X's list of untrusted certificates.\r\n\r\nDirectoryService\r\nAvailable for: Mac OS X 10.6.8, Mac OS X Server 10.6.8\r\nImpact: If the DirectoryService Proxy is used, a remote attacker may\r\ncause a denial of service or arbitrary code execution\r\nDescription: A buffer overflow existed in the DirectoryService\r\nProxy. This issue was addressed through improved bounds checking.\r\nThis issue does not affect OS X Lion and Mountain Lion systems.\r\nCVE-ID\r\nCVE-2012-0650 : aazubel working with HP's Zero Day Initiative\r\n\r\nImageIO\r\nAvailable for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,\r\nOS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4\r\nImpact: Viewing a maliciously crafted PNG image may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: Multiple memory corruption issues existed in libpng's\r\nhandling of PNG images. These issues were addressed through improved\r\nvalidation of PNG images. These issues do not affect OS X Mountain\r\nLion systems.\r\nCVE-ID\r\nCVE-2011-3026 : Juri Aedla\r\nCVE-2011-3048\r\n\r\nImageIO\r\nAvailable for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,\r\nOS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4\r\nImpact: Viewing a maliciously crafted TIFF image may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: An integer overflow issue existed in libTIFF's handling\r\nof TIFF images. This issue was addressed through improved validation\r\nof TIFF images. This issue does not affect OS X Mountain Lion\r\nsystems.\r\nCVE-ID\r\nCVE-2012-1173 : Alexander Gavrun working with HP's Zero Day\r\nInitiative\r\n\r\nInstaller\r\nAvailable for: OS X Lion v10.7 to v10.7.4,\r\nOS X Lion Server v10.7 to v10.7.4\r\nImpact: Remote admins and persons with physical access to the system\r\nmay obtain account information\r\nDescription: The fix for CVE-2012-0652 in OS X Lion 10.7.4 prevented\r\nuser passwords from being recorded in the system log, but did not\r\nremove the old log entries. This issue was addressed by deleting log\r\nfiles that contained passwords. This issue does not affect Mac OS X\r\n10.6 or OS X Mountain Lion systems.\r\nCVE-ID\r\nCVE-2012-0652\r\n\r\nInternational Components for Unicode\r\nAvailable for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,\r\nOS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4\r\nImpact: Applications that use ICU may be vulnerable to an unexpected\r\napplication termination or arbitrary code execution\r\nDescription: A stack buffer overflow existed in the handling of ICU\r\nlocale IDs. This issue was addressed through improved bounds\r\nchecking. This issue does not affect OS X Mountain Lion systems.\r\nCVE-ID\r\nCVE-2011-4599\r\n\r\nKernel\r\nAvailable for: OS X Lion v10.7 to v10.7.4,\r\nOS X Lion Server v10.7 to v10.7.4\r\nImpact: A malicious program could bypass sandbox restrictions\r\nDescription: A logic issue existed in the handling of debug system\r\ncalls. This may allow a malicious program to gain code execution in\r\nother programs with the same user privileges. This issue was\r\naddressed by disabling handling of addresses in PT_STEP and\r\nPT_CONTINUE. This issue does not affect OS X Mountain Lion systems.\r\nCVE-ID\r\nCVE-2012-0643 : iOS Jailbreak Dream Team\r\n\r\nLoginWindow\r\nAvailable for: OS X Mountain Lion v10.8 and v10.8.1\r\nImpact: A local user may be able to obtain other user's login\r\npasswords\r\nDescription: A user-installed input method could intercept password\r\nkeystrokes from Login Window or Screen Saver Unlock. This issue was\r\naddressed by preventing user-installed methods from being used when\r\nthe system is handling login information.\r\nCVE-ID\r\nCVE-2012-3718 : An anonymous researcher\r\n\r\nMail\r\nAvailable for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,\r\nOS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4\r\nImpact: Viewing an e-mail message may lead to execution of web\r\nplugins\r\nDescription: An input validation issue existed in Mail's handling of\r\nembedded web plugins. This issue was addressed by disabling third-\r\nparty plug-ins in Mail. This issue does not affect OS X Mountain Lion\r\nsystems.\r\nCVE-ID\r\nCVE-2012-3719 : Will Dormann of the CERT/CC\r\n\r\nMobile Accounts\r\nAvailable for: OS X Mountain Lion v10.8 and v10.8.1\r\nImpact: A user with access to the contents of a mobile account may\r\nobtain the account password\r\nDescription: Creating a mobile account saved a hash of the password\r\nin the account, which was used to login when the mobile account was\r\nused as an external account. The password hash could be used to\r\ndetermine the user's password. This issue was addressed by creating\r\nthe password hash only if external accounts are enabled on the system\r\nwhere the mobile account is created.\r\nCVE-ID\r\nCVE-2012-3720 : Harald Wagener of Google, Inc.\r\n\r\nPHP\r\nAvailable for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,\r\nOS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4,\r\nOS X Mountain Lion v10.8 and v10.8.1\r\nImpact: Multiple vulnerabilities in PHP\r\nDescription: >PHP is updated to version 5.3.15 to address multiple\r\nvulnerabilities, the most serious of which may lead to arbitrary code\r\nexecution. Further information is available via the PHP web site at\r\nhttp://www.php.net\r\nCVE-ID\r\nCVE-2012-0831\r\nCVE-2012-1172\r\nCVE-2012-1823\r\nCVE-2012-2143\r\nCVE-2012-2311\r\nCVE-2012-2386\r\nCVE-2012-2688\r\n\r\nPHP\r\nAvailable for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,\r\nOS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4\r\nImpact: PHP scripts which use libpng may be vulnerable to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the handling of\r\nPNG files. This issue was addressed by updating PHP's copy of libpng\r\nto version 1.5.10. This issue does not affect OS X Mountain Lion\r\nsystems.\r\nCVE-ID\r\nCVE-2011-3048\r\n\r\nProfile Manager\r\nAvailable for: OS X Lion Server v10.7 to v10.7.4\r\nImpact: An unauthenticated user could enumerate managed devices\r\nDescription: An authentication issue existed in the Device\r\nManagement private interface. This issue was addressed by removing\r\nthe interface. This issue does not affect OS X Mountain Lion\r\nsystems.\r\nCVE-ID\r\nCVE-2012-3721 : Derick Cassidy of XEquals Corporation\r\n\r\nQuickLook\r\nAvailable for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,\r\nOS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4\r\nImpact: Viewing a maliciously crafted .pict file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the handling of\r\n.pict files. This issue was addressed through improved validation of\r\n.pict files. This issue does not affect OS X Mountain Lion systems.\r\nCVE-ID\r\nCVE-2012-0671 : Rodrigo Rubira Branco (twitter.com/bsdaemon) from the\r\nQualys Vulnerability & Malware Research Labs (VMRL)\r\n\r\nQuickTime\r\nAvailable for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,\r\nOS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4\r\nImpact: Viewing a maliciously crafted movie file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: An integer overflow existed in QuickTime's handling of\r\nsean atoms. This issue was addressed through improved bounds\r\nchecking. This issue does not affect OS X Mountain Lion systems.\r\nCVE-ID\r\nCVE-2012-0670 : Tom Gallagher (Microsoft) and Paul Bates (Microsoft)\r\nworking with HP's Zero Day Initiative\r\n\r\nQuickTime\r\nAvailable for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,\r\nOS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4\r\nImpact: Viewing a maliciously crafted movie file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: An uninitialized memory access existed in the handling\r\nof Sorenson encoded movie files. This issue was addressed through\r\nimproved memory initialization. This issue does not affect OS X\r\nMountain Lion systems.\r\nCVE-ID\r\nCVE-2012-3722 : Will Dormann of the CERT/CC\r\n\r\nQuickTime\r\nAvailable for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,\r\nOS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4\r\nImpact: Viewing a maliciously crafted movie file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A buffer overflow existed in the handling of RLE\r\nencoded movie files. This issue was addressed through improved bounds\r\nchecking. This issue does not affect OS X Mountain Lion systems.\r\nCVE-ID\r\nCVE-2012-0668 : Luigi Auriemma working with HP's Zero Day Initiative\r\n\r\nRuby\r\nAvailable for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,\r\nOS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4\r\nImpact: An attacker may be able to decrypt data protected by SSL\r\nDescription: There are known attacks on the confidentiality of SSL\r\n3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.\r\nThe Ruby OpenSSL module disabled the 'empty fragment' countermeasure\r\nwhich prevented these attacks. This issue was addressed by enabling\r\nempty fragments. This issue does not affect OS X Mountain Lion\r\nsystems.\r\nCVE-ID\r\nCVE-2011-3389\r\n\r\nUSB\r\nAvailable for: OS X Lion v10.7 to v10.7.4,\r\nOS X Lion Server v10.7 to v10.7.4\r\nImpact: Attaching a USB device may lead to an unexpected system\r\ntermination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the handling of\r\nUSB hub descriptors. This issue was addressed through improved\r\nhandling of the bNbrPorts descriptor field. This issue does not\r\naffect OS X Mountain Lion systems.\r\nCVE-ID\r\nCVE-2012-3723 : Andy Davis of NGS Secure\r\n\r\nNote: OS X Mountain Lion v10.8.2 includes the content of\r\nSafari 6.0.1. For further details see "About the security content\r\nof Safari 6.0.1" at http://http//support.apple.com/kb/HT5502\r\n\r\n\r\nOS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and Security Update\r\n2012-004 may be obtained from the Software Update pane in System\r\nPreferences, or Apple's Software Downloads web site:\r\nhttp://www.apple.com/support/downloads/\r\n\r\nThe Software Update utility will present the update that applies\r\nto your system configuration. Only one is needed, either\r\nOS X Mountain Lion v10.8.2, OS X Lion v10.7.5 or Security Update\r\n2012-004.\r\n\r\nFor OS X Mountain Lion v10.8.1\r\nThe download file is named: OSXUpd10.8.2.dmg\r\nIts SHA-1 digest is: d6779e1cc748b78af0207499383b1859ffbebe33\r\n\r\nFor OS X Mountain Lion v10.8\r\nThe download file is named: OSXUpdCombo10.8.2.dmg\r\nIts SHA-1 digest is: b08f10233d362e39f20b69f91d1d73f5e7b68a2c\r\n\r\nFor OS X Lion v10.7.4\r\nThe download file is named: MacOSXUpd10.7.5.dmg\r\nIts SHA-1 digest is: e0a9582cce9896938a7a541bd431862d93893532\r\n\r\nFor OS X Lion v10.7 and v10.7.3\r\nThe download file is named: MacOSXUpdCombo10.7.5.dmg\r\nIts SHA-1 digest is: f7a26b164fa10dae4fe646e57b01c34a619c8d9b\r\n\r\nFor OS X Lion Server v10.7.4\r\nThe download file is named: MacOSXServerUpd10.7.5.dmg\r\nIts SHA-1 digest is: a891b03bfb4eecb745c0c39a32f39960fdb6796a\r\n\r\nFor OS X Lion Server v10.7 and v10.7.3\r\nThe download file is named: MacOSXServerUpdCombo10.7.5.dmg\r\nIts SHA-1 digest is: df6e1748ab0a3c9e05c890be49d514673efd965e\r\n\r\nFor Mac OS X v10.6.8\r\nThe download file is named: SecUpd2012-004.dmg\r\nIts SHA-1 digest is: 5b136e29a871d41012f0c6ea1362d6210c8b4fb7\r\n\r\nFor Mac OS X Server v10.6.8\r\nThe download file is named: SecUpdSrvr2012-004.dmg\r\nIts SHA-1 digest is: 9b24496be15078e58a88537700f2f39c112e3b28\r\n\r\nInformation will also be posted to the Apple Security Updates\r\nweb site: http://support.apple.com/kb/HT1222\r\n\r\nThis message is signed with Apple's Product Security PGP key,\r\nand details are available at:\r\nhttps://www.apple.com/support/security/pgp/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG/MacGPG2 v2.0.17 (Darwin)\r\nComment: GPGTools - http://gpgtools.org\r\n\r\niQIcBAEBAgAGBQJQWhlbAAoJEPefwLHPlZEwwjwQAKrpQlZh1B2mkSTLxR7QZg6e\r\nQm7SmIZL9sjl5gQkTxoAvOGxJ8uRdYPlJ1IpyU/MbK0GqO53KmFSeKkwCnvLKMaW\r\npc6tiFaQ4zV4LEAwBAFEuqCsMyPEJqKDhYXl2cHQmWfAlrLCyCKfzGLy2mY2UnkE\r\nDQC2+ys70DChFv2GzyXlibBXAGMKDygJ5dVKynsi1ceZLYWbUJoGwlUtXPylBpnO\r\nQyGWXmEloPbhK6HJbKMNacuDdVcb26pvIeFiivkTSxPVlZ3ns2tAwEyvHrzA9O4n\r\n7rQ6jvfDbguOZmM5sPFvVKBw2GVDBNU+G3T8ouIXhk6Pjhr4in8VFCb8MIMLb8hm\r\n7YYn2z1TzKTNmUuYbwe6ukQvf57cPuW0bAvslbl6PgrzqorlNPU4rDoSvPrJx/RO\r\nBOYkcxfirevHDGibfkeqXPjL3h+bVrb1USZpAv+ZOAy0M89SHFcvMtpAhxnoGiV5\r\nw4EyKB+9Yi/CSAk2Ne3Y5kHH7/v3pWV68aJwhVirya7ex3vnJ+M+lRLKSm2BUjL3\r\n+9fykrJBDujFDXoCmK5CN5Wx36DSVZ4VO1h635crotudtcvd+LQ2VHma/Chav5wK\r\nq5SSllf4KEownpx6o/qTxpg5tcC4lvgTcsDHlYcNq2s8KTTjmOden8ar4h7M7QD2\r\nxyBfrQfG/dsif6jGHaot\r\n=8joH\r\n-----END PGP SIGNATURE-----\r\n", "modified": "2012-09-24T00:00:00", "published": "2012-09-24T00:00:00", "id": "SECURITYVULNS:DOC:28577", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28577", "title": "APPLE-SA-2012-09-19-2 OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and Security Update 2012-004", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:58", "bulletinFamily": "software", "description": "Over 150 vulnerabilities in different applications are closed in auqrterly update.", "modified": "2015-01-25T00:00:00", "published": "2015-01-25T00:00:00", "id": "SECURITYVULNS:VULN:14233", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14233", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2017-03-29T15:16:57", "bulletinFamily": "exploit", "description": "Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow. CVE-2011-3607,CVE-2011-4415. Dos exploit for Linux platform", "modified": "2011-11-02T00:00:00", "published": "2011-11-02T00:00:00", "id": "EDB-ID:41769", "href": "https://www.exploit-db.com/exploits/41769/", "type": "exploitdb", "title": "Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow", "sourceData": "Source: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/\r\n\r\n## Background\r\n\r\nThe Apache HTTP Server is an open-source HTTP server for modern operating systems including UNIX, Microsoft Windows, Mac OS/X and Netware. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services observing the current HTTP standards. Apache has been the most popular web server on the Internet since April of 1996.\r\n\r\n## Problem Description\r\n\r\nDuring routine testing, an integer overflow was found in apache2-mpm-worker 2.2.19 in the function ap_pregsub called from mod-setenvif. The issue affects all versions from 2.0.x to 2.0.64 and 2.2.x to 2.2.21, not depending on the mode of operation (worker, prefork, ..). When a header field is mangled using SetEnvIf, the new environment variable data can be multiples of the size of the submitted header field. When ap_pregsub from server/util.c calculates the buffer size using\r\n\r\n else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {\r\n len += pmatch[no].rm_eo - pmatch[no].rm_so;\r\n }\r\n\r\nthe length value overflows and is used in a subsequent allocation call of buffer too small:\r\n\r\n\r\n dest = dst = apr_pcalloc(p, len + 1);\r\n\r\nThe subsequent filling of the buffer with user-supplied data leads to buffer overflow. Even without overflowing, the allocation of significant amounts of server memory for excessivly large environment variables should be considered a problem also.\r\n\r\n## Impact\r\n\r\nDepending on the input data, exploitation of this issue leads to:\r\n\r\n- allocation of large quantities of server memory, killing processes due to out-of-memory conditions or reducing system performance to crawl due to massive swapping.\r\n- invalid memory access when copying more than 4GB of data into the much smaller buffer. Since the loop copying the data uses only stack and libc-heap, not the apr pool, for source and destination addresses, copy process is linear, starting at low address and pool is separated by unaccessible memory pages for protection on linux. Usually this will only cause termination of the apache process, which is restarted automatically. The impact is increased system load and DOS-condition while under attack.\r\n- At least with multi-threaded server (worker), arbitrary code execution is proven, on single-threaded varians, the use of crafted stop-sequences might allow code execution even on these systems. On many systems ASLR will reduce the efficiency of the attack, but even with ASLR enabled, the automatic restart of processes allows to probe for all possible mappings of libc. An attacker, that has already access to another account on the machen, might be able to use ApacheNoFollowSymlinkTimerace to learn the memory map of the process, thus having the posibility to reach nearly 100% efficiency.\r\n\r\nTo trigger this issue, mod_setenvif must be enabled and the attacker has to be able to place a crafted .htaccess file on the server. Since the triggering of the exploit might depend on a magic header field, the malicious .htaccess might be placed as backdoor in web-content .zip files or could be stored dormant on the server until activation by the corresponding magic request.\r\n\r\n\r\n\r\n\r\n\r\n\r\nSource: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html\r\n\r\n## Starting Point\r\n\r\nDuring routine testing, an integer overflow in apache2-mpm-worker 2.2.19 mod-setenvif was found. The crash occured when mangling request headers using a crafted .htaccess-file (http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/SingleThread-htaccess). The broken code was ap_pregsub in server/util.c, where the buffer size of a new header field could overflow, the value was then used for memory allocation. When copying data to the buffer an, overwrite of the an apr (apache portable runtime) memory-pool boundaries occured, similar to standard heap buffer overflows.\r\n\r\n## Outline of Exploit\r\n\r\nThe main goals creating the exploit were:\r\n\r\n- Exploit has to be triggerable via HTTP GET requests only\r\n- Exploit data has to be 0-byte free to have valid HTTP-protocol\r\n- No alternative way of heap-spraying is used, e.g. GET + content-length. All variants I knew of had much too low efficiency\r\n- Use libc for ROP, although all libc-addresses start with 0-byte, which cannot be sent via HTTP\r\n- Rely only on libc address guess, but not heap/stack address guess, unless guess could be made nearly 100% reliable\r\n- Use the already open HTTP-connections and turn them into command connections on the fly\r\n- Have exploit in less than 256 bytes\r\n\r\nTwo different exploit layouts were developed. The first one used multiple threads, so that one was overwriting the data of the second thread before hitting the end of the memory area. Precise timing was essential to get shell access.\r\n\r\nThe second one used a more crafted substitution expression, stopping the copy in a single thread by modifying the regular expression currently processed in the thread. Since there is race condition involved, this exploit was far more reliable than the first one.", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/41769/"}], "zdt": [{"lastseen": "2018-03-02T19:47:40", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category dos / poc", "modified": "2017-03-29T00:00:00", "published": "2017-03-29T00:00:00", "href": "https://0day.today/exploit/description/27473", "id": "1337DAY-ID-27473", "title": "Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow Vulnerability", "type": "zdt", "sourceData": "Source: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/\r\n \r\n## Background\r\n \r\nThe Apache HTTP Server is an open-source HTTP server for modern operating systems including UNIX, Microsoft Windows, Mac OS/X and Netware. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services observing the current HTTP standards. Apache has been the most popular web server on the Internet since April of 1996.\r\n \r\n## Problem Description\r\n \r\nDuring routine testing, an integer overflow was found in apache2-mpm-worker 2.2.19 in the function ap_pregsub called from mod-setenvif. The issue affects all versions from 2.0.x to 2.0.64 and 2.2.x to 2.2.21, not depending on the mode of operation (worker, prefork, ..). When a header field is mangled using SetEnvIf, the new environment variable data can be multiples of the size of the submitted header field. When ap_pregsub from server/util.c calculates the buffer size using\r\n \r\n else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {\r\n len += pmatch[no].rm_eo - pmatch[no].rm_so;\r\n }\r\n \r\nthe length value overflows and is used in a subsequent allocation call of buffer too small:\r\n \r\n \r\n dest = dst = apr_pcalloc(p, len + 1);\r\n \r\nThe subsequent filling of the buffer with user-supplied data leads to buffer overflow. Even without overflowing, the allocation of significant amounts of server memory for excessivly large environment variables should be considered a problem also.\r\n \r\n## Impact\r\n \r\nDepending on the input data, exploitation of this issue leads to:\r\n \r\n- allocation of large quantities of server memory, killing processes due to out-of-memory conditions or reducing system performance to crawl due to massive swapping.\r\n- invalid memory access when copying more than 4GB of data into the much smaller buffer. Since the loop copying the data uses only stack and libc-heap, not the apr pool, for source and destination addresses, copy process is linear, starting at low address and pool is separated by unaccessible memory pages for protection on linux. Usually this will only cause termination of the apache process, which is restarted automatically. The impact is increased system load and DOS-condition while under attack.\r\n- At least with multi-threaded server (worker), arbitrary code execution is proven, on single-threaded varians, the use of crafted stop-sequences might allow code execution even on these systems. On many systems ASLR will reduce the efficiency of the attack, but even with ASLR enabled, the automatic restart of processes allows to probe for all possible mappings of libc. An attacker, that has already access to another account on the machen, might be able to use ApacheNoFollowSymlinkTimerace to learn the memory map of the process, thus having the posibility to reach nearly 100% efficiency.\r\n \r\nTo trigger this issue, mod_setenvif must be enabled and the attacker has to be able to place a crafted .htaccess file on the server. Since the triggering of the exploit might depend on a magic header field, the malicious .htaccess might be placed as backdoor in web-content .zip files or could be stored dormant on the server until activation by the corresponding magic request.\r\n \r\n \r\n \r\n \r\n \r\n \r\nSource: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html\r\n \r\n## Starting Point\r\n \r\nDuring routine testing, an integer overflow in apache2-mpm-worker 2.2.19 mod-setenvif was found. The crash occured when mangling request headers using a crafted .htaccess-file (http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/SingleThread-htaccess). The broken code was ap_pregsub in server/util.c, where the buffer size of a new header field could overflow, the value was then used for memory allocation. When copying data to the buffer an, overwrite of the an apr (apache portable runtime) memory-pool boundaries occured, similar to standard heap buffer overflows.\r\n \r\n## Outline of Exploit\r\n \r\nThe main goals creating the exploit were:\r\n \r\n- Exploit has to be triggerable via HTTP GET requests only\r\n- Exploit data has to be 0-byte free to have valid HTTP-protocol\r\n- No alternative way of heap-spraying is used, e.g. GET + content-length. All variants I knew of had much too low efficiency\r\n- Use libc for ROP, although all libc-addresses start with 0-byte, which cannot be sent via HTTP\r\n- Rely only on libc address guess, but not heap/stack address guess, unless guess could be made nearly 100% reliable\r\n- Use the already open HTTP-connections and turn them into command connections on the fly\r\n- Have exploit in less than 256 bytes\r\n \r\nTwo different exploit layouts were developed. The first one used multiple threads, so that one was overwriting the data of the second thread before hitting the end of the memory area. Precise timing was essential to get shell access.\r\n \r\nThe second one used a more crafted substitution expression, stopping the copy in a single thread by modifying the regular expression currently processed in the thread. Since there is race condition involved, this exploit was far more reliable than the first one.\n\n# 0day.today [2018-03-02] #", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/27473"}], "nessus": [{"lastseen": "2019-02-21T01:15:50", "bulletinFamily": "scanner", "description": "Multiple vulnerabilities has been found and corrected in apache :\n\nInteger overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow (CVE-2011-3607).\n\nThe mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an \\@ (at sign) character and a : (colon) character in invalid positions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368 (CVE-2011-4317).\n\nThe updated packages have been patched to correct these issues.", "modified": "2019-01-02T00:00:00", "id": "MANDRIVA_MDVSA-2012-003.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=57480", "published": "2012-01-11T00:00:00", "title": "Mandriva Linux Security Advisory : apache (MDVSA-2012:003)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2012:003. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(57480);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2019/01/02 16:37:54\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-4317\");\n script_bugtraq_id(50494, 50802);\n script_xref(name:\"MDVSA\", value:\"2012:003\");\n\n script_name(english:\"Mandriva Linux Security Advisory : apache (MDVSA-2012:003)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities has been found and corrected in apache :\n\nInteger overflow in the ap_pregsub function in server/util.c in the\nApache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when\nthe mod_setenvif module is enabled, allows local users to gain\nprivileges via a .htaccess file with a crafted SetEnvIf directive, in\nconjunction with a crafted HTTP request header, leading to a\nheap-based buffer overflow (CVE-2011-3607).\n\nThe mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42,\n2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision\n1179239 patch is in place, does not properly interact with use of (1)\nRewriteRule and (2) ProxyPassMatch pattern matches for configuration\nof a reverse proxy, which allows remote attackers to send requests to\nintranet servers via a malformed URI containing an \\@ (at sign)\ncharacter and a : (colon) character in invalid positions. NOTE: this\nvulnerability exists because of an incomplete fix for CVE-2011-3368\n(CVE-2011-4317).\n\nThe updated packages have been patched to correct these issues.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-htcacheclean\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_authn_dbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_dav\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_dbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_deflate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_disk_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_file_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_mem_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_proxy_ajp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_proxy_scgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_reqtimeout\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_userdir\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mpm-event\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mpm-itk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mpm-peruser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mpm-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mpm-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-source\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2010.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2011\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/01/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/01/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-base-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-devel-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-htcacheclean-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mod_authn_dbd-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mod_cache-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mod_dav-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mod_dbd-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mod_deflate-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mod_disk_cache-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mod_file_cache-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mod_ldap-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mod_mem_cache-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mod_proxy-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mod_proxy_ajp-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mod_proxy_scgi-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mod_reqtimeout-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mod_ssl-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mod_userdir-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-modules-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mpm-event-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mpm-itk-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mpm-peruser-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mpm-prefork-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-mpm-worker-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.1\", reference:\"apache-source-2.2.15-3.6mdv2010.2\", yank:\"mdv\")) flag++;\n\nif (rpm_check(release:\"MDK2011\", reference:\"apache-base-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-devel-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-htcacheclean-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mod_authn_dbd-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mod_cache-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mod_dav-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mod_dbd-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mod_deflate-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mod_disk_cache-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mod_file_cache-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mod_ldap-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mod_mem_cache-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mod_proxy-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mod_proxy_ajp-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mod_proxy_scgi-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mod_reqtimeout-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mod_ssl-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mod_userdir-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-modules-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mpm-event-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mpm-itk-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mpm-peruser-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mpm-prefork-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-mpm-worker-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2011\", reference:\"apache-source-2.2.21-0.4-mdv2011.0\", yank:\"mdv\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:21:39", "bulletinFamily": "scanner", "description": "This update fixes several security issues in the Apache2 webserver.\n\nCVE-2011-3368, CVE-2011-4317: This update also includes several fixes for a mod_proxy reverse exposure via RewriteRule or ProxyPassMatch directives.\n\nCVE-2011-3607: Integer overflow in ap_pregsub function resulting in a heap based buffer overflow could potentially allow local attackers to gain privileges\n\nIn addition to that the following changes were made :\n\n - new template file:\n /etc/apache2/vhosts.d/vhost-ssl.template allow TLSv1 only, browser match stuff commented out.\n\n - rc script /etc/init.d/apache2: handle reload with deleted binaries by message to stdout only, but refrain from sending signals.\n\n- httpd-2.2.x-bnc727071-mod_authnz_ldap-utf8.diff: make non-ascii eg UTF8 passwords work with mod_authnz_ldap.\n[bnc#727071]", "modified": "2018-11-10T00:00:00", "id": "SUSE_11_3_APACHE2-111205.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=75427", "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : apache2 (openSUSE-SU-2012:0248-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update apache2-5519.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75427);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/11/10 11:49:59\");\n\n script_cve_id(\"CVE-2011-3368\", \"CVE-2011-3607\", \"CVE-2011-4317\");\n\n script_name(english:\"openSUSE Security Update : apache2 (openSUSE-SU-2012:0248-1)\");\n script_summary(english:\"Check for the apache2-5519 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes several security issues in the Apache2 webserver.\n\nCVE-2011-3368, CVE-2011-4317: This update also includes several fixes\nfor a mod_proxy reverse exposure via RewriteRule or ProxyPassMatch\ndirectives.\n\nCVE-2011-3607: Integer overflow in ap_pregsub function resulting in a\nheap based buffer overflow could potentially allow local attackers to\ngain privileges\n\nIn addition to that the following changes were made :\n\n - new template file:\n /etc/apache2/vhosts.d/vhost-ssl.template allow TLSv1\n only, browser match stuff commented out.\n\n - rc script /etc/init.d/apache2: handle reload with\n deleted binaries by message to stdout only, but refrain\n from sending signals.\n\n- httpd-2.2.x-bnc727071-mod_authnz_ldap-utf8.diff: make\nnon-ascii eg UTF8 passwords work with mod_authnz_ldap.\n[bnc#727071]\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=722545\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=727071\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=729181\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2012-02/msg00044.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache2 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-example-certificates\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-example-pages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-itk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/12/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.3\", reference:\"apache2-2.2.15-4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"apache2-devel-2.2.15-4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"apache2-example-certificates-2.2.15-4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"apache2-example-pages-2.2.15-4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"apache2-itk-2.2.15-4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"apache2-prefork-2.2.15-4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"apache2-utils-2.2.15-4.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"apache2-worker-2.2.15-4.9.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2 / apache2-devel / apache2-example-certificates / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:21:48", "bulletinFamily": "scanner", "description": "This update fixes several security issues in the Apache2 webserver.\n\nCVE-2011-3368, CVE-2011-4317: This update also includes several fixes for a mod_proxy reverse exposure via RewriteRule or ProxyPassMatch directives.\n\nCVE-2011-3607: Integer overflow in ap_pregsub function resulting in a heap based buffer overflow could potentially allow local attackers to gain privileges\n\nIn addition to that the following changes were made :\n\n - new template file:\n /etc/apache2/vhosts.d/vhost-ssl.template allow TLSv1 only, browser match stuff commented out.\n\n - rc script /etc/init.d/apache2: handle reload with deleted binaries by message to stdout only, but refrain from sending signals.", "modified": "2018-11-10T00:00:00", "id": "SUSE_11_4_APACHE2-111205.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=75788", "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : apache2 (openSUSE-SU-2012:0212-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update apache2-5520.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75788);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/11/10 11:49:59\");\n\n script_cve_id(\"CVE-2011-3368\", \"CVE-2011-3607\", \"CVE-2011-4317\");\n\n script_name(english:\"openSUSE Security Update : apache2 (openSUSE-SU-2012:0212-1)\");\n script_summary(english:\"Check for the apache2-5520 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes several security issues in the Apache2 webserver.\n\nCVE-2011-3368, CVE-2011-4317: This update also includes several fixes\nfor a mod_proxy reverse exposure via RewriteRule or ProxyPassMatch\ndirectives.\n\nCVE-2011-3607: Integer overflow in ap_pregsub function resulting in a\nheap based buffer overflow could potentially allow local attackers to\ngain privileges\n\nIn addition to that the following changes were made :\n\n - new template file:\n /etc/apache2/vhosts.d/vhost-ssl.template allow TLSv1\n only, browser match stuff commented out.\n\n - rc script /etc/init.d/apache2: handle reload with\n deleted binaries by message to stdout only, but refrain\n from sending signals.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=722545\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=729181\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2012-02/msg00014.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache2 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-example-certificates\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-example-pages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-itk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-itk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-prefork-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-worker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/12/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.4)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.4\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-2.2.17-4.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-debuginfo-2.2.17-4.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-debugsource-2.2.17-4.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-devel-2.2.17-4.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-example-certificates-2.2.17-4.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-example-pages-2.2.17-4.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-itk-2.2.17-4.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-itk-debuginfo-2.2.17-4.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-prefork-2.2.17-4.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-prefork-debuginfo-2.2.17-4.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-utils-2.2.17-4.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-utils-debuginfo-2.2.17-4.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-worker-2.2.17-4.11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-worker-debuginfo-2.2.17-4.11.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2 / apache2-devel / apache2-example-certificates / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:17:21", "bulletinFamily": "scanner", "description": "The Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via a previous update) did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request. (CVE-2011-3639)\n\nThe httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a '.htaccess' file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.", "modified": "2018-12-31T00:00:00", "id": "SL_20120221_HTTPD_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=61261", "published": "2012-08-01T00:00:00", "title": "Scientific Linux Security Update : httpd on SL5.x i386/x86_64", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61261);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/12/31 11:35:00\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n\n script_name(english:\"Scientific Linux Security Update : httpd on SL5.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via a\nprevious update) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request. (CVE-2011-3639)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1203&L=scientific-linux-errata&T=0&P=874\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?99d5fd4b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-410\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"httpd-2.2.3-63.sl5.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"httpd-debuginfo-2.2.3-63.sl5.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"httpd-devel-2.2.3-63.sl5.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"httpd-manual-2.2.3-63.sl5.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"mod_ssl-2.2.3-63.sl5.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:19:57", "bulletinFamily": "scanner", "description": "It was discovered that the fix for CVE-2011-3368 did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request, or by using a specially crafted URI. (CVE-2011-3639 , CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a '.htaccess' file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)", "modified": "2018-04-18T00:00:00", "id": "ALA_ALAS-2012-46.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=69653", "published": "2013-09-04T00:00:00", "title": "Amazon Linux AMI : httpd (ALAS-2012-46)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2012-46.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69653);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/04/18 15:09:34\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_xref(name:\"ALAS\", value:\"2012-46\");\n script_xref(name:\"RHSA\", value:\"2012:0128\");\n\n script_name(english:\"Amazon Linux AMI : httpd (ALAS-2012-46)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the fix for CVE-2011-3368 did not completely\naddress the problem. An attacker could bypass the fix and make a\nreverse proxy connect to an arbitrary server not directly accessible\nto the attacker by sending an HTTP version 0.9 request, or by using a\nspecially crafted URI. (CVE-2011-3639 , CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2012-46.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update httpd' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-410\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/02/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"httpd-2.2.22-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-debuginfo-2.2.22-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-devel-2.2.22-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-manual-2.2.22-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-tools-2.2.22-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod_ssl-2.2.22-1.23.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:16:07", "bulletinFamily": "scanner", "description": "This update contains the latest stable release of the Apace HTTP Server, version 2.2.22. This release fixes various bugs, and the following security issues :\n\n - Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations.\n (CVE-2011-3368)\n\n - Fix integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file. (CVE-2011-3607)\n\n - Resolve additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired backend network exposure in some configurations. (CVE-2011-4317)\n\n - mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format string is in use and a client sends a nameless, valueless cookie, causing a denial of service. The issue existed since version 2.2.17. (CVE-2012-0021)\n\n - Fix scoreboard issue which could allow an unprivileged child process could cause the parent to crash at shutdown rather than terminate cleanly. (CVE-2012-0031)\n\n - Fixed an issue in error responses that could expose 'httpOnly' cookies when no custom ErrorDocument is specified for status code 400. (CVE-2012-0053)\n\nhttp://www.apache.org/dist/httpd/CHANGES_2.2.22\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-28T00:00:00", "id": "FEDORA_2012-1598.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=58050", "published": "2012-02-21T00:00:00", "title": "Fedora 16 : httpd-2.2.22-1.fc16 (2012-1598)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-1598.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(58050);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/11/28 22:47:44\");\n\n script_cve_id(\"CVE-2011-3368\", \"CVE-2011-3607\", \"CVE-2012-0021\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_bugtraq_id(49957, 50494, 51407, 51705, 51706);\n script_xref(name:\"FEDORA\", value:\"2012-1598\");\n\n script_name(english:\"Fedora 16 : httpd-2.2.22-1.fc16 (2012-1598)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update contains the latest stable release of the Apace HTTP\nServer, version 2.2.22. This release fixes various bugs, and the\nfollowing security issues :\n\n - Reject requests where the request-URI does not match the\n HTTP specification, preventing unexpected expansion of\n target URLs in some reverse proxy configurations.\n (CVE-2011-3368)\n\n - Fix integer overflow in ap_pregsub() which, when the\n mod_setenvif module is enabled, could allow local users\n to gain privileges via a .htaccess file. (CVE-2011-3607)\n\n - Resolve additional cases of URL rewriting with\n ProxyPassMatch or RewriteRule, where particular\n request-URIs could result in undesired backend network\n exposure in some configurations. (CVE-2011-4317)\n\n - mod_log_config: Fix segfault (crash) when the\n '%{cookiename}C' log format string is in use and a\n client sends a nameless, valueless cookie, causing a\n denial of service. The issue existed since version\n 2.2.17. (CVE-2012-0021)\n\n - Fix scoreboard issue which could allow an unprivileged\n child process could cause the parent to crash at\n shutdown rather than terminate cleanly. (CVE-2012-0031)\n\n - Fixed an issue in error responses that could expose\n 'httpOnly' cookies when no custom ErrorDocument is\n specified for status code 400. (CVE-2012-0053)\n\nhttp://www.apache.org/dist/httpd/CHANGES_2.2.22\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.apache.org/dist/httpd/CHANGES_2.2.22\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=785070\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-February/073489.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ec1cc0a9\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected httpd package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/02/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/02/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"httpd-2.2.22-1.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:17:21", "bulletinFamily": "scanner", "description": "The Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released in a previous update) did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request, or by using a specially crafted URI.\n(CVE-2011-3639, CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a '.htaccess' file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.", "modified": "2018-12-31T00:00:00", "id": "SL_20120213_HTTPD_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=61245", "published": "2012-08-01T00:00:00", "title": "Scientific Linux Security Update : httpd on SL6.x i386/x86_64", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61245);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/12/31 11:35:00\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2011-4317\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n\n script_name(english:\"Scientific Linux Security Update : httpd on SL6.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released in a\nprevious update) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request, or by using a specially crafted URI.\n(CVE-2011-3639, CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1202&L=scientific-linux-errata&T=0&P=2220\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5ddbd264\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-410\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"httpd-2.2.15-15.el6_2.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"httpd-debuginfo-2.2.15-15.el6_2.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"httpd-devel-2.2.15-15.el6_2.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"httpd-manual-2.2.15-15.el6_2.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"httpd-tools-2.2.15-15.el6_2.1\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"mod_ssl-2.2.15-15.el6_2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:19:35", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2012:0323 :\n\nUpdated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via RHSA-2011:1392) did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request. (CVE-2011-3639)\n\nThe httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a '.htaccess' file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.", "modified": "2018-07-18T00:00:00", "id": "ORACLELINUX_ELSA-2012-0323.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=68488", "published": "2013-07-12T00:00:00", "title": "Oracle Linux 5 : httpd (ELSA-2012-0323)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2012:0323 and \n# Oracle Linux Security Advisory ELSA-2012-0323 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68488);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/07/18 17:43:56\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_bugtraq_id(50322, 50494, 51407, 51706, 51869);\n script_xref(name:\"RHSA\", value:\"2012:0323\");\n\n script_name(english:\"Oracle Linux 5 : httpd (ELSA-2012-0323)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2012:0323 :\n\nUpdated httpd packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1392) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request. (CVE-2011-3639)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2012-March/002683.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-410\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"httpd-2.2.3-63.0.1.el5_8.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"httpd-devel-2.2.3-63.0.1.el5_8.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"httpd-manual-2.2.3-63.0.1.el5_8.1\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"mod_ssl-2.2.3-63.0.1.el5_8.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / mod_ssl\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:23:13", "bulletinFamily": "scanner", "description": "The remote Solaris system is missing necessary patches to address security updates :\n\n - Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow. (CVE-2011-3607)\n\n - The mod_proxy module in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an @ (at sign) character and a : (colon) character in invalid positions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368.\n (CVE-2011-4317)\n\n - scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an invalid call to the free function. (CVE-2012-0031)\n\n - protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script. (CVE-2012-0053)", "modified": "2018-11-15T00:00:00", "id": "SOLARIS11_APACHE_20120420.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=80582", "published": "2015-01-19T00:00:00", "title": "Oracle Solaris Third-Party Patch Update : apache (cve_2011_3607_buffer_overflow)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Oracle Third Party software advisories.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80582);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-4317\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n\n script_name(english:\"Oracle Solaris Third-Party Patch Update : apache (cve_2011_3607_buffer_overflow)\");\n script_summary(english:\"Check for the 'entire' version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Solaris system is missing a security patch for third-party\nsoftware.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - Integer overflow in the ap_pregsub function in\n server/util.c in the Apache HTTP Server 2.0.x through\n 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif\n module is enabled, allows local users to gain privileges\n via a .htaccess file with a crafted SetEnvIf directive,\n in conjunction with a crafted HTTP request header,\n leading to a heap-based buffer overflow. (CVE-2011-3607)\n\n - The mod_proxy module in the Apache HTTP Server 2.0.x\n through 2.0.64, and 2.2.x through 2.2.21, when the\n Revision 1179239 patch is in place, does not properly\n interact with use of (1) RewriteRule and (2)\n ProxyPassMatch pattern matches for configuration of a\n reverse proxy, which allows remote attackers to send\n requests to intranet servers via a malformed URI\n containing an @ (at sign) character and a : (colon)\n character in invalid positions. NOTE: this vulnerability\n exists because of an incomplete fix for CVE-2011-3368.\n (CVE-2011-4317)\n\n - scoreboard.c in the Apache HTTP Server 2.2.21 and\n earlier might allow local users to cause a denial of\n service (daemon crash during shutdown) or possibly have\n unspecified other impact by modifying a certain type\n field within a scoreboard shared memory segment, leading\n to an invalid call to the free function. (CVE-2012-0031)\n\n - protocol.c in the Apache HTTP Server 2.2.x through\n 2.2.21 does not properly restrict header information\n during construction of Bad Request (aka 400) error\n documents, which allows remote attackers to obtain the\n values of HTTPOnly cookies via vectors involving a (1)\n long or (2) malformed header in conjunction with crafted\n web script. (CVE-2012-0053)\"\n );\n # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4a913f44\"\n );\n # https://blogs.oracle.com/sunsecurity/cve-2011-3607-buffer-overflow-vulnerability-in-apache-http-server\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?40ebbd75\"\n );\n # https://blogs.oracle.com/sunsecurity/cve-2011-4317-improper-input-validation-vulnerability-in-apache-http-server\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ed03d708\"\n );\n # https://blogs.oracle.com/sunsecurity/cve-2012-0031-resource-management-errors-vulnerability-in-apache-http-server\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cc400cae\"\n );\n # https://blogs.oracle.com/sunsecurity/cve-2012-0053-information-disclosure-vulnerability-in-apache-http-server\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?90df36e7\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Solaris 11/11 SRU 6.6.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:11.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:apache\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris11/release\", \"Host/Solaris11/pkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Solaris11/release\");\nif (isnull(release)) audit(AUDIT_OS_NOT, \"Solaris11\");\npkg_list = solaris_pkg_list_leaves();\nif (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, \"Solaris pkg-list packages\");\n\nif (empty_or_null(egrep(string:pkg_list, pattern:\"^apache-2\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache\");\n\nflag = 0;\n\nif (solaris_check_release(release:\"0.5.11-0.175.0.6.0.6.0\", sru:\"SRU 6.6\") > 0) flag++;\n\nif (flag)\n{\n error_extra = 'Affected package : apache\\n' + solaris_get_report2();\n error_extra = ereg_replace(pattern:\"version\", replace:\"OS version\", string:error_extra);\n if (report_verbosity > 0) security_warning(port:0, extra:error_extra);\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_PACKAGE_NOT_AFFECTED, \"apache\");\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:16:02", "bulletinFamily": "scanner", "description": "Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via RHSA-2011:1391) did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request, or by using a specially crafted URI.\n(CVE-2011-3639, CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a '.htaccess' file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.", "modified": "2018-12-20T00:00:00", "id": "REDHAT-RHSA-2012-0128.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=57931", "published": "2012-02-14T00:00:00", "title": "RHEL 6 : httpd (RHSA-2012:0128)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2012:0128. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(57931);\n script_version (\"1.20\");\n script_cvs_date(\"Date: 2018/12/20 11:08:45\");\n\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2011-4317\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_bugtraq_id(50494, 50802, 51407, 51706, 51869);\n script_xref(name:\"RHSA\", value:\"2012:0128\");\n\n script_name(english:\"RHEL 6 : httpd (RHSA-2012:0128)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated httpd packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1391) did not completely address the problem. An attacker\ncould bypass the fix and make a reverse proxy connect to an arbitrary\nserver not directly accessible to the attacker by sending an HTTP\nversion 0.9 request, or by using a specially crafted URI.\n(CVE-2011-3639, CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default\nerror page generated when receiving an excessively long or malformed\nheader. Malicious JavaScript running in the server's domain context\ncould use this flaw to gain access to httpOnly cookies.\n(CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions.\nAn attacker able to set certain httpd settings, such as a user\npermitted to override the httpd configuration for a specific directory\nusing a '.htaccess' file, could use this flaw to crash the httpd child\nprocess or, possibly, execute arbitrary code with the privileges of\nthe 'apache' user. (CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status\ninformation. A malicious program running with httpd child process\nprivileges (such as a PHP or CGI script) could use this flaw to cause\nthe parent httpd process to crash during httpd service shutdown.\n(CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing\nthe updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-3607\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-3639\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-4317\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-0031\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-0053\"\n );\n # https://rhn.redhat.com/errata/RHSA-2011-1391.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2011:1391\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2012:0128\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-410\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/02/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2012:0128\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"httpd-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"httpd-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"httpd-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"httpd-debuginfo-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"httpd-devel-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"httpd-manual-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"httpd-tools-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"httpd-tools-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"httpd-tools-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"mod_ssl-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"mod_ssl-2.2.15-15.el6_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"mod_ssl-2.2.15-15.el6_2.1\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n }\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2019-05-29T18:38:59", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2012-01-13T00:00:00", "id": "OPENVAS:1361412562310831523", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310831523", "title": "Mandriva Update for apache MDVSA-2012:003 (apache)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for apache MDVSA-2012:003 (apache)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2012:003\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.831523\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-01-13 10:49:33 +0530 (Fri, 13 Jan 2012)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name:\"MDVSA\", value:\"2012:003\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3368\", \"CVE-2011-4317\");\n script_name(\"Mandriva Update for apache MDVSA-2012:003 (apache)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apache'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\", re:\"ssh/login/release=MNDK_(2011\\.0|mes5\\.2|2010\\.1)\");\n script_tag(name:\"affected\", value:\"apache on Mandriva Linux 2011.0,\n Mandriva Enterprise Server 5.2,\n Mandriva Linux 2010.1\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name : \"insight\", value : \"Multiple vulnerabilities has been found and corrected in apache:\n Integer overflow in the ap_pregsub function in server/util.c in the\n Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21,\n when the mod_setenvif module is enabled, allows local users to gain\n privileges via a .htaccess file with a crafted SetEnvIf directive,\n in conjunction with a crafted HTTP request header, leading to a\n heap-based buffer overflow (CVE-2011-3607).\n\n The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42,\n 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision\n 1179239 patch is in place, does not properly interact with use of (1)\n RewriteRule and (2) ProxyPassMatch pattern matches for configuration\n of a reverse proxy, which allows remote attackers to send requests\n to intranet servers via a malformed URI containing an \\@ (at sign)\n character and a : (colon) character in invalid positions. NOTE: this\n vulnerability exists because of an incomplete fix for CVE-2011-3368\n (CVE-2011-4317).\n\n The updated packages have been patched to correct these issues.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MNDK_2011.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache-base\", rpm:\"apache-base~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-devel\", rpm:\"apache-devel~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-htcacheclean\", rpm:\"apache-htcacheclean~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_authn_dbd\", rpm:\"apache-mod_authn_dbd~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_cache\", rpm:\"apache-mod_cache~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_dav\", rpm:\"apache-mod_dav~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_dbd\", rpm:\"apache-mod_dbd~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_deflate\", rpm:\"apache-mod_deflate~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_disk_cache\", rpm:\"apache-mod_disk_cache~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_file_cache\", rpm:\"apache-mod_file_cache~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_ldap\", rpm:\"apache-mod_ldap~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_mem_cache\", rpm:\"apache-mod_mem_cache~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_proxy\", rpm:\"apache-mod_proxy~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_proxy_ajp\", rpm:\"apache-mod_proxy_ajp~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_proxy_scgi\", rpm:\"apache-mod_proxy_scgi~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_reqtimeout\", rpm:\"apache-mod_reqtimeout~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_ssl\", rpm:\"apache-mod_ssl~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-modules\", rpm:\"apache-modules~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_userdir\", rpm:\"apache-mod_userdir~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-event\", rpm:\"apache-mpm-event~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-itk\", rpm:\"apache-mpm-itk~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-peruser\", rpm:\"apache-mpm-peruser~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-prefork\", rpm:\"apache-mpm-prefork~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-worker\", rpm:\"apache-mpm-worker~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-source\", rpm:\"apache-source~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"MNDK_mes5.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache-base\", rpm:\"apache-base~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-devel\", rpm:\"apache-devel~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-htcacheclean\", rpm:\"apache-htcacheclean~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_authn_dbd\", rpm:\"apache-mod_authn_dbd~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_cache\", rpm:\"apache-mod_cache~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_dav\", rpm:\"apache-mod_dav~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_dbd\", rpm:\"apache-mod_dbd~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_deflate\", rpm:\"apache-mod_deflate~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_disk_cache\", rpm:\"apache-mod_disk_cache~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_file_cache\", rpm:\"apache-mod_file_cache~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_ldap\", rpm:\"apache-mod_ldap~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_mem_cache\", rpm:\"apache-mod_mem_cache~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_proxy\", rpm:\"apache-mod_proxy~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_proxy_ajp\", rpm:\"apache-mod_proxy_ajp~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_ssl\", rpm:\"apache-mod_ssl~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-modules\", rpm:\"apache-modules~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_userdir\", rpm:\"apache-mod_userdir~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-event\", rpm:\"apache-mpm-event~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-itk\", rpm:\"apache-mpm-itk~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-peruser\", rpm:\"apache-mpm-peruser~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-prefork\", rpm:\"apache-mpm-prefork~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-worker\", rpm:\"apache-mpm-worker~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-source\", rpm:\"apache-source~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\nif(release == \"MNDK_2010.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache-base\", rpm:\"apache-base~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-devel\", rpm:\"apache-devel~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-htcacheclean\", rpm:\"apache-htcacheclean~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_authn_dbd\", rpm:\"apache-mod_authn_dbd~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_cache\", rpm:\"apache-mod_cache~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_dav\", rpm:\"apache-mod_dav~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_dbd\", rpm:\"apache-mod_dbd~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_deflate\", rpm:\"apache-mod_deflate~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_disk_cache\", rpm:\"apache-mod_disk_cache~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_file_cache\", rpm:\"apache-mod_file_cache~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_ldap\", rpm:\"apache-mod_ldap~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_mem_cache\", rpm:\"apache-mod_mem_cache~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_proxy\", rpm:\"apache-mod_proxy~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_proxy_ajp\", rpm:\"apache-mod_proxy_ajp~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_proxy_scgi\", rpm:\"apache-mod_proxy_scgi~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_reqtimeout\", rpm:\"apache-mod_reqtimeout~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_ssl\", rpm:\"apache-mod_ssl~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-modules\", rpm:\"apache-modules~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_userdir\", rpm:\"apache-mod_userdir~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-event\", rpm:\"apache-mpm-event~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-itk\", rpm:\"apache-mpm-itk~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-peruser\", rpm:\"apache-mpm-peruser~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-prefork\", rpm:\"apache-mpm-prefork~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-worker\", rpm:\"apache-mpm-worker~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-source\", rpm:\"apache-source~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2018-01-02T10:57:49", "bulletinFamily": "scanner", "description": "Check for the Version of apache", "modified": "2018-01-02T00:00:00", "published": "2012-01-13T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=831523", "id": "OPENVAS:831523", "title": "Mandriva Update for apache MDVSA-2012:003 (apache)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for apache MDVSA-2012:003 (apache)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple vulnerabilities has been found and corrected in apache:\n Integer overflow in the ap_pregsub function in server/util.c in the\n Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21,\n when the mod_setenvif module is enabled, allows local users to gain\n privileges via a .htaccess file with a crafted SetEnvIf directive,\n in conjunction with a crafted HTTP request header, leading to a\n heap-based buffer overflow (CVE-2011-3607).\n\n The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42,\n 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision\n 1179239 patch is in place, does not properly interact with use of (1)\n RewriteRule and (2) ProxyPassMatch pattern matches for configuration\n of a reverse proxy, which allows remote attackers to send requests\n to intranet servers via a malformed URI containing an \\@ (at sign)\n character and a : (colon) character in invalid positions. NOTE: this\n vulnerability exists because of an incomplete fix for CVE-2011-3368\n (CVE-2011-4317).\n\n The updated packages have been patched to correct these issues.\";\n\ntag_affected = \"apache on Mandriva Linux 2011.0,\n Mandriva Enterprise Server 5.2,\n Mandriva Linux 2010.1\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2012:003\");\n script_id(831523);\n script_version(\"$Revision: 8267 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-02 07:29:17 +0100 (Tue, 02 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-01-13 10:49:33 +0530 (Fri, 13 Jan 2012)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"MDVSA\", value: \"2012:003\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3368\", \"CVE-2011-4317\");\n script_name(\"Mandriva Update for apache MDVSA-2012:003 (apache)\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of apache\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"MNDK_2011.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache-base\", rpm:\"apache-base~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-devel\", rpm:\"apache-devel~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-htcacheclean\", rpm:\"apache-htcacheclean~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_authn_dbd\", rpm:\"apache-mod_authn_dbd~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_cache\", rpm:\"apache-mod_cache~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_dav\", rpm:\"apache-mod_dav~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_dbd\", rpm:\"apache-mod_dbd~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_deflate\", rpm:\"apache-mod_deflate~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_disk_cache\", rpm:\"apache-mod_disk_cache~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_file_cache\", rpm:\"apache-mod_file_cache~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_ldap\", rpm:\"apache-mod_ldap~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_mem_cache\", rpm:\"apache-mod_mem_cache~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_proxy\", rpm:\"apache-mod_proxy~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_proxy_ajp\", rpm:\"apache-mod_proxy_ajp~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_proxy_scgi\", rpm:\"apache-mod_proxy_scgi~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_reqtimeout\", rpm:\"apache-mod_reqtimeout~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_ssl\", rpm:\"apache-mod_ssl~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-modules\", rpm:\"apache-modules~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_userdir\", rpm:\"apache-mod_userdir~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-event\", rpm:\"apache-mpm-event~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-itk\", rpm:\"apache-mpm-itk~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-peruser\", rpm:\"apache-mpm-peruser~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-prefork\", rpm:\"apache-mpm-prefork~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-worker\", rpm:\"apache-mpm-worker~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-source\", rpm:\"apache-source~2.2.21~0.4\", rls:\"MNDK_2011.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"MNDK_mes5.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache-base\", rpm:\"apache-base~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-devel\", rpm:\"apache-devel~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-htcacheclean\", rpm:\"apache-htcacheclean~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_authn_dbd\", rpm:\"apache-mod_authn_dbd~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_cache\", rpm:\"apache-mod_cache~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_dav\", rpm:\"apache-mod_dav~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_dbd\", rpm:\"apache-mod_dbd~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_deflate\", rpm:\"apache-mod_deflate~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_disk_cache\", rpm:\"apache-mod_disk_cache~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_file_cache\", rpm:\"apache-mod_file_cache~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_ldap\", rpm:\"apache-mod_ldap~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_mem_cache\", rpm:\"apache-mod_mem_cache~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_proxy\", rpm:\"apache-mod_proxy~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_proxy_ajp\", rpm:\"apache-mod_proxy_ajp~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_ssl\", rpm:\"apache-mod_ssl~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-modules\", rpm:\"apache-modules~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_userdir\", rpm:\"apache-mod_userdir~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-event\", rpm:\"apache-mpm-event~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-itk\", rpm:\"apache-mpm-itk~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-peruser\", rpm:\"apache-mpm-peruser~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-prefork\", rpm:\"apache-mpm-prefork~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-worker\", rpm:\"apache-mpm-worker~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-source\", rpm:\"apache-source~2.2.9~12.15mdvmes5.2\", rls:\"MNDK_mes5.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\nif(release == \"MNDK_2010.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache-base\", rpm:\"apache-base~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-devel\", rpm:\"apache-devel~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-htcacheclean\", rpm:\"apache-htcacheclean~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_authn_dbd\", rpm:\"apache-mod_authn_dbd~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_cache\", rpm:\"apache-mod_cache~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_dav\", rpm:\"apache-mod_dav~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_dbd\", rpm:\"apache-mod_dbd~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_deflate\", rpm:\"apache-mod_deflate~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_disk_cache\", rpm:\"apache-mod_disk_cache~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_file_cache\", rpm:\"apache-mod_file_cache~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_ldap\", rpm:\"apache-mod_ldap~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_mem_cache\", rpm:\"apache-mod_mem_cache~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_proxy\", rpm:\"apache-mod_proxy~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_proxy_ajp\", rpm:\"apache-mod_proxy_ajp~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_proxy_scgi\", rpm:\"apache-mod_proxy_scgi~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_reqtimeout\", rpm:\"apache-mod_reqtimeout~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_ssl\", rpm:\"apache-mod_ssl~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-modules\", rpm:\"apache-modules~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mod_userdir\", rpm:\"apache-mod_userdir~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-event\", rpm:\"apache-mpm-event~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-itk\", rpm:\"apache-mpm-itk~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-peruser\", rpm:\"apache-mpm-peruser~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-prefork\", rpm:\"apache-mpm-prefork~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-mpm-worker\", rpm:\"apache-mpm-worker~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"apache-source\", rpm:\"apache-source~2.2.15~3.6mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-12-04T11:20:42", "bulletinFamily": "scanner", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1368-1", "modified": "2017-12-01T00:00:00", "published": "2012-02-21T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=840900", "id": "OPENVAS:840900", "title": "Ubuntu Update for apache2 USN-1368-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1368_1.nasl 7960 2017-12-01 06:58:16Z santu $\n#\n# Ubuntu Update for apache2 USN-1368-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that the Apache HTTP Server incorrectly handled the\n SetEnvIf .htaccess file directive. An attacker having write access to a\n .htaccess file may exploit this to possibly execute arbitrary code.\n (CVE-2011-3607)\n\n Prutha Parikh discovered that the mod_proxy module did not properly\n interact with the RewriteRule and ProxyPassMatch pattern matches in the\n configuration of a reverse proxy. This could allow remote attackers to\n contact internal webservers behind the proxy that were not intended for\n external exposure. (CVE-2011-4317)\n\n Rainer Canavan discovered that the mod_log_config module incorrectly\n handled a certain format string when used with a threaded MPM. A remote\n attacker could exploit this to cause a denial of service via a specially-\n crafted cookie. This issue only affected Ubuntu 11.04 and 11.10.\n (CVE-2012-0021)\n\n It was discovered that the Apache HTTP Server incorrectly handled certain\n type fields within a scoreboard shared memory segment. A local attacker\n could exploit this to to cause a denial of service. (CVE-2012-0031)\n\n Norman Hippert discovered that the Apache HTTP Server incorrecly handled\n header information when returning a Bad Request (400) error page. A remote\n attacker could exploit this to obtain the values of certain HTTPOnly\n cookies. (CVE-2012-0053)\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1368-1\";\ntag_affected = \"apache2 on Ubuntu 11.04 ,\n Ubuntu 10.10 ,\n Ubuntu 10.04 LTS ,\n Ubuntu 8.04 LTS\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1368-1/\");\n script_id(840900);\n script_version(\"$Revision: 7960 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:58:16 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-21 19:00:08 +0530 (Tue, 21 Feb 2012)\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-4317\", \"CVE-2012-0021\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"USN\", value: \"1368-1\");\n script_name(\"Ubuntu Update for apache2 USN-1368-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU10.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.16-1ubuntu3.5\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.14-5ubuntu8.8\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.17-1ubuntu1.5\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.8-1ubuntu0.23\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-02T10:57:25", "bulletinFamily": "scanner", "description": "Check for the Version of httpd", "modified": "2018-01-01T00:00:00", "published": "2012-02-27T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=870571", "id": "OPENVAS:870571", "title": "RedHat Update for httpd RHSA-2012:0323-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for httpd RHSA-2012:0323-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The Apache HTTP Server is a popular web server.\n\n It was discovered that the fix for CVE-2011-3368 (released via\n RHSA-2011:1392) did not completely address the problem. An attacker could\n bypass the fix and make a reverse proxy connect to an arbitrary server not\n directly accessible to the attacker by sending an HTTP version 0.9 request.\n (CVE-2011-3639)\n\n The httpd server included the full HTTP header line in the default error\n page generated when receiving an excessively long or malformed header.\n Malicious JavaScript running in the server's domain context could use this\n flaw to gain access to httpOnly cookies. (CVE-2012-0053)\n\n An integer overflow flaw, leading to a heap-based buffer overflow, was\n found in the way httpd performed substitutions in regular expressions. An\n attacker able to set certain httpd settings, such as a user permitted to\n override the httpd configuration for a specific directory using a\n ".htaccess" file, could use this flaw to crash the httpd child process or,\n possibly, execute arbitrary code with the privileges of the "apache" user.\n (CVE-2011-3607)\n\n A flaw was found in the way httpd handled child process status information.\n A malicious program running with httpd child process privileges (such as a\n PHP or CGI script) could use this flaw to cause the parent httpd process to\n crash during httpd service shutdown. (CVE-2012-0031)\n\n All httpd users should upgrade to these updated packages, which contain\n backported patches to correct these issues. After installing the updated\n packages, the httpd daemon will be restarted automatically.\";\n\ntag_affected = \"httpd on Red Hat Enterprise Linux (v. 5 server)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2012-February/msg00063.html\");\n script_id(870571);\n script_version(\"$Revision: 8265 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-01 07:29:23 +0100 (Mon, 01 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-27 11:17:07 +0530 (Mon, 27 Feb 2012)\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\",\n \"CVE-2012-0053\", \"CVE-2011-3368\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"RHSA\", value: \"2012:0323-01\");\n script_name(\"RedHat Update for httpd RHSA-2012:0323-01\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of httpd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-debuginfo\", rpm:\"httpd-debuginfo~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-05-29T18:36:22", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2012-0128", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123992", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123992", "title": "Oracle Linux Local Check: ELSA-2012-0128", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2012-0128.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123992\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:11:20 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2012-0128\");\n script_tag(name:\"insight\", value:\"ELSA-2012-0128 - httpd security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2012-0128\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2012-0128.html\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2011-4317\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.15~15.0.1.el6_2.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.15~15.0.1.el6_2.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.15~15.0.1.el6_2.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.15~15.0.1.el6_2.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.15~15.0.1.el6_2.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:39:18", "bulletinFamily": "scanner", "description": "Amazon Linux Local Security Checks", "modified": "2018-10-01T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120253", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120253", "title": "Amazon Linux Local Check: ALAS-2012-46", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2012-46.nasl 6578 2017-07-06 13:44:33Z cfischer$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120253\");\n script_version(\"$Revision: 11711 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:21:35 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 14:30:57 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2012-46\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in httpd. Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update httpd to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2012-46.html\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"httpd-debuginfo\", rpm:\"httpd-debuginfo~2.2.22~1.23.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.22~1.23.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.22~1.23.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.22~1.23.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.22~1.23.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:39:23", "bulletinFamily": "scanner", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1368-1", "modified": "2019-03-13T00:00:00", "published": "2012-02-21T00:00:00", "id": "OPENVAS:1361412562310840900", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310840900", "title": "Ubuntu Update for apache2 USN-1368-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1368_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for apache2 USN-1368-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1368-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.840900\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-21 19:00:08 +0530 (Tue, 21 Feb 2012)\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-4317\", \"CVE-2012-0021\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"USN\", value:\"1368-1\");\n script_name(\"Ubuntu Update for apache2 USN-1368-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(10\\.10|10\\.04 LTS|11\\.04|8\\.04 LTS)\");\n script_tag(name:\"summary\", value:\"Ubuntu Update for Linux kernel vulnerabilities USN-1368-1\");\n script_tag(name:\"affected\", value:\"apache2 on Ubuntu 11.04,\n Ubuntu 10.10,\n Ubuntu 10.04 LTS,\n Ubuntu 8.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"It was discovered that the Apache HTTP Server incorrectly handled the\n SetEnvIf .htaccess file directive. An attacker having write access to a\n .htaccess file may exploit this to possibly execute arbitrary code.\n (CVE-2011-3607)\n\n Prutha Parikh discovered that the mod_proxy module did not properly\n interact with the RewriteRule and ProxyPassMatch pattern matches in the\n configuration of a reverse proxy. This could allow remote attackers to\n contact internal webservers behind the proxy that were not intended for\n external exposure. (CVE-2011-4317)\n\n Rainer Canavan discovered that the mod_log_config module incorrectly\n handled a certain format string when used with a threaded MPM. A remote\n attacker could exploit this to cause a denial of service via a specially-\n crafted cookie. This issue only affected Ubuntu 11.04 and 11.10.\n (CVE-2012-0021)\n\n It was discovered that the Apache HTTP Server incorrectly handled certain\n type fields within a scoreboard shared memory segment. A local attacker\n could exploit this to to cause a denial of service. (CVE-2012-0031)\n\n Norman Hippert discovered that the Apache HTTP Server incorrecly handled\n header information when returning a Bad Request (400) error page. A remote\n attacker could exploit this to obtain the values of certain HTTPOnly\n cookies. (CVE-2012-0053)\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU10.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.16-1ubuntu3.5\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.14-5ubuntu8.8\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.17-1ubuntu1.5\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.8-1ubuntu0.23\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:39:04", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-12T00:00:00", "published": "2012-02-27T00:00:00", "id": "OPENVAS:1361412562310870571", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870571", "title": "RedHat Update for httpd RHSA-2012:0323-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for httpd RHSA-2012:0323-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2012-February/msg00063.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870571\");\n script_version(\"$Revision: 14114 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-12 12:48:52 +0100 (Tue, 12 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-27 11:17:07 +0530 (Mon, 27 Feb 2012)\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\",\n \"CVE-2012-0053\", \"CVE-2011-3368\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name:\"RHSA\", value:\"2012:0323-01\");\n script_name(\"RedHat Update for httpd RHSA-2012:0323-01\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'httpd'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_5\");\n script_tag(name:\"affected\", value:\"httpd on Red Hat Enterprise Linux (v. 5 server)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"The Apache HTTP Server is a popular web server.\n\n It was discovered that the fix for CVE-2011-3368 (released via\n RHSA-2011:1392) did not completely address the problem. An attacker could\n bypass the fix and make a reverse proxy connect to an arbitrary server not\n directly accessible to the attacker by sending an HTTP version 0.9 request.\n (CVE-2011-3639)\n\n The httpd server included the full HTTP header line in the default error\n page generated when receiving an excessively long or malformed header.\n Malicious JavaScript running in the server's domain context could use this\n flaw to gain access to httpOnly cookies. (CVE-2012-0053)\n\n An integer overflow flaw, leading to a heap-based buffer overflow, was\n found in the way httpd performed substitutions in regular expressions. An\n attacker able to set certain httpd settings, such as a user permitted to\n override the httpd configuration for a specific directory using a\n '.htaccess' file, could use this flaw to crash the httpd child process or,\n possibly, execute arbitrary code with the privileges of the 'apache' user.\n (CVE-2011-3607)\n\n A flaw was found in the way httpd handled child process status information.\n A malicious program running with httpd child process privileges (such as a\n PHP or CGI script) could use this flaw to cause the parent httpd process to\n crash during httpd service shutdown. (CVE-2012-0031)\n\n All httpd users should upgrade to these updated packages, which contain\n backported patches to correct these issues. After installing the updated\n packages, the httpd daemon will be restarted automatically.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-debuginfo\", rpm:\"httpd-debuginfo~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.3~63.el5_8.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:36:02", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2012-0323", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123980", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123980", "title": "Oracle Linux Local Check: ELSA-2012-0323", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2012-0323.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123980\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:11:07 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2012-0323\");\n script_tag(name:\"insight\", value:\"ELSA-2012-0323 - httpd security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2012-0323\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2012-0323.html\");\n script_cve_id(\"CVE-2011-3607\", \"CVE-2011-3639\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.3~63.0.1.el5_8.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.3~63.0.1.el5_8.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.3~63.0.1.el5_8.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.3~63.0.1.el5_8.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-01-02T10:57:22", "bulletinFamily": "scanner", "description": "Check for the Version of httpd", "modified": "2017-12-28T00:00:00", "published": "2012-03-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=863759", "id": "OPENVAS:863759", "title": "Fedora Update for httpd FEDORA-2012-1642", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for httpd FEDORA-2012-1642\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"httpd on Fedora 15\";\ntag_insight = \"The Apache HTTP Server is a powerful, efficient, and extensible\n web server.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-March/074371.html\");\n script_id(863759);\n script_version(\"$Revision: 8253 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-28 07:29:51 +0100 (Thu, 28 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-03-07 11:18:18 +0530 (Wed, 07 Mar 2012)\");\n script_cve_id(\"CVE-2011-3368\", \"CVE-2011-3607\", \"CVE-2011-4317\", \"CVE-2012-0021\", \"CVE-2012-0031\", \"CVE-2012-0053\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"FEDORA\", value: \"2012-1642\");\n script_name(\"Fedora Update for httpd FEDORA-2012-1642\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of httpd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC15\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.22~1.fc15\", rls:\"FC15\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "ubuntu": [{"lastseen": "2019-05-29T17:23:19", "bulletinFamily": "unix", "description": "It was discovered that the Apache HTTP Server incorrectly handled the SetEnvIf .htaccess file directive. An attacker having write access to a .htaccess file may exploit this to possibly execute arbitrary code. (CVE-2011-3607)\n\nPrutha Parikh discovered that the mod_proxy module did not properly interact with the RewriteRule and ProxyPassMatch pattern matches in the configuration of a reverse proxy. This could allow remote attackers to contact internal webservers behind the proxy that were not intended for external exposure. (CVE-2011-4317)\n\nRainer Canavan discovered that the mod_log_config module incorrectly handled a certain format string when used with a threaded MPM. A remote attacker could exploit this to cause a denial of service via a specially- crafted cookie. This issue only affected Ubuntu 11.04 and 11.10. (CVE-2012-0021)\n\nIt was discovered that the Apache HTTP Server incorrectly handled certain type fields within a scoreboard shared memory segment. A local attacker could exploit this to to cause a denial of service. (CVE-2012-0031)\n\nNorman Hippert discovered that the Apache HTTP Server incorrecly handled header information when returning a Bad Request (400) error page. A remote attacker could exploit this to obtain the values of certain HTTPOnly cookies. (CVE-2012-0053)", "modified": "2012-02-16T00:00:00", "published": "2012-02-16T00:00:00", "id": "USN-1368-1", "href": "https://usn.ubuntu.com/1368-1/", "title": "Apache HTTP Server vulnerabilities", "type": "ubuntu", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-05-29T14:34:05", "bulletinFamily": "unix", "description": "The Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1392) did not completely address the problem. An attacker could\nbypass the fix and make a reverse proxy connect to an arbitrary server not\ndirectly accessible to the attacker by sending an HTTP version 0.9 request.\n(CVE-2011-3639)\n\nThe httpd server included the full HTTP header line in the default error\npage generated when receiving an excessively long or malformed header.\nMalicious JavaScript running in the server's domain context could use this\nflaw to gain access to httpOnly cookies. (CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions. An\nattacker able to set certain httpd settings, such as a user permitted to\noverride the httpd configuration for a specific directory using a\n\".htaccess\" file, could use this flaw to crash the httpd child process or,\npossibly, execute arbitrary code with the privileges of the \"apache\" user.\n(CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status information.\nA malicious program running with httpd child process privileges (such as a\nPHP or CGI script) could use this flaw to cause the parent httpd process to\ncrash during httpd service shutdown. (CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which contain\nbackported patches to correct these issues. After installing the updated\npackages, the httpd daemon will be restarted automatically.\n", "modified": "2017-09-08T12:08:34", "published": "2012-02-21T05:00:00", "id": "RHSA-2012:0323", "href": "https://access.redhat.com/errata/RHSA-2012:0323", "type": "redhat", "title": "(RHSA-2012:0323) Moderate: httpd security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T14:35:44", "bulletinFamily": "unix", "description": "The Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1391) did not completely address the problem. An attacker could\nbypass the fix and make a reverse proxy connect to an arbitrary server not\ndirectly accessible to the attacker by sending an HTTP version 0.9 request,\nor by using a specially-crafted URI. (CVE-2011-3639, CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default error\npage generated when receiving an excessively long or malformed header.\nMalicious JavaScript running in the server's domain context could use this\nflaw to gain access to httpOnly cookies. (CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions. An\nattacker able to set certain httpd settings, such as a user permitted to\noverride the httpd configuration for a specific directory using a\n\".htaccess\" file, could use this flaw to crash the httpd child process or,\npossibly, execute arbitrary code with the privileges of the \"apache\" user.\n(CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status information.\nA malicious program running with httpd child process privileges (such as a\nPHP or CGI script) could use this flaw to cause the parent httpd process to\ncrash during httpd service shutdown. (CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which contain\nbackported patches to correct these issues. After installing the updated\npackages, the httpd daemon will be restarted automatically.\n", "modified": "2018-06-06T20:24:35", "published": "2012-02-13T05:00:00", "id": "RHSA-2012:0128", "href": "https://access.redhat.com/errata/RHSA-2012:0128", "type": "redhat", "title": "(RHSA-2012:0128) Moderate: httpd security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T14:34:09", "bulletinFamily": "unix", "description": "The Apache HTTP Server (\"httpd\") is the namesake project of The Apache\nSoftware Foundation.\n\nIt was discovered that the Apache HTTP Server did not properly validate the\nrequest URI for proxied requests. In certain configurations, if a reverse\nproxy used the ProxyPassMatch directive, or if it used the RewriteRule\ndirective with the proxy flag, a remote attacker could make the proxy\nconnect to an arbitrary server, possibly disclosing sensitive information\nfrom internal web servers not directly accessible to the attacker.\n(CVE-2011-3368)\n\nIt was discovered that mod_proxy_ajp incorrectly returned an \"Internal\nServer Error\" response when processing certain malformed HTTP requests,\nwhich caused the back-end server to be marked as failed in configurations\nwhere mod_proxy was used in load balancer mode. A remote attacker could\ncause mod_proxy to not send requests to back-end AJP (Apache JServ\nProtocol) servers for the retry timeout period or until all back-end\nservers were marked as failed. (CVE-2011-3348)\n\nThe httpd server included the full HTTP header line in the default error\npage generated when receiving an excessively long or malformed header.\nMalicious JavaScript running in the server's domain context could use this\nflaw to gain access to httpOnly cookies. (CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions. An\nattacker able to set certain httpd settings, such as a user permitted to\noverride the httpd configuration for a specific directory using a\n\".htaccess\" file, could use this flaw to crash the httpd child process or,\npossibly, execute arbitrary code with the privileges of the \"apache\" user.\n(CVE-2011-3607)\n\nA NULL pointer dereference flaw was found in the httpd mod_log_config\nmodule. In configurations where cookie logging is enabled, a remote\nattacker could use this flaw to crash the httpd child process via an HTTP\nrequest with a malformed Cookie header. (CVE-2012-0021)\n\nA flaw was found in the way httpd handled child process status information.\nA malicious program running with httpd child process privileges (such as a\nPHP or CGI script) could use this flaw to cause the parent httpd process to\ncrash during httpd service shutdown. (CVE-2012-0031)\n\nRed Hat would like to thank Context Information Security for reporting the\nCVE-2011-3368 issue.\n\nThis update also fixes the following bug:\n\n* The fix for CVE-2011-3192 provided by the RHSA-2011:1329 update\nintroduced a regression in the way httpd handled certain Range HTTP header\nvalues. This update corrects this regression. (BZ#749071)\n\nAll users of JBoss Enterprise Web Server 1.0.2 should upgrade to these\nupdated packages, which contain backported patches to correct these issues.\nAfter installing the updated packages, users must restart the httpd\nservice for the update to take effect.\n", "modified": "2018-06-07T02:42:41", "published": "2012-05-07T04:00:00", "id": "RHSA-2012:0542", "href": "https://access.redhat.com/errata/RHSA-2012:0542", "type": "redhat", "title": "(RHSA-2012:0542) Moderate: httpd security and bug fix update", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T14:34:40", "bulletinFamily": "unix", "description": "The Apache HTTP Server (\"httpd\") is the namesake project of The Apache\nSoftware Foundation.\n\nIt was discovered that the Apache HTTP Server did not properly validate the\nrequest URI for proxied requests. In certain configurations, if a reverse\nproxy used the ProxyPassMatch directive, or if it used the RewriteRule\ndirective with the proxy flag, a remote attacker could make the proxy\nconnect to an arbitrary server, possibly disclosing sensitive information\nfrom internal web servers not directly accessible to the attacker.\n(CVE-2011-3368)\n\nIt was discovered that mod_proxy_ajp incorrectly returned an \"Internal\nServer Error\" response when processing certain malformed HTTP requests,\nwhich caused the back-end server to be marked as failed in configurations\nwhere mod_proxy was used in load balancer mode. A remote attacker could\ncause mod_proxy to not send requests to back-end AJP (Apache JServ\nProtocol) servers for the retry timeout period or until all back-end\nservers were marked as failed. (CVE-2011-3348)\n\nThe httpd server included the full HTTP header line in the default error\npage generated when receiving an excessively long or malformed header.\nMalicious JavaScript running in the server's domain context could use this\nflaw to gain access to httpOnly cookies. (CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions. An\nattacker able to set certain httpd settings, such as a user permitted to\noverride the httpd configuration for a specific directory using a\n\".htaccess\" file, could use this flaw to crash the httpd child process or,\npossibly, execute arbitrary code with the privileges of the \"apache\" user.\n(CVE-2011-3607)\n\nA NULL pointer dereference flaw was found in the httpd mod_log_config\nmodule. In configurations where cookie logging is enabled, a remote\nattacker could use this flaw to crash the httpd child process via an HTTP\nrequest with a malformed Cookie header. (CVE-2012-0021)\n\nA flaw was found in the way httpd handled child process status information.\nA malicious program running with httpd child process privileges (such as a\nPHP or CGI script) could use this flaw to cause the parent httpd process to\ncrash during httpd service shutdown. (CVE-2012-0031)\n\nRed Hat would like to thank Context Information Security for reporting the\nCVE-2011-3368 issue.\n\nThis update also fixes the following bug:\n\n* The fix for CVE-2011-3192 provided by the RHSA-2011:1330 update\nintroduced a regression in the way httpd handled certain Range HTTP header\nvalues. This update corrects this regression. (BZ#749071)\n\nAll users of JBoss Enterprise Web Server 1.0.2 as provided from the Red Hat\nCustomer Portal are advised to apply this update.", "modified": "2019-02-20T17:33:31", "published": "2012-05-07T22:13:40", "id": "RHSA-2012:0543", "href": "https://access.redhat.com/errata/RHSA-2012:0543", "type": "redhat", "title": "(RHSA-2012:0543) Moderate: httpd security and bug fix update", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:48", "bulletinFamily": "unix", "description": "[2.2.3-63.0.1.el5_8.1]\n- Fix mod_ssl always performing full renegotiation (orabug 12423387)\n- replace index.html with Oracle's index page oracle_index.html\n- update vstring and distro in specfile\n[2.2.3-63.1]\n- add security fixes for CVE-2012-0053, CVE-2012-0031, CVE-2011-3607 (#787596)\t\n- remove patch for CVE-2011-3638, obviated by fix for CVE-2011-3639", "modified": "2012-02-28T00:00:00", "published": "2012-02-28T00:00:00", "id": "ELSA-2012-0323", "href": "http://linux.oracle.com/errata/ELSA-2012-0323.html", "title": "httpd security update", "type": "oraclelinux", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:48", "bulletinFamily": "unix", "description": "[2.2.15-15.0.1.el6_2.1]\n- replace index.html with Oracle's index page oracle_index.html\n update vstring in specfile\n[2.2.15-15.1]\n- add security fixes for CVE-2011-4317, CVE-2012-0053, CVE-2012-0031,\n CVE-2011-3607 (#787598)\n- obviates fix for CVE-2011-3638, patch removed", "modified": "2012-02-13T00:00:00", "published": "2012-02-13T00:00:00", "id": "ELSA-2012-0128", "href": "http://linux.oracle.com/errata/ELSA-2012-0128.html", "title": "httpd security update", "type": "oraclelinux", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:00", "bulletinFamily": "unix", "description": "[2.2.15-26.0.1.el6]\n- replace index.html with Oracle's index page oracle_index.html\n update vstring in specfile\n[2.2.15-26]\n- htcacheclean: exit with code 4 also for 'restart' action (#805810)\n[2.2.15-25]\n- htcacheclean: exit with code 4 if nonprivileged user runs initscript (#805810)\n- rotatelogs: omit the second arg when invoking a post-rotate program (#876923)\n[2.2.15-24]\n- mod_ssl: improved patch for mod_nss fallback (w/mharmsen, #805720)\n[2.2.15-23]\n- mod_log_config: fix cookie parsing substring mismatch (#867268)\n[2.2.15-22]\n- mod_cache: fix header merging for 304 case, thanks to Roy Badami (#868283)\n- mod_cache: fix handling of 304 responses (#868253)\n[2.2.15-21]\n- mod_proxy_ajp: ignore flushing if headers have not been sent (#853160)\n- mod_proxy_ajp: do not mark worker in error state when one request\n timeouts (#864317)\n- mod_ssl: do not run post script if all files are already created (#752618)\n[2.2.15-20]\n- add htcacheclean init script (Jan Kaluza, #805810)\n[2.2.15-19]\n- mod_ssl: fall back on another module's proxy hook if mod_ssl proxy\n is not configured. (#805720)\n[2.2.15-18]\n- add security fix for CVE-2012-2687 (#850794)\n[2.2.15-17]\n- mod_proxy: allow change BalancerMember state in web interface (#748400)\n- mod_proxy: Tone down 'worker [URL] used by another worker' warning (#787247)\n- mod_proxy: add support for 'failonstatus' option (#824571)\n- mod_proxy: avoid DNS lookup on hostname from request URI if\n ProxyRemote* is configured (#837086)\n- rotatelogs: create files even if they are empty (#757739)\n- rotatelogs: option to rotate files into a custom location (#757735)\n- rotatelogs: add support for -L option (#838493)\n- fix handling of long chunk-line (#842376)\n- add server aliases to 'httpd -S' output (#833092)\n- omit %posttrans daemon restart if\n /etc/sysconfig/httpd-disable-posttrans exists (#833064)\n- mod_ldap: treat LDAP_UNAVAILABLE as a transient error (#829689)\n- ab: fix double free when SSL request fails in verbose mode (#837613)\n- mod_cache: do not cache partial results (#822587)\n- mod_ldap: add LDAPReferrals directive alias (#796958)\n- mod_ssl: add _userID DN variable suffix for NID_userId (#842375)\n- mod_ssl: fix test for missing decrypted private keys, and ensure that\n the keypair matches (#848954)\n- mod_authnz_ldap: set AUTHORIZE_* variables in LDAP authorization (#828896)\n- relax checks for status-line validity (#853348)\n[2.2.15-16]\n- add security fixes for CVE-2011-4317, CVE-2012-0053, CVE-2012-0031,\n CVE-2011-3607 (#787599)\n- obviates fix for CVE-2011-3638, patch removed", "modified": "2013-02-22T00:00:00", "published": "2013-02-22T00:00:00", "id": "ELSA-2013-0512", "href": "http://linux.oracle.com/errata/ELSA-2013-0512.html", "title": "httpd security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "slackware": [{"lastseen": "2019-05-30T07:37:26", "bulletinFamily": "unix", "description": "New httpd packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,\n13.37, and -current to fix security issues. The apr-util package has also been\nupdated to the latest version.\n\n\nHere are the details from the Slackware 13.37 ChangeLog:\n\npatches/packages/apr-util-1.4.1-i486-1_slack13.37.txz: Upgraded.\n Version bump for httpd upgrade.\npatches/packages/httpd-2.2.22-i486-1_slack13.37.txz: Upgraded.\n *) SECURITY: CVE-2011-3368 (cve.mitre.org)\n Reject requests where the request-URI does not match the HTTP\n specification, preventing unexpected expansion of target URLs in\n some reverse proxy configurations. [Joe Orton]\n *) SECURITY: CVE-2011-3607 (cve.mitre.org)\n Fix integer overflow in ap_pregsub() which, when the mod_setenvif module\n is enabled, could allow local users to gain privileges via a .htaccess\n file. [Stefan Fritsch, Greg Ames]\n *) SECURITY: CVE-2011-4317 (cve.mitre.org)\n Resolve additional cases of URL rewriting with ProxyPassMatch or\n RewriteRule, where particular request-URIs could result in undesired\n backend network exposure in some configurations.\n [Joe Orton]\n *) SECURITY: CVE-2012-0021 (cve.mitre.org)\n mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format\n string is in use and a client sends a nameless, valueless cookie, causing\n a denial of service. The issue existed since version 2.2.17. PR 52256.\n [Rainer Canavan <rainer-apache 7val com>]\n *) SECURITY: CVE-2012-0031 (cve.mitre.org)\n Fix scoreboard issue which could allow an unprivileged child process\n could cause the parent to crash at shutdown rather than terminate\n cleanly. [Joe Orton]\n *) SECURITY: CVE-2012-0053 (cve.mitre.org)\n Fix an issue in error responses that could expose "httpOnly" cookies\n when no custom ErrorDocument is specified for status code 400.\n [Eric Covener]\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0021\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated packages for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/apr-util-1.4.1-i486-1_slack12.0.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/httpd-2.2.22-i486-1_slack12.0.tgz\n\nUpdated packages for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/apr-util-1.4.1-i486-1_slack12.1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/httpd-2.2.22-i486-1_slack12.1.tgz\n\nUpdated packages for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/apr-util-1.4.1-i486-1_slack12.2.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/httpd-2.2.22-i486-1_slack12.2.tgz\n\nUpdated packages for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/apr-util-1.4.1-i486-1_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/httpd-2.2.22-i486-1_slack13.0.txz\n\nUpdated packages for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/apr-util-1.4.1-x86_64-1_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/httpd-2.2.22-x86_64-1_slack13.0.txz\n\nUpdated packages for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/apr-util-1.4.1-i486-1_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/httpd-2.2.22-i486-1_slack13.1.txz\n\nUpdated packages for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/apr-util-1.4.1-x86_64-1_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/httpd-2.2.22-x86_64-1_slack13.1.txz\n\nUpdated packages for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/apr-util-1.4.1-i486-1_slack13.37.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/httpd-2.2.22-i486-1_slack13.37.txz\n\nUpdated packages for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/apr-util-1.4.1-x86_64-1_slack13.37.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/httpd-2.2.22-x86_64-1_slack13.37.txz\n\nUpdated packages for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/apr-util-1.4.1-i486-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.2.22-i486-1.txz\n\nUpdated packages for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/apr-util-1.4.1-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.2.22-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 12.0 packages:\n3143affee7e89d16a2f5b4f58f1f2c9d apr-util-1.4.1-i486-1_slack12.0.tgz\n86c2b71a544c9533794951f718bd907b httpd-2.2.22-i486-1_slack12.0.tgz\n\nSlackware 12.1 packages:\naab31157fa672bb2bc11851b486c9d5c apr-util-1.4.1-i486-1_slack12.1.tgz\n1362ef9a9b2d355e1cf9b5c7e0ae0607 httpd-2.2.22-i486-1_slack12.1.tgz\n\nSlackware 12.2 packages:\nf30f1f0a949f321b6aefb99a703eca3f apr-util-1.4.1-i486-1_slack12.2.tgz\n18fd6ddd6e6bbf4a7222ade821ec1aa1 httpd-2.2.22-i486-1_slack12.2.tgz\n\nSlackware 13.0 packages:\nd3600fef7f1cabb62554417567fb55ab apr-util-1.4.1-i486-1_slack13.0.txz\n0456c808efb92da333942ff939746d77 httpd-2.2.22-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 packages:\nd15c2e0a4aa074bbadfa50099da482b2 apr-util-1.4.1-x86_64-1_slack13.0.txz\n1b72685b2519bbf167973d88dce562e1 httpd-2.2.22-x86_64-1_slack13.0.txz\n\nSlackware 13.1 packages:\n9c7c2bb99c99f3a6275f0dc9636ce38c apr-util-1.4.1-i486-1_slack13.1.txz\n49a5e4a73be2328d80cca186efe2f6f7 httpd-2.2.22-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 packages:\n4f9dcb6495c04d3094cc68050440505b apr-util-1.4.1-x86_64-1_slack13.1.txz\n1f378f8a4d990d7298e0155b22cfcf19 httpd-2.2.22-x86_64-1_slack13.1.txz\n\nSlackware 13.37 packages:\n7feb382700511d72737c5a31e91ee56e apr-util-1.4.1-i486-1_slack13.37.txz\n783de593b5827c8601e2b486cf98397f httpd-2.2.22-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 packages:\n1bd4b3df67a0449f3015e82e47cd808d apr-util-1.4.1-x86_64-1_slack13.37.txz\n8999903e736cbb29c055ea2bf66cfed1 httpd-2.2.22-x86_64-1_slack13.37.txz\n\nSlackware -current packages:\ne709c8056cede91c35fd354ad5b654df l/apr-util-1.4.1-i486-1.txz\n97c295a42d4678537c62d6ce54d3e1fa n/httpd-2.2.22-i486-1.txz\n\nSlackware x86_64 -current packages:\n55fdf36b05ff7e82aa9a015289290424 l/apr-util-1.4.1-x86_64-1.txz\n09daa138b81fbf877596e4abc2a01bb6 n/httpd-2.2.22-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg apr-util-1.4.1-i486-1_slack13.37.txz httpd-2.2.22-i486-1_slack13.37.txz\n\nThen, restart the httpd daemon.", "modified": "2012-02-10T09:43:57", "published": "2012-02-10T09:43:57", "id": "SSA-2012-041-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2012&m=slackware-security.792124", "title": "httpd", "type": "slackware", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2019-06-25T02:21:25", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2405-1 security@debian.org\nhttp://www.debian.org/security/ Stefan Fritsch\nFebruary 06, 2012 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : apache2\nVulnerability : multiple issues\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2011-3607 CVE-2011-3368 CVE-2011-3639 CVE-2011-4317 \n CVE-2012-0031 CVE-2012-0053 \n\nSeveral vulnerabilities have been found in the Apache HTTPD Server:\n\nCVE-2011-3607:\n\n An integer overflow in ap_pregsub() could allow local attackers to\n execute arbitrary code at elevated privileges via crafted .htaccess\n files.\n\nCVE-2011-3368 CVE-2011-3639 CVE-2011-4317:\n\n The Apache HTTP Server did not properly validate the request URI for\n proxied requests. In certain reverse proxy configurations using the\n ProxyPassMatch directive or using the RewriteRule directive with the\n [P] flag, a remote attacker could make the proxy connect to an\n arbitrary server. The could allow the attacker to access internal\n servers that are not otherwise accessible from the outside.\n\n The three CVE ids denote slightly different variants of the same\n issue.\n\n Note that, even with this issue fixed, it is the responsibility of\n the administrator to ensure that the regular expression replacement\n pattern for the target URI does not allow a client to append arbitrary\n strings to the host or port parts of the target URI. For example, the\n configuration\n\n ProxyPassMatch ^/mail(.*) http://internal-host$1\n\n is still insecure and should be replaced by one of the following\n configurations:\n\n ProxyPassMatch ^/mail(/.*) http://internal-host$1\n ProxyPassMatch ^/mail/(.*) http://internal-host/$1\n\nCVE-2012-0031:\n\n An apache2 child process could cause the parent process to crash\n during shutdown. This is a violation of the privilege separation\n between the apache2 processes and could potentially be used to worsen\n the impact of other vulnerabilities.\n\nCVE-2012-0053:\n\n The response message for error code 400 (bad request) could be used to\n expose "httpOnly" cookies. This could allow a remote attacker using\n cross site scripting to steal authentication cookies.\n\n\nFor the oldstable distribution (lenny), these problems have been fixed in\nversion apache2 2.2.9-10+lenny12.\n\nFor the stable distribution (squeeze), these problems have been fixed in\nversion apache2 2.2.16-6+squeeze6\n\nFor the testing distribution (wheezy), these problems will be fixed in\nversion 2.2.22-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.2.22-1.\n\nWe recommend that you upgrade your apache2 packages.\n\nThis update also contains updated apache2-mpm-itk packages which have\nbeen recompiled against the updated apache2 packages. The new version\nnumber for the oldstable distribution is 2.2.6-02-1+lenny7. In the\nstable distribution, apache2-mpm-itk has the same version number as\napache2.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2012-02-06T09:24:08", "published": "2012-02-06T09:24:08", "id": "DEBIAN:DSA-2405-1:AE657", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2012/msg00031.html", "title": "[SECURITY] [DSA 2405-1] apache2 security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "centos": [{"lastseen": "2019-05-29T18:34:22", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2012:0128\n\n\nThe Apache HTTP Server is a popular web server.\n\nIt was discovered that the fix for CVE-2011-3368 (released via\nRHSA-2011:1391) did not completely address the problem. An attacker could\nbypass the fix and make a reverse proxy connect to an arbitrary server not\ndirectly accessible to the attacker by sending an HTTP version 0.9 request,\nor by using a specially-crafted URI. (CVE-2011-3639, CVE-2011-4317)\n\nThe httpd server included the full HTTP header line in the default error\npage generated when receiving an excessively long or malformed header.\nMalicious JavaScript running in the server's domain context could use this\nflaw to gain access to httpOnly cookies. (CVE-2012-0053)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in the way httpd performed substitutions in regular expressions. An\nattacker able to set certain httpd settings, such as a user permitted to\noverride the httpd configuration for a specific directory using a\n\".htaccess\" file, could use this flaw to crash the httpd child process or,\npossibly, execute arbitrary code with the privileges of the \"apache\" user.\n(CVE-2011-3607)\n\nA flaw was found in the way httpd handled child process status information.\nA malicious program running with httpd child process privileges (such as a\nPHP or CGI script) could use this flaw to cause the parent httpd process to\ncrash during httpd service shutdown. (CVE-2012-0031)\n\nAll httpd users should upgrade to these updated packages, which contain\nbackported patches to correct these issues. After installing the updated\npackages, the httpd daemon will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2012-February/018433.html\n\n**Affected packages:**\nhttpd\nhttpd-devel\nhttpd-manual\nhttpd-tools\nmod_ssl\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2012-0128.html", "modified": "2012-02-14T06:13:29", "published": "2012-02-14T06:13:29", "href": "http://lists.centos.org/pipermail/centos-announce/2012-February/018433.html", "id": "CESA-2012:0128", "title": "httpd, mod_ssl security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "amazon": [{"lastseen": "2019-05-29T17:22:39", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nIt was discovered that the fix for [CVE-2011-3368 __](<https://access.redhat.com/security/cve/CVE-2011-3368>) did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request, or by using a specially-crafted URI. ([CVE-2011-3639 __](<https://access.redhat.com/security/cve/CVE-2011-3639>), [CVE-2011-4317 __](<https://access.redhat.com/security/cve/CVE-2011-4317>))\n\nThe httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies. ([CVE-2012-0053 __](<https://access.redhat.com/security/cve/CVE-2012-0053>))\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions. An attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a \".htaccess\" file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the \"apache\" user. ([CVE-2011-3607 __](<https://access.redhat.com/security/cve/CVE-2011-3607>))\n\nA flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown. ([CVE-2012-0031 __](<https://access.redhat.com/security/cve/CVE-2012-0031>))\n\n \n**Affected Packages:** \n\n\nhttpd\n\n \n**Issue Correction:** \nRun _yum update httpd_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n httpd-debuginfo-2.2.22-1.23.amzn1.i686 \n mod_ssl-2.2.22-1.23.amzn1.i686 \n httpd-devel-2.2.22-1.23.amzn1.i686 \n httpd-2.2.22-1.23.amzn1.i686 \n httpd-tools-2.2.22-1.23.amzn1.i686 \n \n noarch: \n httpd-manual-2.2.22-1.23.amzn1.noarch \n \n src: \n httpd-2.2.22-1.23.amzn1.src \n \n x86_64: \n httpd-2.2.22-1.23.amzn1.x86_64 \n httpd-devel-2.2.22-1.23.amzn1.x86_64 \n httpd-debuginfo-2.2.22-1.23.amzn1.x86_64 \n mod_ssl-2.2.22-1.23.amzn1.x86_64 \n httpd-tools-2.2.22-1.23.amzn1.x86_64 \n \n \n", "modified": "2014-09-14T15:21:00", "published": "2014-09-14T15:21:00", "id": "ALAS-2012-046", "href": "https://alas.aws.amazon.com/ALAS-2012-46.html", "title": "Medium: httpd", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:53", "bulletinFamily": "unix", "description": "\nCVE MITRE reports:\n\nAn exposure was found when using mod_proxy in reverse proxy\n\t mode. In certain configurations using RewriteRule with proxy\n\t flag or ProxyPassMatch, a remote attacker could cause the reverse\n\t proxy to connect to an arbitrary server, possibly disclosing\n\t sensitive information from internal web servers not directly\n\t accessible to attacker.\nInteger overflow in the ap_pregsub function in server/util.c in\n\t the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through\n\t 2.2.21, when the mod_setenvif module is enabled, allows local\n\t users to gain privileges via a .htaccess file with a crafted\n\t SetEnvIf directive, in conjunction with a crafted HTTP request\n\t header, leading to a heap-based buffer overflow.\nAn additional exposure was found when using mod_proxy in\n\t reverse proxy mode. In certain configurations using RewriteRule\n\t with proxy flag or ProxyPassMatch, a remote attacker could cause\n\t the reverse proxy to connect to an arbitrary server, possibly\n\t disclosing sensitive information from internal web servers\n\t not directly accessible to attacker.\nA flaw was found in mod_log_config. If the '%{cookiename}C' log\n\t format string is in use, a remote attacker could send a specific\n\t cookie causing a crash. This crash would only be a denial of\n\t service if using a threaded MPM.\nA flaw was found in the handling of the scoreboard. An\n\t unprivileged child process could cause the parent process to\n\t crash at shutdown rather than terminate cleanly.\nA flaw was found in the default error response for status code\n\t 400. This flaw could be used by an attacker to expose\n\t \"httpOnly\" cookies when no custom ErrorDocument is specified.\n\n", "modified": "2011-10-05T00:00:00", "published": "2011-10-05T00:00:00", "id": "4B7DBFAB-4C6B-11E1-BC16-0023AE8E59F0", "href": "https://vuxml.freebsd.org/freebsd/4b7dbfab-4c6b-11e1-bc16-0023ae8e59f0.html", "title": "apache -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "kaspersky": [{"lastseen": "2019-03-21T00:15:26", "bulletinFamily": "info", "description": "### *Detect date*:\n07/22/2013\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Apache httpd. Malicious users can exploit these vulnerabilities to gain privileges, cause denial of service, execute arbitrary code, obtain sensitive information or bypass security restrictions. Below is a complete list of vulnerabilities\n\n### *Affected products*:\nApache httpd 2.0 versions 2.0.64 and earlier\n\n### *Solution*:\nUpdate to latest version\n\n### *Original advisories*:\n[Apache changelog](<http://httpd.apache.org/security/vulnerabilities_20.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Apache HTTP Server](<https://threats.kaspersky.com/en/product/Apache-HTTP-Server/>)\n\n### *CVE-IDS*:\n[CVE-2011-3192](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192>)7.8Critical \n[CVE-2013-1862](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862>)5.1Critical \n[CVE-2012-0031](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031>)4.6Critical \n[CVE-2011-0419](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419>)4.3Critical \n[CVE-2011-3607](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607>)4.4Critical \n[CVE-2011-3368](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368>)5.0Critical \n[CVE-2012-0053](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053>)4.3Critical", "modified": "2019-03-07T00:00:00", "published": "2013-07-22T00:00:00", "id": "KLA10065", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10065", "title": "\r KLA10065Multiple vulnerabilities in Apache httpd ", "type": "kaspersky", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:13", "bulletinFamily": "unix", "description": "### Background\n\nApache HTTP Server is one of the most popular web servers on the Internet. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Apache HTTP Server. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker might obtain sensitive information, gain privileges, send requests to unintended servers behind proxies, bypass certain security restrictions, obtain the values of HTTPOnly cookies, or cause a Denial of Service in various ways. \n\nA local attacker could gain escalated privileges.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Apache HTTP Server users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/apache-2.2.22-r1\"", "modified": "2012-06-24T00:00:00", "published": "2012-06-24T00:00:00", "id": "GLSA-201206-25", "href": "https://security.gentoo.org/glsa/201206-25", "type": "gentoo", "title": "Apache HTTP Server: Multiple vulnerabilities", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "oracle": [{"lastseen": "2019-05-29T18:21:06", "bulletinFamily": "software", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.** This Critical Patch Update contains 87 new security fixes across the product families listed below.\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n", "modified": "2013-08-09T00:00:00", "published": "2012-07-17T00:00:00", "id": "ORACLE:CPUJUL2012-392727", "href": "", "title": "Oracle Critical Patch Update - July 2012", "type": "oracle", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:21:04", "bulletinFamily": "software", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 169 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nPlease note that on October 16, 2014, Oracle released information for [CVE-2014-3566 \"POODLE\"](<http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html>). Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2014-3566 in addition to the fixes announced in this CPU.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "modified": "2015-01-20T00:00:00", "published": "2015-03-10T00:00:00", "id": "ORACLE:CPUJAN2015-1972971", "href": "", "title": "Oracle Critical Patch Update - January 2015", "type": "oracle", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}