RHEL 7/8:Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP10 (RHSA-2021: 4614)
critical Nessus Plugin ID 155223
語系:
概要
遠端 Red Hat 主機缺少一個或多個安全性更新。說明
遠端 Redhat Enterprise Linux 7/8 主機上安裝的套件受到 RHSA-2021: 4614 公告中提及的多個弱點影響。- httpd:非升級版連線的 mod_proxy_wstunnel 通道 (CVE-2019-17567)
- pcre:停用 UTF 且 \X 或 \R 具有大於 1 的固定量詞時,JIT 中會出現緩衝區過度讀取 (CVE-2019-20838)
- httpd:mod_proxy NULL 指標解除參照 (CVE-2020-13950)
- pcre:剖析標註數值引數時發生整數溢位 (CVE-2020-14155)
- httpd:mod_auth_digest 中的單一零位元組堆疊溢位 (CVE-2020-35452)
- openssl:CipherUpdate 中的整數溢位 (CVE-2021-23840)
- openssl:X509_issuer_and_serial_hash() 中的 NULL 指標解除參照 (CVE-2021-23841)
- httpd:mod_session:剖析 Cookie 標頭時發生 NULL 指標解除參照 (CVE-2021-26690)
- httpd:mod_session:透過特製的 SessionHeader 值造成堆積溢位 (CVE-2021-26691)
- httpd:非預期的 URL 符合「MergeSlashes OFF」(CVE-2021-30641)
- httpd:透過格式錯誤的要求造成 NULL 指標解除參照 (CVE-2021-34798)
- Red Hat JBCS:含 /..;/ 的 URL 標準化問題會導致資訊洩漏 (CVE-2021-3688)
- openssl:讀取緩衝區滿溢處理 ASN.1 字串 (CVE-2021-3712)
請注意,Nessus 並未測試這些問題,而是僅依據應用程式自我報告的版本號碼作出判斷。
解決方案
更新受影響的套件。另請參閱
http://www.nessus.org/u?dbe8101f
https://access.redhat.com/errata/RHSA-2021:4614
https://bugzilla.redhat.com/show_bug.cgi?id=1848436
https://bugzilla.redhat.com/show_bug.cgi?id=1848444
https://bugzilla.redhat.com/show_bug.cgi?id=1930310
https://bugzilla.redhat.com/show_bug.cgi?id=1930324
https://bugzilla.redhat.com/show_bug.cgi?id=1966724
https://bugzilla.redhat.com/show_bug.cgi?id=1966729
https://bugzilla.redhat.com/show_bug.cgi?id=1966732
https://bugzilla.redhat.com/show_bug.cgi?id=1966738
https://bugzilla.redhat.com/show_bug.cgi?id=1966740
https://bugzilla.redhat.com/show_bug.cgi?id=1966743
https://bugzilla.redhat.com/show_bug.cgi?id=1995634
https://access.redhat.com/security/updates/classification/#moderate
Plugin 詳細資訊
嚴重性: Critical
ID: 155223
檔案名稱: redhat-RHSA-2021-4614.nasl
版本: 1.10
類型: local
代理程式: unix
已發布: 2021/11/11
已更新: 2024/4/28
支援的感應器: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
風險資訊
VPR
風險因素: Medium
分數: 6.7
CVSS v2
風險因素: High
基本分數: 7.5
時間分數: 5.5
媒介: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 評分資料來源: CVE-2021-26691
CVSS v3
風險因素: Critical
基本分數: 9.8
時間分數: 8.5
媒介: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
時間媒介: CVSS:3.0/E:U/RL:O/RC:C
弱點資訊
CPE: cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:8, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-ldap, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-mysql, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-nss, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-odbc, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-openssl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-pgsql, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apr-util-sqlite, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-curl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-manual, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-selinux, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-httpd-tools, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-libcurl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-libcurl-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_cluster-native, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_http2, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_jk, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_jk-ap24, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_jk-manual, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_ldap, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_md, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_proxy_html, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_security, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_session, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-mod_ssl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-nghttp2, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-nghttp2-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-chil, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-devel, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-libs, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-perl, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-pkcs11, p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-openssl-static
必要的 KB 項目: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
可輕鬆利用: No known exploits are available
修補程式發佈日期: 2021/11/10
弱點發布日期: 2020/6/15
參考資訊
CVE: CVE-2019-17567, CVE-2019-20838, CVE-2020-13950, CVE-2020-14155, CVE-2020-35452, CVE-2021-23840, CVE-2021-23841, CVE-2021-26690, CVE-2021-26691, CVE-2021-30641, CVE-2021-34798, CVE-2021-3688, CVE-2021-3712