CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
96.9%
The version of httpd24 installed on the remote host is prior to 2.4.54-1.98. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2022-1607 advisory.
Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.
(CVE-2022-26377)
Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module. (CVE-2022-28330)
The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the ‘ap_rputs’ function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue. (CVE-2022-28614)
Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected. (CVE-2022-28615)
In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size. (CVE-2022-29404)
If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.
(CVE-2022-30522)
Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer. (CVE-2022-30556)
Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application. (CVE-2022-31813)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2022-1607.
##
include('compat.inc');
if (description)
{
script_id(162833);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/18");
script_cve_id(
"CVE-2022-26377",
"CVE-2022-28330",
"CVE-2022-28614",
"CVE-2022-28615",
"CVE-2022-29404",
"CVE-2022-30522",
"CVE-2022-30556",
"CVE-2022-31813"
);
script_name(english:"Amazon Linux AMI : httpd24 (ALAS-2022-1607)");
script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux AMI host is missing a security update.");
script_set_attribute(attribute:"description", value:
"The version of httpd24 installed on the remote host is prior to 2.4.54-1.98. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS-2022-1607 advisory.
- Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of
Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This
issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.
(CVE-2022-26377)
- Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process
requests with the mod_isapi module. (CVE-2022-28330)
- The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an
attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with
mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use
the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against
current headers to resolve the issue. (CVE-2022-28614)
- Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in
ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the
server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may
hypothetically be affected. (CVE-2022-28615)
- In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0)
may cause a denial of service due to no default limit on possible input size. (CVE-2022-29404)
- If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input
to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.
(CVE-2022-30522)
- Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point
past the end of the storage allocated for the buffer. (CVE-2022-30556)
- Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on
client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on
the origin server/application. (CVE-2022-31813)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2022-1607.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-26377.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-28330.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-28614.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-28615.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-29404.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-30522.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-30556.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2022-31813.html");
script_set_attribute(attribute:"solution", value:
"Run 'yum update httpd24' to update your system.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-31813");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/06/08");
script_set_attribute(attribute:"patch_publication_date", value:"2022/06/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/07/08");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd24");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd24-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd24-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd24-manual");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:httpd24-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:mod24_ldap");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:mod24_md");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:mod24_proxy_html");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:mod24_session");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:mod24_ssl");
script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Amazon Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
var os_ver = os_ver[1];
if (os_ver != "A")
{
if (os_ver == 'A') os_ver = 'AMI';
audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}
if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var pkgs = [
{'reference':'httpd24-2.4.54-1.98.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'httpd24-2.4.54-1.98.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'httpd24-debuginfo-2.4.54-1.98.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'httpd24-debuginfo-2.4.54-1.98.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'httpd24-devel-2.4.54-1.98.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'httpd24-devel-2.4.54-1.98.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'httpd24-manual-2.4.54-1.98.amzn1', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'httpd24-tools-2.4.54-1.98.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'httpd24-tools-2.4.54-1.98.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'mod24_ldap-2.4.54-1.98.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'mod24_ldap-2.4.54-1.98.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'mod24_md-2.4.54-1.98.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'mod24_md-2.4.54-1.98.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'mod24_proxy_html-2.4.54-1.98.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'mod24_proxy_html-2.4.54-1.98.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'mod24_session-2.4.54-1.98.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'mod24_session-2.4.54-1.98.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'mod24_ssl-2.4.54-1.98.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
{'reference':'mod24_ssl-2.4.54-1.98.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var release = NULL;
var sp = NULL;
var cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {
if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "httpd24 / httpd24-debuginfo / httpd24-devel / etc");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28330
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
alas.aws.amazon.com/ALAS-2022-1607.html
alas.aws.amazon.com/cve/html/CVE-2022-26377.html
alas.aws.amazon.com/cve/html/CVE-2022-28330.html
alas.aws.amazon.com/cve/html/CVE-2022-28614.html
alas.aws.amazon.com/cve/html/CVE-2022-28615.html
alas.aws.amazon.com/cve/html/CVE-2022-29404.html
alas.aws.amazon.com/cve/html/CVE-2022-30522.html
alas.aws.amazon.com/cve/html/CVE-2022-30556.html
alas.aws.amazon.com/cve/html/CVE-2022-31813.html
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
96.9%