Vulnerabilities > CVE-2015-1829 - Denial of Service vulnerability in IBM HTTP Server

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
oracle
nessus

Summary

Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 10.1.3.5, 11.1.1.7, 11.1.1.9, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect availability via unknown vectors related to Web Listener. Per the Oracle advisory (http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html), the fix also addresses CVE-2015-3183.

Nessus

  • NASL familyWeb Servers
    NASL idWEBSPHERE_CVE-2015-1829.NASL
    descriptionThe IBM HTTP Server running on the remote host is version 6.0 prior to or equal to 6.0.2.43, 6.1 prior to or equal to 6.1.0.47, 7.0 prior to 7.0.0.39, 8.0 prior to 8.0.0.11, or 8.5 prior to 8.5.5.7. It is, therefore, affected by a flaw in the Apache Portable Runtime (APR) that is triggered when an APR application is using APR named pipe support on Windows. A local attacker can exploit this to conduct a pipe squatting attack from a local process.
    last seen2020-06-01
    modified2020-06-02
    plugin id86019
    published2015-09-18
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/86019
    titleIBM HTTP Server 6.0 <= 6.0.2.43 (FP43) / 6.1 <= 6.1.0.47 (FP47) / 7.0 < 7.0.0.39 (FP39) / 8.0 < 8.0.0.11 (FP11) / 8.5 < 8.5.5.7 (FP7) Named Pipe DoS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: taken when 'description' is set. It only declares
    # the plugin's metadata, dependencies and required KB keys, then exits.
    if (description)
    {
      script_id(86019);
      script_version("1.3");
      script_cvs_date("Date: 2018/08/06 14:03:16");
    
      script_cve_id("CVE-2015-1829");
      script_bugtraq_id(75164);
    
      script_name(english:"IBM HTTP Server 6.0 <= 6.0.2.43 (FP43) / 6.1 <= 6.1.0.47 (FP47) / 7.0 < 7.0.0.39 (FP39) / 8.0 < 8.0.0.11 (FP11) / 8.5 < 8.5.5.7 (FP7) Named Pipe DoS");
      script_summary(english:"Reads the version number from the SOAP port.");
    
      # NOTE(review): the synopsis says "multiple vulnerabilities", but only
      # CVE-2015-1829 is registered above.
      script_set_attribute(attribute:"synopsis", value:
    "The remote IBM HTTP Server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The IBM HTTP Server running on the remote host is version 6.0 prior to
    or equal to 6.0.2.43, 6.1 prior to or equal to 6.1.0.47, 7.0 prior to
    7.0.0.39, 8.0 prior to 8.0.0.11, or 8.5 prior to 8.5.5.7. It is,
    therefore, affected by a flaw in the Apache Portable Runtime (APR)
    that is triggered when an APR application is using APR named pipe
    support on Windows. A local attacker can exploit this to conduct a
    pipe squatting attack from a local process.");
      # CVE-2015-1829 / PI39833
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21959081");
      script_set_attribute(attribute:"solution", value:
    "Apply IBM 7.0 Fix Pack 39 (7.0.0.39) / 8.0 Fix Pack 11 (8.0.0.11) /
    8.5 Fix Pack 7 (8.5.5.7) or later. Alternatively, apply the Interim
    Fixes as recommended in the vendor advisory.
    
    In the case of the 6.0 branch, apply IBM 6.0 Fix Pack 43 (6.0.2.43)
    and then apply Interim Fix PI39833.
    
    In the case of the 6.1 branch, apply IBM 6.1 Fix Pack 47 (6.1.0.47)
    and then apply Interim Fixes PI39833.");
      # NOTE(review): the base vector uses AV:N, while the description above
      # speaks of a local attacker and a local process on Windows. Confirm
      # which access assumption the score is meant to reflect before using it
      # for prioritisation.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/09/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/09/18");
    
      # Declared as a potential (unconfirmed) finding; the plugin also requires
      # the Settings/ParanoidReport key below.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_application_server");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:http_server");
    
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
    
      # The version comes from the WebSphere detection plugin's KB entries,
      # not from a probe made by this script.
      script_dependencies("websphere_detect.nasl");
      script_require_ports("Services/www", 8880, 8881);
      script_require_keys("www/WebSphere", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    # Version-only check: compares the WebSphere version stored in the KB with
    # per-branch fix-pack levels. Nothing below tests whether the interim fix
    # named in 'itr' is installed; it is only printed in the report. A patched
    # host at an affected fix-pack level is therefore still reported, which is
    # why the script audits out unless report_paranoia is at least 2.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    port = get_http_port(default:8880, embedded:0);
    
    # Both values are read from KB entries under www/WebSphere/<port>/.
    version = get_kb_item_or_exit("www/WebSphere/"+port+"/version");
    source = get_kb_item_or_exit("www/WebSphere/"+port+"/source");
    
    app_name = "IBM WebSphere Application Server";
    
    # A version with only one or two numeric components cannot be compared
    # against four-part fix-pack levels, so audit out instead of guessing.
    if (version =~ "^[0-9]+(\.[0-9]+)?$")
      audit(AUDIT_VER_NOT_GRANULAR, app_name, port, version);
    
    fix  = FALSE; # Fixed version for compare
    min  = FALSE; # Min version for branch
    pck  = FALSE; # Fix pack name (tacked onto fix in report)
    itr  = "PI39833"; # Required interim fixes
    vuln = FALSE; # Flag for branches requiring <= checks
    
    # 7.0 / 8.0 / 8.5: affected when min <= version < fix (strict less-than).
    if (version =~ "^8\.5\.")
    {
      fix = '8.5.5.7';
      min = '8.5.0.0';
      pck = " (Fix Pack 7)";
    }
    else if (version =~ "^8\.0\.")
    {
      fix = '8.0.0.11';
      min = '8.0.0.0';
      pck = " (Fix Pack 11)";
    }
    else if (version =~ "^7\.0\.")
    {
      fix = '7.0.0.39';
      min = '7.0.0.0';
      pck = " (Fix Pack 39) Available 2015/11/02";
    }
    
    # V6.1.0.0 through 6.1.0.47 (without PI39833)
    # The last fix pack itself is still affected, so this branch sets 'vuln'
    # directly instead of relying on the strict less-than comparison below.
    else if (version =~ "^6\.1\.")
    {
      if (ver_compare(ver:version, fix:'6.1.0.47', strict:FALSE) <= 0)
      {
        fix = '6.1.0.47';
        min = '6.1.0.0';
        # NOTE(review): this string names PI45596, while 'itr', the branch
        # comment above and the plugin's solution text all name PI39833 for
        # the 6.1 branch. Confirm against the vendor advisory which interim
        # fix the report should show.
        pck = " (Fix Pack 47) plus PI45596";
        vuln = TRUE;
      }
    }
    
    # V6.0.0.0 through 6.0.2.43 (without PI39833)
    else if (version =~ "^6\.0\.")
    {
      if (ver_compare(ver:version, fix:'6.0.2.43', strict:FALSE) <= 0)
      {
        fix = '6.0.2.43';
        min = '6.0.0.0';
        pck = " (Fix Pack 43) plus PI39833";
        vuln = TRUE;
      }
    }
    
    # Report when the version lies in [min, fix) for a 7.x/8.x branch, or when
    # a 6.x branch set 'vuln'. A version matching no branch leaves fix and min
    # FALSE and falls through to the not-vulnerable audit.
    if (
        (
          fix && min &&
          ver_compare(ver:version, fix:fix, strict:FALSE) <  0 &&
          ver_compare(ver:version, fix:min, strict:FALSE) >= 0
        )
        ||
        vuln
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source    : ' + source  +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fix + pck +
          '\n  Interim fixes     : ' + itr +
          '\n';
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version);
    
  • NASL familyWeb Servers
    NASL idIBM_HTTP_SERVER_PI39833.NASL
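    descriptionAccording to its banner, the version of IBM HTTP Server running on the remote host is potentially affected by a denial of service vulnerability due to an error related to the included Apache Portable Runtime (APR) and named pipe handling. A local attacker, using a 'named pipe squatting attack' from a local process, can exploit this to cause a denial of service. This issue only affects IBM HTTP Server on Windows.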
    last seen2020-06-01
    modified2020-06-02
    plugin id84290
    published2015-06-19
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84290
    titleIBM HTTP Server on Windows Apache Portable Runtime (APR) Named Pipe DoS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: taken when 'description' is set. It only declares
    # the plugin's metadata, dependencies and required KB keys, then exits.
    if (description)
    {
      script_id(84290);
      script_version("1.8");
      script_cvs_date("Date: 2019/11/22");
    
      script_cve_id("CVE-2015-1829");
      script_bugtraq_id(75164);
    
      script_name(english:"IBM HTTP Server on Windows Apache Portable Runtime (APR) Named Pipe DoS");
      script_summary(english:"Checks the version in server response header.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server may be affected by a denial of service
    vulnerability.");
      # The description states the two limits of this check: it trusts the
      # self-reported banner version, and it does not detect whether the
      # PI39833 interim fix (or a later patch) is already applied.
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of IBM HTTP Server running on the
    remote host is potentially affected by a denial of service
    vulnerability due to an error related to the included Apache Portable
    Runtime (APR) and named pipe handling. A local attacker, using a
    'named pipe squatting attack' from a local process, can exploit this
    to cause a denial of service. This issue only affects IBM HTTP Server
    on Windows.
    
    Note that Nessus has not tested for this issue but has instead relied
    only on the application's self-reported version number.
    
    Also note that Nessus has not attempted to determine if the 'PI39833'
    interim fix or a later patch has been applied. If a patch has already
    been applied, consider this a false positive.");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21959081");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg24040155");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to 6.0.2.43, 6.1.0.47, 7.0.0.37, 8.0.0.9, or 8.5.5.5. Then
    apply Interim Fix PI39833.
    
    Note that the fix is scheduled to be included in the following
    versions :
    
      - 7.0.0.39 
      - 8.0.0.11 
      - 8.5.5.7");
      # NOTE(review): the base vector uses AV:N, while the description above
      # speaks of a local attacker and a local process. The score source is
      # given as the CVE entry itself (cvss_score_source below); confirm which
      # access assumption applies before using the score for prioritisation.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1829");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/06/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/19");
    
      # Declared as a potential (unconfirmed) finding; the plugin also requires
      # the Settings/ParanoidReport key below.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:http_server");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Host/OS is required because the detection logic reports only hosts
      # whose OS string contains "windows".
      script_dependencies("http_version.nasl", "os_fingerprint.nasl");
      script_require_keys("www/ibm-http", "Settings/ParanoidReport", "Host/OS");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
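    # Banner-based check: reports IBM HTTP Server on Windows when the version
    # parsed from the Server response header falls in one of the affected
    # ranges below. Nothing here tests for the PI39833 interim fix, so a
    # patched host at an affected version is still reported; the script
    # therefore audits out unless report_paranoia is at least 2.
    get_kb_item_or_exit("www/ibm-http");
    
    port = get_http_port(default:80);
    
    # Get Server header
    server_header = http_server_header(port:port);
    if (empty_or_null(server_header)) audit(AUDIT_WEB_NO_SERVER_HEADER, port);
    
    # Make sure this is IBM HTTP
    if (
      "IBM HTTP Server" >!< server_header &&
      "IBM_HTTP_Server" >!< server_header
    ) audit(AUDIT_WRONG_WEB_SERVER, port, "IBM HTTP Server");
    
    # Make sure this is Windows (the issue concerns APR named pipe support on
    # Windows only, per the plugin description)
    os = get_kb_item_or_exit("Host/OS");
    if ("windows" >!< tolower(os)) audit(AUDIT_OS_NOT, "Windows", os);
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # Get Server header and version
    pattern = "IBM[ _]HTTP[ _]Server\/(V([0-9]+)R([0-9]+)M([0-9]+))";
    matches = eregmatch(pattern:pattern, string:server_header);
    if (!isnull(matches))
    {
      # Build the version, e.g.:
      # raw_version: V5R3M0
      # version: 5.3.0
      version = matches[2] + "." + matches[3] + "." + matches[4];
    }
    else
    {
      pattern = "IBM[ _]HTTP[ _]Server\/([0-9]+[0-9.]+)";
      matches = eregmatch(pattern:pattern, string:server_header);
      # Neither banner format matched: stop before indexing into 'matches'.
      if (isnull(matches)) audit(AUDIT_UNKNOWN_WEB_SERVER_VER, "IBM HTTP Server for Windows", port);
      version = matches[1];
    }
    
    # Check granularity
    # format V#R#M# versions are going to be
    # not granular enough by default in this case.
    if (
      version =~ "^6(\.0)?$" ||
      version =~ "^6\.0\.2$" ||
      version =~ "^6\.1(\.0)?$" ||
      version =~ "^7(\.0)?$" ||
      version =~ "^7\.0\.0$" ||
      version =~ "^8(\.0)?$" ||
      version =~ "^8\.0\.0$" ||
      version =~ "^8\.5(\.5)?$"
    ) audit(AUDIT_VER_NOT_GRANULAR, "IBM HTTP Server", port, version);
    
    source = matches[0];
    
    if (
      # V6.0.0.0 through 6.0.1.x
      version =~ "^6\.0\.[01]($|[^0-9])" ||
      # V6.0.2.0 through 6.0.2.43
      version =~ "^6\.0\.2\.([0-9]|[1-3][0-9]|4[0-3])($|[^0-9])" ||
      # V6.1.0.0 through 6.1.0.47
      # The bracket expression must be closed as 4[0-7]. Written as "4[0-7)"
      # the pattern either fails to compile or is read as one long bracket
      # expression that swallows the ($|[^0-9]) terminator, so fix-pack
      # numbers above 47 would no longer be excluded.
      version =~ "^6\.1\.0\.([0-9]|[1-3][0-9]|4[0-7])($|[^0-9])"     ||
      # V7.0.0.0 through 7.0.0.37 (with 7.0.0.38)
      version =~ "^7\.0\.0\.([0-9]|[1-2][0-9]|3[0-8])($|[^0-9])" ||
      # V8.0 through 8.0.0.10
      version =~ "^8\.0\.0\.([0-9]|10)($|[^0-9])" ||
      # V8.5.0.0 through 8.5.4.x
      version =~ "^8\.5\.[0-4]($|[^0-9])" ||
      # V8.5.5.0 through 8.5.5.5 (with 8.5.5.6)
      version =~ "^8\.5\.5\.[0-6]($|[^0-9])"
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source    : ' + source +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : See solution' +
          '\n';
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "IBM HTTP Server for Windows", port, version);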
    
  • NASL familyWeb Servers
    NASL idORACLE_HTTP_SERVER_CPU_OCT_2015.NASL
    descriptionThe version of Oracle HTTP Server installed on the remote host is affected by multiple vulnerabilities : - (CVE-2003-1418) - A denial of service vulnerability exists in libxml2, related to the xmlParserHandlePEReference() function in file parser.c, due to loading external parameter entities without regard to entity substitution or validation being enabled, as in the case of entity substitution in the doctype prolog. An unauthenticated, remote attacker can exploit this, via specially crafted XML content, to exhaust the system CPU, memory, or file descriptor resources. (CVE-2014-0191) - An unspecified vulnerability exists in the Web Listener component that allows an unauthenticated, remote attacker to impact availability. (CVE-2015-1829) - (CVE-2015-2808) - An unspecified vulnerability exists in the OSSL Module that allows an unauthenticated, remote attacker to impact confidentiality. (CVE-2015-4812) - An unspecified vulnerability exists in the Web Listener component that allows an authenticated, remote attacker to impact confidentiality. (CVE-2015-4914) - (CVE-2016-2183)
    last seen2020-03-18
    modified2015-10-23
    plugin id86569
    published2015-10-23
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86569
    titleOracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (October 2015 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    # Registration branch: taken when 'description' is set. It only declares
    # the plugin's metadata, dependencies and required KB keys, then exits.
    # This plugin covers the whole October 2015 CPU for Oracle HTTP Server,
    # so its score and exploit flags describe the set of CVEs, not
    # CVE-2015-1829 alone.
    if (description)
    {
      script_id(86569);
      script_version("1.19");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/25");
    
      script_cve_id(
        "CVE-2003-1418",
        "CVE-2014-0191",
        "CVE-2015-1829",
        "CVE-2015-2808",
        "CVE-2015-4812",
        "CVE-2015-4914",
        "CVE-2016-2183"
      );
      script_bugtraq_id(
        67233,
        73684,
        75164,
        77195,
        77201,
        92630
      );
    
      script_name(english:"Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (October 2015 CPU)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by multiple vulnerabilities.");
      # NOTE(review): three bullets in the description below carry only a CVE
      # id and no text (CVE-2003-1418, CVE-2015-2808, CVE-2016-2183).
      script_set_attribute(attribute:"description", value:
    "The version of Oracle HTTP Server installed on the remote host is
    affected by multiple vulnerabilities :
    
      - (CVE-2003-1418)
    
      - A denial of service vulnerability exists in libxml2,
        related to the xmlParserHandlePEReference() function in
        file parser.c, due to loading external parameter
        entities without regard to entity substitution or
        validation being enabled, as in the case of entity
        substitution in the doctype prolog. An unauthenticated,
        remote attacker can exploit this, via specially crafted
        XML content, to exhaust the system CPU, memory, or file
        descriptor resources. (CVE-2014-0191)
    
      - An unspecified vulnerability exists in the Web Listener
        component that allows an unauthenticated, remote
        attacker to impact availability. (CVE-2015-1829)
    
      -  (CVE-2015-2808)
    
      - An unspecified vulnerability exists in the OSSL Module
        that allows an unauthenticated, remote attacker to
        impact confidentiality. (CVE-2015-4812)
    
      - An unspecified vulnerability exists in the Web Listener
        component that allows an authenticated, remote attacker
        to impact confidentiality. (CVE-2015-4914)
    
      - (CVE-2016-2183)");
      # http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?75a4a4fb");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the October 2015 Oracle Critical Patch Update advisory.");
      # The vectors below rate confidentiality impact (C:P / C:H) and their
      # source is given as CVE-2016-2183, so they do not describe the
      # availability-only CVE-2015-1829.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2183");
    
      # NOTE(review): the exploit flags are set for the plugin as a whole;
      # nothing here says which of the seven CVEs they refer to.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(200);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/05/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/10/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/23");
    
      # Declared as a local check: it requires the Oracle/OHS/Installed KB key
      # set by the install-detection dependency below.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:http_server");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_http_server_installed.nbin");
      script_require_keys("Oracle/OHS/Installed");
    
      exit(0);
    }
    
    include('oracle_http_server_patch_func.inc');
    
    # Patch-level check for each detected Oracle HTTP Server install: the
    # per-release minimum fixed versions below are handed to
    # oracle_http_server_check_vuln(), which comes from the include above and
    # whose comparison logic is not visible in this script.
    get_kb_item_or_exit('Oracle/OHS/Installed');
    install_list = get_kb_list_or_exit('Oracle/OHS/*/EffectiveVersion');
    
    # presumably continues once per entry in install_list, with 'install'
    # holding that entry's key and value; confirm against branch()
    install = branch(install_list, key:TRUE, value:TRUE);
    
    # Release -> minimum fixed version ('fix_ver') and Oracle patch number
    # ('patch').
    # NOTE(review): the fix_ver suffixes for 12.1.2.0 (151120) and 12.1.3.0
    # (160130) differ from the 151020 suffix of the other releases; they look
    # like later patch dates. Confirm against the advisory.
    patches = make_array();
    patches['10.1.3.5'] = make_array('fix_ver', '10.1.3.5.151020', 'patch', '21845960');
    patches['11.1.1.7'] = make_array('fix_ver', '11.1.1.7.151020', 'patch', '21640624');
    patches['11.1.1.9'] = make_array('fix_ver', '11.1.1.9.151020', 'patch', '21663064');
    patches['12.1.2.0'] = make_array('fix_ver', '12.1.2.0.151120', 'patch', '21768251');
    patches['12.1.3.0'] = make_array('fix_ver', '12.1.3.0.160130', 'patch', '21640673');
    
    # Findings are raised at SECURITY_WARNING severity.
    oracle_http_server_check_vuln(
      install : install,
      min_patches : patches,
      severity : SECURITY_WARNING
    );