Detections
Analytics

MiracleLinux 4 : httpd-2.2.15-60.6.0.1.AXS4 (AXSA:2017-2391:05)

high Nessus Plugin ID 290066

Synopsis

The remote MiracleLinux host is missing one or more security updates.

Description

The remote MiracleLinux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2017-2391:05 advisory.

 * A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash.
 (CVE-2017-9798)
 * A regression was found in the Asianux Server 6.9 version of httpd, causing comments in the Allow and Deny configuration lines to be parsed incorrectly. A web administrator could unintentionally allow any client to access a restricted HTTP resource. (CVE-2017-12171) Asianux would like to thank Hanno Bck for reporting CVE-2017-9798 and KAWAHARA Masashi for reporting CVE-2017-12171.
 CVE-2017-12171
 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
 CVE-2017-9798 Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27.
 The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://tsn.miraclelinux.com/en/node/8834

Plugin Details

Severity: High

ID: 290066

File Name: miracle_linux_AXSA-2017-2391.nasl

Version: 1.1

Type: local

Published: 1/16/2026

Updated: 1/16/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.1

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2017-12171

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2017-9798

Vulnerability Information

CPE: p-cpe:/a:miracle:linux:httpd-tools, p-cpe:/a:miracle:linux:httpd-manual, p-cpe:/a:miracle:linux:httpd, cpe:/o:miracle:linux:4, p-cpe:/a:miracle:linux:httpd-devel, p-cpe:/a:miracle:linux:mod_ssl

Required KB Items: Host/local_checks_enabled, Host/MiracleLinux/release, Host/MiracleLinux/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/2/2017

Vulnerability Publication Date: 9/18/2017

Reference Information

CVE: CVE-2017-12171, CVE-2017-9798