CVE-2017-9798

high

Description

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.
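A defender-side audit for the `.htaccess` condition described above, as an added example that is not part of the original advisory or of httpd. It reports `<Limit>` / `<LimitExcept>` lines whose method names fall outside a baseline of methods httpd knows by default; the baseline set, the function names and the sample input are assumptions of this example.

```python
import os
import re

# Assumption: baseline of method names httpd recognises without extra modules.
# Modules can register more, so a hit is a prompt for review, not proof of exposure.
BUILTIN_METHODS = frozenset("""
GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH PROPFIND PROPPATCH
MKCOL COPY MOVE LOCK UNLOCK VERSION-CONTROL CHECKOUT UNCHECKOUT CHECKIN
UPDATE LABEL REPORT MKWORKSPACE MKACTIVITY BASELINE-CONTROL MERGE
""".split())

# Directive names are case-insensitive; closing tags and '#' comments never match.
LIMIT_RE = re.compile(r"^\s*<(Limit|LimitExcept)\s+([^>]*)>", re.IGNORECASE)

def audit_htaccess(text):
    """Return [(line_no, directive, method)] for method names outside the baseline.

    Method names are compared case-sensitively, so `get` is reported
    even though `GET` is not.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = LIMIT_RE.match(line)
        if not match:
            continue
        for method in match.group(2).split():
            if method not in BUILTIN_METHODS:
                findings.append((line_no, match.group(1), method))
    return findings

def audit_tree(root, filename=".htaccess"):
    """Walk `root` and audit every per-directory config file named `filename`."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if filename in files:
            path = os.path.join(dirpath, filename)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = audit_htaccess(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample, not taken from a real site.
SAMPLE = ("# <Limit FOO>\n<Limit GET POST>\n</Limit>\n"
          "<limit get>\n</limit>\n<LimitExcept GET CUSTOMVERB>\n</LimitExcept>\n")

if __name__ == "__main__":
    for hit in audit_htaccess(SAMPLE):
        print(hit)
```

Pass `filename` to `audit_tree` if the server's `AccessFileName` is not `.htaccess`.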

References

https://security-tracker.debian.org/tracker/CVE-2017-9798

https://github.com/hannob/optionsbleed

https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch

https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

http://openwall.com/lists/oss-security/2017/09/18/2

https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch

https://www.exploit-db.com/exploits/42745/

http://www.securitytracker.com/id/1039387

http://www.securityfocus.com/bid/100872

https://security.gentoo.org/glsa/201710-32

http://www.debian.org/security/2017/dsa-3980

https://access.redhat.com/errata/RHSA-2017:3240

https://access.redhat.com/errata/RHSA-2017:3239

https://access.redhat.com/errata/RHSA-2017:3195

https://access.redhat.com/errata/RHSA-2017:3194

https://access.redhat.com/errata/RHSA-2017:3193

https://access.redhat.com/errata/RHSA-2017:3114

https://access.redhat.com/errata/RHSA-2017:3113

https://access.redhat.com/errata/RHSA-2017:3018

https://access.redhat.com/errata/RHSA-2017:2972

https://access.redhat.com/errata/RHSA-2017:2882

https://access.redhat.com/errata/RHSA-2017:3477

https://access.redhat.com/errata/RHSA-2017:3476

https://access.redhat.com/errata/RHSA-2017:3475

https://support.apple.com/HT208331

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

https://security.netapp.com/advisory/ntap-20180601-0003/

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/105598

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2017-9798

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://www.tenable.com/security/tns-2019-09

https://github.com/apache/httpd/commit/4cc27823899e070268b906ca677ee838d07cf67a

Details

Source: MITRE

Published: 2017-09-18

Updated: 2021-06-06

Type: CWE-416

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Tenable Plugins

ID | Name | Product | Family | Severity
144074 | IBM HTTP Server 7.0.0.0 < 7.0.0.45 / 8.0.0.0 < 8.0.0.15 / 8.5.0.0 < 8.5.5.13 / 9.0.0.0 < 9.0.0.6 Multiple Vulnerabilities (298437) | Nessus | Web Servers | high
127360 | NewStart CGSL MAIN 4.05 : httpd Multiple Vulnerabilities (NS-SA-2019-0118) | Nessus | NewStart CGSL Local Security Checks | critical
125147 | Oracle Enterprise Manager Ops Center (Apr 2019 CPU) | Nessus | Misc. | critical
124922 | EulerOS Virtualization 3.0.1.0 : httpd (EulerOS-SA-2019-1419) | Nessus | Huawei Local Security Checks | critical
124892 | EulerOS Virtualization for ARM 64 3.0.1.0 : httpd (EulerOS-SA-2019-1389) | Nessus | Huawei Local Security Checks | critical
124170 | Oracle Primavera Unifier Multiple Vulnerabilities (Apr 2019 CPU) | Nessus | CGI abuses | critical
124169 | Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (Apr 2019 CPU) | Nessus | CGI abuses | critical
700513 | macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown) | Nessus Network Monitor | Operating System Detection | critical
98913 | Apache 2.4.x < 2.4.28 HTTP Vulnerability (OptionsBleed) | Web Application Scanning | Component Vulnerability | high
119234 | Virtuozzo 6 : httpd / httpd-devel / httpd-manual / httpd-tools / etc (VZLSA-2017-2972) | Nessus | Virtuozzo Local Security Checks | medium
111152 | Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (July 2018 CPU) | Nessus | Misc. | critical
109294 | openSUSE Security Update : virtualbox (openSUSE-2018-389) (Optionsbleed) | Nessus | SuSE Local Security Checks | high
109165 | Oracle Secure Global Desktop Multiple Vulnerabilities (April 2018 CPU) | Nessus | Misc. | high
108520 | Juniper Junos Space < 17.2R1 Multiple Vulnerabilities (JSA10838) | Nessus | Junos Local Security Checks | critical
106349 | Oracle iPlanet Web Server 7.0.x < 7.0.27 NSS Unspecified Vulnerability (January 2018 CPU) | Nessus | Web Servers | critical
106299 | Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (January 2018 CPU) | Nessus | Web Servers | critical
106018 | Fedora 27 : httpd (2017-fdd3a98e8f) (Optionsbleed) | Nessus | Fedora Local Security Checks | high
105369 | RHEL 6 : Red Hat JBoss Core Services Apache HTTP Server 2.4.23 (RHSA-2017:3477) (Optionsbleed) | Nessus | Red Hat Local Security Checks | critical
105368 | RHEL 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.23 (RHSA-2017:3476) (Optionsbleed) | Nessus | Red Hat Local Security Checks | critical
105081 | macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-002 and 2017-005) | Nessus | MacOS X Local Security Checks | high
105080 | macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown) | Nessus | MacOS X Local Security Checks | high
104699 | RHEL 6 / 7 : JBoss EAP (RHSA-2017:3240) (Optionsbleed) | Nessus | Red Hat Local Security Checks | critical
104541 | RHEL 6 : httpd (RHSA-2017:3195) (Optionsbleed) | Nessus | Red Hat Local Security Checks | critical
104540 | RHEL 7 : httpd (RHSA-2017:3194) (Optionsbleed) | Nessus | Red Hat Local Security Checks | critical
104539 | RHEL 7 : httpd (RHSA-2017:3193) (Optionsbleed) | Nessus | Red Hat Local Security Checks | critical
104456 | RHEL 6 / 7 : Red Hat JBoss Web Server (RHSA-2017:3113) (Optionsbleed) | Nessus | Red Hat Local Security Checks | critical
104278 | EulerOS 2.0 SP2 : httpd (EulerOS-SA-2017-1253) | Nessus | Huawei Local Security Checks | high
104277 | EulerOS 2.0 SP1 : httpd (EulerOS-SA-2017-1252) | Nessus | Huawei Local Security Checks | high
104270 | SUSE SLES11 Security Update : apache2 (SUSE-SU-2017:2907-1) (Optionsbleed) | Nessus | SuSE Local Security Checks | critical
104233 | GLSA-201710-32 : Apache: Multiple vulnerabilities (Optionsbleed) | Nessus | Gentoo Local Security Checks | critical
104053 | CentOS 6 : httpd (CESA-2017:2972) (Optionsbleed) | Nessus | CentOS Local Security Checks | high
104007 | Scientific Linux Security Update : httpd on SL6.x i386/x86_64 (20171019) (Optionsbleed) | Nessus | Scientific Linux Local Security Checks | high
104006 | RHEL 6 : httpd (RHSA-2017:2972) (Optionsbleed) | Nessus | Red Hat Local Security Checks | high
104002 | Oracle Linux 6 : httpd (ELSA-2017-2972) (Optionsbleed) | Nessus | Oracle Linux Local Security Checks | high
103961 | SUSE SLES12 Security Update : apache2 (SUSE-SU-2017:2756-1) (Optionsbleed) | Nessus | SuSE Local Security Checks | critical
103838 | Apache 2.4.x < 2.4.28 HTTP Vulnerability (OptionsBleed) | Nessus | Web Servers | high
103833 | SUSE SLES12 Security Update : apache2 (SUSE-SU-2017:2718-1) (Optionsbleed) | Nessus | SuSE Local Security Checks | high
103806 | Scientific Linux Security Update : httpd on SL7.x x86_64 (20171011) (Optionsbleed) | Nessus | Scientific Linux Local Security Checks | high
103804 | RHEL 7 : httpd (RHSA-2017:2882) (Optionsbleed) | Nessus | Red Hat Local Security Checks | high
103803 | Oracle Linux 7 : httpd (ELSA-2017-2882) (Optionsbleed) | Nessus | Oracle Linux Local Security Checks | high
103790 | CentOS 7 : httpd (CESA-2017:2882) (Optionsbleed) | Nessus | CentOS Local Security Checks | high
103438 | Fedora 26 : httpd (2017-a52f252521) (Optionsbleed) | Nessus | Fedora Local Security Checks | high
103413 | SUSE SLES12 Security Update : apache2 (SUSE-SU-2017:2542-1) (Optionsbleed) | Nessus | SuSE Local Security Checks | high
103399 | openSUSE Security Update : apache2 (openSUSE-2017-1083) (Optionsbleed) | Nessus | SuSE Local Security Checks | high
103389 | Debian DLA-1102-1 : apache2 security update (Optionsbleed) | Nessus | Debian Local Security Checks | high
103364 | Debian DSA-3980-1 : apache2 - security update (Optionsbleed) | Nessus | Debian Local Security Checks | high
103356 | Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : apache2 vulnerability (USN-3425-1) (Optionsbleed) | Nessus | Ubuntu Local Security Checks | high
103344 | FreeBSD : Apache -- HTTP OPTIONS method can leak server memory (76b085e2-9d33-11e7-9260-000c292ee6b8) (Optionsbleed) | Nessus | FreeBSD Local Security Checks | high
103309 | Amazon Linux AMI : httpd24 / httpd (ALAS-2017-896) (Optionsbleed) | Nessus | Amazon Linux Local Security Checks | high
103306 | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : httpd (SSA:2017-261-01) (Optionsbleed) | Nessus | Slackware Local Security Checks | high