SB2016010704 - Multiple vulnerabilities in HP-UX Web Server Suite
Published: January 7, 2016 Updated: April 27, 2023
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Man-in-the-middle attack (CVE-ID: CVE-2015-4000)
The vulnerability allows a remote attacker to decrypt TLS connections in certain situations. The vulnerability exists due to a boundary error when parsing HTTP requests. A remote unauthenticated attacker can conduct a man-in-the-middle attack that causes the target system to downgrade the Diffie-Hellman key exchange to 512-bit export-grade cryptography.
Successful exploitation of this vulnerability may result in modification of authentication information.
2) Information disclosure (CVE-ID: CVE-2015-2808)
The vulnerability allows a remote attacker to obtain potentially sensitive information communicated by the target system. The vulnerability exists due to an access control error. A remote unauthenticated attacker can capture RC4-encrypted data by monitoring TLS network traffic and conduct a brute-force key guessing attack against it.
Successful exploitation of this vulnerability may result in disclosure of system information.
3) Input validation error (CVE-ID: CVE-2015-3183)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.
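As an added illustration of the chunk-header parsing point (not code from this bulletin or from the Apache project), the following is a strict parser for one chunk-size line that rejects oversized sizes and malformed chunk extensions, shown beside the lenient style whose disagreements with a strict peer are what make request smuggling possible. The 8-hex-digit cap is an assumption, not a figure from the page.

```python
import string

# Characters allowed in an RFC 7230 token (extension names and unquoted values).
TCHARS = "!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters
MAX_HEX_DIGITS = 8  # assumed cap: keeps the size within 32 bits, no silent wraparound


def _valid_chunk_ext(ext: str) -> bool:
    """*( ";" token [ "=" ( token / quoted-string ) ] ) with no whitespace anywhere."""
    n, i = len(ext), 0
    while i < n:
        if ext[i] != ";":
            return False
        j = n - len(ext[i + 1:].lstrip(TCHARS))     # end of the extension name
        if j == i + 1:                              # empty name
            return False
        i = j
        if i < n and ext[i] == "=":
            if ext[i + 1:i + 2] == '"':             # quoted-string value
                i += 2
                while i < n and ext[i] != '"':
                    i += 2 if ext[i] == "\\" else 1 # quoted-pair skips one char
                if i >= n:                          # unterminated quote
                    return False
                i += 1
            else:                                   # token value
                j = n - len(ext[i + 1:].lstrip(TCHARS))
                if j == i + 1:
                    return False
                i = j
    return True


def parse_chunk_size(line: bytes):
    """Size of a well-formed chunk-size line, or None when it must be rejected:
    no CRLF, non-ASCII, zero or too many hex digits, whitespace, bad extension."""
    if not line.endswith(b"\r\n"):
        return None
    try:
        body = line[:-2].decode("ascii")
    except UnicodeDecodeError:
        return None
    digits = len(body) - len(body.lstrip(string.hexdigits))
    if digits == 0 or digits > MAX_HEX_DIGITS or not _valid_chunk_ext(body[digits:]):
        return None
    return int(body[:digits], 16)


def lenient_chunk_size(line: bytes) -> int:
    """The permissive style that lets two hops disagree on where a chunk ends."""
    return int(line.split(b";")[0].strip(), 16)
```

Every line the strict parser returns None for is one a lenient front end or back end might still accept, and it is exactly that difference in message boundaries that a smuggling attempt relies on, so both ends of a proxy chain should parse identically and reject on doubt.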
Remediation
Install the update from the vendor's website.