| VID |
22629 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
According to its banner, the version of Apache 2.4 installed on the remote host is a version prior to 2.4.10. It is, therefore, affected by the following vulnerabilities :
- A flaw exists in the 'mod_proxy' module that may allow an attacker to send a specially crafted request to a server configured as a reverse proxy that may cause the child process to crash. This could potentially lead to a denial of service attack. (CVE-2014-0117)
- A flaw exists in the 'mod_deflate' module when request body decompression is configured. This could allow a remote attacker to cause the server to consume significant resources. (CVE-2014-0118)
- A flaw exists in the 'mod_status' module when a publicly accessible server status page is in place. This could allow an attacker to send a specially crafted request designed to cause a heap buffer overflow. (CVE-2014-0226)
- A flaw exists in the 'mod_cgid' module in which CGI scripts that did not consume standard input may be manipulated in order to cause child processes to hang. A remote attacker may be able to abuse this in order to cause a denial of service. (CVE-2014-0231)
- A flaw exists in WinNT MPM versions 2.4.1 to 2.4.9 when using the default AcceptFilter. An attacker may be able to specially craft requests that create a memory leak in the application and may eventually lead to a denial of service attack. (CVE-2014-3523) |
| Recommendation |
Upgrade to the latest version of Apache HTTP Server (2.4.10 or later), available from the Apache Software Foundation download site, http://httpd.apache.org/download.cgi |
| Related URL |
CVE-2014-0117,CVE-2014-0118,CVE-2014-0226,CVE-2014-0231,CVE-2014-3523 (CVE) |
| Related URL |
68740,68745,68678,68742,68747 (SecurityFocus) |
| Related URL |
(ISS) |
|
