Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatRedHatRHSA-2019:0367
HistoryFeb 18, 2019 - 4:47 p.m.

(RHSA-2019:0367) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 security update

2019-02-1816:47:10
access.redhat.com
165

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.963 High

EPSS

Percentile

99.5%

JSON

Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.

This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.29 Service Pack 1 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.29, and includes bug fixes for CVEs which are linked to in the References section.

Security Fixes:

  • httpd: DoS for HTTP/2 connections by continuous SETTINGS (CVE-2018-11763)

  • httpd: Weak Digest auth nonce generation in mod_auth_digest
    (CVE-2018-1312)

  • httpd: Out of bound access after failure in reading the HTTP request
    (CVE-2018-1301)

  • httpd: Use-after-free on HTTP/2 stream shutdown (CVE-2018-1302)

  • httpd: <FilesMatch> bypass with a trailing newline in the file name
    (CVE-2017-15715)

  • httpd: Out of bound write in mod_authnz_ldap when using too small
    Accept-Language values (CVE-2017-15710)

  • httpd: Out of bounds read in mod_cache_socache can allow a remote
    attacker to cause a denial of service (CVE-2018-1303)

  • httpd: Improper handling of headers in mod_session can allow a remote
    user to modify session data for CGI applications (CVE-2018-1283)

  • httpd: mod_http2: too much time allocated to workers, possibly leading to
    DoS (CVE-2018-1333)

  • mod_jk: connector path traversal due to mishandled HTTP requests in httpd
    (CVE-2018-11759)

  • nghttp2: Null pointer dereference when too large ALTSVC frame is received
    (CVE-2018-1000168)

  • openssl: Handling of crafted recursive ASN.1 structures can cause a stack
    overflow and resulting denial of service (CVE-2018-0739)

Details around each issue, including information about the CVE, severity of
the issue, and the CVSS score, can be found on the CVE pages listed in the
Reference section below.

OSVersionArchitecturePackageVersionFilename
RedHat7x86_64jbcs-httpd24-httpd-selinux< 2.4.29-35.jbcs.el7jbcs-httpd24-httpd-selinux-2.4.29-35.jbcs.el7.x86_64.rpm
RedHat7x86_64jbcs-httpd24-nghttp2-devel< 1.29.0-9.jbcs.el7jbcs-httpd24-nghttp2-devel-1.29.0-9.jbcs.el7.x86_64.rpm
RedHat7x86_64jbcs-httpd24-apr-util-ldap< 1.6.1-24.jbcs.el7jbcs-httpd24-apr-util-ldap-1.6.1-24.jbcs.el7.x86_64.rpm
RedHat6i686jbcs-httpd24-apr-util-sqlite< 1.6.1-24.jbcs.el6jbcs-httpd24-apr-util-sqlite-1.6.1-24.jbcs.el6.i686.rpm
RedHat6i686jbcs-httpd24-mod_cluster-native-debuginfo< 1.3.8-3.Final_redhat_2.jbcs.el6jbcs-httpd24-mod_cluster-native-debuginfo-1.3.8-3.Final_redhat_2.jbcs.el6.i686.rpm
RedHat6x86_64jbcs-httpd24-mod_ldap< 2.4.29-35.jbcs.el6jbcs-httpd24-mod_ldap-2.4.29-35.jbcs.el6.x86_64.rpm
RedHat6x86_64jbcs-httpd24-mod_jk-manual< 1.2.46-1.redhat_1.jbcs.el6jbcs-httpd24-mod_jk-manual-1.2.46-1.redhat_1.jbcs.el6.x86_64.rpm
RedHat6x86_64jbcs-httpd24-apr-util-odbc< 1.6.1-24.jbcs.el6jbcs-httpd24-apr-util-odbc-1.6.1-24.jbcs.el6.x86_64.rpm
RedHat7x86_64jbcs-httpd24-apr-util-devel< 1.6.1-24.jbcs.el7jbcs-httpd24-apr-util-devel-1.6.1-24.jbcs.el7.x86_64.rpm
RedHat7x86_64jbcs-httpd24-mod_session< 2.4.29-35.jbcs.el7jbcs-httpd24-mod_session-2.4.29-35.jbcs.el7.x86_64.rpm
Rows per page:
1-10 of 1201

Related

veracode 6
nessus 57
mageia 1
redhat 3
openvas 38
altlinux 3
archlinux 1
kaspersky 1
ibm 17
freebsd 2
amazon 2
debian 6
suse 3
fedora 6
ubuntu 4
osv 7
symantec 1
ubuntucve 5
oraclelinux 2
centos 2
redhatcve 5
debiancve 4
f5 3
prion 3
cve 3
checkpoint_advisories 2
alpinelinux 4
cbl_mariner 1
httpd 3
nuclei 1
cisa 1
hackerone 1
photon 1
veracode
veracode
Denial Of Service
2019-05-16 03:38:52
Denial Of Service
2019-05-16 03:38:53
Path Traversal
2019-05-16 03:38:52
nessus
nessus
RHEL 6 / 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.29 (RHSA-2019:0367)
2019-02-19 00:00:00
Apache 2.4.x < 2.4.33 Multiple Vulnerabilities
2019-02-08 00:00:00
SUSE SLES12 Security Update : apache2 (SUSE-SU-2018:1161-1)
2018-05-08 00:00:00
mageia
mageia
Updated apache packages fix security vulnerabilities
2018-11-20 14:11:24
redhat
redhat
(RHSA-2019:0366) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 SP1 security update
2019-02-18 16:45:31
(RHSA-2020:1121) Moderate: httpd security, bug fix, and enhancement update
2020-03-31 09:21:40
(RHSA-2020:3958) Moderate: httpd security, bug fix, and enhancement update
2020-09-29 07:46:42
openvas
openvas
Mageia: Security Advisory (MGASA-2018-0460)
2022-01-28 00:00:00
SUSE: Security Advisory (SUSE-SU-2018:1161-2)
2021-04-19 00:00:00
SUSE: Security Advisory (SUSE-SU-2018:1161-1)
2021-04-19 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package apache2 version 1:2.4.33-alt1
2018-03-31 00:00:00
Security fix for the ALT Linux 9 package apache2 version 1:2.4.33-alt1
2018-03-31 00:00:00
Security fix for the ALT Linux 8 package apache2 version 1:2.4.33-alt1
2018-03-31 00:00:00
archlinux
archlinux
[ASA-201804-4] apache: multiple issues
2018-04-04 00:00:00
kaspersky
kaspersky
KLA12361 Multiple vulnerabilities in Apache HTTP Server
2018-03-21 00:00:00
ibm
ibm
Security Bulletin: Multiple vulnerabilities in Apache HTTP Server affect Rational Build Forge (CVE-2018-1283, CVE-2018-1302, CVE-2018-1303, CVE-2018-1312, CVE-2017-15710, CVE-2017-15715, CVE-2018-1301)
2020-04-20 14:40:53
Security Bulletin: Security vulnerabilities have been identified in IBM HTTP Server shipped with IBM Rational ClearQuest (CVE-2017-15710, CVE-2017-15715, CVE-2018-1301)
2018-06-17 05:28:09
Security Bulletin: Security vulnerabilities have been identified in IBM HTTP Server shipped with IBM Rational ClearCase (CVE-2017-15710, CVE-2017-15715, CVE-2018-1301)
2018-07-10 08:34:12
freebsd
freebsd
apache -- multiple vulnerabilities
2018-03-23 00:00:00
nghttp2 -- Denial of service due to NULL pointer dereference
2018-04-04 00:00:00
amazon
amazon
Medium: httpd24
2018-05-03 16:29:00
Medium: nghttp2
2018-05-24 17:59:00
debian
debian
[SECURITY] [DSA 4164-1] apache2 security update
2018-04-03 16:02:15
[SECURITY] [DSA 4164-1] apache2 security update
2018-04-03 16:02:15
[SECURITY] [DLA 1389-1] apache2 security update
2018-05-30 13:24:40
suse
suse
Security update for apache2 (important)
2018-04-09 03:07:20
Security update for apache2 (important)
2018-04-05 21:09:45
Security update for apache2-mod_jk (important)
2018-12-08 00:12:01
fedora
fedora
[SECURITY] Fedora 27 Update: httpd-2.4.33-2.fc27
2018-04-05 23:59:00
[SECURITY] Fedora 28 Update: httpd-2.4.33-2.fc28
2018-04-05 11:50:14
[SECURITY] Fedora 26 Update: httpd-2.4.33-4.fc26
2018-05-12 18:27:28
ubuntu
ubuntu
Apache HTTP Server vulnerabilities
2018-04-30 00:00:00
Apache HTTP Server vulnerabilities
2018-04-19 00:00:00
Apache HTTP Server vulnerabilities
2018-10-03 00:00:00
osv
osv
apache2 - security update
2018-04-03 00:00:00
apache2 - security update
2018-05-30 00:00:00
CVE-2018-1000168
2018-05-08 15:29:00
symantec
symantec
Apache HTTP Server Vulnerabilities Jul 2017 - Sep 2018
2018-11-07 08:01:01
ubuntucve
ubuntucve
CVE-2018-11763
2018-09-25 00:00:00
CVE-2018-1333
2018-06-18 00:00:00
CVE-2018-1000168
2018-04-12 00:00:00
oraclelinux
oraclelinux
httpd security, bug fix, and enhancement update
2020-04-06 00:00:00
httpd security, bug fix, and enhancement update
2020-10-06 00:00:00
centos
centos
httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update
2020-04-08 18:07:48
httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update
2020-10-20 18:13:33
redhatcve
redhatcve
CVE-2018-1000168
2019-10-25 06:31:58
CVE-2017-15715
2018-03-26 15:18:59
CVE-2017-15710
2018-03-26 14:48:56
debiancve
debiancve
CVE-2018-1000168
2018-05-08 15:29:00
CVE-2017-15710
2018-03-26 15:29:00
CVE-2017-15715
2018-03-26 15:29:00
f5
f5
K49902412 : nghttp vulnerability CVE-2018-1000168
2018-04-12 00:00:00
K14027805 : Apache vulnerability CVE-2017-15710
2018-03-30 00:00:00
K27757011 : Apache HTTPD vulnerability CVE-2017-15715
2018-04-05 00:00:00
prion
prion
Input validation
2018-05-08 15:29:00
Design/Logic Flaw
2018-03-26 15:29:00
Code injection
2018-03-26 15:29:00
cve
cve
CVE-2018-1000168
2018-05-08 15:29:00
CVE-2017-15715
2018-03-26 15:29:00
CVE-2017-15710
2018-03-26 15:29:00
checkpoint_advisories
checkpoint_advisories
Node.js Foundation Node.js nghttp2 nghttp2_frame_altsvc_free Null Pointer Dereference (CVE-2018-1000168)
2019-02-14 00:00:00
Apache httpd FilesMatch Directive Security Restriction Bypass (CVE-2017-15715)
2018-05-30 00:00:00
alpinelinux
alpinelinux
CVE-2018-1000168
2018-05-08 15:29:00
CVE-2017-15715
2018-03-26 15:29:00
CVE-2017-15710
2018-03-26 15:29:00
cbl_mariner
cbl_mariner
CVE-2018-1000168 affecting package nodejs 8.11.4-7
2021-08-11 06:39:34
httpd
httpd
Apache Httpd < 2.4.33 : Out of bound write in mod_authnz_ldap when using too small Accept-Language values
2017-12-07 00:00:00
Apache Httpd < 2.4.33 : <FilesMatch> bypass with a trailing newline in the file name
2017-11-24 00:00:00
Apache Httpd < 2.4.33 : Possible out of bound access after failure in reading the HTTP request
2018-01-23 00:00:00
nuclei
nuclei
Apache httpd <=2.4.29 - Arbitrary File Upload
2021-04-23 13:34:52
cisa
cisa
Apache Releases Security Update for Apache Tomcat JK Connectors
2018-10-31 00:00:00
hackerone
hackerone
Internet Bug Bounty: DoS for HTTP/2 connections by crafted requests (CVE-2018-1333)
2018-07-21 02:41:14
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2018-1.0-0181
2018-09-05 00:00:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.963 High

EPSS

Percentile

99.5%

JSON
Related for RHSA-2019:0367
veracode6nessus57mageia1redhat3openvas38altlinux3archlinux1kaspersky1ibm17freebsd2amazon2debian6suse3fedora6ubuntu4osv7symantec1ubuntucve5oraclelinux2centos2redhatcve5debiancve4f53prion3cve3checkpoint_advisories2alpinelinux4cbl_mariner1httpd3nuclei1cisa1hackerone1photon1