Gentoo update for Apache HTTPD



| Updated: 2024-12-19
Risk High
Patch available YES
Number of vulnerabilities 14
CVE-ID CVE-2023-38709
CVE-2024-24795
CVE-2024-27316
CVE-2024-36387
CVE-2024-38472
CVE-2024-38473
CVE-2024-38474
CVE-2024-38475
CVE-2024-38476
CVE-2024-38477
CVE-2024-39573
CVE-2024-39884
CVE-2024-40725
CVE-2024-40898
CWE-ID CWE-113
CWE-400
CWE-476
CWE-918
CWE-20
CWE-200
Exploitation vector Network
Public exploit Public exploit code for vulnerability #3 is available.
Public exploit code for vulnerability #5 is available.
Public exploit code for vulnerability #6 is available.
Public exploit code for vulnerability #8 is available.
Public exploit code for vulnerability #13 is available.
Public exploit code for vulnerability #14 is available.
Vulnerable software
Gentoo Linux
Operating systems & Components / Operating system

www-servers/apache
Operating systems & Components / Operating system package or component

Vendor Gentoo

Security Bulletin

This security bulletin contains information about 14 vulnerabilities.

1) HTTP response splitting

EUVDB-ID: #VU88151

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-38709

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform HTTP splitting attacks.

The vulnerability exists due to software does not correctly process CRLF character sequences. A malicious or exploitable backend/content generators can send specially crafted response containing CRLF sequence and make the application to send a split HTTP response.

Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.

Mitigation

Update the affected packages.
www-servers/apache to version: 2.4.62

Vulnerable software versions

Gentoo Linux: All versions

www-servers/apache: before 2.4.62

CPE2.3 External links

http://security.gentoo.org/glsa/202409-31


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) HTTP response splitting

EUVDB-ID: #VU88152

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-24795

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform HTTP splitting attacks.

The vulnerability exists due to software does not correctly process CRLF character sequences in multiple modules. A remote attacker can inject malicious response headers into backend applications and perform an HTTP desynchronization attack.

Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.

Mitigation

Update the affected packages.
www-servers/apache to version: 2.4.62

Vulnerable software versions

Gentoo Linux: All versions

www-servers/apache: before 2.4.62

CPE2.3 External links

http://security.gentoo.org/glsa/202409-31


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Resource exhaustion

EUVDB-ID: #VU88153

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-27316

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 requests. A remote attacker can send specially crafted HTTP/2 requests to the server and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages.
www-servers/apache to version: 2.4.62

Vulnerable software versions

Gentoo Linux: All versions

www-servers/apache: before 2.4.62

CPE2.3 External links

http://security.gentoo.org/glsa/202409-31


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) NULL pointer dereference

EUVDB-ID: #VU93538

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-36387

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when handling websocket over HTTP/2 connections. A remote attacker can send specially crafted data to the web server and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages.
www-servers/apache to version: 2.4.62

Vulnerable software versions

Gentoo Linux: All versions

www-servers/apache: before 2.4.62

CPE2.3 External links

http://security.gentoo.org/glsa/202409-31


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU93539

Risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-38472

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: Yes

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the web server to leak NTLM hashes.

Note, the vulnerability affects Windows installations only.

Mitigation

Update the affected packages.
www-servers/apache to version: 2.4.62

Vulnerable software versions

Gentoo Linux: All versions

www-servers/apache: before 2.4.62

CPE2.3 External links

http://security.gentoo.org/glsa/202409-31


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

6) Input validation error

EUVDB-ID: #VU93540

Risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-38473

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to insufficient validation of user-supplied input when handling incorrect encoding in mod_proxy. A remote attacker can force the web server to pass request URLs with incorrect encoding to backend services.

Mitigation

Update the affected packages.
www-servers/apache to version: 2.4.62

Vulnerable software versions

Gentoo Linux: All versions

www-servers/apache: before 2.4.62

CPE2.3 External links

http://security.gentoo.org/glsa/202409-31


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

7) Input validation error

EUVDB-ID: #VU93541

Risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-38474

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input in mod_rewrite when parsing encoded question marks in backreferences. A remote attacker can execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.

Mitigation

Update the affected packages.
www-servers/apache to version: 2.4.62

Vulnerable software versions

Gentoo Linux: All versions

www-servers/apache: before 2.4.62

CPE2.3 External links

http://security.gentoo.org/glsa/202409-31


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Input validation error

EUVDB-ID: #VU93542

Risk: High

CVSSv4.0: 8.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2024-38475

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input in mod_rewrite when first segment of substitution matches filesystem path. A remote attacker can map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL and view contents of files or execute arbitrary code.

Mitigation

Update the affected packages.
www-servers/apache to version: 2.4.62

Vulnerable software versions

Gentoo Linux: All versions

www-servers/apache: before 2.4.62

CPE2.3 External links

http://security.gentoo.org/glsa/202409-31


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

9) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU93543

Risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-38476

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker with control over the backend server can run local handlers via internal redirect and gain access to sensitive information or compromise the affected system.

Mitigation

Update the affected packages.
www-servers/apache to version: 2.4.62

Vulnerable software versions

Gentoo Linux: All versions

www-servers/apache: before 2.4.62

CPE2.3 External links

http://security.gentoo.org/glsa/202409-31


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Input validation error

EUVDB-ID: #VU93544

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-38477

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in mod_proxy. A remote attacker can send specially crafted requests to the web server and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages.
www-servers/apache to version: 2.4.62

Vulnerable software versions

Gentoo Linux: All versions

www-servers/apache: before 2.4.62

CPE2.3 External links

http://security.gentoo.org/glsa/202409-31


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU93545

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-39573

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input in mod_rewrite proxy handler substitution. A remote attacker can cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy.

Mitigation

Update the affected packages.
www-servers/apache to version: 2.4.62

Vulnerable software versions

Gentoo Linux: All versions

www-servers/apache: before 2.4.62

CPE2.3 External links

http://security.gentoo.org/glsa/202409-31


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Information disclosure

EUVDB-ID: #VU93729

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-39884

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error when processing legacy content-type based configuration of handlers, such as "AddType" and similar configuration when files are requested indirectly. A remote attacker can send a specially crafted HTTP request and view contents of files, for example the source code of a PHP script can be served instead of interpreted.

Mitigation

Update the affected packages.
www-servers/apache to version: 2.4.62

Vulnerable software versions

Gentoo Linux: All versions

www-servers/apache: before 2.4.62

CPE2.3 External links

http://security.gentoo.org/glsa/202409-31


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Information disclosure

EUVDB-ID: #VU94504

Risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-40725

CWE-ID: CWE-200 - Information exposure

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error when processing legacy content-type based configuration of handlers, such as "AddType" and similar configuration when files are requested indirectly. A remote attacker can send a specially crafted HTTP request and view contents of files, for example the source code of a PHP script can be served instead of interpreted.

Note, the vulnerability exists due to incomplete fix for #VU93729 (CVE-2024-39884).

Mitigation

Update the affected packages.
www-servers/apache to version: 2.4.62

Vulnerable software versions

Gentoo Linux: All versions

www-servers/apache: before 2.4.62

CPE2.3 External links

http://security.gentoo.org/glsa/202409-31


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

14) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU94503

Risk: High

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2024-40898

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: Yes

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input in Apache HTTP Server on Windows with mod_rewrite in server/vhost context. A remote attacker can force the web server to leak NTML hashes to a malicious server via SSRF and malicious requests.

Mitigation

Update the affected packages.
www-servers/apache to version: 2.4.62

Vulnerable software versions

Gentoo Linux: All versions

www-servers/apache: before 2.4.62

CPE2.3 External links

http://security.gentoo.org/glsa/202409-31


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



###SIDEBAR###