New bunch of security flaws found in Apache web server

Plethora of fresh vulnerabilities identified in the Apache web server

Users are being warned about a series of security flaws in the open-source Apache web server, which are so fresh they haven't even been categorised yet.

The vulnerabilities, included in the latest US-Cert Cyber Security Bulletin, were recorded by the National Institute of Standards and Technology and the National Vulnerability Database over the past week.

A number of vulnerabilities affect Apache, which is widely used open-source web server software that can be deployed on a plethora of platforms.

Apache Cordova, which is a popular mobile application development framework, is one of the products affected. Multiple versions of the in-app browser plugin fail to validate callback identifiers, enabling attackers to distribute arbitrary JavaScript.

The company's distributed storage framework, Apache Hadoop, has been affected by vulnerabilities too. Context-dependent attackers have found a way to crack secret keys over brute-force attacks.

Several versions of Apache Hive, data warehousing software, mask policies defined in tables and views. However, when a view is generated, the policy enforcement fails to take place correctly.

There are also vulnerabilities affecting httpclient. Security specialists have found that http/impl/client/HttpClientBuilder.java in ApacheHttpClient 4.3.x before 4.3.1 isn't ensuring that X509HostnameVerifier is not invalid.

As a result of this, attackers are able to target Apache software through vendors that use hostname verification. It's not specifically known how they're able to do this.

Users may also be affected by a cross-site scripting (XSS) vulnerability found in Apache jUDDI before 2.0, which gives remote attackers the ability to deploy arbitrary web script or HTML using the dsname parameter.

Remote attackers can make use of a loophole affecting Apache Qpid 0.30. They can use a crafted protocol sequence set to cause a denial of service, and this exists due to an incomplete fix for CVE-2015-0203.

Apache's Traffic Server (5.1.x before 5.1.1) is vulnerable to attack as well. Attackers are able to bypass access restrictions by using a vulnerability affecting tunnel remap requests.

And the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, which is an important component of Apache Archiva, can fall victim to hackers looking to inject it with arbitrary code via a crafted serialized Java object.

These vulnerabilities were identified by Apache towards the end of October, and come as the company has just released security four patches for the OpenOffice platform.

Marcin Noga, of Cisco Talos, identified the OpenOffice vulnerabilities. He wrote: "Talos is releasing details of three new vulnerabilities discovered within Apache OpenOffice application.

"The first vulnerability, TALOS-2017-0295 within OpenOffice Writer, the second TALOS-2017-0300 in the Draw application, and the third TALOS-2017-0301 discovered in the Writer application. All three vulnerabilities allow arbitrary code execution to be performed."