Vulnerabilities > CVE-2015-0228 - Improper Input Validation vulnerability in multiple products

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
apache
canonical
apple
opensuse
CWE-20
nessus

Summary

The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function.

Vulnerable Configurations

Part Description Count
Application
Apache
173
OS
Canonical
4
OS
Apple
2
OS
Opensuse
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Nessus

  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2015-579.NASL
    descriptionIt was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185) Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183) A NULL pointer dereference flaw was found in the way httpd generated certain error responses. A remote attacker could possibly use this flaw crash the httpd child process using a request that triggers a certain HTTP error. (CVE-2015-0253) A denial of service flaw was found in the way the mod_lua httpd module processed certain WebSocket Ping requests. A remote attacker could send a specially crafted WebSocket Ping packet that would cause the httpd child process to crash. (CVE-2015-0228)
    last seen2020-06-01
    modified2020-06-02
    plugin id85452
    published2015-08-18
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85452
    titleAmazon Linux AMI : httpd24 (ALAS-2015-579)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2015-579.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(85452);
      script_version("2.4");
      script_cvs_date("Date: 2018/04/18 15:09:35");
    
      script_cve_id("CVE-2015-0228", "CVE-2015-0253", "CVE-2015-3183", "CVE-2015-3185");
      script_xref(name:"ALAS", value:"2015-579");
    
      script_name(english:"Amazon Linux AMI : httpd24 (ALAS-2015-579)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that in httpd 2.4, the internal API function
    ap_some_auth_required() could incorrectly indicate that a request was
    authenticated even when no authentication was used. An httpd module
    using this API function could consequently allow access that should
    have been denied. (CVE-2015-3185)
    
    Multiple flaws were found in the way httpd parsed HTTP requests and
    responses using chunked transfer encoding. A remote attacker could use
    these flaws to create a specially crafted request, which httpd would
    decode differently from an HTTP proxy software in front of it,
    possibly leading to HTTP request smuggling attacks. (CVE-2015-3183)
    
    A NULL pointer dereference flaw was found in the way httpd generated
    certain error responses. A remote attacker could possibly use this
    flaw crash the httpd child process using a request that triggers a
    certain HTTP error. (CVE-2015-0253)
    
    A denial of service flaw was found in the way the mod_lua httpd module
    processed certain WebSocket Ping requests. A remote attacker could
    send a specially crafted WebSocket Ping packet that would cause the
    httpd child process to crash. (CVE-2015-0228)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2015-579.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update httpd24' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd24");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd24-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd24-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd24-manual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd24-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:mod24_ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:mod24_proxy_html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:mod24_session");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:mod24_ssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/08/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"httpd24-2.4.16-1.62.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"httpd24-debuginfo-2.4.16-1.62.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"httpd24-devel-2.4.16-1.62.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"httpd24-manual-2.4.16-1.62.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"httpd24-tools-2.4.16-1.62.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"mod24_ldap-2.4.16-1.62.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"mod24_proxy_html-2.4.16-1.62.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"mod24_session-2.4.16-1.62.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"mod24_ssl-2.4.16-1.62.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "httpd24 / httpd24-debuginfo / httpd24-devel / httpd24-manual / etc");
    }
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-093.NASL
    descriptionUpdated apache packages fix security vulnerabilities : Apache HTTPD before 2.4.9 was vulnerable to a denial of service in mod_dav when handling DAV_WRITE requests (CVE-2013-6438). Apache HTTPD before 2.4.9 was vulnerable to a denial of service when logging cookies (CVE-2014-0098). A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the apache user (CVE-2014-0226). A denial of service flaw was found in the mod_proxy httpd module. A remote attacker could send a specially crafted request to a server configured as a reverse proxy using a threaded Multi-Processing Modules (MPM) that would cause the httpd child process to crash (CVE-2014-0117). A denial of service flaw was found in the way httpd
    last seen2020-06-01
    modified2020-06-02
    plugin id82346
    published2015-03-30
    reporterThis script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82346
    titleMandriva Linux Security Advisory : apache (MDVSA-2015:093)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2015:093. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(82346);
      script_version("1.7");
      script_cvs_date("Date: 2019/08/02 13:32:56");
    
      script_cve_id("CVE-2013-6438", "CVE-2014-0098", "CVE-2014-0117", "CVE-2014-0118", "CVE-2014-0226", "CVE-2014-0231", "CVE-2014-3581", "CVE-2014-5704", "CVE-2014-8109", "CVE-2015-0228");
      script_xref(name:"MDVSA", value:"2015:093");
    
      script_name(english:"Mandriva Linux Security Advisory : apache (MDVSA-2015:093)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated apache packages fix security vulnerabilities :
    
    Apache HTTPD before 2.4.9 was vulnerable to a denial of service in
    mod_dav when handling DAV_WRITE requests (CVE-2013-6438).
    
    Apache HTTPD before 2.4.9 was vulnerable to a denial of service when
    logging cookies (CVE-2014-0098).
    
    A race condition flaw, leading to heap-based buffer overflows, was
    found in the mod_status httpd module. A remote attacker able to access
    a status page served by mod_status on a server using a threaded
    Multi-Processing Module (MPM) could send a specially crafted request
    that would cause the httpd child process to crash or, possibly, allow
    the attacker to execute arbitrary code with the privileges of the
    apache user (CVE-2014-0226).
    
    A denial of service flaw was found in the mod_proxy httpd module. A
    remote attacker could send a specially crafted request to a server
    configured as a reverse proxy using a threaded Multi-Processing
    Modules (MPM) that would cause the httpd child process to crash
    (CVE-2014-0117).
    
    A denial of service flaw was found in the way httpd's mod_deflate
    module handled request body decompression (configured via the DEFLATE
    input filter). A remote attacker able to send a request whose body
    would be decompressed could use this flaw to consume an excessive
    amount of system memory and CPU on the target system (CVE-2014-0118).
    
    A denial of service flaw was found in the way httpd's mod_cgid module
    executed CGI scripts that did not read data from the standard input. A
    remote attacker could submit a specially crafted request that would
    cause the httpd child process to hang indefinitely (CVE-2014-0231).
    
    A NULL pointer dereference flaw was found in the way the mod_cache
    httpd module handled Content-Type headers. A malicious HTTP server
    could cause the httpd child process to crash when the Apache HTTP
    server was configured to proxy to a server with caching enabled
    (CVE-2014-3581).
    
    mod_lua.c in the mod_lua module in the Apache HTTP Server through
    2.4.10 does not support an httpd configuration in which the same Lua
    authorization provider is used with different arguments within
    different contexts, which allows remote attackers to bypass intended
    access restrictions in opportunistic circumstances by leveraging
    multiple Require directives, as demonstrated by a configuration that
    specifies authorization for one group to access a certain directory,
    and authorization for a second group to access a second directory
    (CVE-2014-8109).
    
    In the mod_lua module in the Apache HTTP Server through 2.4.10, a
    maliciously crafted websockets PING after a script calls r:wsupgrade()
    can cause a child process crash (CVE-2015-0228).
    
    A flaw was found in the way httpd handled HTTP Trailer headers when
    processing requests using chunked encoding. A malicious client could
    use Trailer headers to set additional HTTP headers after header
    processing was performed by other modules. This could, for example,
    lead to a bypass of header restrictions defined with mod_headers
    (CVE-2013-5704).
    
    Note: With this update, httpd has been modified to not merge HTTP
    Trailer headers with other HTTP request headers. A newly introduced
    configuration directive MergeTrailers can be used to re-enable the old
    method of processing Trailer headers, which also re-introduces the
    aforementioned flaw.
    
    This update also fixes the following bug :
    
    Prior to this update, the mod_proxy_wstunnel module failed to set up
    an SSL connection when configured to use a back end server using the
    wss: URL scheme, causing proxied connections to fail. In these updated
    packages, SSL is used when proxying to wss: back end servers
    (rhbz#1141950)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://advisories.mageia.org/MGASA-2014-0135.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://advisories.mageia.org/MGASA-2014-0305.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://advisories.mageia.org/MGASA-2014-0527.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://advisories.mageia.org/MGASA-2015-0011.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://advisories.mageia.org/MGASA-2015-0099.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-htcacheclean");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_cache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_dav");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_dbd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_proxy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_proxy_html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_session");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_ssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_suexec");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_userdir");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/03/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK-MBS2", cpu:"x86_64", reference:"apache-2.4.12-1.mbs2")) flag++;
    if (rpm_check(release:"MDK-MBS2", cpu:"x86_64", reference:"apache-devel-2.4.12-1.mbs2")) flag++;
    if (rpm_check(release:"MDK-MBS2", reference:"apache-doc-2.4.12-1.mbs2")) flag++;
    if (rpm_check(release:"MDK-MBS2", cpu:"x86_64", reference:"apache-htcacheclean-2.4.12-1.mbs2")) flag++;
    if (rpm_check(release:"MDK-MBS2", cpu:"x86_64", reference:"apache-mod_cache-2.4.12-1.mbs2")) flag++;
    if (rpm_check(release:"MDK-MBS2", cpu:"x86_64", reference:"apache-mod_dav-2.4.12-1.mbs2")) flag++;
    if (rpm_check(release:"MDK-MBS2", cpu:"x86_64", reference:"apache-mod_dbd-2.4.12-1.mbs2")) flag++;
    if (rpm_check(release:"MDK-MBS2", cpu:"x86_64", reference:"apache-mod_ldap-2.4.12-1.mbs2")) flag++;
    if (rpm_check(release:"MDK-MBS2", cpu:"x86_64", reference:"apache-mod_proxy-2.4.12-1.mbs2")) flag++;
    if (rpm_check(release:"MDK-MBS2", cpu:"x86_64", reference:"apache-mod_proxy_html-2.4.12-1.mbs2")) flag++;
    if (rpm_check(release:"MDK-MBS2", cpu:"x86_64", reference:"apache-mod_session-2.4.12-1.mbs2")) flag++;
    if (rpm_check(release:"MDK-MBS2", cpu:"x86_64", reference:"apache-mod_ssl-2.4.12-1.mbs2")) flag++;
    if (rpm_check(release:"MDK-MBS2", cpu:"x86_64", reference:"apache-mod_suexec-2.4.12-1.mbs2")) flag++;
    if (rpm_check(release:"MDK-MBS2", cpu:"x86_64", reference:"apache-mod_userdir-2.4.12-1.mbs2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-191.NASL
    descriptionapache2 was updated to fix one security issue. This security issue was fixed : - CVE-2015-0228: Mod_lua websocket DoS (bnc#918352).
    last seen2020-06-05
    modified2015-03-05
    plugin id81622
    published2015-03-05
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/81622
    titleopenSUSE Security Update : apache2 (openSUSE-2015-191)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2015-191.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81622);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-0228");
    
      script_name(english:"openSUSE Security Update : apache2 (openSUSE-2015-191)");
      script_summary(english:"Check for the openSUSE-2015-191 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "apache2 was updated to fix one security issue.
    
    This security issue was fixed :
    
      - CVE-2015-0228: Mod_lua websocket DoS (bnc#918352)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=918352"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected apache2 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-event");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-event-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-example-pages");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-prefork");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-prefork-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-utils-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-worker");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-worker-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/02/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE13.2", reference:"apache2-2.4.10-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"apache2-debuginfo-2.4.10-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"apache2-debugsource-2.4.10-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"apache2-devel-2.4.10-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"apache2-event-2.4.10-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"apache2-event-debuginfo-2.4.10-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"apache2-example-pages-2.4.10-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"apache2-prefork-2.4.10-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"apache2-prefork-debuginfo-2.4.10-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"apache2-utils-2.4.10-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"apache2-utils-debuginfo-2.4.10-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"apache2-worker-2.4.10-16.1") ) flag++;
    if ( rpm_check(release:"SUSE13.2", reference:"apache2-worker-debuginfo-2.4.10-16.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache2 / apache2-debuginfo / apache2-debugsource / apache2-devel / etc");
    }
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_10_5.NASL
    descriptionThe remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.5. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - Apple ID OD Plug-in - AppleGraphicsControl - Bluetooth - bootp - CloudKit - CoreMedia Playback - CoreText - curl - Data Detectors Engine - Date & Time pref pane - Dictionary Application - DiskImages - dyld - FontParser - groff - ImageIO - Install Framework Legacy - IOFireWireFamily - IOGraphics - IOHIDFamily - Kernel - Libc - Libinfo - libpthread - libxml2 - libxpc - mail_cmds - Notification Center OSX - ntfs - OpenSSH - OpenSSL - perl - PostgreSQL - python - QL Office - Quartz Composer Framework - Quick Look - QuickTime 7 - SceneKit - Security - SMBClient - Speech UI - sudo - tcpdump - Text Formats - udf Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id85408
    published2015-08-17
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85408
    titleMac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2015-006.NASL
    descriptionThe remote host is running a version of Mac OS X 10.8.5 or 10.9.5 that is missing Security Update 2015-006. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - CoreText - FontParser - Libinfo - libxml2 - OpenSSL - perl - PostgreSQL - QL Office - Quartz Composer Framework - QuickTime 7 - SceneKit Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id85409
    published2015-08-17
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85409
    titleMac OS X Multiple Vulnerabilities (Security Update 2015-006)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2523-1.NASL
    descriptionMartin Holst Swende discovered that the mod_headers module allowed HTTP trailers to replace HTTP headers during request processing. A remote attacker could possibly use this issue to bypass RequestHeaders directives. (CVE-2013-5704) Mark Montague discovered that the mod_cache module incorrectly handled empty HTTP Content-Type headers. A remote attacker could use this issue to cause the server to stop responding, leading to a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-3581) Teguh P. Alko discovered that the mod_proxy_fcgi module incorrectly handled long response headers. A remote attacker could use this issue to cause the server to stop responding, leading to a denial of service. This issue only affected Ubuntu 14.10. (CVE-2014-3583) It was discovered that the mod_lua module incorrectly handled different arguments within different contexts. A remote attacker could possibly use this issue to bypass intended access restrictions. This issue only affected Ubuntu 14.10. (CVE-2014-8109) Guido Vranken discovered that the mod_lua module incorrectly handled a specially crafted websocket PING in certain circumstances. A remote attacker could possibly use this issue to cause the server to stop responding, leading to a denial of service. This issue only affected Ubuntu 14.10. (CVE-2015-0228). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id81755
    published2015-03-11
    reporterUbuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81755
    titleUbuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : apache2 vulnerabilities (USN-2523-1)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SERVER_5_0_3.NASL
    descriptionThe remote Mac OS X host has a version of OS X Server installed that is prior to 5.0.3. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the mod_headers module that allows HTTP trailers to replace HTTP headers late during request processing. A remote attacker can exploit this to inject arbitrary headers. This can also cause some modules to function incorrectly or appear to function incorrectly. (CVE-2013-5704) - A privilege escalation vulnerability exists due to the
    last seen2020-06-01
    modified2020-06-02
    plugin id86066
    published2015-09-22
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86066
    titleMac OS X : OS X Server < 5.0.3 Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-0974-1.NASL
    descriptionApache2 updated to fix four security issues and one non-security bug. The following vulnerabilities have been fixed : - mod_headers rules could be bypassed via chunked requests. Adds
    last seen2020-06-01
    modified2020-06-02
    plugin id83945
    published2015-06-02
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83945
    titleSUSE SLES12 Security Update : apache2 (SUSE-SU-2015:0974-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-11689.NASL
    descriptionUpdate to new version 2.4.16. This update fixed various bugs as well as few security issues. For full changelog, see http://www.apache.org/dist/httpd/CHANGES_2.4.16 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-07-22
    plugin id84906
    published2015-07-22
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/84906
    titleFedora 22 : httpd-2.4.16-1.fc22 (2015-11689)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_A12494C12AF411E586FF14DAE9D210B8.NASL
    descriptionJim Jagielski reports : CVE-2015-3183 (cve.mitre.org) core: Fix chunk header parsing defect. Remove apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters. CVE-2015-3185 (cve.mitre.org) Replacement of ap_some_auth_required (unusable in Apache httpd 2.4) with new ap_some_authn_required and ap_force_authn hook. CVE-2015-0253 (cve.mitre.org) core: Fix a crash with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. PR 57531. CVE-2015-0228 (cve.mitre.org) mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash.
    last seen2020-06-01
    modified2020-06-02
    plugin id84781
    published2015-07-16
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84781
    titleFreeBSD : apache24 -- multiple vulnerabilities (a12494c1-2af4-11e5-86ff-14dae9d210b8)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-11792.NASL
    descriptionUpdate to new version 2.4.16. This update fixed various bugs as well as few security issues. For full changelog, see http://www.apache.org/dist/httpd/CHANGES_2.4.16 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-07-30
    plugin id85092
    published2015-07-30
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85092
    titleFedora 21 : httpd-2.4.16-1.fc21 (2015-11792)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2015-198-01.NASL
    descriptionNew httpd packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id84829
    published2015-07-20
    reporterThis script is Copyright (C) 2015-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/84829
    titleSlackware 14.0 / 14.1 / current : httpd (SSA:2015-198-01)
  • NASL familyWeb Servers
    NASL idAPACHE_2_4_16.NASL
    descriptionAccording to its banner, the version of Apache 2.4.x installed on the remote host is prior to 2.4.16. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the lua_websocket_read() function in the
    last seen2020-06-01
    modified2020-06-02
    plugin id84959
    published2015-07-23
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84959
    titleApache 2.4.x < 2.4.16 Multiple Vulnerabilities

Redhat

advisories
rhsa
idRHSA-2015:1666
rpms
  • httpd24-httpd-0:2.4.12-4.el6.2
  • httpd24-httpd-0:2.4.12-6.el7.1
  • httpd24-httpd-debuginfo-0:2.4.12-4.el6.2
  • httpd24-httpd-debuginfo-0:2.4.12-6.el7.1
  • httpd24-httpd-devel-0:2.4.12-4.el6.2
  • httpd24-httpd-devel-0:2.4.12-6.el7.1
  • httpd24-httpd-manual-0:2.4.12-4.el6.2
  • httpd24-httpd-manual-0:2.4.12-6.el7.1
  • httpd24-httpd-tools-0:2.4.12-4.el6.2
  • httpd24-httpd-tools-0:2.4.12-6.el7.1
  • httpd24-mod_ldap-0:2.4.12-4.el6.2
  • httpd24-mod_ldap-0:2.4.12-6.el7.1
  • httpd24-mod_proxy_html-1:2.4.12-4.el6.2
  • httpd24-mod_proxy_html-1:2.4.12-6.el7.1
  • httpd24-mod_session-0:2.4.12-4.el6.2
  • httpd24-mod_session-0:2.4.12-6.el7.1
  • httpd24-mod_ssl-1:2.4.12-4.el6.2
  • httpd24-mod_ssl-1:2.4.12-6.el7.1

References