Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
kasperskyKaspersky LabKLA10640
HistoryJul 21, 2015 - 12:00 a.m.

KLA10640 Multiple vulnerabilities in Apache HTTP Server

2015-07-2100:00:00
Kaspersky Lab
threats.kaspersky.com
152

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

8 High

AI Score

Confidence

Low

0.062 Low

EPSS

Percentile

93.6%

JSON

Multiple serious vulnerabilities have been found in Apache HTTP Server. Malicious users can exploit these vulnerabilities to cause a denial of service.

Below is a complete list of vulnerabilities

  1. Stack recursion crash in the mod_lua module in the lua_request.c file in lua_websocket_read function can lead to cause a denial of service via specially crafted PING request.
  2. The read_request_line function in server/protocol.c file doesn’t properly initialize the protocol structure member which can lead to cause a denial of service via specially crafted request.
  3. The chunked transfer coding implementation parse chunk headers improperly which can lead to HTTP Request Smuggling Attack via a specially crafted request
  4. The ap_some_auth_required function in server/request.c file has design error which renders the API unusuable.

Original advisories

Apache changelog

Related products

Apache-HTTP-Server

CVE list

CVE-2015-0228 critical

CVE-2015-0253 critical

CVE-2015-3183 critical

CVE-2015-3185 warning

Solution

Update to the latest version

Impacts

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

Affected Products

  • Apache httpd 2.4 versions 2.4.14 and earlier

Related

nessus 46
redhat 12
slackware 1
archlinux 1
openvas 28
oraclelinux 3
fedora 2
veracode 4
freebsd 2
amazon 2
securityvulns 6
ibm 36
centos 2
mageia 2
ubuntu 2
osv 3
debian 6
prion 4
ubuntucve 5
nvd 4
cvelist 4
debiancve 4
f5 8
httpd 5
cve 4
hackerone 2
gentoo 1
nessus
nessus
Slackware 14.0 / 14.1 / current : httpd (SSA:2015-198-01)
2015-07-20 00:00:00
Oracle Linux 7 : httpd24-httpd (ELSA-2015-1666)
2023-09-07 00:00:00
Apache 2.4.x < 2.4.16 Multiple Vulnerabilities
2019-01-09 00:00:00
redhat
redhat
(RHSA-2015:1666) Moderate: httpd24-httpd security update
2015-08-24 00:00:00
(RHSA-2015:1667) Moderate: httpd security update
2015-08-24 00:00:00
(RHSA-2015:1668) Moderate: httpd security update
2015-08-24 00:00:00
slackware
slackware
[slackware-security] httpd
2015-07-17 20:25:06
archlinux
archlinux
apache: multiple issues
2015-07-17 00:00:00
openvas
openvas
Oracle: Security Advisory (ELSA-2015-1666)
2016-02-05 00:00:00
Amazon Linux: Security Advisory (ALAS-2015-579)
2015-09-08 00:00:00
Slackware: Security Advisory (SSA:2015-198-01)
2022-04-21 00:00:00
oraclelinux
oraclelinux
httpd24-httpd security update
2016-02-04 00:00:00
httpd security update
2015-08-24 00:00:00
httpd security update
2015-08-24 00:00:00
fedora
fedora
[SECURITY] Fedora 22 Update: httpd-2.4.16-1.fc22
2015-07-21 08:12:37
[SECURITY] Fedora 21 Update: httpd-2.4.16-1.fc21
2015-07-30 00:52:03
veracode
veracode
Denial Of Service (DoS)
2019-05-02 05:18:03
Denial Of Service (DoS)
2019-01-15 09:07:16
HTTP Request Smuggling
2019-01-15 09:07:33
freebsd
freebsd
apache24 -- multiple vulnerabilities
2015-02-04 00:00:00
apache22 -- chunk header parsing defect
2015-06-24 00:00:00
amazon
amazon
Medium: httpd24
2015-08-17 12:27:00
Medium: httpd
2015-08-17 12:23:00
securityvulns
securityvulns
[slackware-security] httpd &#40;SSA:2015-198-01&#41;
2015-07-20 00:00:00
Apache security vulnerabilities
2015-07-20 00:00:00
[USN-2523-1] Apache HTTP Server vulnerabilities
2015-03-15 00:00:00
ibm
ibm
Security Bulletin: Vulnerabilities in the Apache HTTP Server affect PowerKVM (CVE-2015-3183,CVE-2015-3185)
2018-06-18 01:32:18
Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2015-3183)
2018-06-17 15:10:04
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Intelligent Operations Center and related products (CVE-2015-3183)
2022-08-19 21:04:31
centos
centos
httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update
2015-08-25 16:08:42
httpd, mod_ssl security update
2015-08-24 18:23:20
mageia
mageia
Updated apache package fixes security vulnerabilities
2015-07-27 12:53:07
Updated apache packages fix CVE-2015-0228
2015-03-06 21:08:57
ubuntu
ubuntu
Apache HTTP Server vulnerabilities
2015-07-27 00:00:00
Apache HTTP Server vulnerabilities
2015-03-10 00:00:00
osv
osv
apache2 - security update
2015-08-01 00:00:00
apache2 - regression update
2015-08-01 00:00:00
apache2 - security update
2015-07-28 00:00:00
debian
debian
[SECURITY] [DSA 3325-1] apache2 security update
2015-08-01 22:04:23
[SECURITY] [DSA 3325-1] apache2 security update
2015-08-01 22:04:23
[SECURITY] [DSA 3325-2] apache2 regression update
2015-08-18 11:39:08
prion
prion
Null pointer dereference
2015-07-20 23:59:00
Code injection
2015-03-08 02:59:00
Design/Logic Flaw
2015-07-20 23:59:00
ubuntucve
ubuntucve
CVE-2015-0253
2015-07-20 00:00:00
CVE-2015-0228
2015-02-16 00:00:00
CVE-2015-3185
2015-07-20 00:00:00
nvd
nvd
CVE-2015-0253
2015-07-20 23:59:00
CVE-2015-0228
2015-03-08 02:59:00
CVE-2015-3185
2015-07-20 23:59:03
cvelist
cvelist
CVE-2015-0253
2015-07-20 23:00:00
CVE-2015-0228
2015-03-08 02:00:00
CVE-2015-3185
2015-07-20 23:00:00
debiancve
debiancve
CVE-2015-0253
2015-07-20 23:59:00
CVE-2015-0228
2015-03-08 02:59:00
CVE-2015-3185
2015-07-20 23:59:03
f5
f5
K17317 : Apache HTTP server vulnerability CVE-2015-0253
2015-09-24 00:00:00
SOL17317 - Apache HTTP server vulnerability CVE-2015-0253
2015-09-24 00:00:00
SOL17157 - Apache HTTP server vulnerability CVE-2015-0228
2015-08-20 00:00:00
httpd
httpd
Apache Httpd < 2.4.16 : Crash in ErrorDocument 400 handling
2015-02-03 00:00:00
Apache Httpd < 2.4.16 : ap_some_auth_required API unusable
2013-08-05 00:00:00
Apache Httpd < 2.4.16 : mod_lua: Crash in websockets PING handling
2015-01-28 00:00:00
cve
cve
CVE-2015-0253
2015-07-20 23:59:00
CVE-2015-0228
2015-03-08 02:59:00
CVE-2015-3185
2015-07-20 23:59:03
hackerone
hackerone
Internet Bug Bounty: mod_lua: Crash in websockets PING handling
2015-01-28 00:00:00
Internet Bug Bounty: Apache HTTP Request Parsing Whitespace Defects
2017-06-29 17:41:22
gentoo
gentoo
Apache: Multiple vulnerabilities
2016-10-06 00:00:00

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

8 High

AI Score

Confidence

Low

0.062 Low

EPSS

Percentile

93.6%

JSON
Related for KLA10640
nessus46redhat12slackware1archlinux1openvas28oraclelinux3fedora2veracode4freebsd2amazon2securityvulns6ibm36centos2mageia2ubuntu2osv3debian6prion4ubuntucve5nvd4cvelist4debiancve4f58httpd5cve4hackerone2gentoo1