You are here

Home › Apache HTTP Server Vulnerabilities Related to Version 2.4.25

Apache HTTP Server Vulnerabilities Related to Version 2.4.25

Submitted on 21. December 2016 - 10:48 by rischi.
Last update on 19. January 2017 - 14:57.
IDs: 
CVE-2016-8743, CVE-2016-2161, CVE-2016-0736, CVE-2016-8740, CVE-2016-5387
Keywords: 
httpd, apache, HttpProtocolOptions
Description: 

The Apache HTTP Server version 2.4.25 fixes 5 vulnerabilities.

Airlock WAF is not affected.

Details

  • CVE-2016-8743 Stricter parsing of HTTP requests. The old implementation could lead to cache pollution and response splitting attacks. No attack vector for Airlock WAF known.
  • CVE-2016-5387 httpoxy attack. Already discussed in TZ article [2].
  • CVE-2016-8740 HTTP/2 CONTINUATION DoS attack. Already discussed in TZ article [3]. Hotfix available for Airlock WAF 6.1
  • CVE-2016-5387 Padding Oracle in Apache module mod_session_crypto. Does not affect Airlock WAF because the module is not used.
  • CVE-2016-2161 DoS vulnerability in Apache module mod_auth_digest. Does not affect Airlock WAF because the module is not used.
Resolution: 

No action is required.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required
Reference: 
[1] Apache httpd 2.4 vulnerabilities
[2] TZ article on HTTPOXY
[3] TZ article on Apache Webserver HTTP/2 DoS attack
© Ergon Informatik AG