CVE-2017-9798 - Use After Free vulnerability in multiple products

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE

Tags: network, low complexity, apache, debian, CWE-416, nessus, exploit available, metasploit

Summary

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

Vulnerable Configurations

Part         Description  Count
Application  Apache       203
OS           Debian       3

Common Weakness Enumeration (CWE)

Exploit-Db

description: Apache - HTTP OPTIONS Memory Leak. CVE-2017-9798. Webapps exploit for Linux platform
file: exploits/linux/webapps/42745.py
id: EDB-ID:42745
last seen: 2017-09-18
modified: 2017-09-18
platform: linux
port:
published: 2017-09-18
reporter: Exploit-DB
source: https://www.exploit-db.com/download/42745/
title: Apache - HTTP OPTIONS Memory Leak
type: webapps

Metasploit

description: This module scans for the Apache optionsbleed vulnerability where the Allow response header returned from an OPTIONS request may bleed memory if the server has a .htaccess file with an invalid Limit method defined.
id: MSF:AUXILIARY/SCANNER/HTTP/APACHE_OPTIONSBLEED
last seen: 2020-06-12
modified: 2018-08-27
published: 2017-09-27
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/apache_optionsbleed.rb
title: Apache Optionsbleed Scanner

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2017-3113.NASL
    description: An update is now available for Red Hat JBoss Enterprise Web Server 2.1.2 for RHEL 6 and Red Hat JBoss Enterprise Web Server 2.1.2 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. This release provides an update to httpd, OpenSSL and Tomcat 6/7 for Red Hat JBoss Web Server 2.1.2. The updates are documented in the Release Notes document linked to in the References. This release of Red Hat JBoss Web Server 2.1.2 Service Pack 2 serves as an update for Red Hat JBoss Web Server 2, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Users of Red Hat JBoss Web Server 2 should upgrade to these updated packages, which resolve several security issues. Security Fix(es) : * It was discovered that the httpd
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 104456
    published: 2017-11-08
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/104456
    title: RHEL 6 / 7 : Red Hat JBoss Web Server (RHSA-2017:3113) (Optionsbleed)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2017:3113. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104456);
      script_version("3.15");
      script_cvs_date("Date: 2019/10/24 15:35:43");
    
      script_cve_id("CVE-2016-2183", "CVE-2017-12615", "CVE-2017-12617", "CVE-2017-9788", "CVE-2017-9798");
      script_xref(name:"RHSA", value:"2017:3113");
    
      script_name(english:"RHEL 6 / 7 : Red Hat JBoss Web Server (RHSA-2017:3113) (Optionsbleed)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update is now available for Red Hat JBoss Enterprise Web Server
    2.1.2 for RHEL 6 and Red Hat JBoss Enterprise Web Server 2.1.2 for
    RHEL 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The httpd packages provide the Apache HTTP Server, a powerful,
    efficient, and extensible web server.
    
    OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL)
    and Transport Layer Security (TLS) protocols, as well as a
    full-strength general-purpose cryptography library.
    
    Apache Tomcat is a servlet container for the Java Servlet and
    JavaServer Pages (JSP) technologies.
    
    This release provides an update to httpd, OpenSSL and Tomcat 6/7 for
    Red Hat JBoss Web Server 2.1.2. The updates are documented in the
    Release Notes document linked to in the References.
    
    This release of Red Hat JBoss Web Server 2.1.2 Service Pack 2 serves
    as a update for Red Hat JBoss Web Server 2, and includes bug fixes,
    which are documented in the Release Notes document linked to in the
    References.
    
    Users of Red Hat JBoss Web Server 2 should upgrade to these updated
    packages, which resolve several security issues.
    
    Security Fix(es) :
    
    * It was discovered that the httpd's mod_auth_digest module did not
    properly initialize memory before using it when processing certain
    headers related to digest authentication. A remote attacker could
    possibly use this flaw to disclose potentially sensitive information
    or cause httpd child process to crash by sending specially crafted
    requests to a server. (CVE-2017-9788)
    
    * A vulnerability was discovered in Tomcat where if a servlet context
    was configured with readonly=false and HTTP PUT requests were allowed,
    an attacker could upload a JSP file to that context and achieve code
    execution. (CVE-2017-12615)
    
    * A vulnerability was discovered in Tomcat where if a servlet context
    was configured with readonly=false and HTTP PUT requests were allowed,
    an attacker could upload a JSP file to that context and achieve code
    execution. (CVE-2017-12617)
    
    * A flaw was found in the way the DES/3DES cipher was used as part of
    the TLS /SSL protocol. A man-in-the-middle attacker could use this
    flaw to recover some plaintext data by capturing large amounts of
    encrypted traffic between TLS/SSL server and client if the
    communication used a DES/3DES based ciphersuite. (CVE-2016-2183)
    
    * A use-after-free flaw was found in the way httpd handled invalid and
    previously unregistered HTTP methods specified in the Limit directive
    used in an .htaccess file. A remote attacker could possibly use this
    flaw to disclose portions of the server memory, or cause httpd child
    process to crash. (CVE-2017-9798)
    
    Red Hat would like to thank OpenVPN for reporting CVE-2016-2183 and
    Hanno Bock for reporting CVE-2017-9798. Upstream acknowledges
    Karthikeyan Bhargavan (Inria) and Gaetan Leurent (Inria) as the
    original reporters of CVE-2016-2183.
    
    Bug Fix(es) :
    
    * Corruption in nodestatsmem in multiple core dumps but in different
    functions of each core dump. (BZ#1338640)
    
    * mod_cluster segfaults in process_info() due to wrongly generated
    assembler instruction movslq (BZ#1448709)
    
    * CRL checking of very large CRLs fails with OpenSSL 1.0.2
    (BZ#1493075)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/articles/3227901"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2017:3113"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-2183"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-12615"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-12617"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-9788"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-9798"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"d2_elliot_name", value:"Apache Tomcat for Windows HTTP PUT Method File Upload");
      script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Tomcat RCE via JSP Upload Bypass');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd-manual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd22");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd22-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd22-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd22-manual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd22-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-perl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-static");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_cluster-native");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_cluster-native-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_ldap22");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_ssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_ssl22");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat6-admin-webapps");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat6-docs-webapp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat6-el-2.1-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat6-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat6-jsp-2.1-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat6-lib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat6-log4j");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat6-maven-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat6-servlet-2.5-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat6-webapps");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-admin-webapps");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-docs-webapp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-el-2.2-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-jsp-2.2-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-lib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-log4j");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-maven-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-servlet-3.0-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-webapps");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/11/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/08");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x / 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2017:3113";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
    
      if (! (rpm_exists(release:"RHEL6", rpm:"jws-2") || rpm_exists(release:"RHEL7", rpm:"jws-2"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "JBoss Web Server");
    
      if (rpm_check(release:"RHEL6", cpu:"i386", reference:"httpd-2.2.26-57.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"httpd-2.2.26-57.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i386", reference:"httpd-debuginfo-2.2.26-57.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"httpd-debuginfo-2.2.26-57.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i386", reference:"httpd-devel-2.2.26-57.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"httpd-devel-2.2.26-57.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i386", reference:"httpd-manual-2.2.26-57.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"httpd-manual-2.2.26-57.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i386", reference:"httpd-tools-2.2.26-57.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"httpd-tools-2.2.26-57.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"jbcs-httpd24-openssl-1.0.2h-14.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"jbcs-httpd24-openssl-1.0.2h-14.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"jbcs-httpd24-openssl-debuginfo-1.0.2h-14.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"jbcs-httpd24-openssl-debuginfo-1.0.2h-14.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"jbcs-httpd24-openssl-devel-1.0.2h-14.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"jbcs-httpd24-openssl-devel-1.0.2h-14.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"jbcs-httpd24-openssl-libs-1.0.2h-14.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"jbcs-httpd24-openssl-libs-1.0.2h-14.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"jbcs-httpd24-openssl-perl-1.0.2h-14.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"jbcs-httpd24-openssl-perl-1.0.2h-14.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"jbcs-httpd24-openssl-static-1.0.2h-14.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"jbcs-httpd24-openssl-static-1.0.2h-14.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i386", reference:"mod_cluster-native-1.2.13-9.Final_redhat_2.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"mod_cluster-native-1.2.13-9.Final_redhat_2.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i386", reference:"mod_cluster-native-debuginfo-1.2.13-9.Final_redhat_2.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"mod_cluster-native-debuginfo-1.2.13-9.Final_redhat_2.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i386", reference:"mod_ldap-2.2.26-57.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"mod_ldap-2.2.26-57.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i386", reference:"mod_ssl-2.2.26-57.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"mod_ssl-2.2.26-57.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat6-6.0.41-19_patch_04.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat6-admin-webapps-6.0.41-19_patch_04.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat6-docs-webapp-6.0.41-19_patch_04.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat6-el-2.1-api-6.0.41-19_patch_04.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat6-javadoc-6.0.41-19_patch_04.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat6-jsp-2.1-api-6.0.41-19_patch_04.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat6-lib-6.0.41-19_patch_04.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat6-log4j-6.0.41-19_patch_04.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat6-maven-devel-6.0.41-19_patch_04.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat6-servlet-2.5-api-6.0.41-19_patch_04.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat6-webapps-6.0.41-19_patch_04.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-7.0.54-28_patch_05.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-admin-webapps-7.0.54-28_patch_05.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-docs-webapp-7.0.54-28_patch_05.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-el-2.2-api-7.0.54-28_patch_05.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-javadoc-7.0.54-28_patch_05.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-jsp-2.2-api-7.0.54-28_patch_05.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-lib-7.0.54-28_patch_05.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-log4j-7.0.54-28_patch_05.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-maven-devel-7.0.54-28_patch_05.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-servlet-3.0-api-7.0.54-28_patch_05.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-webapps-7.0.54-28_patch_05.ep6.el6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"httpd22-2.2.26-58.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"httpd22-debuginfo-2.2.26-58.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"httpd22-devel-2.2.26-58.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"httpd22-manual-2.2.26-58.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"httpd22-tools-2.2.26-58.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"jbcs-httpd24-openssl-1.0.2h-14.jbcs.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"jbcs-httpd24-openssl-debuginfo-1.0.2h-14.jbcs.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"jbcs-httpd24-openssl-devel-1.0.2h-14.jbcs.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"jbcs-httpd24-openssl-libs-1.0.2h-14.jbcs.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"jbcs-httpd24-openssl-perl-1.0.2h-14.jbcs.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"jbcs-httpd24-openssl-static-1.0.2h-14.jbcs.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"mod_cluster-native-1.2.13-9.Final_redhat_2.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"mod_cluster-native-debuginfo-1.2.13-9.Final_redhat_2.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"mod_ldap22-2.2.26-58.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"mod_ssl22-2.2.26-58.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat6-6.0.41-19_patch_04.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat6-admin-webapps-6.0.41-19_patch_04.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat6-docs-webapp-6.0.41-19_patch_04.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat6-el-2.1-api-6.0.41-19_patch_04.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat6-javadoc-6.0.41-19_patch_04.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat6-jsp-2.1-api-6.0.41-19_patch_04.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat6-lib-6.0.41-19_patch_04.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat6-log4j-6.0.41-19_patch_04.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat6-maven-devel-6.0.41-19_patch_04.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat6-servlet-2.5-api-6.0.41-19_patch_04.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat6-webapps-6.0.41-19_patch_04.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-7.0.54-28_patch_05.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-admin-webapps-7.0.54-28_patch_05.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-docs-webapp-7.0.54-28_patch_05.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-el-2.2-api-7.0.54-28_patch_05.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-javadoc-7.0.54-28_patch_05.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-jsp-2.2-api-7.0.54-28_patch_05.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-lib-7.0.54-28_patch_05.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-log4j-7.0.54-28_patch_05.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-maven-devel-7.0.54-28_patch_05.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-servlet-3.0-api-7.0.54-28_patch_05.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-webapps-7.0.54-28_patch_05.ep6.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc");
      }
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2017-2882.NASL
    description: An update for httpd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798) Red Hat would like to thank Hanno Bock for reporting this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 103790
    published: 2017-10-12
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103790
    title: CentOS 7 : httpd (CESA-2017:2882) (Optionsbleed)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2017-3195.NASL
    description: An update for httpd is now available for Red Hat Enterprise Linux 6.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * It was discovered that the httpd
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 104541
    published: 2017-11-14
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/104541
    title: RHEL 6 : httpd (RHSA-2017:3195) (Optionsbleed)
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOS_10_13_2.NASL
    description: The remote host is running a version of Mac OS X that is 10.13.x prior to 10.13.2. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - curl - Directory Utility - IOAcceleratorFamily - IOKit - Intel Graphics Driver - Kernel - Mail - Mail Drafts - OpenSSL - Screen Sharing Server Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 105080
    published: 2017-12-07
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/105080
    title: macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown)
  • NASL family: Junos Local Security Checks
    NASL id: JUNIPER_SPACE_JSA_10838.NASL
    description: According to its self-reported version number, the remote Junos Space version is prior to 17.2R1. It is, therefore, affected by multiple vulnerabilities.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 108520
    published: 2018-03-21
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/108520
    title: Juniper Junos Space < 17.2R1 Multiple Vulnerabilities (JSA10838)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2017-2972.NASL
    description: An update for httpd is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798) * A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd, causing comments in the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 104006
    published: 2017-10-20
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/104006
    title: RHEL 6 : httpd (RHSA-2017:2972) (Optionsbleed)
  • NASL familyCGI abuses
    NASL idORACLE_PRIMAVERA_UNIFIER_CPU_APR_2019.NASL
    descriptionAccording to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.x prior to 16.2.15.7 or 17.7.x prior to 17.12.10 or 18.x prior to 18.8.6. It is, therefore, affected by multiple vulnerabilities: - A deserialization vulnerability in Apache Commons FileUpload allows for remote code execution. (CVE-2016-1000031) - A denial of service (DoS) vulnerability exists in Apache HTTP Server 2.4.17 to 2.4.34, due to a design error. An unauthenticated, remote attacker can exploit this issue by sending continuous, large SETTINGS frames to cause a client to occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. (CVE-2018-11763). - A deserialization vulnerability in jackson-databind, a fast and powerful JSON library for Java, allows an unauthenticated user to perform code execution. The issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization. (CVE-2018-19362) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id124170
    published2019-04-19
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124170
    titleOracle Primavera Unifier Multiple Vulnerabilities (Apr 2019 CPU)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1083.NASL
    descriptionThis update for apache2 fixes the following security issue : - CVE-2017-9798: Prevent use-after-free use of memory that allowed for an information leak via OPTIONS (bsc#1058058). This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-06-05
    modified2017-09-22
    plugin id103399
    published2017-09-22
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103399
    titleopenSUSE Security Update : apache2 (openSUSE-2017-1083) (Optionsbleed)
  • NASL familyMisc.
    NASL idORACLE_ENTERPRISE_MANAGER_OPS_CENTER_APR_2019_CPU.NASL
    descriptionThe version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component: - A deserialization vulnerability in Apache Commons FileUpload allows for remote code execution. (CVE-2016-1000031) - An information disclosure vulnerability exists in OpenSSL due to the potential for a side-channel timing attack. An unauthenticated attacker can exploit this to disclose potentially sensitive information. (CVE-2018-0734) - A denial of service (DoS) vulnerability exists in Apache HTTP Server 2.4.17 to 2.4.34, due to a design error. An unauthenticated, remote attacker can exploit this issue by sending continuous, large SETTINGS frames to cause a client to occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. (CVE-2018-11763). - Networking component of Enterprise Manager Base Platform (Spring Framework) is easily exploited and may allow an unauthenticated, remote attacker to take over the Enterprise Manager Base Platform. (CVE-2018-1258)
    last seen2020-06-01
    modified2020-06-02
    plugin id125147
    published2019-05-15
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125147
    titleOracle Enterprise Manager Ops Center (Apr 2019 CPU)
  • NASL familyMisc.
    NASL idORACLE_ENTERPRISE_MANAGER_JUL_2018_CPU.NASL
    descriptionThe version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in the Enterprise Manager Base Platform component.
    last seen2020-06-01
    modified2020-06-02
    plugin id111152
    published2018-07-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111152
    titleOracle Enterprise Manager Cloud Control Multiple Vulnerabilities (July 2018 CPU)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2017-896.NASL
    descriptionApache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user
    last seen2020-06-01
    modified2020-06-02
    plugin id103309
    published2017-09-19
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103309
    titleAmazon Linux AMI : httpd24 / httpd (ALAS-2017-896) (Optionsbleed)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201710-32.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201710-32 (Apache: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Apache. Please review the referenced CVE identifiers for details. Impact : The Optionsbleed vulnerability can leak arbitrary memory from the server process that may contain secrets. Additionally attackers may cause a Denial of Service condition, bypass authentication, or cause information loss. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id104233
    published2017-10-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104233
    titleGLSA-201710-32 : Apache: Multiple vulnerabilities (Optionsbleed)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZLSA-2017-2972.NASL
    descriptionAn update for httpd is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798) * A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd, causing comments in the
    last seen2020-06-01
    modified2020-06-02
    plugin id119234
    published2018-11-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119234
    titleVirtuozzo 6 : httpd / httpd-devel / httpd-manual / httpd-tools / etc (VZLSA-2017-2972)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1389.NASL
    descriptionAccording to the versions of the httpd packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.(CVE-2018-17199) - It was discovered that the use of httpd
    last seen2020-06-01
    modified2020-06-02
    plugin id124892
    published2019-05-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124892
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : httpd (EulerOS-SA-2019-1389)
  • NASL familyWeb Servers
    NASL idAPACHE_2_4_28.NASL
    descriptionAccording to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.28. It is, therefore, affected by an HTTP vulnerability related to the <Limit {method}> directive in an .htaccess file. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id103838
    published2017-10-13
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103838
    titleApache 2.4.x < 2.4.28 HTTP Vulnerability (OptionsBleed)
  • NASL familyMisc.
    NASL idORACLE_SECURE_GLOBAL_DESKTOP_APR_2018_CPU.NASL
    descriptionThe version of Oracle Secure Global Desktop installed on the remote host is 5.3 and is missing a security patch from the April 2018 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id109165
    published2018-04-19
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109165
    titleOracle Secure Global Desktop Multiple Vulnerabilities (April 2018 CPU)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-2882.NASL
    descriptionFrom Red Hat Security Advisory 2017:2882 : An update for httpd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798) Red Hat would like to thank Hanno Bock for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id103803
    published2017-10-12
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103803
    titleOracle Linux 7 : httpd (ELSA-2017-2882) (Optionsbleed)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-3193.NASL
    descriptionAn update for httpd is now available for Red Hat Enterprise Linux 7.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * It was discovered that the httpd
    last seen2020-06-01
    modified2020-06-02
    plugin id104539
    published2017-11-14
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104539
    titleRHEL 7 : httpd (RHSA-2017:3193) (Optionsbleed)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-A52F252521.NASL
    descriptionThis is a release fixing a security fix applied upstream, known as
    last seen2020-06-05
    modified2017-09-25
    plugin id103438
    published2017-09-25
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103438
    titleFedora 26 : httpd (2017-a52f252521) (Optionsbleed)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20171011_HTTPD_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)
    last seen2020-03-18
    modified2017-10-12
    plugin id103806
    published2017-10-12
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103806
    titleScientific Linux Security Update : httpd on SL7.x x86_64 (20171011) (Optionsbleed)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-3240.NASL
    descriptionAn update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 and Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 21st November 2017] Previously, this erratum was marked as a replacement of the JBoss Enterprise Application Platform 6.4.16 Natives. This was incorrect; the erratum is an update, not a replacement. The erratum text has been modified to reflect this. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release provides an update to httpd and OpenSSL. The updates are documented in the Release Notes document linked to in the References. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. This release of JBoss Enterprise Application Platform 6.4.18 Natives serves as an update to the JBoss Enterprise Application Platform 6.4.16 Natives and includes bug fixes which are documented in the Release Notes document linked to in the References. All users of Red Hat JBoss Enterprise Application Platform 6.4 Natives are advised to upgrade to these updated packages. Security Fix(es) : * It was discovered that the httpd
    last seen2020-06-01
    modified2020-06-02
    plugin id104699
    published2017-11-20
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104699
    titleRHEL 6 / 7 : JBoss EAP (RHSA-2017:3240) (Optionsbleed)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0118_HTTPD.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has httpd packages installed that are affected by multiple vulnerabilities: - Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte. (CVE-2005-1268) - The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a Transfer-Encoding: chunked header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka HTTP Request Smuggling. (CVE-2005-2088) - ssl_engine_kernel.c in mod_ssl before 2.8.24, when using SSLVerifyClient optional in the global virtual host configuration, does not properly enforce SSLVerifyClient require in a per-location context, which allows remote attackers to bypass intended access restrictions. (CVE-2005-2700) - The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field. (CVE-2005-2728) - Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps. (CVE-2005-3352) - mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL vhost with access control and a custom error 400 error page, allows remote attackers to cause a denial of service (application crash) via a non-SSL request to an SSL port, which triggers a NULL pointer dereference. (CVE-2005-3357) - The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a plaintext injection attack, aka the Project Mogul issue. (CVE-2009-3555) - The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path. (CVE-2010-1452) - fs/ext4/extents.c in the Linux kernel before 3.0 does not mark a modified extent as dirty in certain cases of extent splitting, which allows local users to cause a denial of service (system crash) via vectors involving ext4 umount and mount operations. (CVE-2011-3638) - It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743) - It was discovered that the use of httpd
    last seen2020-06-01
    modified2020-06-02
    plugin id127360
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127360
    titleNewStart CGSL MAIN 4.05 : httpd Multiple Vulnerabilities (NS-SA-2019-0118)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-2972.NASL
    descriptionAn update for httpd is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798) * A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd, causing comments in the
    last seen2020-06-01
    modified2020-06-02
    plugin id104053
    published2017-10-23
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104053
    titleCentOS 6 : httpd (CESA-2017:2972) (Optionsbleed)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2017-261-01.NASL
    descriptionNew httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id103306
    published2017-09-19
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103306
    titleSlackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : httpd (SSA:2017-261-01) (Optionsbleed)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-3476.NASL
    descriptionAn update is now available for JBoss Core Services on RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 3 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak. (CVE-2017-12613) * It was discovered that the use of httpd
    last seen2020-06-01
    modified2020-06-02
    plugin id105368
    published2017-12-19
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105368
    titleRHEL 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.23 (RHSA-2017:3476) (Optionsbleed)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2017-005.NASL
    descriptionThe remote host is running Mac OS X 10.11.6 or Mac OS X 10.12.6 and is missing a security update. It is, therefore, affected by multiple vulnerabilities affecting the following components : - apache - curl - IOAcceleratorFamily - IOKit - Kernel - OpenSSL - Screen Sharing Server
    last seen2020-06-01
    modified2020-06-02
    plugin id105081
    published2017-12-07
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105081
    titlemacOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-002 and 2017-005)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-FDD3A98E8F.NASL
    descriptionThis is a release fixing a security fix applied upstream, known as
    last seen2020-06-05
    modified2018-01-15
    plugin id106018
    published2018-01-15
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106018
    titleFedora 27 : httpd (2017-fdd3a98e8f) (Optionsbleed)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_76B085E29D3311E79260000C292EE6B8.NASL
    descriptionThe Fuzzing Project reports : Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user
    last seen2020-06-01
    modified2020-06-02
    plugin id103344
    published2017-09-20
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103344
    titleFreeBSD : Apache -- HTTP OPTIONS method can leak server memory (76b085e2-9d33-11e7-9260-000c292ee6b8) (Optionsbleed)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-3477.NASL
    descriptionAn update is now available for JBoss Core Services on RHEL 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 3 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak. (CVE-2017-12613) * It was discovered that the use of httpd
    last seen2020-06-01
    modified2020-06-02
    plugin id105369
    published2017-12-19
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105369
    titleRHEL 6 : Red Hat JBoss Core Services Apache HTTP Server 2.4.23 (RHSA-2017:3477) (Optionsbleed)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1102.NASL
    descriptionHanno Boeck discovered that incorrect parsing of Limit directives of .htaccess files by the Apache HTTP Server could result in memory disclosure. For Debian 7
    last seen2020-03-17
    modified2017-09-22
    plugin id103389
    published2017-09-22
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/103389
    titleDebian DLA-1102-1 : apache2 security update (Optionsbleed)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-3194.NASL
    descriptionAn update for httpd is now available for Red Hat Enterprise Linux 7.3 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * It was discovered that the httpd
    last seen2020-06-01
    modified2020-06-02
    plugin id104540
    published2017-11-14
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104540
    titleRHEL 7 : httpd (RHSA-2017:3194) (Optionsbleed)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-389.NASL
    descriptionThis update for VirtualBox to version 5.1.36 fixes multiple issues : Security issues fixed : - CVE-2018-0739: Unauthorized remote attacker may have caused a hang or frequently repeatable crash (complete DOS) - CVE-2018-2830: Attacker with host login may have compromised Virtualbox or further system services after interaction with a third user - CVE-2018-2831: Attacker with host login may have compromised VirtualBox or further system services, allowing read access to some data - CVE-2018-2835: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user - CVE-2018-2836: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user - CVE-2018-2837: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user - CVE-2018-2842: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user - CVE-2018-2843: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user - CVE-2018-2844: Attacker with host login may have gained control over VirtualBox and possibly further system services after interacting with a third user - CVE-2018-2845: Attacker with host login may have caused a hang or frequently repeatable crash (complete DOS), and perform unauthorized read and write operation to some VirtualBox accessible data - CVE-2018-2860: Privileged attacker may have gained control over VirtualBox and possibly further system services http://www.oracle.com/technetwork/security-advisory/cpuapr2018verbose-3678108.html http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixOVIR This update also contains all upstream fixes and improvements in the stable 5.1.36 release.
    last seen2020-06-05
    modified2018-04-24
    plugin id109294
    published2018-04-24
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109294
    titleopenSUSE Security Update : virtualbox (openSUSE-2018-389) (Optionsbleed)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-2972.NASL
    descriptionFrom Red Hat Security Advisory 2017:2972 : An update for httpd is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798) * A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd, causing comments in the
    last seen2020-06-01
    modified2020-06-02
    plugin id104002
    published2017-10-20
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104002
    titleOracle Linux 6 : httpd (ELSA-2017-2972) (Optionsbleed)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1419.NASL
    descriptionAccording to the versions of the httpd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.(CVE-2014-0098) - A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the
    last seen2020-06-01
    modified2020-06-02
    plugin id124922
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124922
    titleEulerOS Virtualization 3.0.1.0 : httpd (EulerOS-SA-2019-1419)
  • NASL familyWeb Servers
    NASL idSUN_JAVA_WEB_SERVER_7_0_27.NASL
    descriptionAccording to its self-reported version, the Oracle iPlanet Web Server (formerly known as Sun Java System Web Server) running on the remote host is 7.0.x prior to 7.0.27 Patch 26834070. It is, therefore, affected by an unspecified vulnerability in the Network Security Services (NSS) library with unknown impact.
    last seen2020-06-01
    modified2020-06-02
    plugin id106349
    published2018-01-25
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106349
    titleOracle iPlanet Web Server 7.0.x < 7.0.27 NSS Unspecified Vulnerability (January 2018 CPU)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3425-1.NASL
    descriptionHanno Bock discovered that the Apache HTTP Server incorrectly handled Limit directives in .htaccess files. In certain configurations, a remote attacker could possibly use this issue to read arbitrary server memory, including sensitive information. This issue is known as Optionsbleed. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id103356
    published2017-09-20
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103356
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.04 : apache2 vulnerability (USN-3425-1) (Optionsbleed)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1253.NASL
    descriptionAccording to the version of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-11-01
    plugin id104278
    published2017-11-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104278
    titleEulerOS 2.0 SP2 : httpd (EulerOS-SA-2017-1253)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2907-1.NASL
    descriptionThis update for apache2 fixes the following issues : - Allow disabling SNI on proxy connections using
    last seen2020-06-01
    modified2020-06-02
    plugin id104270
    published2017-10-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104270
    titleSUSE SLES11 Security Update : apache2 (SUSE-SU-2017:2907-1) (Optionsbleed)
  • NASL familyCGI abuses
    NASL idORACLE_PRIMAVERA_P6_EPPM_CPU_APR_2019.NASL
    descriptionAccording to its self-reported version number, the Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) installation running on the remote web server is 8.4 prior to 8.4.15.10, 15.x prior to 15.2.18.4, 16.x prior to 16.2.17.2, 17.x prior to 17.12.12.0, or 18.x prior to 18.8.8.0. It is, therefore, affected by multiple vulnerabilities: - A deserialization vulnerability in Apache Commons FileUpload allows for remote code execution. (CVE-2016-1000031) - A denial of service vulnerability in the bundled third-party component OpenSSL library
    last seen2020-06-01
    modified2020-06-02
    plugin id124169
    published2019-04-19
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124169
    titleOracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (Apr 2019 CPU)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2756-1.NASL
    descriptionThis update for apache2 fixes several issues. These security issues were fixed : - CVE-2017-9798: Prevent use-after-free use of memory that allowed for an information leak via OPTIONS (bsc#1058058) - CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest could have led to leakage of potentially confidential information, and a segfault in other cases resulting in DoS (bsc#1048576). - CVE-2017-7679: mod_mime could have read one byte past the end of a buffer when sending a malicious Content-Type response header (bsc#1045060). - CVE-2017-3169: mod_ssl may have dereferenced a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port allowing for DoS (bsc#1045062). - CVE-2017-3167: Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may have led to authentication requirements being bypassed (bsc#1045065). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id103961
    published2017-10-19
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103961
    titleSUSE SLES12 Security Update : apache2 (SUSE-SU-2017:2756-1) (Optionsbleed)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20171019_HTTPD_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798) - A regression was found in the Scientific Linux 6.9 version of httpd, causing comments in the
    last seen2020-03-18
    modified2017-10-20
    plugin id104007
    published2017-10-20
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104007
    titleScientific Linux Security Update : httpd on SL6.x i386/x86_64 (20171019) (Optionsbleed)
  • NASL familyWeb Servers
    NASL idORACLE_HTTP_SERVER_CPU_JAN_2018.NASL
    descriptionThe version of Oracle HTTP Server installed on the remote host is affected by multiple vulnerabilities as noted in the January 2018 CPU advisory.
    last seen2020-03-18
    modified2018-01-24
    plugin id106299
    published2018-01-24
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106299
    titleOracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (January 2018 CPU)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2882.NASL
    descriptionAn update for httpd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es) : * A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798) Red Hat would like to thank Hanno Bock for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id103804
    published2017-10-12
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103804
    titleRHEL 7 : httpd (RHSA-2017:2882) (Optionsbleed)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3980.NASL
    descriptionHanno Boeck discovered that incorrect parsing of Limit directives of .htaccess files by the Apache HTTP Server could result in memory disclosure.
    last seen2020-06-01
    modified2020-06-02
    plugin id103364
    published2017-09-21
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103364
    titleDebian DSA-3980-1 : apache2 - security update (Optionsbleed)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2542-1.NASL
    descriptionThis update for apache2 fixes the following security issue : - CVE-2017-9798: Prevent use-after-free use of memory that allowed for an information leak via OPTIONS (bsc#1058058). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id103413
    published2017-09-22
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103413
    titleSUSE SLES12 Security Update : apache2 (SUSE-SU-2017:2542-1) (Optionsbleed)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2718-1.NASL
    descriptionThis update for apache2 fixes one issue. This security issue was fixed : - CVE-2017-9798: Prevent use-after-free use of memory that allowed for an information leak via OPTIONS (bsc#1058058) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id103833
    published2017-10-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103833
    titleSUSE SLES12 Security Update : apache2 (SUSE-SU-2017:2718-1) (Optionsbleed)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1252.NASL
    descriptionAccording to the version of the httpd packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-11-01
    plugin id104277
    published2017-11-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104277
    titleEulerOS 2.0 SP1 : httpd (EulerOS-SA-2017-1252)

Redhat

advisories
  • bugzilla
    id1490344
    titleCVE-2017-9798 httpd: Use-after-free by limiting unregistered HTTP method (Optionsbleed)
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commenthttpd-manual is earlier than 0:2.4.6-67.el7_4.5
            ovaloval:com.redhat.rhsa:tst:20172882001
          • commenthttpd-manual is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20111245022
        • AND
          • commentmod_session is earlier than 0:2.4.6-67.el7_4.5
            ovaloval:com.redhat.rhsa:tst:20172882003
          • commentmod_session is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20140921012
        • AND
          • commenthttpd-tools is earlier than 0:2.4.6-67.el7_4.5
            ovaloval:com.redhat.rhsa:tst:20172882005
          • commenthttpd-tools is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20111245030
        • AND
          • commentmod_proxy_html is earlier than 1:2.4.6-67.el7_4.5
            ovaloval:com.redhat.rhsa:tst:20172882007
          • commentmod_proxy_html is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20140921016
        • AND
          • commentmod_ssl is earlier than 1:2.4.6-67.el7_4.5
            ovaloval:com.redhat.rhsa:tst:20172882009
          • commentmod_ssl is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20111245026
        • AND
          • commenthttpd is earlier than 0:2.4.6-67.el7_4.5
            ovaloval:com.redhat.rhsa:tst:20172882011
          • commenthttpd is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20111245028
        • AND
          • commenthttpd-devel is earlier than 0:2.4.6-67.el7_4.5
            ovaloval:com.redhat.rhsa:tst:20172882013
          • commenthttpd-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20111245024
        • AND
          • commentmod_ldap is earlier than 0:2.4.6-67.el7_4.5
            ovaloval:com.redhat.rhsa:tst:20172882015
          • commentmod_ldap is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20140921014
    rhsa
    idRHSA-2017:2882
    released2017-10-11
    severityModerate
    titleRHSA-2017:2882: httpd security update (Moderate)
  • bugzilla
    id1493056
    titleCVE-2017-12171 httpd: # character matches all IPs
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 6 is installed
        ovaloval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • commenthttpd-manual is earlier than 0:2.2.15-60.el6_9.6
            ovaloval:com.redhat.rhsa:tst:20172972001
          • commenthttpd-manual is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20111245022
        • AND
          • commentmod_ssl is earlier than 1:2.2.15-60.el6_9.6
            ovaloval:com.redhat.rhsa:tst:20172972003
          • commentmod_ssl is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20111245026
        • AND
          • commenthttpd is earlier than 0:2.2.15-60.el6_9.6
            ovaloval:com.redhat.rhsa:tst:20172972005
          • commenthttpd is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20111245028
        • AND
          • commenthttpd-devel is earlier than 0:2.2.15-60.el6_9.6
            ovaloval:com.redhat.rhsa:tst:20172972007
          • commenthttpd-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20111245024
        • AND
          • commenthttpd-tools is earlier than 0:2.2.15-60.el6_9.6
            ovaloval:com.redhat.rhsa:tst:20172972009
          • commenthttpd-tools is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20111245030
    rhsa
    idRHSA-2017:2972
    released2017-10-19
    severityModerate
    titleRHSA-2017:2972: httpd security update (Moderate)
  • rhsa
    idRHSA-2017:3018
  • rhsa
    idRHSA-2017:3113
  • rhsa
    idRHSA-2017:3114
  • rhsa
    idRHSA-2017:3193
  • rhsa
    idRHSA-2017:3194
  • rhsa
    idRHSA-2017:3195
  • rhsa
    idRHSA-2017:3239
  • rhsa
    idRHSA-2017:3240
  • rhsa
    idRHSA-2017:3475
  • rhsa
    idRHSA-2017:3476
  • rhsa
    idRHSA-2017:3477
rpms
  • httpd-0:2.4.6-67.el7_4.5
  • httpd-debuginfo-0:2.4.6-67.el7_4.5
  • httpd-devel-0:2.4.6-67.el7_4.5
  • httpd-manual-0:2.4.6-67.el7_4.5
  • httpd-tools-0:2.4.6-67.el7_4.5
  • mod_ldap-0:2.4.6-67.el7_4.5
  • mod_proxy_html-1:2.4.6-67.el7_4.5
  • mod_session-0:2.4.6-67.el7_4.5
  • mod_ssl-1:2.4.6-67.el7_4.5
  • httpd-0:2.2.15-60.el6_9.6
  • httpd-debuginfo-0:2.2.15-60.el6_9.6
  • httpd-devel-0:2.2.15-60.el6_9.6
  • httpd-manual-0:2.2.15-60.el6_9.6
  • httpd-tools-0:2.2.15-60.el6_9.6
  • mod_ssl-1:2.2.15-60.el6_9.6
  • httpd24-0:1.1-18.el6
  • httpd24-0:1.1-18.el7
  • httpd24-curl-0:7.47.1-4.el7
  • httpd24-curl-debuginfo-0:7.47.1-4.el7
  • httpd24-httpd-0:2.4.27-8.el6
  • httpd24-httpd-0:2.4.27-8.el7
  • httpd24-httpd-debuginfo-0:2.4.27-8.el6
  • httpd24-httpd-debuginfo-0:2.4.27-8.el7
  • httpd24-httpd-devel-0:2.4.27-8.el6
  • httpd24-httpd-devel-0:2.4.27-8.el7
  • httpd24-httpd-manual-0:2.4.27-8.el6
  • httpd24-httpd-manual-0:2.4.27-8.el7
  • httpd24-httpd-tools-0:2.4.27-8.el6
  • httpd24-httpd-tools-0:2.4.27-8.el7
  • httpd24-libcurl-0:7.47.1-4.el7
  • httpd24-libcurl-devel-0:7.47.1-4.el7
  • httpd24-libnghttp2-0:1.7.1-6.el7
  • httpd24-libnghttp2-devel-0:1.7.1-6.el7
  • httpd24-mod_auth_kerb-0:5.4-33.el7
  • httpd24-mod_auth_kerb-debuginfo-0:5.4-33.el7
  • httpd24-mod_ldap-0:2.4.27-8.el6
  • httpd24-mod_ldap-0:2.4.27-8.el7
  • httpd24-mod_proxy_html-1:2.4.27-8.el6
  • httpd24-mod_proxy_html-1:2.4.27-8.el7
  • httpd24-mod_session-0:2.4.27-8.el6
  • httpd24-mod_session-0:2.4.27-8.el7
  • httpd24-mod_ssl-1:2.4.27-8.el6
  • httpd24-mod_ssl-1:2.4.27-8.el7
  • httpd24-nghttp2-0:1.7.1-6.el7
  • httpd24-nghttp2-debuginfo-0:1.7.1-6.el7
  • httpd24-runtime-0:1.1-18.el6
  • httpd24-runtime-0:1.1-18.el7
  • httpd24-scldevel-0:1.1-18.el6
  • httpd24-scldevel-0:1.1-18.el7
  • httpd-0:2.2.26-57.ep6.el6
  • httpd-debuginfo-0:2.2.26-57.ep6.el6
  • httpd-devel-0:2.2.26-57.ep6.el6
  • httpd-manual-0:2.2.26-57.ep6.el6
  • httpd-tools-0:2.2.26-57.ep6.el6
  • httpd22-0:2.2.26-58.ep6.el7
  • httpd22-debuginfo-0:2.2.26-58.ep6.el7
  • httpd22-devel-0:2.2.26-58.ep6.el7
  • httpd22-manual-0:2.2.26-58.ep6.el7
  • httpd22-tools-0:2.2.26-58.ep6.el7
  • jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6
  • jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7
  • jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6
  • jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7
  • jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6
  • jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7
  • jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6
  • jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7
  • jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6
  • jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7
  • jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6
  • jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7
  • mod_cluster-native-0:1.2.13-9.Final_redhat_2.ep6.el6
  • mod_cluster-native-0:1.2.13-9.Final_redhat_2.ep6.el7
  • mod_cluster-native-debuginfo-0:1.2.13-9.Final_redhat_2.ep6.el6
  • mod_cluster-native-debuginfo-0:1.2.13-9.Final_redhat_2.ep6.el7
  • mod_ldap-0:2.2.26-57.ep6.el6
  • mod_ldap22-0:2.2.26-58.ep6.el7
  • mod_ssl-1:2.2.26-57.ep6.el6
  • mod_ssl22-1:2.2.26-58.ep6.el7
  • tomcat6-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-admin-webapps-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-admin-webapps-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-docs-webapp-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-docs-webapp-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-el-2.1-api-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-el-2.1-api-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-javadoc-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-javadoc-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-jsp-2.1-api-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-jsp-2.1-api-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-lib-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-lib-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-log4j-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-log4j-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-maven-devel-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-maven-devel-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-servlet-2.5-api-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-servlet-2.5-api-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-webapps-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-webapps-0:6.0.41-19_patch_04.ep6.el7
  • tomcat7-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-admin-webapps-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-admin-webapps-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-docs-webapp-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-docs-webapp-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-el-2.2-api-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-el-2.2-api-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-javadoc-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-javadoc-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-jsp-2.2-api-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-jsp-2.2-api-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-lib-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-lib-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-log4j-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-log4j-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-maven-devel-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-maven-devel-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-servlet-3.0-api-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-servlet-3.0-api-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-webapps-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-webapps-0:7.0.54-28_patch_05.ep6.el7
  • httpd-0:2.4.6-40.el7_2.6
  • httpd-debuginfo-0:2.4.6-40.el7_2.6
  • httpd-devel-0:2.4.6-40.el7_2.6
  • httpd-manual-0:2.4.6-40.el7_2.6
  • httpd-tools-0:2.4.6-40.el7_2.6
  • mod_ldap-0:2.4.6-40.el7_2.6
  • mod_proxy_html-1:2.4.6-40.el7_2.6
  • mod_session-0:2.4.6-40.el7_2.6
  • mod_ssl-1:2.4.6-40.el7_2.6
  • httpd-0:2.4.6-45.el7_3.5
  • httpd-debuginfo-0:2.4.6-45.el7_3.5
  • httpd-devel-0:2.4.6-45.el7_3.5
  • httpd-manual-0:2.4.6-45.el7_3.5
  • httpd-tools-0:2.4.6-45.el7_3.5
  • mod_ldap-0:2.4.6-45.el7_3.5
  • mod_proxy_html-1:2.4.6-45.el7_3.5
  • mod_session-0:2.4.6-45.el7_3.5
  • mod_ssl-1:2.4.6-45.el7_3.5
  • httpd-0:2.2.15-47.el6_7.5
  • httpd-debuginfo-0:2.2.15-47.el6_7.5
  • httpd-devel-0:2.2.15-47.el6_7.5
  • httpd-manual-0:2.2.15-47.el6_7.5
  • httpd-tools-0:2.2.15-47.el6_7.5
  • mod_ssl-1:2.2.15-47.el6_7.5
  • jbcs-httpd24-httpd-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-httpd-debuginfo-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-httpd-devel-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-httpd-libs-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-httpd-manual-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-httpd-selinux-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-httpd-tools-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-mod_bmx-0:0.9.6-15.GA.jbcs.el7
  • jbcs-httpd24-mod_bmx-debuginfo-0:0.9.6-15.GA.jbcs.el7
  • jbcs-httpd24-mod_cluster-native-0:1.3.8-1.Final_redhat_1.jbcs.el7
  • jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.8-1.Final_redhat_1.jbcs.el7
  • jbcs-httpd24-mod_ldap-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-mod_proxy_html-1:2.4.23-125.jbcs.el7
  • jbcs-httpd24-mod_session-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-mod_ssl-1:2.4.23-125.jbcs.el7
  • jbcs-httpd24-httpd-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-httpd-debuginfo-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-httpd-devel-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-httpd-libs-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-httpd-manual-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-httpd-selinux-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-httpd-tools-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-mod_bmx-0:0.9.6-15.GA.jbcs.el6
  • jbcs-httpd24-mod_bmx-debuginfo-0:0.9.6-15.GA.jbcs.el6
  • jbcs-httpd24-mod_cluster-native-0:1.3.8-1.Final_redhat_1.jbcs.el6
  • jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.8-1.Final_redhat_1.jbcs.el6
  • jbcs-httpd24-mod_ldap-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-mod_proxy_html-1:2.4.23-125.jbcs.el6
  • jbcs-httpd24-mod_session-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-mod_ssl-1:2.4.23-125.jbcs.el6

Seebug

bulletinFamilyexploit
descriptionIf you're using the HTTP protocol in everyday Internet use you are usually only using two of its methods: GET and POST. However HTTP has a number of other methods, so I wondered what you can do with them and if there are any vulnerabilities.

One HTTP method is called OPTIONS. It simply allows asking a server which other HTTP methods it supports. The server answers with the "Allow" header and gives us a comma separated list of supported methods.

A scan of the Alexa Top 1 Million revealed something strange: Plenty of servers sent out an "Allow" header with what looked like corrupted data. Some examples:

```
Allow: ,GET,,,POST,OPTIONS,HEAD,,
Allow: POST,OPTIONS,,HEAD,:09:44 GMT
Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE
```

That clearly looked interesting - and dangerous. It suspiciously looked like a "bleed"-style bug, which has become a name for bugs where arbitrary pieces of memory are leaked to a potential attacker. However these were random servers on the Internet, so at first I didn't know what software was causing this.

Sometimes HTTP servers send a "Server" header telling the software. However one needs to be aware that the "Server" header can lie. It's quite common to have one HTTP server proxying another. I got all kinds of different "Server" headers back, but I very much suspected that these were all from the same bug.

I tried to contact the affected server operators, but only one of them answered, and he was extremely reluctant to tell me anything about his setup, so that wasn't very helpful either.

However I got one clue: Some of the corrupted headers contained strings that were clearly configuration options from Apache. It seemed quite unlikely that those would show up in the memory of other server software. But I was unable to reproduce anything alike on my own Apache servers. I also tried reading the code that put together the Allow header to see if I can find any clues, but with no success. So without knowing any details I contacted the Apache security team.

Fortunately Apache developer Jacob Champion dug into it and figured out what was going on: Apache supports a configuration directive Limit that allows restricting access to certain HTTP methods to a specific user. And if one sets the [Limit](https://httpd.apache.org/docs/2.4/mod/core.html#limit) directive in an .htaccess file for an HTTP method that's not globally registered in the server then the corruption happens. After that I was able to reproduce it myself. Setting a Limit directive for any invalid HTTP method in an .htaccess file caused a use after free error in the construction of the Allow header which was also [detectable with Address Sanitizer](https://blog.fuzzing-project.org/uploads/optionsbleed-asan.txt). (However ASAN doesn't work reliably due to the memory allocation abstraction done by APR.)

### FAQ

#### What's Optionsbleed?

Optionsbleed is a use after free error in Apache HTTP that causes a corrupted Allow header to be constructed in response to HTTP OPTIONS requests. This can leak pieces of arbitrary memory from the server process that may contain secrets. The memory pieces change after multiple requests, so for a vulnerable host an arbitrary number of memory chunks can be leaked.

The bug appears if a webmaster tries to use the "Limit" directive with an invalid HTTP method.

Example `.htaccess`:

```
<Limit abcxyz>
</Limit>
```

#### How prevalent is it?

Scanning the Alexa Top 1 Million revealed 466 hosts with corrupted Allow headers. In theory it's possible that other server software has similar bugs. On the other hand this bug is nondeterministic, so not all vulnerable hosts may have been caught.

#### So it only happens if you set a quite unusual configuration option?

There's an additional risk in shared hosting environments. The corruption is not limited to a single virtual host. One customer of a shared hosting provider could deliberately create an .htaccess file causing this corruption hoping to be able to extract secret data from other hosts on the same system.

#### I can't reproduce it!

Due to its nature the bug doesn't appear deterministically. It only seems to appear on busy servers. Sometimes it only appears after multiple requests.

#### Does it have a CVE?

[CVE-2017-9798](https://nvd.nist.gov/vuln/detail/CVE-2017-9798).

#### I'm seeing Allow headers containing HEAD multiple times!

This is actually a different Apache bug ([#61207](https://bz.apache.org/bugzilla/show_bug.cgi?id=61207)) that I found during this investigation. It causes HEAD to appear three times instead of once. However it's harmless and not a security bug.

Launchpad also has [a harmless bug that produces a malformed Allow header](https://bugs.launchpad.net/launchpad/+bug/1717682), using a space-separated list instead of a comma-separated one.

#### How can I test it?

A simple way is to use Curl in a loop and send OPTIONS requests:

```
for i in {1..100}; do curl -sI -X OPTIONS https://www.google.com/|grep -i "allow:"; done
```

Depending on the server configuration it may not answer to OPTIONS requests on some URLs. Trying different paths, HTTP versus HTTPS hosts, non-www versus www etc. may lead to different results.

Please note that this bug does not show up with the "*" OPTIONS target, you need a specific path.

Here's a [python proof of concept script](https://github.com/hannob/optionsbleed).

#### What shall I do?

If you run an Apache web server you should update. Most distributions should have updated packages by now or very soon. A patch can [be found here](https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch). A patch for Apache 2.2 is [available here](https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch) (thanks to Thomas Deutschmann for backporting it).

Unfortunately the communication with the Apache security team wasn't ideal. They were unable to provide a timeline for a coordinated release with a fix, so I decided to define a disclosure date on my own without an upstream fix.

If you run an Apache web server in a shared hosting environment that allows users to create .htaccess files you should drop everything you do right now, update immediately and make sure you restart the server afterwards.

#### Is this as bad as Heartbleed?

No. Although similar in nature, this bug leaks only small chunks of memory and more importantly only affects a small number of hosts by default.

It's still a pretty bad bug, particularly for shared hosting environments.
idSSV:96537
last seen2017-11-19
modified2017-09-19
published2017-09-19
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-96537
titleHTTP OPTIONS method can leak Apache's server memory(CVE-2017-9798) (Optionsbleed)
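
A triage helper for the Allow header corruption described in the write-up above, as an added example that is not part of the original post or of the linked proof-of-concept script. It classifies Allow values already captured from your own servers (for instance the output of the curl loop) and separates the corruption pattern from the two harmless anomalies the FAQ mentions; the `KNOWN` method set, the verdict names and the function names are assumptions of this example.

```python
import re
from collections import Counter

# RFC 7230 "token": the only characters a legal HTTP method name may contain.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Methods treated as expected (assumption: extend this set for your own servers).
KNOWN = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
         "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Verdicts ordered from least to most worrying.
SEVERITY = ["ok", "harmless", "review", "suspect"]


def classify_allow(value):
    """Classify one Allow header value; returns (verdict, [reasons])."""
    value = value.strip()
    if not value:
        return "ok", []  # an empty Allow list is legal

    # Launchpad-style anomaly: legal method names separated by spaces, no commas.
    words = value.split()
    if "," not in value and len(words) > 1 and all(TOKEN.fullmatch(w) for w in words):
        return "harmless", ["space-separated list"]

    elements = [e.strip() for e in value.split(",")]
    reasons = []
    empties = sum(1 for e in elements if not e)
    if empties:
        reasons.append(f"{empties} empty element(s)")
    bad = [e for e in elements if e and not TOKEN.fullmatch(e)]
    if bad:
        reasons.append(f"{len(bad)} element(s) with non-method characters")
    if reasons:
        # Matches the corrupted headers quoted in the write-up.
        return "suspect", reasons

    # Syntactically valid names that no server should be advertising by default.
    unknown = sorted({e for e in elements if e.upper() not in KNOWN})
    if unknown:
        return "review", ["unrecognised method name(s): " + ", ".join(unknown)]

    # Apache bug #61207 style anomaly: a valid method listed more than once.
    dupes = sorted(m for m, n in Counter(elements).items() if n > 1)
    if dupes:
        return "harmless", ["repeated method(s): " + ", ".join(dupes)]
    return "ok", []


def summarize(header_lines):
    """Classify every Allow line in captured response headers for one host.

    The bug is nondeterministic, so feed in the headers of many responses and
    act on the worst verdict seen, not on the most common one.
    """
    counts = Counter()
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            counts[classify_allow(value)[0]] += 1
    worst = max(counts, key=SEVERITY.index, default=None)
    return worst, dict(counts)


# Sample input: the first three Allow lines are quoted from the write-up,
# the remaining lines are constructed for this example.
SAMPLE = [
    "Server: Apache",
    "Allow: ,GET,,,POST,OPTIONS,HEAD,,",
    "Allow: POST,OPTIONS,,HEAD,:09:44 GMT",
    "Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE",
    "Allow: GET,HEAD,POST,OPTIONS",
    "Allow: GET,HEAD,HEAD,HEAD,POST,OPTIONS",
    "Allow: GET HEAD POST",
]

if __name__ == "__main__":
    for line in SAMPLE:
        if line.lower().startswith("allow:"):
            print(classify_allow(line.partition(":")[2]), "<-", line)
    print(summarize(SAMPLE))
```

A "suspect" verdict on any response from a host is the signal to check its httpd package against the fixed versions listed on this page; "review" covers a syntactically valid but unexpected method name, which this heuristic cannot tell apart from a legitimately registered custom method.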

References