Security Vulnerability reported in Apache 2.4.46 embedded in NMC
Summary: Security Vulnerability reported in Apache 2.4.46 embedded in NMC . Tenable Nessus found security vulnerabilities in Apache 2.4.46. Apache 2.4.46 is embedded in the NetWorker Management Console. ...
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
Below is the list of the CVEs identified by the security scanner.
CVE-2020-35452
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow
CVE-2021-26691
In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow
CVE-2021-26690
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service
CVE-2020-13950
Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service
CVE-2020-13938
Apache HTTP Server versions 2.4.0 to 2.4.46 Unprivileged local users can stop httpd on Windows
CVE-2019-17567
Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.
CVE-2021-30641
Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'
Environment:
NetWorker server version (service pack and build) – 19.4.0.1 build 95
Operating System where the NetWorker is running – Oracle Linux 7
Cause
Known issue: [NetWorker] Escalation 40810 - Security Vulnerability reported in Apache 2.4.46 embedded in NMC
Resolution
The CVEs mentioned do not have an impact on the NMC.
Vulnerability NMC affected Reason
CVE-2020-35452 No mod_auth_digest is not loaded.
CVE-2021-26691 No mod_session module is not loaded
CVE-2021-26690 No mod_sessions module is not loaded.
CVE-2020-13950 No mod_proxy_http module is not loaded.
CVE-2020-13938 No Http start/stop happens using gstd service and that service can only be started and stopped using Admin user.
CVE-2019-17567 No mod_proxy_wstunnel module is not loaded.
CVE-2021-30641 No mod_proxy module is not loaded.
Vulnerability NMC affected Reason
CVE-2020-35452 No mod_auth_digest is not loaded.
CVE-2021-26691 No mod_session module is not loaded
CVE-2021-26690 No mod_sessions module is not loaded.
CVE-2020-13950 No mod_proxy_http module is not loaded.
CVE-2020-13938 No Http start/stop happens using gstd service and that service can only be started and stopped using Admin user.
CVE-2019-17567 No mod_proxy_wstunnel module is not loaded.
CVE-2021-30641 No mod_proxy module is not loaded.
Article Properties
Article Number: 000190061
Article Type: Solution
Last Modified: 02 Feb 2022
Version: 2
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.