Apache CVE's

LukeChatty
Posts: 2
Joined: 2019/06/12 12:25:41

Apache CVE's

Post by LukeChatty » 2019/06/12 12:30:43

Hello
Currently running the following version of Apache HTTPd
httpd-2.4.6.89.el7-centos.x86_64

We have had a security scan which has identified the following vulnerabilities

Apache HTTPD: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)
Apache HTTPD: Out of bound write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)
Apache HTTPD: Possible out of bound read in mod_cache_socache (CVE-2018-1303)
Apache HTTPD: mod_session_cookie does not respect expiry time (CVE-2018-17199)

Are these currently in the build provided above? I can't see the CVEs in the change notes, but I can see they were patched on Red Hat in httpd24-httpd-2.4.34-7.el7

CVE Information:

https://access.redhat.com/security/cve/CVE-2018-1312 (Affected)
https://access.redhat.com/security/cve/CVE-2017-15710 (Affected)
https://access.redhat.com/security/cve/CVE-2018-1303 (Affected)
https://access.redhat.com/security/cve/CVE-2018-17199 (Affected)
Red Hat Security Advisories:

https://rhn.redhat.com/errata/RHSA-2018-3558.html

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Apache CVE's

Post by TrevorH » 2019/06/12 12:59:59

None of those appear to be fixed in the base version of httpd. 3 of those 4 are all marked as severity: Low so I am unsurprised that they are not fixed. The 4th one is Moderate but the affected module is not enabled by default.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
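One way to settle the question in this thread on the host itself, as an added example that is not from the forum posts or from CentOS: Red Hat backports fixes without bumping the upstream version, so the rpm changelog rather than the "2.4.6" string is what records a CVE fix. The helper below reads changelog text on stdin and reports, per CVE id, the release that first mentions it. The sample changelog, the maintainer, the bug numbers and the id CVE-0000-12345 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Red Hat backports security fixes
# without bumping the upstream version, so "2.4.6" says nothing on its own;
# the package changelog is where a backported CVE fix is recorded.
# On the CentOS 7 host itself, run the real thing with:
#   rpm -q --changelog httpd | cve_status CVE-2018-1312 CVE-2017-15710 \
#       CVE-2018-1303 CVE-2018-17199

# cve_status CVE...: reads rpm changelog text on stdin and prints, per CVE,
# "<id> fixed-in <release>" (oldest entry naming it) or "<id> not-mentioned".
# Returns 1 if any CVE is not mentioned. Assumes entry headers end with the
# "- <version>-<release>" that rpm's %changelog convention uses.
cve_status() {
    changelog=$(cat)
    rc=0
    for cve in "$@"; do
        rel=$(printf '%s\n' "$changelog" | awk -v cve="$cve" '
            /^\* /                           { rel = $NF }
            index(tolower($0), tolower(cve)) { found = rel }
            END                              { if (found != "") print found }')
        if [ -n "$rel" ]; then
            echo "$cve fixed-in $rel"
        else
            echo "$cve not-mentioned"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample changelog (newest entry first, as rpm prints it).
# CVE-0000-12345 is a placeholder id, not a real CVE; the bug numbers and
# maintainer are invented too.
SAMPLE_CHANGELOG='* Mon Jan 07 2019 Example Maintainer <maint@example.com> - 2.4.6-89
- Resolves: #1111111 - unrelated bug fix

* Wed Nov 21 2018 Example Maintainer <maint@example.com> - 2.4.6-88
- Resolves: #2222222 - CVE-0000-12345 httpd: placeholder security fix'

# Demonstration run on the constructed sample; the non-zero exit status is
# what you would key an audit script on.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_status CVE-0000-12345 CVE-2018-1312 \
    || echo "at least one CVE is not covered by this build"
```

A scanner that keys only on the version string will keep flagging a backported build, so the changelog check is also what you hand back to the scanning team when you dispute a finding.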

LukeChatty
Posts: 2
Joined: 2019/06/12 12:25:41

Re: Apache CVE's

Post by LukeChatty » 2019/06/12 13:17:40

TrevorH wrote (2019/06/12 12:59:59):
None of those appear to be fixed in the base version of httpd. 3 of those 4 are all marked as severity: Low so I am unsurprised that they are not fixed. The 4th one is Moderate but the affected module is not enabled by default.
Even on the update version 89 they are not patched?

Our security scan has them as severity High.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Apache CVE's

Post by TrevorH » 2019/06/12 13:23:20

Read the links you posted to the Red Hat CVE pages; none of them are high.
