99568

1038907

https://httpd.apache.org/security/vulnerabilities_24.html

[announce] 20170713 CVE-2017-9789: Apache httpd 2.4 Read after free in mod_http2

GLSA-201710-32

https://security.netapp.com/advisory/ntap-20170911-0002/

https://support.apple.com/HT208221

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03908en_us

The remote host is running a version of macOS that is prior to 10.13. It is, therefore, affected by multiple vulnerabilities in the following components :

 - Apache
 - AppSandbox
 - AppleScript
 - Application Firewall
 - ATS
 - Audio
 - CFNetwork
 - CFNetwork Proxies
 - CFString
 - Captive Network Assistant
 - CoreAudio
 - CoreText
 - DesktopServices
 - Directory Utility
 - file
 - Fonts
 - fsck_msdos
 - HFS
 - Heimdal
 - HelpViewer
 - IOFireWireFamily
 - ImageIO
 - Installer
 - Kernel
 - kext tools
 - libarchive
 - libc
 - libexpat
 - Mail
 - Mail Drafts
 - ntp
 - Open Scripting Architecture
 - PCRE
 - Postfix
 - Quick Look
 - QuickTime
 - Remote Management
 - SQLite
 - Sandbox
 - Screen Lock
 - Security
 - Spotlight
 - WebKit
 - zlib

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.27. It is, therefore, affected by the following vulnerabilities :

 - A denial of service vulnerability exists in httpd due to a failure to initialize or reset the value placeholder in [Proxy-]Authorization headers of type 'Digest' before or between successive key=value assignments by mod_auth_digest. An unauthenticated, remote attacker can exploit this, by
providing an initial key with no '=' assignment, to disclose sensitive information or cause a denial of service condition. (CVE-2017-9788)

 - A read-after-free error exists in httpd that is triggered when closing a large number of connections. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2017-9789)

 Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for apache2 fixes several issues.

These security issues were fixed :

  - CVE-2017-9789: When under stress (closing many     connections) the HTTP/2 handling code would sometimes     access memory after it has been freed, resulting in     potentially erratic behaviour (bsc#1048575).

  - CVE-2017-7659: A maliciously constructed HTTP/2 request     could cause mod_http2 to dereference a NULL pointer and     crash the server process (bsc#1045160).

These non-security issues were fixed :

  - Use the full path to a2enmod and a2dismod in the     apache-22-24-upgrade script (bsc#1042037)

  - Fall back to 'localhost' as hostname in gensslcert     (bsc#1057406)

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for apache2 fixes several issues. These security issues were fixed :

  - CVE-2017-9789: When under stress (closing many     connections) the HTTP/2 handling code would sometimes     access memory after it has been freed, resulting in     potentially erratic behaviour (bsc#1048575).

  - CVE-2017-7659: A maliciously constructed HTTP/2 request     could cause mod_http2 to dereference a NULL pointer and     crash the server process (bsc#1045160).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running Mac OS X 10.11.6 or Mac OS X 10.12.6 and is missing a security update. It is therefore, affected by multiple vulnerabilities affecting the following components :

  - 802.1X
  - apache
  - AppleScript
  - ATS
  - Audio
  - CFString
  - CoreText
  - curl
  - Dictionary Widget
  - file
  - Fonts
  - fsck_msdos
  - HFS
  - Heimdal
  - HelpViewer
  - ImageIO
  - Kernel
  - libarchive
  - Open Scripting Architecture
  - PCRE
  - Postfix
  - Quick Look
  - QuickTime
  - Remote Management
  - Sandbox
  - StreamingZip
  - tcpdump
  - Wi-Fi

The remote host is affected by the vulnerability described in GLSA-201710-32 (Apache: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache. Please review       the referenced CVE identifiers for details.
  Impact :

    The Optionsbleed vulnerability can leak arbitrary memory from the server       process that may contain secrets.  Additionally attackers may cause a       Denial of Service condition, bypass authentication, or cause information       loss.
  Workaround :

    There is no known workaround at this time.

The remote host is running a version of Mac OS X that is prior to 10.10.5, 10.11.x prior to 10.11.6, 10.12.x prior to 10.12.6, or is not macOS 10.13. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache
  - AppSandbox
  - AppleScript
  - Application Firewall
  - ATS
  - Audio
  - CFNetwork
  - CFNetwork Proxies
  - CFString
  - Captive Network Assistant
  - CoreAudio
  - CoreText
  - DesktopServices
  - Directory Utility
  - file
  - Fonts
  - fsck_msdos
  - HFS
  - Heimdal
  - HelpViewer
  - IOFireWireFamily
  - ImageIO
  - Installer
  - Kernel
  - kext tools
  - libarchive
  - libc
  - libexpat
  - Mail
  - Mail Drafts
  - ntp
  - Open Scripting Architecture
  - PCRE
  - Postfix
  - Quick Look
  - QuickTime
  - Remote Management
  - SQLite
  - Sandbox
  - Screen Lock
  - Security
  - Spotlight
  - WebKit
  - zlib

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.27. It is, therefore, affected by the following vulnerabilities :

  - A denial of service vulnerability exists in httpd due to     a failure to initialize or reset the value placeholder     in [Proxy-]Authorization headers of type 'Digest' before     or between successive key=value assignments by     mod_auth_digest. An unauthenticated, remote attacker can     exploit this, by providing an initial key with no '='     assignment, to disclose sensitive information or cause a     denial of service condition. (CVE-2017-9788)

  - A read-after-free error exists in httpd that is     triggered when closing a large number of connections. An     unauthenticated, remote attacker can exploit this to     have an unspecified impact. (CVE-2017-9789)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Apache httpd project reports :

important: Read after free in mod_http2 (CVE-2017-9789) When under stress, closing many connections, the HTTP/2 handling code would sometimes access memory after it has been freed, resulting in potentially erratic behaviour.

important: Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788)The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments. by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault.

New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.

ID	Name	Product	Family	Severity
700511	macOS < 10.13 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	critical
98912	Apache 2.4.x < 2.4.27 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
106523	openSUSE Security Update : apache2 (openSUSE-2018-104)	Nessus	SuSE Local Security Checks	medium
106471	SUSE SLES12 Security Update : Recommended update for apache2 (SUSE-SU-2018:0261-1)	Nessus	SuSE Local Security Checks	medium
104379	macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-001 and 2017-004)	Nessus	MacOS X Local Security Checks	critical
104233	GLSA-201710-32 : Apache: Multiple vulnerabilities (Optionsbleed)	Nessus	Gentoo Local Security Checks	high
103598	macOS < 10.13 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
101788	Apache 2.4.x < 2.4.27 Multiple Vulnerabilities	Nessus	Web Servers	medium
101540	FreeBSD : Apache httpd -- multiple vulnerabilities (457ce015-67fa-11e7-867f-b499baebfeaf)	Nessus	FreeBSD Local Security Checks	medium
101532	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : httpd (SSA:2017-194-01)	Nessus	Slackware Local Security Checks	medium

CVE-2017-9789

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins