Vulnerability Name:

CVE-2017-9798

Assigned: 2017-06-21
Published: 2017-09-18
Updated: 2017-12-07
Summary: Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.
CVSS v3 Severity:
7.5 High (CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.7 Medium (Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): High
Integrity (I): None
Availability (A): None

7.5 High (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.7 Medium (CCN Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): High
Integrity (I): None
Availability (A): None

5.9 Medium (REDHAT CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.3 Medium (REDHAT Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): High
Integrity (I): None
Availability (A): None

CVSS v2 Severity:
5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): None
Availability (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): None
Availability (A): None

Vulnerability Type: CWE-416
References:

Source: MISC
Type: UNKNOWN
http://openwall.com/lists/oss-security/2017/09/18/2

Source: DEBIAN
Type: UNKNOWN
DSA-3980

Source: BID
Type: VENDOR_ADVISORY
100872

Source: SECTRACK
Type: VENDOR_ADVISORY
1039387

Source: REDHAT
Type: UNKNOWN
RHSA-2017:2882

Source: REDHAT
Type: UNKNOWN
RHSA-2017:2972

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3018

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3113

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3114

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3193

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3194

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3195

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3239

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3240

Source: MISC
Type: VENDOR_ADVISORY
https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

Source: MISC
Type: VENDOR_ADVISORY
https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch

Source: XF
Type: UNKNOWN
apache-cve20179798-info-disc(132159)

Source: MISC
Type: VENDOR_ADVISORY
https://github.com/apache/httpd/commit/29afdd2550b3d30a8defece2b95ae81edcf66ac9

Source: MISC
Type: VENDOR_ADVISORY
https://github.com/hannob/optionsbleed

Source: MISC
Type: VENDOR_ADVISORY
https://security-tracker.debian.org/tracker/CVE-2017-9798

Source: GENTOO
Type: UNKNOWN
GLSA-201710-32

Source: MISC
Type: VENDOR_ADVISORY
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch

Source: EXPLOIT-DB
Type: VENDOR_ADVISORY
42745

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:apache:http_server:2.2.34:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.4:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.6:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.7:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.9:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.10:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.12:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.16:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.17:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.18:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.20:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.23:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.25:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.26:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.27:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/o:debian:debian_linux:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

OVAL Definitions:

| Definition ID | Class | Title | Last Modified |
| --- | --- | --- | --- |
| oval:org.opensuse.security:def:20179798 | V | CVE-2017-9798 | 2017-12-13 |
| oval:com.redhat.rhsa:def:20172972 | P | RHSA-2017:2972: httpd security update (Moderate) | 2017-10-19 |
| oval:com.redhat.rhsa:def:20172882 | P | RHSA-2017:2882: httpd security update (Moderate) | 2017-10-11 |
| oval:com.ubuntu.trusty:def:20179798000 | V | CVE-2017-9798 on Ubuntu 14.04 LTS (trusty) - medium. | 2017-09-18 |
| oval:com.ubuntu.xenial:def:20179798000 | V | CVE-2017-9798 on Ubuntu 16.04 LTS (xenial) - medium. | 2017-09-18 |