CVE-2017-9798

MEDIUM

Description

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

References

http://openwall.com/lists/oss-security/2017/09/18/2

http://www.debian.org/security/2017/dsa-3980

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/100872

http://www.securityfocus.com/bid/105598

http://www.securitytracker.com/id/1039387

https://access.redhat.com/errata/RHSA-2017:2882

https://access.redhat.com/errata/RHSA-2017:2972

https://access.redhat.com/errata/RHSA-2017:3018

https://access.redhat.com/errata/RHSA-2017:3113

https://access.redhat.com/errata/RHSA-2017:3114

https://access.redhat.com/errata/RHSA-2017:3193

https://access.redhat.com/errata/RHSA-2017:3194

https://access.redhat.com/errata/RHSA-2017:3195

https://access.redhat.com/errata/RHSA-2017:3239

https://access.redhat.com/errata/RHSA-2017:3240

https://access.redhat.com/errata/RHSA-2017:3475

https://access.redhat.com/errata/RHSA-2017:3476

https://access.redhat.com/errata/RHSA-2017:3477

https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch

https://github.com/apache/httpd/commit/29afdd2550b3d30a8defece2b95ae81edcf66ac9

https://github.com/hannob/optionsbleed

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2017-9798

https://security-tracker.debian.org/tracker/CVE-2017-9798

https://security.gentoo.org/glsa/201710-32

https://security.netapp.com/advisory/ntap-20180601-0003/

https://support.apple.com/HT208331

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us

https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch

https://www.exploit-db.com/exploits/42745/

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Details

Source: MITRE

Published: 2017-09-18

Updated: 2019-02-25

Type: CWE-416

Risk Information

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3.0

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH