ID

VAR-201507-0017


CVE

CVE-2015-3185


TITLE

Apache HTTP Server Permission Licensing and Access Control Issue Vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-201507-660

DESCRIPTION

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior. Apache HTTP Server is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. The server is fast, reliable and extensible through a simple API. The vulnerability stems from the fact that when the program does not require authentication, the Require directive will still be used for authorization settings and in displayed in the configuration. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2 serves as an update for Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es): * It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. (CVE-2015-3185) * A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. Upstream acknowledges Karthikeyan Bhargavan (Inria) and GaA<<tan Leurent (Inria) as the original reporters of CVE-2016-2183. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. JIRA issues fixed (https://issues.jboss.org/): JBCS-329 - Unable to load large CRL openssl problem JBCS-336 - Errata for httpd 2.4.23 SP2 RHEL 7 7. 7) - x86_64 3. ============================================================================ Ubuntu Security Notice USN-2686-1 July 27, 2015 apache2 vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 15.04 - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in the Apache HTTP server. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-3185) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 15.04: apache2.2-bin 2.4.10-9ubuntu1.1 Ubuntu 14.04 LTS: apache2.2-bin 2.4.7-1ubuntu4.5 Ubuntu 12.04 LTS: apache2.2-bin 2.2.22-1ubuntu1.10 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: httpd24-httpd security update Advisory ID: RHSA-2015:1666-01 Product: Red Hat Software Collections Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1666.html Issue date: 2015-08-24 CVE Names: CVE-2015-0228 CVE-2015-0253 CVE-2015-3183 CVE-2015-3185 ===================================================================== 1. Summary: Updated httpd24-httpd packages that fix multiple security issues are now available for Red Hat Software Collections 2. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 3. Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183) It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185) Note: This update introduces new a new API function, ap_some_authn_required(), which correctly indicates if a request is authenticated. External httpd modules using the old API function should be modified to use the new one to completely resolve this issue. A denial of service flaw was found in the way the mod_lua httpd module processed certain WebSocket Ping requests. A remote attacker could send a specially crafted WebSocket Ping packet that would cause the httpd child process to crash. (CVE-2015-0228) A NULL pointer dereference flaw was found in the way httpd generated certain error responses. A remote attacker could possibly use this flaw to crash the httpd child process using a request that triggers a certain HTTP error. (CVE-2015-0253) All httpd24-httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd24-httpd service will be restarted automatically. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1202988 - CVE-2015-0228 httpd: Possible mod_lua crash due to websocket bug 1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser 1243888 - CVE-2015-3185 httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4 1243891 - CVE-2015-0253 httpd: NULL pointer dereference crash with ErrorDocument 400 pointing to a local URL-path 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6): Source: httpd24-httpd-2.4.12-4.el6.2.src.rpm noarch: httpd24-httpd-manual-2.4.12-4.el6.2.noarch.rpm x86_64: httpd24-httpd-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-debuginfo-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-devel-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-tools-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_ldap-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_proxy_html-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_session-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_ssl-2.4.12-4.el6.2.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5): Source: httpd24-httpd-2.4.12-4.el6.2.src.rpm noarch: httpd24-httpd-manual-2.4.12-4.el6.2.noarch.rpm x86_64: httpd24-httpd-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-debuginfo-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-devel-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-tools-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_ldap-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_proxy_html-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_session-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_ssl-2.4.12-4.el6.2.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6): Source: httpd24-httpd-2.4.12-4.el6.2.src.rpm noarch: httpd24-httpd-manual-2.4.12-4.el6.2.noarch.rpm x86_64: httpd24-httpd-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-debuginfo-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-devel-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-tools-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_ldap-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_proxy_html-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_session-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_ssl-2.4.12-4.el6.2.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6): Source: httpd24-httpd-2.4.12-4.el6.2.src.rpm noarch: httpd24-httpd-manual-2.4.12-4.el6.2.noarch.rpm x86_64: httpd24-httpd-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-debuginfo-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-devel-2.4.12-4.el6.2.x86_64.rpm httpd24-httpd-tools-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_ldap-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_proxy_html-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_session-2.4.12-4.el6.2.x86_64.rpm httpd24-mod_ssl-2.4.12-4.el6.2.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: httpd24-httpd-2.4.12-6.el7.1.src.rpm noarch: httpd24-httpd-manual-2.4.12-6.el7.1.noarch.rpm x86_64: httpd24-httpd-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-debuginfo-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-devel-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-tools-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_ldap-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_proxy_html-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_session-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_ssl-2.4.12-6.el7.1.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1): Source: httpd24-httpd-2.4.12-6.el7.1.src.rpm noarch: httpd24-httpd-manual-2.4.12-6.el7.1.noarch.rpm x86_64: httpd24-httpd-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-debuginfo-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-devel-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-tools-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_ldap-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_proxy_html-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_session-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_ssl-2.4.12-6.el7.1.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: httpd24-httpd-2.4.12-6.el7.1.src.rpm noarch: httpd24-httpd-manual-2.4.12-6.el7.1.noarch.rpm x86_64: httpd24-httpd-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-debuginfo-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-devel-2.4.12-6.el7.1.x86_64.rpm httpd24-httpd-tools-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_ldap-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_proxy_html-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_session-2.4.12-6.el7.1.x86_64.rpm httpd24-mod_ssl-2.4.12-6.el7.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-0228 https://access.redhat.com/security/cve/CVE-2015-0253 https://access.redhat.com/security/cve/CVE-2015-3183 https://access.redhat.com/security/cve/CVE-2015-3185 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFV22bPXlSAg2UNWIIRAmm2AKCI6AByn1Zlj/2R8aLKFD4hZno5VgCfcx8H y5DWl0MjeqKeAOHiddwyDdU= =yzQP -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/httpd-2.4.16-i486-1_slack14.1.txz: Upgraded. This update fixes the following security issues: * CVE-2015-0253: Fix a crash with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. * CVE-2015-3183: core: Fix chunk header parsing defect. Remove apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters. * CVE-2015-3185: Replacement of ap_some_auth_required (unusable in Apache httpd 2.4) with new ap_some_authn_required and ap_force_authn hook. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0228 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0253 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3185 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.16-i486-1_slack14.0.txz Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.16-x86_64-1_slack14.0.txz Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/httpd-2.4.16-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/httpd-2.4.16-x86_64-1_slack14.1.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.16-i586-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.16-x86_64-1.txz MD5 signatures: +-------------+ Slackware 14.0 package: d78c9925e69ba6ce14d67fb67245981b httpd-2.4.16-i486-1_slack14.0.txz Slackware x86_64 14.0 package: 1370e3c7e135bf07b65e73049099a942 httpd-2.4.16-x86_64-1_slack14.0.txz Slackware 14.1 package: ea116c45bba8c80f59cfe0394a8f87fa httpd-2.4.16-i486-1_slack14.1.txz Slackware x86_64 14.1 package: 8b5b1caa1fa203b07b529f77834fac16 httpd-2.4.16-x86_64-1_slack14.1.txz Slackware -current package: 01ccb961f17bd14c1d157892af4c9f1d n/httpd-2.4.16-i586-1.txz Slackware x86_64 -current package: 70a6644de3585007861e57cf08608843 n/httpd-2.4.16-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg httpd-2.4.16-i486-1_slack14.1.txz Then, restart Apache httpd: # /etc/rc.d/rc.httpd stop # /etc/rc.d/rc.httpd start +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. Security Fix(es): * This update fixes several flaws in OpenSSL. (CVE-2014-8176, CVE-2015-0209, CVE-2015-0286, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-3216, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797, CVE-2016-0799, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2177, CVE-2016-2178, CVE-2016-2842) * This update fixes several flaws in libxml2. (CVE-2016-1762, CVE-2016-1833, CVE-2016-1834, CVE-2016-1835, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, CVE-2016-1840, CVE-2016-3627, CVE-2016-3705, CVE-2016-4447, CVE-2016-4448, CVE-2016-4449, CVE-2016-4483) * This update fixes three flaws in curl. (CVE-2016-5419, CVE-2016-5420, CVE-2016-7141) * This update fixes two flaws in httpd. (CVE-2014-3523, CVE-2015-3185) * This update fixes two flaws in mod_cluster. (CVE-2016-4459, CVE-2016-8612) * A buffer overflow flaw when concatenating virtual host names and URIs was fixed in mod_jk. (CVE-2016-6808) * A memory leak flaw was fixed in expat. Upstream acknowledges Stephen Henson (OpenSSL development team) as the original reporter of CVE-2015-0286; Huzaifa Sidhpurwala (Red Hat), Hanno BAPck, and David Benjamin (Google) as the original reporters of CVE-2016-2108; Guido Vranken as the original reporter of CVE-2016-2105, CVE-2016-2106, CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842; Juraj Somorovsky as the original reporter of CVE-2016-2107; Yuval Yarom (University of Adelaide and NICTA), Daniel Genkin (Technion and Tel Aviv University), and Nadia Heninger (University of Pennsylvania) as the original reporters of CVE-2016-0702; and Adam Langley (Google/BoringSSL) as the original reporter of CVE-2016-0705. See the corresponding CVE pages linked to in the References section for more information about each of the flaws listed in this advisory. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). Bugs fixed (https://bugzilla.redhat.com/): 801648 - CVE-2012-1148 expat: Memory leak in poolGrow 1121519 - CVE-2014-3523 httpd: WinNT MPM denial of service 1196737 - CVE-2015-0209 openssl: use-after-free on invalid EC private key import 1202366 - CVE-2015-0286 openssl: invalid pointer use in ASN1_TYPE_cmp() 1227574 - CVE-2015-3216 openssl: Crash in ssleay_rand_bytes due to locking regression 1228611 - CVE-2014-8176 OpenSSL: Invalid free in DTLS 1243888 - CVE-2015-3185 httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4 1288320 - CVE-2015-3194 OpenSSL: Certificate verify crash with missing PSS parameter 1288322 - CVE-2015-3195 OpenSSL: X509_ATTRIBUTE memory leak 1288326 - CVE-2015-3196 OpenSSL: Race condition handling PSK identify hint 1310596 - CVE-2016-0705 OpenSSL: Double-free in DSA code 1310599 - CVE-2016-0702 OpenSSL: Side channel attack on modular exponentiation 1311880 - CVE-2016-0797 OpenSSL: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption 1312219 - CVE-2016-0799 OpenSSL: Fix memory issues in BIO_*printf functions 1314757 - CVE-2016-2842 openssl: doapr_outch function does not verify that certain memory allocation succeeds 1319829 - CVE-2016-3627 libxml2: stack exhaustion while parsing xml files in recovery mode 1330101 - CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data 1331402 - CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder 1331426 - CVE-2016-2107 openssl: Padding oracle in AES-NI CBC MAC check 1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow 1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow 1332443 - CVE-2016-3705 libxml2: stack overflow before detecting invalid XML file 1332820 - CVE-2016-4483 libxml2: out-of-bounds read 1338682 - CVE-2016-1833 libxml2: Heap-based buffer overread in htmlCurrentChar 1338686 - CVE-2016-4447 libxml2: Heap-based buffer underreads due to xmlParseName 1338691 - CVE-2016-1835 libxml2: Heap use-after-free in xmlSAX2AttributeNs 1338696 - CVE-2016-1837 libxml2: Heap use-after-free in htmlPArsePubidLiteral and htmlParseSystemiteral 1338700 - CVE-2016-4448 libxml2: Format string vulnerability 1338701 - CVE-2016-4449 libxml2: Inappropriate fetch of entities content 1338702 - CVE-2016-1836 libxml2: Heap use-after-free in xmlDictComputeFastKey 1338703 - CVE-2016-1839 libxml2: Heap-based buffer overread in xmlDictAddString 1338705 - CVE-2016-1838 libxml2: Heap-based buffer overread in xmlPArserPrintFileContextInternal 1338706 - CVE-2016-1840 libxml2: Heap-buffer-overflow in xmlFAParserPosCharGroup 1338708 - CVE-2016-1834 libxml2: Heap-buffer-overflow in xmlStrncat 1338711 - CVE-2016-1762 libxml2: Heap-based buffer-overread in xmlNextChar 1341583 - CVE-2016-4459 mod_cluster: Buffer overflow in mod_manager when sending request with long JVMRoute 1341705 - CVE-2016-2177 openssl: Possible integer overflow vulnerabilities in codebase 1343400 - CVE-2016-2178 openssl: Non-constant time codepath followed for certain operations in DSA implementation 1362183 - CVE-2016-5419 curl: TLS session resumption client cert bypass 1362190 - CVE-2016-5420 curl: Re-using connection with wrong client cert 1373229 - CVE-2016-7141 curl: Incorrect reuse of client certificates 1382352 - CVE-2016-6808 mod_jk: Buffer overflow when concatenating virtual host name and URI 1387605 - CVE-2016-8612 JBCS mod_cluster: Protocol parsing logic error 5. A malicious client could force the server to misinterpret the request length, allowing cache poisoning or credential hijacking if an intermediary proxy is in use. CVE-2015-3185 A design error in the "ap_some_auth_required" function renders the API unusuable in apache2 2.4.x. The fix backports the new "ap_some_authn_required" API from 2.4.16. This issue does not affect the oldstable distribution (wheezy). In addition, the updated package for the oldstable distribution (wheezy) removes a limitation of the Diffie-Hellman (DH) parameters to 1024 bits. This limitation may potentially allow an attacker with very large computing resources, like a nation-state, to break DH key exchange by precomputation. The updated apache2 package also allows to configure custom DH parameters. More information is contained in the changelog.Debian.gz file. These improvements were already present in the stable, testing, and unstable distributions. For the oldstable distribution (wheezy), these problems have been fixed in version 2.2.22-13+deb7u5. For the stable distribution (jessie), these problems have been fixed in version 2.4.10-10+deb8u1. For the testing distribution (stretch), these problems will be fixed soon. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your apache2 packages

Trust: 2.07

sources: NVD: CVE-2015-3185 // BID: 75965 // VULHUB: VHN-81146 // VULMON: CVE-2015-3185 // PACKETSTORM: 144136 // PACKETSTORM: 133278 // PACKETSTORM: 132852 // PACKETSTORM: 133281 // PACKETSTORM: 132743 // PACKETSTORM: 140182 // PACKETSTORM: 132922 // PACKETSTORM: 144134

AFFECTED PRODUCTS

vendor:applemodel:mac os x serverscope:eqversion:5.0.3

Trust: 1.6

vendor:applemodel:xcodescope:eqversion:7.0

Trust: 1.6

vendor:applemodel:mac os xscope:eqversion:10.10.4

Trust: 1.6

vendor:canonicalmodel:ubuntu linuxscope:eqversion:12.04

Trust: 1.0

vendor:apachemodel:http serverscope:eqversion:2.4.0

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:14.04

Trust: 1.0

vendor:apachemodel:http serverscope:eqversion:2.4.6

Trust: 1.0

vendor:apachemodel:http serverscope:eqversion:2.4.10

Trust: 1.0

vendor:apachemodel:http serverscope:eqversion:2.4.2

Trust: 1.0

vendor:apachemodel:http serverscope:eqversion:2.4.7

Trust: 1.0

vendor:apachemodel:http serverscope:eqversion:2.4.9

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:15.04

Trust: 1.0

vendor:apachemodel:http serverscope:eqversion:2.4.4

Trust: 1.0

vendor:apachemodel:http serverscope:eqversion:2.4.13

Trust: 1.0

vendor:apachemodel:http serverscope:eqversion:2.4.1

Trust: 1.0

vendor:apachemodel:http serverscope:eqversion:2.4.8

Trust: 1.0

vendor:apachemodel:http serverscope:eqversion:2.4.3

Trust: 1.0

vendor:apachemodel:http serverscope:eqversion:2.4.12

Trust: 1.0

vendor:ubuntumodel:linux lts i386scope:eqversion:12.04

Trust: 0.3

vendor:ubuntumodel:linux lts amd64scope:eqversion:12.04

Trust: 0.3

vendor:slackwaremodel:linux x86 64 -currentscope: - version: -

Trust: 0.3

vendor:slackwaremodel:linux -currentscope: - version: -

Trust: 0.3

vendor:debianmodel:linux sparcscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux s/390scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux powerpcscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux mipsscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux ia-64scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux ia-32scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux armscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux amd64scope:eqversion:6.0

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:2.4.1

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:3.1

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:3.0

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:2.3

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:2.2

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:2.1

Trust: 0.3

vendor:applemodel:xcodescope:eqversion:2.0

Trust: 0.3

vendor:apachemodel:software foundation apachescope:eqversion:2.4.2

Trust: 0.3

sources: BID: 75965 // CNNVD: CNNVD-201507-660 // NVD: CVE-2015-3185

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-3185
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-201507-660
value: MEDIUM

Trust: 0.6

VULHUB: VHN-81146
value: MEDIUM

Trust: 0.1

VULMON: CVE-2015-3185
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-3185
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-81146
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-81146 // VULMON: CVE-2015-3185 // CNNVD: CNNVD-201507-660 // NVD: CVE-2015-3185

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.1

sources: VULHUB: VHN-81146 // NVD: CVE-2015-3185

THREAT TYPE

remote

Trust: 0.9

sources: PACKETSTORM: 133278 // PACKETSTORM: 132852 // PACKETSTORM: 133281 // CNNVD: CNNVD-201507-660

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201507-660

PATCH

title:httpd-2.4.14url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=57056

Trust: 0.6

title:httpd-2.4.14url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=57055

Trust: 0.6

title:Red Hat: Important: Red Hat JBoss Core Services security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20172708 - Security Advisory

Trust: 0.1

title:Red Hat: Important: Red Hat JBoss Core Services security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20172710 - Security Advisory

Trust: 0.1

title:Red Hat: Important: Red Hat JBoss Core Services security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20172709 - Security Advisory

Trust: 0.1

title:Debian Security Advisories: DSA-3325-1 apache2 -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=f6a16e3e13155cdb8edbd0ecf11552be

Trust: 0.1

title:Ubuntu Security Notice: apache2 vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-2686-1

Trust: 0.1

title:Red Hat: CVE-2015-3185url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2015-3185

Trust: 0.1

title:Amazon Linux AMI: ALAS-2015-579url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2015-579

Trust: 0.1

title:Tenable Security Advisories: [R4] SecurityCenter 5.0.2 Fixes Third-party Libraryurl:https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories&qid=TNS-2015-11

Trust: 0.1

title:Red Hat: Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Releaseurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20162957 - Security Advisory

Trust: 0.1

title:DC-2: Vulnhub Walkthroughurl:https://github.com/vshaliii/DC-2-Vulnhub-Walkthrough

Trust: 0.1

title:Shodan Search Scripturl:https://github.com/firatesatoglu/shodanSearch

Trust: 0.1

sources: VULMON: CVE-2015-3185 // CNNVD: CNNVD-201507-660

EXTERNAL IDS

db:NVDid:CVE-2015-3185

Trust: 2.9

db:BIDid:75965

Trust: 2.1

db:SECTRACKid:1032967

Trust: 1.8

db:CNNVDid:CNNVD-201507-660

Trust: 0.7

db:PACKETSTORMid:144136

Trust: 0.2

db:PACKETSTORMid:144134

Trust: 0.2

db:PACKETSTORMid:144135

Trust: 0.1

db:VULHUBid:VHN-81146

Trust: 0.1

db:VULMONid:CVE-2015-3185

Trust: 0.1

db:PACKETSTORMid:133278

Trust: 0.1

db:PACKETSTORMid:132852

Trust: 0.1

db:PACKETSTORMid:133281

Trust: 0.1

db:PACKETSTORMid:132743

Trust: 0.1

db:PACKETSTORMid:140182

Trust: 0.1

db:PACKETSTORMid:132922

Trust: 0.1

sources: VULHUB: VHN-81146 // VULMON: CVE-2015-3185 // BID: 75965 // PACKETSTORM: 144136 // PACKETSTORM: 133278 // PACKETSTORM: 132852 // PACKETSTORM: 133281 // PACKETSTORM: 132743 // PACKETSTORM: 140182 // PACKETSTORM: 132922 // PACKETSTORM: 144134 // CNNVD: CNNVD-201507-660 // NVD: CVE-2015-3185

REFERENCES

url:https://access.redhat.com/errata/rhsa-2017:2708

Trust: 2.0

url:http://rhn.redhat.com/errata/rhsa-2015-1666.html

Trust: 1.9

url:http://rhn.redhat.com/errata/rhsa-2015-1667.html

Trust: 1.9

url:http://rhn.redhat.com/errata/rhsa-2016-2957.html

Trust: 1.9

url:https://access.redhat.com/errata/rhsa-2017:2709

Trust: 1.9

url:http://www.ubuntu.com/usn/usn-2686-1

Trust: 1.9

url:http://lists.apple.com/archives/security-announce/2015/aug/msg00001.html

Trust: 1.8

url:http://lists.apple.com/archives/security-announce/2015/sep/msg00002.html

Trust: 1.8

url:http://lists.apple.com/archives/security-announce/2015/sep/msg00004.html

Trust: 1.8

url:http://www.securityfocus.com/bid/75965

Trust: 1.8

url:https://support.apple.com/ht205217

Trust: 1.8

url:https://support.apple.com/ht205219

Trust: 1.8

url:https://support.apple.com/kb/ht205031

Trust: 1.8

url:http://www.debian.org/security/2015/dsa-3325

Trust: 1.8

url:https://access.redhat.com/errata/rhsa-2017:2710

Trust: 1.8

url:http://www.securitytracker.com/id/1032967

Trust: 1.8

url:http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html

Trust: 1.8

url:http://httpd.apache.org/security/vulnerabilities_24.html

Trust: 1.2

url:http://www.apache.org/dist/httpd/changes_2.4

Trust: 1.2

url:https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708

Trust: 1.2

url:https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73

Trust: 1.2

url:https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3ccvs.httpd.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3ccvs.httpd.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3ccvs.httpd.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3ccvs.httpd.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3ccvs.httpd.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3ccvs.httpd.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3ccvs.httpd.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3ccvs.httpd.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3ccvs.httpd.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3ccvs.httpd.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3ccvs.httpd.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3ccvs.httpd.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3ccvs.httpd.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3ccvs.httpd.apache.org%3e

Trust: 1.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-3185

Trust: 0.8

url:https://access.redhat.com/security/cve/cve-2015-3185

Trust: 0.6

url:httpd.apache.org/security/vulnerabilities_24.html

Trust: 0.6

url:http://

Trust: 0.6

url:httpd.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3ccvs.

Trust: 0.6

url:httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708

Trust: 0.6

url:https://github.com/apache/

Trust: 0.6

url:https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3ccvs.

Trust: 0.6

url:httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73

Trust: 0.6

url:https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3ccvs.

Trust: 0.6

url:httpd/changes_2.4

Trust: 0.6

url:http://www.apache.org/dist/

Trust: 0.6

url:https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4@%3ccvs.

Trust: 0.6

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.5

url:https://bugzilla.redhat.com/):

Trust: 0.5

url:https://access.redhat.com/security/team/contact/

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2015-3183

Trust: 0.5

url:https://access.redhat.com/articles/11258

Trust: 0.4

url:http://httpd.apache.org/

Trust: 0.3

url:https://issues.jboss.org/):

Trust: 0.3

url:https://access.redhat.com/security/team/key/

Trust: 0.3

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.3

url:https://access.redhat.com/documentation/en/red-hat-jboss-core-services/

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2017-9788

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2017-9788

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-2183

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2016-2183

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2015-3183

Trust: 0.2

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2015-0228

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2015-0253

Trust: 0.2

url:https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/264.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://usn.ubuntu.com/2686-1/

Trust: 0.1

url:https://www.debian.org/security/./dsa-3325

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/apache2/2.4.10-9ubuntu1.1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/apache2/2.2.22-1ubuntu1.10

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/apache2/2.4.7-1ubuntu4.5

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2015-0228

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2015-0253

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-3183

Trust: 0.1

url:http://slackware.com

Trust: 0.1

url:http://osuosl.org)

Trust: 0.1

url:http://slackware.com/gpg-key

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0253

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0228

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-3185

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-2107

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-2106

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-0705

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2015-3196

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-4448

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-3216

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-2106

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-0702

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-0797

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2014-8176

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-6808

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-1835

Trust: 0.1

url:https://access.redhat.com/documentation/en/red-hat-jboss-core-services-apache-http-server/version-2.4.23/apache-http-server-2423-release-notes/

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-3705

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-1838

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-2107

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-0799

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-3196

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-1839

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-3523

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-2177

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-4483

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2014-3523

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-2842

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-8612

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2012-1148

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-1840

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-0797

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-2109

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-1836

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-0705

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2015-3194

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-1833

Trust: 0.1

url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.apachehttp&downloadtype=distributions&version=2.4.23

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-2105

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-8176

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-1840

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-1836

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-1762

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-1835

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-4449

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2015-0286

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-1762

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-5420

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-2178

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-3194

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-2108

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-0286

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-3627

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2012-1148

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-1837

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-2109

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-1834

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-3195

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-0209

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-1837

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-1839

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-5419

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-4459

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-2108

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2015-0209

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2015-3195

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-0702

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2015-3216

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-1838

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-1833

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-2105

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-1834

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-4447

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-7141

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-0799

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.apachehttp&downloadtype=securitypatches&version=2.4.23

Trust: 0.1

sources: VULHUB: VHN-81146 // VULMON: CVE-2015-3185 // BID: 75965 // PACKETSTORM: 144136 // PACKETSTORM: 133278 // PACKETSTORM: 132852 // PACKETSTORM: 133281 // PACKETSTORM: 132743 // PACKETSTORM: 140182 // PACKETSTORM: 132922 // PACKETSTORM: 144134 // CNNVD: CNNVD-201507-660 // NVD: CVE-2015-3185

CREDITS

Red Hat

Trust: 0.5

sources: PACKETSTORM: 144136 // PACKETSTORM: 133278 // PACKETSTORM: 133281 // PACKETSTORM: 140182 // PACKETSTORM: 144134

SOURCES

db:VULHUBid:VHN-81146
db:VULMONid:CVE-2015-3185
db:BIDid:75965
db:PACKETSTORMid:144136
db:PACKETSTORMid:133278
db:PACKETSTORMid:132852
db:PACKETSTORMid:133281
db:PACKETSTORMid:132743
db:PACKETSTORMid:140182
db:PACKETSTORMid:132922
db:PACKETSTORMid:144134
db:CNNVDid:CNNVD-201507-660
db:NVDid:CVE-2015-3185

LAST UPDATE DATE

2024-12-21T20:01:09.317000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-81146date:2020-10-27T00:00:00
db:VULMONid:CVE-2015-3185date:2023-11-07T00:00:00
db:BIDid:75965date:2016-07-06T14:51:00
db:CNNVDid:CNNVD-201507-660date:2021-06-07T00:00:00
db:NVDid:CVE-2015-3185date:2024-11-21T02:28:51.297

SOURCES RELEASE DATE

db:VULHUBid:VHN-81146date:2015-07-20T00:00:00
db:VULMONid:CVE-2015-3185date:2015-07-20T00:00:00
db:BIDid:75965date:2015-07-15T00:00:00
db:PACKETSTORMid:144136date:2017-09-14T19:50:57
db:PACKETSTORMid:133278date:2015-08-24T22:05:56
db:PACKETSTORMid:132852date:2015-07-27T23:45:42
db:PACKETSTORMid:133281date:2015-08-24T22:06:47
db:PACKETSTORMid:132743date:2015-07-20T15:45:36
db:PACKETSTORMid:140182date:2016-12-16T16:34:49
db:PACKETSTORMid:132922date:2015-08-04T01:08:56
db:PACKETSTORMid:144134date:2017-09-14T19:44:18
db:CNNVDid:CNNVD-201507-660date:2015-07-21T00:00:00
db:NVDid:CVE-2015-3185date:2015-07-20T23:59:03.770