Описание
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.
A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash.
Отчет
This issue affects the versions of httpd as shipped with Red Hat Enterprise Linux 5, 6, and 7. This issue affects the versions of httpd24-httpd as shipped with Red Hat Software Collections. Product Security has rated this issue as having Moderate security impact. In order to be vulnerable, .htaccess files need to contain an invalid or not globally registered HTTP method in a "Limit" directive.
Меры по смягчению последствий
This issue can be mitigated by configuring httpd to disallow the use of the "Limit" configuration directive in .htaccess files. The set of directives that can be used in .htaccess files is configured using the "AllowOverride" directive. Refer to Red Hat Bugzilla bug 1490344 for further details: https://bugzilla.redhat.com/show_bug.cgi?id=1490344#c18
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | httpd | Will not fix | ||
| Red Hat JBoss Enterprise Application Platform 5 | httpd | Not affected | ||
| Red Hat JBoss Enterprise Web Server 1 | httpd | Under investigation | ||
| Red Hat JBoss Web Server 3 | httpd | Will not fix | ||
| Red Hat Software Collections | httpd24-httpd | Affected | ||
| JBoss Core Services on RHEL 6 | jbcs-httpd24-httpd | Fixed | RHSA-2017:3477 | 15.12.2017 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-mod_bmx | Fixed | RHSA-2017:3477 | 15.12.2017 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-mod_cluster-native | Fixed | RHSA-2017:3477 | 15.12.2017 |
| JBoss Core Services on RHEL 7 | jbcs-httpd24-httpd | Fixed | RHSA-2017:3476 | 15.12.2017 |
| JBoss Core Services on RHEL 7 | jbcs-httpd24-mod_bmx | Fixed | RHSA-2017:3476 | 15.12.2017 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.9 Medium
CVSS3
Связанные уязвимости
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.
Apache httpd allows remote attackers to read secret data from process ...
EPSS
5.9 Medium
CVSS3