Vulnerability CVE-2017-9798


Published: 2017-09-18   Modified: 2017-12-07

Description:
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

See advisories in our WLB2 database:
Topic: Apache HTTPd 2.4.27 OPTIONS Memory Leak (Med.)
Author: Hanno Böck
Date: 19.09.2017

Type: CWE-416 (Use After Free)

Vendor: Debian
Product: Debian linux
Version: 9.0, 8.0, 7.0

Vendor: Apache
Product: Http server
Version: 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.2, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.1, 2.4.0, 2.2.34

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

References:
http://openwall.com/lists/oss-security/2017/09/18/2
http://www.debian.org/security/2017/dsa-3980
http://www.securityfocus.com/bid/100872
http://www.securitytracker.com/id/1039387
https://access.redhat.com/errata/RHSA-2017:2882
https://access.redhat.com/errata/RHSA-2017:2972
https://access.redhat.com/errata/RHSA-2017:3018
https://access.redhat.com/errata/RHSA-2017:3113
https://access.redhat.com/errata/RHSA-2017:3114
https://access.redhat.com/errata/RHSA-2017:3193
https://access.redhat.com/errata/RHSA-2017:3194
https://access.redhat.com/errata/RHSA-2017:3195
https://access.redhat.com/errata/RHSA-2017:3239
https://access.redhat.com/errata/RHSA-2017:3240
https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch
https://github.com/apache/httpd/commit/29afdd2550b3d30a8defece2b95ae81edcf66ac9
https://github.com/hannob/optionsbleed
https://security-tracker.debian.org/tracker/CVE-2017-9798
https://security.gentoo.org/glsa/201710-32
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
https://www.exploit-db.com/exploits/42745/


Copyright 2017, cxsecurity.com

 
