The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of NNM

vulnerability bulletin CVE-2011-4858

Tomcat, JBoss: denial of service via hash collision

Synthesis of the vulnerability

An attacker can send data generating storage collisions, in order to overload a service.
Impacted products: Tomcat, Debian, Fedora, HPE NNMi, OpenView NNM, HP-UX, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, ESX, vCenter Server, VMware vSphere.
Severity: 3/4.
Consequences: denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/02/2012.
Identifiers: BID-51200, c03183543, c03231290, c03824583, CERTA-2012-AVI-479, CERTA-2013-AVI-440, CVE-2011-4084-REJECT, CVE-2011-4858, DSA-2401-1, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, FEDORA-2012-7258, FEDORA-2012-7593, HPSBMU02747, HPSBMU02894, HPSBUX02741, openSUSE-SU-2012:0103-1, RHSA-2012:0041-01, RHSA-2012:0074-01, RHSA-2012:0075-01, RHSA-2012:0076-01, RHSA-2012:0077-01, RHSA-2012:0078-01, RHSA-2012:0089-01, RHSA-2012:0091-01, RHSA-2012:0325-01, RHSA-2012:0406-01, RHSA-2012:0474-01, RHSA-2012:0475-01, RHSA-2012:0679-01, RHSA-2012:0680-01, RHSA-2012:0681-01, RHSA-2012:0682-01, SSRT100728, SSRT100771, VIGILANCE-VUL-11383, VMSA-2012-0003.1, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1.

Description of the vulnerability

The bulletin VIGILANCE-VUL-11254 describes a vulnerability which can be used to create a denial of service on several applications.

This vulnerability impacts Tomcat.

In order to simplify VIGILANCE-VUL-11254, which was too big, solutions for Tomcat were moved here.

vulnerability bulletin CVE-2012-0053

Apache httpd: reading an HttpOnly cookie

Synthesis of the vulnerability

An attacker can use a malformed HTTP query, in order to generate a code 400 error page which displays the user's HttpOnly cookies, so that JavaScript code can access them.
Impacted products: Apache httpd, Debian, BIG-IP Hardware, TMOS, Fedora, OpenView NNM, HP-UX, Junos Space, Junos Space Network Management Platform, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 27/01/2012.
Identifiers: BID-51706, c03231301, c03278391, CERTA-2012-AVI-225, CVE-2012-0053, DSA-2405-1, FEDORA-2012-1598, FEDORA-2012-1642, HPSBMU02748, HPSBUX02761, JSA10585, MDVSA-2012:012, openSUSE-SU-2012:0314-1, RHSA-2012:0128-01, RHSA-2012:0323-01, RHSA-2012:0542-01, RHSA-2012:0543-01, SOL15273, SOL15889, SSA:2012-041-01, SSRT100772, SSRT100823, SUSE-SU-2012:0284-1, SUSE-SU-2012:0323-1, VIGILANCE-VUL-11323.

Description of the vulnerability

The HTTP Set-Cookie header defines a cookie. This header can also contain the HttpOnly attribute:
  Set-Cookie: v=abc; HttpOnly
This attribute indicates that the cookie cannot be accessed from JavaScript. This feature has been supported since IE 6 SP1, Mozilla Firefox 3.0.0.6 and Opera 9.23, in order to protect a website against Cross Site Scripting.

When Apache httpd receives a malformed HTTP query (CONNECT with "authority", a line larger than LimitRequestFieldSize, a header without ':'), it returns a code 400 error page. If no default error page is defined by ErrorDocument, Apache httpd dynamically generates this page. However, the generated page contains all request headers, in order to help developers. Cookies are thus displayed inside the HTML, even if they have the HttpOnly attribute. As JavaScript code is allowed to read an HTML document, it can thus read the cookie.

An attacker can therefore use a malformed HTTP query, in order to generate a code 400 error page which displays the user's HttpOnly cookies, so that JavaScript code can access them.

vulnerability announce CVE-2012-0021

Apache httpd: denial of service via mod_log_config

Synthesis of the vulnerability

When mod_log_config logs cookies, an attacker can send a special cookie, in order to stop Apache httpd in threaded MPM.
Impacted products: Apache httpd, BIG-IP Hardware, TMOS, Fedora, OpenView NNM, HP-UX, Mandriva Linux, Solaris, RHEL, Slackware.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 27/01/2012.
Identifiers: 52256, BID-51705, c03231301, c03278391, CERTA-2012-AVI-225, CVE-2012-0021, FEDORA-2012-1598, FEDORA-2012-1642, HPSBMU02748, HPSBUX02761, MDVSA-2012:012, RHSA-2012:0542-01, RHSA-2012:0543-01, SOL15889, SSA:2012-041-01, SSRT100772, SSRT100823, VIGILANCE-VUL-11322.

Description of the vulnerability

The mod_log_config module of Apache httpd is used to define the format of logged data. For example:
 - %a : the remote IP address
 - %D : the processing duration
 - %{var}C : the cookie named "var"
 - etc.

Clients send cookies as an HTTP header, such as:
  Cookie: var=hello

The mod_log_config module calls the apr_collapse_spaces() function to delete unneeded spaces. However, if a cookie has no name, a NULL pointer is dereferenced.

When mod_log_config logs cookies, an attacker can therefore send a special cookie, in order to stop Apache httpd in threaded MPM (a fatal error in a thread also stops other threads).

vulnerability CVE-2012-0022

Apache Tomcat: denial of service via several parameters

Synthesis of the vulnerability

An attacker can send a query containing several parameters to Apache Tomcat, in order to overload the CPU.
Impacted products: Tomcat, Debian, Fedora, OpenView NNM, HP-UX, NSMXpress, Mandriva Linux, Solaris, RHEL, JBoss EAP by Red Hat, ESX, vCenter Server, VMware vSphere.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 17/01/2012.
Identifiers: c03183543, c03231290, CERTA-2012-AVI-479, CVE-2012-0022, DSA-2401-1, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, FEDORA-2012-7258, FEDORA-2012-7593, HPSBMU02747, HPSBUX02741, JSA10600, MDVSA-2012:085, RHSA-2012:0074-01, RHSA-2012:0075-01, RHSA-2012:0076-01, RHSA-2012:0077-01, RHSA-2012:0078-01, RHSA-2012:0091-01, RHSA-2012:0325-01, RHSA-2012:0345-02, RHSA-2012:0474-01, RHSA-2012:0475-01, RHSA-2012:0679-01, RHSA-2012:0680-01, RHSA-2012:0681-01, RHSA-2012:0682-01, RHSA-2012:1331-01, SSRT100728, SSRT100771, VIGILANCE-VUL-11290, VMSA-2012-0003.1, VMSA-2012-0005, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1.

Description of the vulnerability

An HTTP GET or POST query uses parameters like "para1=value&para2=value&...".

The org/apache/tomcat/util/http/Parameters.java file decodes these parameters. However, the algorithm used is not efficient. If the query contains numerous parameters, Tomcat consumes a lot of processor resources.

An attacker can therefore send a query containing several parameters to Apache Tomcat, in order to overload the CPU.

This vulnerability is different from VIGILANCE-VUL-11383.

vulnerability announce CVE-2012-0031

Apache httpd: denial of service via scoreboard

Synthesis of the vulnerability

An attacker, who runs code in an Apache httpd child process, can change a value of the scoreboard, in order to force the parent process, which runs as root, to free an invalid memory area, when the service stops, which may lead to code execution with root privileges.
Impacted products: Apache httpd, Debian, BIG-IP Hardware, TMOS, Fedora, OpenView NNM, HP-UX, Mandriva Linux, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: administrator access/rights, denial of service on service.
Provenance: user account.
Creation date: 16/01/2012.
Identifiers: BID-51407, c03231301, c03278391, CERTA-2012-AVI-026, CERTA-2012-AVI-225, CVE-2012-0031, DSA-2405-1, FEDORA-2012-1598, FEDORA-2012-1642, HPSBMU02748, HPSBUX02761, MDVSA-2012:012, openSUSE-SU-2012:0314-1, RHSA-2012:0128-01, RHSA-2012:0323-01, RHSA-2012:0542-01, RHSA-2012:0543-01, SOL15889, SSA:2012-041-01, SSRT100772, SSRT100823, SUSE-SU-2012:0284-1, SUSE-SU-2012:0323-1, VIGILANCE-VUL-11282.

Description of the vulnerability

The Apache httpd service is composed of:
 - a parent process, which runs with root privileges
 - child processes, which process HTTP queries, and which run with www-data rights by default

The "scoreboard" is an information area shared between processes. The "sb_type" field of the scoreboard indicates the allocation mode (SB_NOT_SHARED via malloc and SB_SHARED via mmap) depending on the MPM (Multi-Processing Module).

When the parent process stops (when the service stops), it frees the memory area used by the scoreboard, if the sb_type value is not SB_SHARED.

An attacker, who runs code in an Apache httpd child process, can therefore change a value of the scoreboard, in order to force the parent process, which runs as root, to free via free() a memory area allocated via mmap(), when the service stops, which may lead to code execution with root privileges.

It can be noted that in order to exploit this vulnerability, the attacker has to execute code in a child process, and has to wait for the administrator to stop or restart the service. Moreover, the standard glibc detects the memory corruption and blocks the attack.

computer vulnerability bulletin CVE-2011-3165 CVE-2011-3166 CVE-2011-3167

OpenView NNM: code execution

Synthesis of the vulnerability

Three vulnerabilities of HP OpenView Network Node Manager can be used by a remote attacker to execute code.
Impacted products: OpenView, OpenView NNM.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 02/11/2011.
Revision date: 06/01/2012.
Identifiers: BID-50471, BID-51049, c03054052, CERTA-2011-AVI-611, CVE-2011-3165, CVE-2011-3166, CVE-2011-3167, HPSBMU02712, SSRT100649, VIGILANCE-VUL-11118, ZDI-11-348, ZDI-12-002, ZDI-12-003, ZDI-CAN-1208, ZDI-CAN-1209, ZDI-CAN-1210.

Description of the vulnerability

Three vulnerabilities were announced in HP OpenView Network Node Manager.

An attacker can use a large nameParams parameter for the CGI nnmRptConfig.exe program, in order to execute code. [severity:3/4; BID-51049, CERTA-2011-AVI-611, CVE-2011-3165, ZDI-11-348, ZDI-CAN-1208]

An attacker can create an overflow in the webappmon.exe CGI program, which leads to code execution. [severity:3/4; CVE-2011-3166, ZDI-12-003, ZDI-CAN-1209]

An attacker can use a long textFile option for ov.dll, in order to create an overflow in _OVBuildPath, which leads to code execution. [severity:3/4; CVE-2011-3167, ZDI-12-002, ZDI-CAN-1210]

These vulnerabilities can be used by a remote attacker to execute code.

computer vulnerability note CVE-2011-4317

Apache httpd: access to another server via mod_proxy

Synthesis of the vulnerability

An attacker can use a malicious HTTP query, when mod_proxy uses RewriteRule or ProxyPassMatch, in order to access web resources of another server.
Impacted products: Apache httpd, Debian, BIG-IP Hardware, TMOS, OpenView NNM, Junos Space, Junos Space Network Management Platform, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: data reading, data flow.
Provenance: internet client.
Creation date: 25/11/2011.
Identifiers: BID-50802, c03231301, CVE-2011-4317, DSA-2405-1, HPSBMU02748, JSA10585, MDVSA-2012:003, openSUSE-SU-2012:0212-1, openSUSE-SU-2012:0248-1, openSUSE-SU-2013:0243-1, openSUSE-SU-2013:0248-1, RHSA-2012:0128-01, SOL15889, SSA:2012-041-01, SSRT100772, SUSE-SU-2011:1309-1, SUSE-SU-2011:1322-1, VIGILANCE-VUL-11179.

Description of the vulnerability

The mod_proxy module is used to configure Apache httpd as a proxy, in order to access an internal web server. Its resources are voluntarily public.

However, the VIGILANCE-VUL-11041 vulnerability of mod_proxy was not fully corrected.

Indeed, the case where the query has a scheme ("something:endOfQuery") was not corrected. The scheme ("something:") is removed, and the end of query ("endOfQuery") is concatenated to the rewrite rule.

An attacker can therefore still use a malicious HTTP query on Apache httpd, when mod_proxy uses RewriteRule or ProxyPassMatch, in order to access web resources of another server.

vulnerability alert CVE-2011-3607 CVE-2011-4415

Apache httpd: buffer overflow via ap_pregsub

Synthesis of the vulnerability

An attacker can create an overflow in the ap_pregsub() function, in order to create a denial of service, or to execute code.
Impacted products: Apache httpd, Debian, BIG-IP Hardware, TMOS, Fedora, OpenView NNM, HP-UX, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: user account.
Number of vulnerabilities in this bulletin: 2.
Creation date: 02/11/2011.
Identifiers: BID-50494, BID-50639, c03231301, c03278391, CERTA-2012-AVI-225, CVE-2011-3607, CVE-2011-4415, DSA-2405-1, FEDORA-2012-1598, FEDORA-2012-1642, HPSBMU02748, HPSBUX02761, MDVSA-2012:003, openSUSE-SU-2012:0212-1, openSUSE-SU-2012:0248-1, RHSA-2012:0128-01, RHSA-2012:0323-01, RHSA-2012:0542-01, RHSA-2012:0543-01, SOL16907, SSA:2012-041-01, SSRT100772, SSRT100823, SUSE-SU-2011:1309-1, SUSE-SU-2011:1322-1, VIGILANCE-VUL-11121.

Description of the vulnerability

The ap_pregsub() function of file server/util.c is used to replace fragments of a string split with regular expressions.

However, this function does not check whether the size after substitution overflowed. Data are thus copied into a memory area that is too small.

This function is not directly reachable via a GET query. However, the mod_env module provides the SetEnvIf directive, which calls ap_pregsub(). In order to set up the attack, the attacker has to place malicious SetEnvIf directives in a .htaccess file.

An attacker can therefore create an overflow in the ap_pregsub() function, in order to create a denial of service, or to execute code.

vulnerability alert CVE-2011-3368

Apache httpd: access to another server via mod_proxy

Synthesis of the vulnerability

An attacker can use a malicious HTTP query, when mod_proxy uses RewriteRule or ProxyPassMatch, in order to access web resources of another server.
Impacted products: Apache httpd, Debian, BIG-IP Hardware, TMOS, Fedora, OpenView NNM, Junos Space, Junos Space Network Management Platform, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: data reading, data flow.
Provenance: internet client.
Creation date: 05/10/2011.
Identifiers: BID-49957, c03231301, CERTA-2011-AVI-562, CERTA-2011-AVI-607, CERTA-2012-AVI-050, CERTA-2012-AVI-156, CVE-2011-3368, DSA-2405-1, FEDORA-2012-1598, FEDORA-2012-1642, HPSBMU02748, JSA10585, MDVSA-2011:144, openSUSE-SU-2012:0212-1, openSUSE-SU-2012:0248-1, openSUSE-SU-2013:0243-1, openSUSE-SU-2014:1647-1, RHSA-2011:1391-01, RHSA-2011:1392-01, RHSA-2012:0542-01, RHSA-2012:0543-01, SOL15889, SSA:2012-041-01, SSRT100772, SUSE-SU-2011:1229-1, SUSE-SU-2011:1309-1, SUSE-SU-2011:1322-1, VIGILANCE-VUL-11041.

Description of the vulnerability

The mod_proxy module is used to configure Apache httpd as a proxy, in order to access an internal web server. Its resources are voluntarily public.

The RewriteRule and ProxyPassMatch directives are used to rewrite requested HTTP paths (URLs). For example:
  RewriteRule (.*) http://voluntaryPublic.example.com$1 [P]
  ProxyPassMatch (.*) http://voluntaryPublic.example.com$1

However, if the domain name in the rule does not end with a '/', an attacker can for example use the following HTTP query:
  GET @privateServer.example.com/page.html HTTP/1.1
This query will be rewritten as:
  GET http://voluntaryPublic.example.com@privateServer.example.com/page.html HTTP/1.1
The attacker then has access to the web page located on the private server.

An attacker can therefore use a malicious HTTP query, when mod_proxy uses RewriteRule or ProxyPassMatch, in order to access web resources of another server.
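The following is an added example, not part of the Vigil@nce bulletin or of Apache httpd, covering the two mod_proxy bulletins on this page (VIGILANCE-VUL-11041 above and VIGILANCE-VUL-11179 earlier). It models the `$1` substitution of the rule shown above, compares the host a proxy would connect to for the rule without and with the trailing '/', and scans constructed access-log lines for request targets that are not absolute paths (which is how the bulletin's request, and the scheme-prefixed variant of the later bulletin, would appear in a log). The rules, hostnames and log lines are constructed; the host check uses only Python's standard library.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy targets, modelled on the bulletin's RewriteRule/ProxyPassMatch examples.
RULES = {
    "vulnerable": "http://voluntaryPublic.example.com$1",   # host directly followed by $1
    "fixed":      "http://voluntaryPublic.example.com/$1",  # '/' forces $1 into the path part
}

# Pattern of the rule in the bulletin: "(.*)" captures the whole request target.
RULE_PATTERN = re.compile(r"(.*)")


def rewrite(target_template: str, request_target: str) -> str:
    """Simplified model of the rewrite: substitute $1 with the captured request target."""
    match = RULE_PATTERN.match(request_target)
    return target_template.replace("$1", match.group(1))


def upstream_host(url: str) -> str:
    """Host the proxy would actually open a connection to (lowercased by urlsplit)."""
    return urlsplit(url).hostname or ""


def rule_is_risky(target_template: str) -> bool:
    """Config check: a scheme://host immediately followed by $1, with no '/' in between."""
    return re.search(r"^[a-zA-Z]+://[^/$]+\$1", target_template) is not None


# Constructed access-log lines in Apache's common log format (%r holds the request line).
CONSTRUCTED_LOG = [
    '10.0.0.5 - - [05/Oct/2011:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Oct/2011:10:00:01 +0000] "GET @privateServer.example.com/page.html HTTP/1.1" 200 1024',
    '10.0.0.9 - - [05/Oct/2011:10:00:02 +0000] "GET something:@privateServer.example.com/x HTTP/1.1" 200 900',
]

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def suspicious_targets(log_lines) -> list:
    """Return request targets that are neither an absolute path, an absolute URL, nor '*'."""
    found = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        if not target.startswith("/") and "://" not in target and target != "*":
            found.append(target)
    return found


if __name__ == "__main__":
    for name, rule in RULES.items():
        url = rewrite(rule, "@privateServer.example.com/page.html")
        print(f"{name:10} risky={rule_is_risky(rule)} -> {url} (host: {upstream_host(url)})")
    print("suspicious request targets:", suspicious_targets(CONSTRUCTED_LOG))
```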

vulnerability alert CVE-2011-3348

Apache httpd: denial of service via mod_proxy_ajp

Synthesis of the vulnerability

When mod_proxy_ajp is used with mod_proxy_balancer, an attacker can use an unknown HTTP method, in order to create a denial of service.
Impacted products: Apache httpd, OpenView, OpenView NNM, HP-UX, Junos Space, Junos Space Network Management Platform, Mandriva Linux, OpenSolaris, RHEL, Slackware.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 14/09/2011.
Identifiers: BID-49616, c03011498, c03025215, CERTA-2011-AVI-516, CVE-2011-3348, HPSBMU02704, HPSBUX02707, MDVSA-2011:168, PSN-2013-02-846, RHSA-2011:1391-01, RHSA-2012:0542-01, RHSA-2012:0543-01, SSA:2011-284-01, SSRT100619, SSRT100626, VIGILANCE-VUL-10991.

Description of the vulnerability

The mod_proxy module provides a generic proxy service for Apache httpd. The mod_proxy_ajp module adds support for AJP13 (Apache JServ Protocol version 1.3), which is used with Tomcat. The mod_proxy_balancer module is used to balance the load between several proxies.

The HTTP protocol defines a list of methods (GET, POST, etc.) which are used in queries.

The ap_proxy_ajp_request() function of the modules/proxy/mod_proxy_ajp.c file does not ignore unknown HTTP methods. However, when mod_proxy_balancer is also used, the associated proxy enters an error state. Using several queries, an attacker can thus stop all balanced proxies.

When mod_proxy_ajp is used with mod_proxy_balancer, an attacker can therefore use an unknown HTTP method, in order to create a denial of service.