
Apache HTTP Server Vulnerabilities Related to Version 2.4.25

IDs: 
CVE-2016-8743, CVE-2016-2161, CVE-2016-0736, CVE-2016-8740, CVE-2016-5387
Keywords: 
httpd, apache, HttpProtocolOptions
Description: 

The Apache HTTP Server version 2.4.25 fixes 5 vulnerabilities.

Airlock WAF is not affected.

Details

  • CVE-2016-8743 Stricter parsing of HTTP requests. The old implementation could lead to cache pollution and response splitting attacks. No attack vector against Airlock WAF is known.
  • CVE-2016-5387 httpoxy attack. Already discussed in TZ article [2].
  • CVE-2016-8740 HTTP/2 CONTINUATION DoS attack. Already discussed in TZ article [3]. A hotfix is available for Airlock WAF 6.1.
  • CVE-2016-0736 Padding Oracle in Apache module mod_session_crypto. Does not affect Airlock WAF because the module is not used.
  • CVE-2016-2161 DoS vulnerability in Apache module mod_auth_digest. Does not affect Airlock WAF because the module is not used.
Resolution: 

No action is required.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required