| VID |
22481 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.15. Such versions are potentially affected by multiple vulnerabilities.
- A TLS renegotiation prefix injection attack is possible. (CVE-2009-3555)
- The 'mod_proxy_ajp' module returns the wrong status code if it encounters an error which causes the back-end server to be put into an error state. (CVE-2010-0408)
- The 'mod_isapi' attempts to unload the 'ISAPI.dll' when it encounters various error states which could leave call-backs in an undefined state. (CVE-2010-0425)
- A flaw in the core sub-request process code can lead to sensitive information from a request being handled by the wrong thread if a multi-threaded environment is used. (CVE-2010-0434)
* Note: This check solely relied on the version number of the remote Web server to assess this vulnerability, so this might be a false positive.
* References:
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=48359
http://www.apache.org/dist/httpd/CHANGES_2.2.15
* Platforms Affected:
Apache HTTP versions prior to 2.2.15
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of Apache HTTP Server (2.2.15 or later), available from the Apache Software Foundation download site, http://httpd.apache.org/download.cgi
-- OR --
As a workaround, ensure that the affected modules are not in use. |
| Related URL |
CVE-2009-3555,CVE-2010-0408,CVE-2010-0425,CVE-2010-0434 (CVE) |
| Related URL |
36935,38491,38494,38580 (SecurityFocus) |
| Related URL |
(ISS) |
|
