3 Replies Latest reply on Apr 4, 2017 12:45 PM by JEDtech

    FileMaker Server 15.0.3 with Apache 2.4.23 Multiple Vulnerabilities

    JEDtech

      FileMaker Server 15.0.3 with Web Publishing enabled on Mac installs Apache version 2.4.23 on macOS Sierra.  This version of Apache has multiple known vulnerabilities.  An update is needed to get Apache to 2.4.25 or above.

       

      Below is information about these vulnerabilities:

      - A flaw exists in the mod_session_crypto module due to encryption for data and cookies using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default). An unauthenticated, remote attacker can exploit this, via a padding oracle attack, to decrypt information without knowledge of the encryption key, resulting in the disclosure of potentially sensitive information. (CVE-2016-0736)

      - A denial of service vulnerability exists in the mod_auth_digest module during client entry allocation. An unauthenticated, remote attacker can exploit this, via specially crafted input, to exhaust shared memory resources, resulting in a server crash. (CVE-2016-2161)

      - The Apache HTTP Server is affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5387)

      - A denial of service vulnerability exists in the mod_http2 module due to improper handling of the LimitRequestFields directive. An unauthenticated, remote attacker can exploit this, via specially crafted CONTINUATION frames in an HTTP/2 request, to inject unlimited request headers into the server, resulting in the exhaustion of memory resources. (CVE-2016-8740)

      - A flaw exists due to improper handling of whitespace patterns in user-agent headers. An unauthenticated, remote attacker can exploit this, via a specially crafted user-agent header, to cause the program to incorrectly process sequences of requests, resulting in interpreting responses incorrectly, polluting the cache, or disclosing the content from one request to a second downstream user-agent. (CVE-2016-8743)

      See also:

      https://httpd.apache.org/dev/dist/Announcement2.4.html
      http://httpd.apache.org/security/vulnerabilities_24.html
      https://github.com/apache/httpd/blob/2.4.x/CHANGES
      https://www.apache.org/security/asf-httpoxy-response.txt
      https://httpoxy.org
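
The 'httpoxy' namespace conflict described in the post, as an added example that is not part of the original post and is not Apache or FileMaker code: it builds a CGI environment the way RFC 3875 section 4.1.18 maps request headers to HTTP_* variables, then shows the effect of dropping the 'Proxy' header first. The function names, hostnames and header values are hypothetical, constructed for illustration.

```python
# Added illustration of the httpoxy naming collision (CVE-2016-5387).
# All names and sample values are constructed; this is not Apache's code.

def cgi_environ(headers, server_env=None, strip_proxy=False):
    """Build a CGI environment from request headers (RFC 3875 sec. 4.1.18).

    Each header becomes HTTP_<NAME>: upper-cased, '-' replaced by '_'.
    With strip_proxy=True the client's 'Proxy' header is discarded first,
    which is the effect of `RequestHeader unset Proxy early` (mod_headers).
    """
    env = dict(server_env or {})  # variables the administrator set
    for name, value in headers:
        # Header names are case-insensitive, so compare in lower case.
        if strip_proxy and name.strip().lower() == "proxy":
            continue  # a client header must never become HTTP_PROXY
        key = "HTTP_" + name.strip().upper().replace("-", "_")
        env[key] = value  # client data overwrites any existing value
    return env


def outbound_proxy(env):
    """Proxy a client library honouring HTTP_PROXY would use, or None."""
    return env.get("HTTP_PROXY")


# Constructed sample request headers (not captured traffic).
SAMPLE_HEADERS = [
    ("Host", "fms.example.test"),
    ("User-Agent", "sample-client/1.0"),
    ("Proxy", "http://untrusted.example.test:8080"),
]


def demo():
    """Return the proxy seen without and with the header filter."""
    unfiltered = cgi_environ(SAMPLE_HEADERS)
    filtered = cgi_environ(SAMPLE_HEADERS, strip_proxy=True)
    return outbound_proxy(unfiltered), outbound_proxy(filtered)


if __name__ == "__main__":
    before, after = demo()
    print("Proxy header passed through:", before)
    print("Proxy header stripped:      ", after)
```
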