| VID |
22689 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
According to its banner, the version of Apache 2.4 installed on the remote host is a version prior to 2.4.16. It is, therefore, affected by the following vulnerabilities :
- A flaw exists in the lua_websocket_read() function in the 'mod_lua' module due to incorrect handling of WebSocket PING frames. A remote attacker can exploit this, by sending a crafted WebSocket PING frame after a Lua script has called the wsupgrade() function, to crash a child process, resulting in a denial of service condition. (CVE-2015-0228)
- A NULL pointer dereference flaw exists in the read_request_line() function due to a failure to initialize the protocol structure member. A remote attacker can exploit this flaw, on installations that enable the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI, by sending a request that lacks a method, to cause a denial of service condition. (CVE-2015-0253)
- A flaw exists in the chunked transfer coding implementation due to a failure to properly parse chunk headers. A remote attacker can exploit this to conduct HTTP request smuggling attacks. (CVE-2015-3183)
- A flaw exists in the ap_some_auth_required() function due to a failure to consider that a Require directive may be associated with an authorization setting rather than an authentication setting. A remote attacker can exploit this, if a module that relies on the 2.2 API behavior exists, to bypass intended access restrictions. (CVE-2015-3185)
- A flaw exists in the RC4 algorithm due to an initial double-byte bias in the keystream generation. An attacker can exploit this, via Bayesian analysis that combines an a priori plaintext distribution with keystream distribution statistics, to conduct a plaintext recovery of the ciphertext. Note that RC4 cipher suites are prohibited per RFC 7465. This issue was fixed in Apache version 2.4.13 however, 2.4.13, 2.4.14, and 2.4.15 were never publicly released. (OSVDB 128186)
* Note: This check solely relied on the version number of the remote Web server to assess this vulnerability, so this might be a false positive.
* References:
http://www.apache.org/dist/httpd/CHANGES_2.4.16
http://httpd.apache.org/security/vulnerabilities_24.html
* Platforms Affected:
Apache HTTP versions 2.4.x prior to 2.4.16
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of Apache HTTP Server (2.4.16 or later), available from the Apache Software Foundation download site, http://httpd.apache.org/download.cgi |
| Related URL |
CVE-2015-0228,CVE-2015-0253,CVE-2015-3183,CVE-2015-3185 (CVE) |
| Related URL |
73041,75963,75964,75965 (SecurityFocus) |
| Related URL |
(ISS) |
|
