We're running a vulnerability scan (Nessus) against the CA Access
Gateway (SPS) and we've discovered the following vulnerabilities:
CVE-2019-9517 mod_http2
CVE-2019-10081 mod_http2
CVE-2019-10082 mod_http2
CVE-2019-10092 mod_proxy
CVE-2019-10097 mod_remoteip
CVE-2019-10098 mod_rewrite
Apache HTTP Server 2.4 vulnerabilities
https://httpd.apache.org/security/vulnerabilities_24.html
Plugin Output:
Source : Server: Apache/2.4.4 (Unix) mod_jk/1.2.37
Installed version : 2.4.4
Fixed version : 2.4.41
The Nessus tool mentioned that:
Note that Nessus has not tested for this issue but has instead
relied only on the application's self-reported version number.
How can we fix it?
Release : 12.6
Component : SITEMINDER -WEB AGENT FOR APACHE
The Nessus tool has reported the following vulnerabilities, and I've
listed the affected module next to each.
CVE-2019-9517 mod_http2
CVE-2019-10081 mod_http2
CVE-2019-10082 mod_http2
CVE-2019-10092 mod_proxy
CVE-2019-10097 mod_remoteip
CVE-2019-10098 mod_rewrite
The list of modules loaded in Apache shows that none of those modules
is in use.
[[email protected] bin]# ./apachectl -M
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
mpm_worker_module (static)
env_module (shared)
log_config_module (shared)
setenvif_module (shared)
mime_module (shared)
negotiation_module (shared)
dir_module (shared)
jk_module (shared)
cgi_module (shared)
alias_module (shared)
authz_host_module (shared)
authn_core_module (shared)
authz_core_module (shared)
unixd_module (shared)
slotmem_shm_module (shared)
Consequently, the SPS you run is not vulnerable, and you need to
upgrade it only to get a supported version.
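
The same check can be scripted so it is repeatable after every configuration change. The following is an added example, not vendor code: the function name `triage_findings` and the embedded sample are constructed here, and it assumes the standard httpd naming in which `mod_foo` is reported by `apachectl -M` as `foo_module`.

```sh
#!/bin/sh
# CVE -> affected module, copied from the Nessus findings on this page.
FINDINGS='CVE-2019-9517 mod_http2
CVE-2019-10081 mod_http2
CVE-2019-10082 mod_http2
CVE-2019-10092 mod_proxy
CVE-2019-10097 mod_remoteip
CVE-2019-10098 mod_rewrite'

# Constructed sample: abridged from the `apachectl -M` output on this page.
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 http_module (static)
 mpm_worker_module (static)
 jk_module (shared)
 cgi_module (shared)
 alias_module (shared)
 slotmem_shm_module (shared)'

# triage_findings <apachectl -M output>
# Prints "<CVE> <module> LOADED|not-loaded" for each finding.
# Returns 1 if any affected module is loaded, 0 if none is.
triage_findings() {
    # Keep only the module names (first field of each "*_module" line).
    loaded=$(printf '%s\n' "$1" | awk '$1 ~ /_module$/ {print $1}')
    rc=0
    while read -r cve mod; do
        [ -n "$cve" ] || continue
        name="${mod#mod_}_module"      # mod_http2 -> http2_module
        if printf '%s\n' "$loaded" | grep -qxF "$name"; then
            echo "$cve $mod LOADED"
            rc=1
        else
            echo "$cve $mod not-loaded"
        fi
    done <<EOF
$FINDINGS
EOF
    return $rc
}

# Against a live server: triage_findings "$(./apachectl -M 2>&1)"
triage_findings "$SAMPLE_MODULES"
```

A non-zero return means at least one flagged module is actually loaded and the corresponding finding needs real remediation rather than being closed as a version-banner false positive.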