| VID |
22856 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
According to its banner, the version of Apache 2.4 installed on the remote host is a version prior to 2.4.34. It is, therefore, affected by the following vulnerabilities :
- By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. (CVE-2018-1333)
- By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. (CVE-2018-8011)
* Note: This check solely relied on the version number of the remote Web server to assess this vulnerability, so this might be a false positive.
* References:
https://archive.apache.org/dist/httpd/CHANGES_2.4.34
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.34
* Platforms Affected:
Apache HTTP versions 2.4.x prior to 2.4.34
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of Apache HTTP Server (2.4.34 or later), available from the Apache Software Foundation download site, http://httpd.apache.org/download.cgi |
| Related URL |
CVE-2018-1333,CVE-2018-8011 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
